RFPD-96030: add rf-alert-lookup command

Packs/RecordedFutureV3/Integrations/RecordedFutureAlerts/RecordedFutureAlerts.py

@@ -263,6 +263,10 @@ def alert_rule_search_command(
     def alert_update_command(self) -> dict | list[CommandResults]:
         return self.client.alert_update()
 
+    def alert_lookup_command(self) -> dict | list[CommandResults]:
+        alert_id = demisto.args().get("alert_id", "")
+        return self.client.alert_lookup(alert_id)
+
     @staticmethod
     def _get_file_name_from_image_id(image_id: str) -> str:
         return f"{image_id.replace('img:', '')}.png"
@@ -419,6 +423,8 @@ def main():
             return_results(actions.alert_search_command())
         elif command == "rf-alert-update":
             return_results(actions.alert_update_command())
+        elif command == "rf-alert-lookup":
+            return_results(actions.alert_lookup_command())
         elif command == "rf-alert-images":
             return_results(actions.get_alert_images_command())
 

Packs/RecordedFutureV3/Integrations/RecordedFutureAlerts/RecordedFutureAlerts.yml

@@ -208,6 +208,88 @@ script:
         - contextPath: RecordedFutureAlerts.Alert.comment
           description: Note (Classic) or comment (Playbook) that was just applied.
           type: string
+    - name: rf-alert-lookup
+      description: Look up a single Recorded Future alert by ID. Supports both Classic Alerts and Playbook Alerts. Returns full alert data including rule details, entities, AI insights, and Playbook Alert panel data.
+      arguments:
+        - name: alert_id
+          required: true
+          description: ID of the alert to look up.
+      outputs:
+        - contextPath: RecordedFutureAlerts.Alert.id
+          description: Unique ID of the alert in Recorded Future.
+          type: string
+        - contextPath: RecordedFutureAlerts.Alert.title
+          description: Title of the alert.
+          type: string
+        - contextPath: RecordedFutureAlerts.Alert.type
+          description: Alert type (classic-alert / playbook-alert).
+          type: string
+        - contextPath: RecordedFutureAlerts.Alert.subtype
+          description: Alert subtype / category.
+          type: string
+        - contextPath: RecordedFutureAlerts.Alert.status
+          description: Current status of the alert.
+          type: string
+        - contextPath: RecordedFutureAlerts.Alert.created
+          description: Timestamp when the alert was created.
+          type: date
+        - contextPath: RecordedFutureAlerts.Alert.updated
+          description: Timestamp when the alert was last updated. For Classic Alerts this equals the created timestamp.
+          type: date
+        - contextPath: RecordedFutureAlerts.Alert.images
+          description: List of image IDs attached to the alert.
+          type: unknown
+        - contextPath: RecordedFutureAlerts.Alert.classic_alert_rule_name
+          description: (Classic Alert) Name of the alert rule that triggered this alert.
+          type: string
+        - contextPath: RecordedFutureAlerts.Alert.classic_alert_rule_id
+          description: (Classic Alert) ID of the alert rule that triggered this alert.
+          type: string
+        - contextPath: RecordedFutureAlerts.Alert.portal_url
+          description: (Classic Alert) URL to the alert in the Recorded Future portal.
+          type: string
+        - contextPath: RecordedFutureAlerts.Alert.ai_insights
+          description: (Classic Alert) AI-generated insights summary for the alert.
+          type: string
+        - contextPath: RecordedFutureAlerts.Alert.review.status
+          description: (Classic Alert) Review status of the alert.
+          type: string
+        - contextPath: RecordedFutureAlerts.Alert.review.assignee
+          description: (Classic Alert) User the alert is assigned to.
+          type: string
+        - contextPath: RecordedFutureAlerts.Alert.review.note
+          description: (Classic Alert) Review note on the alert.
+          type: string
+        - contextPath: RecordedFutureAlerts.Alert.entities
+          description: (Classic Alert) List of entities referenced in the alert.
+          type: unknown
+        - contextPath: RecordedFutureAlerts.Alert.fragments
+          description: (Classic Alert) Text fragments from the alert hits.
+          type: unknown
+        - contextPath: RecordedFutureAlerts.Alert.documents
+          description: (Classic Alert) Documents associated with alert hits.
+          type: unknown
+        - contextPath: RecordedFutureAlerts.Alert.analyst_notes
+          description: (Classic Alert) URLs to analyst notes linked in the alert.
+          type: unknown
+        - contextPath: RecordedFutureAlerts.Alert.triggered_by
+          description: (Classic Alert) List of entities / paths that triggered the alert.
+          type: unknown
+        - contextPath: RecordedFutureAlerts.Alert.playbook_alert_category
+          description: (Playbook Alert) Category of the playbook alert.
+          type: string
+        - contextPath: RecordedFutureAlerts.Alert.playbook_alert_priority
+          description: (Playbook Alert) Priority of the playbook alert.
+          type: string
+        - contextPath: RecordedFutureAlerts.Alert.entity_name
+          description: (Playbook Alert) Name of the primary entity (e.g. domain, CVE).
+          type: string
+        - contextPath: RecordedFutureAlerts.Alert.targets
+          description: (Playbook Alert) List of target names associated with the alert.
+          type: unknown
+        - contextPath: RecordedFutureAlerts.Alert.details
+          description: (Playbook Alert) Detailed panel data for the alert. Structure depends on the alert category.
+          type: unknown
     - name: rf-alerts
       description: List Classic or Playbook alerts.
       arguments:

Packs/RecordedFutureV3/Integrations/RecordedFutureAlerts/RecordedFutureAlerts_test.py

@@ -418,3 +418,11 @@ def test_main_dispatch_rf_alert_images(monkeypatch: pytest.MonkeyPatch):
         command="rf-alert-images",
         actions_attr="get_alert_images_command",
     )
+
+
+def test_main_dispatch_rf_alert_lookup(monkeypatch: pytest.MonkeyPatch):
+    _exercise_main(
+        monkeypatch,
+        command="rf-alert-lookup",
+        actions_attr="alert_lookup_command",
+    )