demisto · shmuel44 · Aug 24, 2023 · Aug 13, 2023 · Aug 13, 2023 · Aug 13, 2023
@@ -3870,6 +3870,15 @@ def list_risky_users_or_host_command(client: CoreClient, command: str, args: dic
         ValueError: If the API connection fails.
 
     """
+    def _warn_if_module_is_disabled(e: DemistoException) -> None:
+        if (
+                e is not None
+                and e.res is not None
+                and e.res.status_code == 500
+                and 'No identity threat' in str(e)
+                and "An error occurred while processing XDR public API" in e.message
+        ):
+            return_warning(f'Please confirm the XDR Identity Threat Module is enabled.\nFull error message: {e}', exit=True)
 
     match command:
         case "user":
@@ -3890,6 +3899,7 @@ def list_risky_users_or_host_command(client: CoreClient, command: str, args: dic
         try:
             outputs = client.risk_score_user_or_host(id_).get('reply', {})
         except DemistoException as e:
+            _warn_if_module_is_disabled(e)
             if error_message := enrich_error_message_id_group_role(e=e, type_="id", custom_message=""):
                 not_found_message = 'was not found'
                 if not_found_message in error_message:
@@ -3903,8 +3913,12 @@ def list_risky_users_or_host_command(client: CoreClient, command: str, args: dic
 
     else:
         list_limit = int(args.get('limit', 50))
-        outputs = get_func().get('reply', [])[:list_limit]
 
+        try:
+            outputs = get_func().get('reply', [])[:list_limit]
+        except DemistoException as e:
+            _warn_if_module_is_disabled(e)
+            raise
         table_for_markdown = [parse_risky_users_or_hosts(user, *table_headers) for user in outputs]
 
     readable_output = tableToMarkdown(name=table_title, t=table_for_markdown, headers=table_headers)

@@ -4,7 +4,7 @@
 import os
 import zipfile
 from typing import Any
-
+from pytest_mock import MockerFixture
 import pytest
 
 import demistomock as demisto
@@ -3278,6 +3278,56 @@ def __init__(self, status_code) -> None:
     assert result.readable_output == 'The user test was not found'
 
 
+@pytest.mark.parametrize(
+    "command ,args, client_func",
+    [
+        ('user', {"user_id": "test"}, "risk_score_user_or_host"),
+        ('host', {"host_id": "test"}, "risk_score_user_or_host"),
+        ('user', {}, "list_risky_users"),
+        ('host', {}, "list_risky_hosts"),
+    ],
+    ids=['user_id', 'host_id', 'list_users', 'list_hosts']
+)
+def test_list_risky_users_hosts_command_no_license_warning(mocker: MockerFixture, command: str, args: dict, client_func: str):
+    """
+    Given:
+    - XDR API error indicating that the user / host was not found
+
+    When:
+    - executing the list_risky_users_or_host_command function
+
+    Then:
+    - make sure a message indicating that the user was not found is returned
+    """
+
+    client = CoreClient(
+        base_url="test",
+        headers={},
+    )
+
+    class MockException:
+        def __init__(self, status_code) -> None:
+            self.status_code = status_code
+
+    mocker.patch.object(
+        client,
+        client_func,
+        side_effect=DemistoException(
+            message="An error occurred while processing XDR public API, No identity threat",
+            res=MockException(500)
+        ),
+    )
+    import CoreIRApiModule
+    warning = mocker.patch.object(CoreIRApiModule, 'return_warning')
+
+    with pytest.raises(DemistoException):
+        list_risky_users_or_host_command(client, command, args)
+    assert warning.call_args[0][0] == ('Please confirm the XDR Identity Threat Module is enabled.\n'
+                                       'Full error message: An error occurred while processing XDR public API,'
+                                       ' No identity threat')
+    assert warning.call_args[1] == {"exit": True}
+
+
 def test_list_user_groups_command(mocker):
     """
     Test function to validate the behavior of the `list_user_groups_command` function.

@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Investigation & Response
+
+Fixed an issue where the ***core-list-risky-users*** and ***core-list-risky-hosts*** commands would fail when the XDR Identity Threat Module was disabled or the license was missing.
@@ -2,7 +2,7 @@
     "name": "Core - Investigation and Response",
     "description": "Automates incident response",
     "support": "xsoar",
-    "currentVersion": "2.0.8",
+    "currentVersion": "2.0.9",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

@@ -0,0 +1,6 @@
+
+#### Playbooks
+
+##### Cortex XDR Malware - Incident Enrichment
+
+Fixed an issue where the ***xdr-list-risky-users*** and ***xdr-list-risky-hosts*** commands would fail when the XDR Identity Threat Module was disabled or the license was missing.
@@ -2,7 +2,7 @@
     "name": "Cortex XDR by Palo Alto Networks",
     "description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.",
     "support": "xsoar",
-    "currentVersion": "5.1.0",
+    "currentVersion": "5.1.1",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",