KOI: Add 13 read-only commands, modeling and parsing rules, and alerts dashboard

[ayman-m]

Summary

Updates the KOI pack to 1.3.0 with read-only visibility commands plus XSIAM event-modeling content.

Integration (KOI)

• 13 new read-only commands: koi-devices-list, koi-device-inventory-get, koi-findings-list, koi-groups-list, koi-users-list, koi-remediations-list, koi-approval-requests-list, koi-runtime-policies-list, koi-runtime-policy-get, koi-koidex-search, koi-koidex-risk-report, and koi-fetch-context-get/koi-fetch-context-set (fetch-state diagnostics & maintenance).
• New First Fetch Time Range (first_fetch) parameter.
• Preserves all 1.2.0 work (XSOAR marketplace support, graceful should_push_events, current Docker image).

Event collection (XSIAM)

• Koi Modeling Rule — maps alert and audit events to XDM over the koi_koi_raw dataset.
• Koi Parsing Rule — normalizes and promotes raw alert/audit fields.
• Koi Alerts Dashboard.

Tests & docs

• 11 test_data fixtures + unit tests for all 13 new commands (pytest green; coverage passes).
• README documents all 26 commands (existing example outputs preserved); command_examples.txt updated.
• Release notes 1_3_0.md; pack bumped to 1.3.0.

Verification

• demisto-sdk validate — all validations passed
• demisto-sdk pre-commit (ruff, pylint, mypy, pytest, secrets, coverage, markdownlint) — all green
• demisto-sdk upload -z to an XSIAM tenant — success (integration registers as the KOI data source)

🤖 Generated with Claude Code

relates: https://jira-dc.paloaltonetworks.com/browse/CIAC-17000

[CLAassistant]

All committers have signed the CLA.

[content-bot]

Thank you for your contribution. Your generosity and caring are unrivaled! Make sure to register your contribution by filling the Contribution Registration form, so our content wizard @kamalq97 will know the proposed changes are ready to be reviewed.
For your convenience, here is a link to the contributions SLAs document.

[content-bot]

Hi @ayman-m, thanks for contributing to the XSOAR marketplace. To receive credit for your generous contribution please follow this link.

[content-bot]

🤖 AI-Powered Code Review Available

Hi @kamalq97, you can leverage AI-powered code review to assist with this PR!

Available Commands:

• @marketplace-ai-reviewer start review - Initiate a full AI code review
• @marketplace-ai-reviewer re-review - Incremental review for new commits

[ayman-m]

Hi @kamalq97 — thanks for taking this one! A quick orientation to speed up review:

What this is: KOI pack → 1.3.0. Adds 13 read-only commands (devices, findings, users, groups, remediations, approval-requests, runtime-policies + get, koidex search/risk-report, device-inventory, and fetch-context get/set), a Modeling Rule + Parsing Rule (alerts/audit → XDM over the koi_koi_raw dataset), and an Alerts dashboard.

Status: All automated checks are green — pre-commit/validate, CLA, CodeQL, security. The only two reds are the label gates:

• docs-approved — pending a docs review.
• supported-modules-approved — triggered because the new Modeling Rule, Parsing Rule, and XSIAM Dashboard carry supportedModules: [xsiam]. That's the correct scoping (these are XSIAM-only event-collection content), so it should be a quick PM approval.

I verified the integration's command paths + Bearer auth against the live KOI API (all endpoints return the expected response shapes). Happy to make any changes you'd like — thanks!