
Summary
This experimental Panther rule acts as a passthrough for open SOCRadar incidents, surfacing them as Panther alerts to enable triage and response. The rule does not detect threats itself; it centralizes visibility by ingesting SOCRadar incident data and generating Panther alerts for items with status OPEN. Severity is mapped dynamically from SOCRadar alarm_risk_level values (CRITICAL/HIGH/MEDIUM/LOW/INFO).

Each alert carries core identifiers (alarm_id, alarm_asset), classification (alarm_main_type/alarm_sub_type), and recommended mitigations, along with rich context from the incident content. Indicators such as p_any_ip_addresses, p_any_domain_names, p_any_emails, and p_any_usernames are surfaced to support cross-source correlation. The content block includes fields like phishing_domain, compromised_emails, malware_family, content_link, and related metadata to aid investigation.

The Runbook guides analysts to review the complete alert context, correlate extracted indicators with other sources within a 24-hour window, and search for related incidents (same alarm_main_type or alarm_asset) over the past 30 days to determine whether the finding is isolated or part of a pattern. The Tests section demonstrates representative open incidents that should generate alerts, and a closed incident that should not alert, validating the OPEN-status gate and severity mapping.

This rule increases SOCRadar threat intel visibility in Panther, facilitating triage, investigation, and response workflows.
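The following is an added example, not the rule's own source, of how a Panther-style rule module implementing the behaviour summarized above looks in Python: an OPEN-status gate in `rule()`, an `alarm_risk_level` to Panther severity mapping in `severity()`, a `title()` built from the core identifiers, and an `alert_context()` that carries the indicators and content fields. The field names follow the summary; the sample events, the `evaluate()` helper, and the fallback to MEDIUM for an unrecognised risk level are assumptions made for this example.

```python
"""Added example: a Panther-style passthrough rule for SOCRadar incidents.

Panther calls rule(), severity(), title() and alert_context() with the
ingested event; here the event is a plain dict so the module runs offline.
"""

# SOCRadar alarm_risk_level -> Panther severity. Values are taken from the
# summary; the mapping is one-to-one because the vocabularies coincide.
SEVERITY_MAP = {
    "CRITICAL": "CRITICAL",
    "HIGH": "HIGH",
    "MEDIUM": "MEDIUM",
    "LOW": "LOW",
    "INFO": "INFO",
}
DEFAULT_SEVERITY = "MEDIUM"  # assumption: fallback for unknown/missing risk levels

INDICATOR_FIELDS = (
    "p_any_ip_addresses",
    "p_any_domain_names",
    "p_any_emails",
    "p_any_usernames",
)
CONTENT_FIELDS = ("phishing_domain", "compromised_emails", "malware_family", "content_link")


def rule(event):
    """The OPEN-status gate: only open incidents become alerts."""
    status = str(event.get("status") or "").strip().upper()
    return status == "OPEN"


def severity(event):
    """Map alarm_risk_level (case-insensitive) to a Panther severity string."""
    level = str(event.get("alarm_risk_level") or "").strip().upper()
    return SEVERITY_MAP.get(level, DEFAULT_SEVERITY)


def title(event):
    """Alert title carrying the core identifiers and classification."""
    return (
        f"SOCRadar incident {event.get('alarm_id')} on {event.get('alarm_asset')}: "
        f"{event.get('alarm_main_type')}/{event.get('alarm_sub_type')}"
    )


def alert_context(event):
    """Context for the analyst: identifiers, mitigations, indicators, content."""
    content = event.get("content") or {}
    return {
        "alarm_id": event.get("alarm_id"),
        "alarm_asset": event.get("alarm_asset"),
        "alarm_main_type": event.get("alarm_main_type"),
        "alarm_sub_type": event.get("alarm_sub_type"),
        "mitigations": event.get("mitigations") or [],
        # Only include indicator/content keys that are actually present.
        "indicators": {k: event[k] for k in INDICATOR_FIELDS if event.get(k)},
        "content": {k: content[k] for k in CONTENT_FIELDS if content.get(k)},
    }


# Constructed sample incidents (not real SOCRadar data), mirroring the
# Tests section: two open incidents that should alert, one closed that should not.
SAMPLE_EVENTS = [
    {
        "alarm_id": 101, "status": "OPEN", "alarm_risk_level": "CRITICAL",
        "alarm_asset": "example.com", "alarm_main_type": "Phishing",
        "alarm_sub_type": "Lookalike Domain",
        "mitigations": ["Request takedown of the lookalike domain"],
        "p_any_domain_names": ["examp1e.com"],
        "content": {"phishing_domain": "examp1e.com", "content_link": "https://example.invalid/1"},
    },
    {
        "alarm_id": 102, "status": "open", "alarm_risk_level": "low",
        "alarm_asset": "corp-mail", "alarm_main_type": "Credential Leak",
        "alarm_sub_type": "Combolist",
        "p_any_emails": ["user@example.com"],
        "content": {"compromised_emails": ["user@example.com"]},
    },
    {
        "alarm_id": 103, "status": "CLOSED", "alarm_risk_level": "HIGH",
        "alarm_asset": "example.com", "alarm_main_type": "Malware",
        "alarm_sub_type": "Stealer Log",
        "content": {"malware_family": "constructed-family-name"},
    },
]


def evaluate(events):
    """Run the rule over a batch and return (alarm_id, severity, title) for each alert."""
    return [(e.get("alarm_id"), severity(e), title(e)) for e in events if rule(e)]


if __name__ == "__main__":
    for alarm_id, sev, ttl in evaluate(SAMPLE_EVENTS):
        print(f"[{sev}] {ttl}")
```

Status and risk level are normalised to upper case before comparison so that a feed emitting `open` or `low` still passes the gate and maps correctly; an unknown risk level falls back to `DEFAULT_SEVERITY` rather than raising, which keeps the passthrough from silently dropping incidents whose level the mapping does not know.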
Categories
- Application
- Other
Data Sources
- Script
- Application Log
Created: 2026-03-27