71 changes: 70 additions & 1 deletion CLI.md
Expand Up @@ -996,6 +996,8 @@ secops rule-exclusion compute-activity \

### Case Management

Chronicle also provides comprehensive case management capabilities for tracking and managing security investigations. The CLI supports listing, retrieving, updating, and performing bulk operations on cases.

Get case details for specific case IDs:

```bash
Expand All @@ -1013,7 +1015,74 @@ secops alert --time-window 24 --max-alerts 50 > alerts.json
secops case --ids "case-123,case-456"
```

> **Note**: The case management uses a batch API that can retrieve multiple cases in a single request. You can provide up to 1000 case IDs separated by commas.
> **Note**: You can provide up to 1000 case IDs separated by commas.

#### List cases

```bash
# List all cases with default pagination
secops case list --page-size 50

# List with filtering
secops case list --page-size 100 --filter 'status = "OPENED"' --order-by "createTime desc"

# Get cases as a flat list instead of paginated dict
secops case list --page-size 50 --as-list
```

#### Get case details

```bash
# Get a specific case by ID
secops case get --id "12345"

# Get case with expanded fields
secops case get --id "12345" --expand "tags,products"

# Legacy: Get multiple cases by IDs (batch API)
secops case --ids "case-123,case-456"
```

> **Note**: The legacy batch API can retrieve up to 1000 case IDs in a single request.

#### Update a case

```bash
# Update case priority
secops case update --id "12345" --data '{"priority": "PRIORITY_HIGH"}' --update-mask "priority"

# Update multiple fields
secops case update --id "12345" --data '{"priority": "PRIORITY_MEDIUM", "stage": "Investigation"}' --update-mask "priority,stage"
```

#### Merge cases

```bash
# Merge source cases into target case
secops case merge --source-ids "12345,67890" --target-id "11111"
```

#### Bulk operations

```bash
# Bulk add tags to cases
secops case bulk-add-tag --ids "12345,67890" --tags "phishing,high-priority"

# Bulk assign cases to a user
secops case bulk-assign --ids "12345,67890" --username "@SecurityTeam"

# Bulk change priority
secops case bulk-change-priority --ids "12345,67890" --priority "HIGH"

# Bulk change stage
secops case bulk-change-stage --ids "12345,67890" --stage "Remediation"

# Bulk close cases
secops case bulk-close --ids "12345,67890" --close-reason "NOT_MALICIOUS" --root-cause "False positive - benign activity"

# Bulk reopen cases
secops case bulk-reopen --ids "12345,67890" --reopen-comment "New evidence discovered"
```

### Investigation Management

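Review bot: the priority value in the `bulk-change-priority` example (`--priority "HIGH"`) does not match the form used by `case update` in the same hunk (`--data '{"priority": "PRIORITY_HIGH"}'`) or by the SDK README in this PR (`priority="PRIORITY_HIGH"`); use one form, or state explicitly that the CLI accepts the short name. Two smaller points: the batch example `secops case --ids "case-123,case-456"` now appears twice, once directly under the section intro and again as "Legacy" under "#### Get case details", each with its own "up to 1000 case IDs" note, so keep one copy and one note. `bulk-close` here shows `--close-reason` and `--root-cause` but not a close comment, while the README documents `close_comment` for `execute_bulk_close`; if the CLI exposes that flag, document it here too, and the `merge` example should say whether merging source cases into the target can be undone.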
128 changes: 128 additions & 0 deletions README.md
Expand Up @@ -1403,6 +1403,134 @@ case = cases.get_case("case-id-1")

> **Note**: The case management API uses the `legacy:legacyBatchGetCases` endpoint to retrieve multiple cases in a single request. You can retrieve up to 1000 cases in a single batch.

### Case Management

Chronicle provides comprehensive case management capabilities for tracking and managing security investigations. The SDK supports listing, retrieving, updating, and performing bulk operations on cases.

#### List cases

Retrieve cases with optional filtering and pagination:

```python
# List all cases with default pagination
result = chronicle.list_cases(page_size=50)
for case_data in result["cases"]:
case_id = case_data["name"].split("/")[-1]
print(f"Case {case_id}: {case_data['displayName']}")

# List with filtering
open_cases = chronicle.list_cases(
page_size=100,
filter_query='status = "OPENED"',
order_by="createTime desc"
)

# Get cases as a flat list instead of paginated dict
cases_list = chronicle.list_cases(page_size=50, as_list=True)
for case in cases_list:
print(f"{case['displayName']}: {case['priority']}")
```

#### Get case details

Retrieve detailed information about a specific case:

```python
# Get case by ID
case = chronicle.get_case("12345")
print(f"Case: {case.display_name}")
print(f"Priority: {case.priority}")
print(f"Status: {case.status}")
print(f"Stage: {case.stage}")

# Get case with expanded fields
case_expanded = chronicle.get_case("12345", expand="tags,products")
```

#### Update a case

Update case fields using partial updates:

```python
# Update case priority
updated_case = chronicle.patch_case(
case_name="12345",
case_data={"priority": "PRIORITY_HIGH"},
update_mask="priority"
)

# Update multiple fields
updated_case = chronicle.patch_case(
case_name="12345",
case_data={
"priority": "PRIORITY_MEDIUM",
"stage": "Investigation"
},
update_mask="priority,stage"
)
```

#### Merge cases

Merge multiple cases into a single target case:

```python
# Merge source cases into target case
result = chronicle.merge_cases(
case_ids=[12345, 67890],
case_to_merge_with=11111
)

if result.get("isRequestValid"):
print(f"Cases merged into case {result['newCaseId']}")
else:
print(f"Merge failed: {result.get('errors')}")
```

#### Bulk operations

Perform operations on multiple cases simultaneously:

```python
# Bulk add tags
chronicle.execute_bulk_add_tag(
case_ids=[12345, 67890],
tags=["phishing", "high-priority"]
)

# Bulk assign cases
chronicle.execute_bulk_assign(
case_ids=[12345, 67890],
username="@SecurityTeam"
)

# Bulk change priority
chronicle.execute_bulk_change_priority(
case_ids=[12345, 67890],
priority="PRIORITY_HIGH"
)

# Bulk change stage
chronicle.execute_bulk_change_stage(
case_ids=[12345, 67890],
stage="Remediation"
)

# Bulk close cases
chronicle.execute_bulk_close(
case_ids=[12345, 67890],
close_reason="NOT_MALICIOUS",
root_cause="False positive - benign activity",
close_comment="Verified with asset owner"
)

# Bulk reopen cases
chronicle.execute_bulk_reopen(
case_ids=[12345, 67890],
reopen_comment="New evidence discovered"
)
```

### Investigation Management

Chronicle investigations provide automated analysis and recommendations for alerts and cases. The SDK provides methods to list, retrieve, trigger, and fetch associated investigations.
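Review bot: case IDs are passed inconsistently across the new examples: `get_case("12345")` and `patch_case(case_name="12345", ...)` take strings, while `merge_cases(case_ids=[12345, 67890], case_to_merge_with=11111)` and every `execute_bulk_*` call take integers. If the endpoints really differ, say so in a note; otherwise settle on one type. Related: `patch_case` names its parameter `case_name` but the example passes a bare ID rather than a resource name, so state which is accepted. The return types also differ without comment: `get_case` is shown returning an object (`case.display_name`, `case.priority`) while `list_cases` yields dicts (`case_data['displayName']`); one sentence on each method's return type would prevent readers mixing them. In the merge example, `result.get("isRequestValid")` is defensive but the success branch indexes `result['newCaseId']` directly; use the same style for both. Finally, the new `### Case Management` heading is inserted directly after the existing `legacy:legacyBatchGetCases` note, leaving that note orphaned at the end of the previous section; consider moving it under "#### Get case details" next to `get_case`.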
11 changes: 11 additions & 0 deletions api_module_mapping.md
Expand Up @@ -7,6 +7,7 @@ Following shows mapping between SecOps [REST Resource](https://cloud.google.com/
## Implementation Statistics

- **v1:** 17 endpoints implemented
- **v1beta:** 10 endpoints implemented
- **v1alpha:** 113 endpoints implemented

## Endpoint Mapping
Expand Down Expand Up @@ -85,6 +86,16 @@ Following shows mapping between SecOps [REST Resource](https://cloud.google.com/
| watchlists.get | v1beta | | |
| watchlists.list | v1beta | | |
| watchlists.patch | v1beta | | |
| cases.executeBulkAddTag | v1beta | chronicle.case.execute_bulk_add_tag | secops case bulk-add-tag |
| cases.executeBulkAssign | v1beta | chronicle.case.execute_bulk_assign | secops case bulk-assign |
| cases.executeBulkChangePriority | v1beta | chronicle.case.execute_bulk_change_priority | secops case bulk-change-priority |
| cases.executeBulkChangeStage | v1beta | chronicle.case.execute_bulk_change_stage | secops case bulk-change-stage |
| cases.executeBulkClose | v1beta | chronicle.case.execute_bulk_close | secops case bulk-close |
| cases.executeBulkReopen | v1beta | chronicle.case.execute_bulk_reopen | secops case bulk-reopen |
| cases.get | v1beta | chronicle.case.get_case | secops case get |
| cases.list | v1beta | chronicle.case.list_cases | secops case list |
| cases.merge | v1beta | chronicle.case.merge_cases | secops case merge |
| cases.patch | v1beta | chronicle.case.patch_case | secops case update |
| analytics.entities.analyticValues.list | v1alpha | | |
| analytics.list | v1alpha | | |
| batchValidateWatchlistEntities | v1alpha | | |
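Review bot: the SDK column for the new rows uses the module path form (`chronicle.case.get_case`, `chronicle.case.list_cases`, ...), whereas the README in this PR calls the same methods as `chronicle.get_case(...)` and `chronicle.list_cases(...)`; use whichever form the existing rows of this table use so a reader can grep for the name. Also, if the table is kept alphabetical within each API version, the ten `cases.*` rows belong before `watchlists.get` rather than appended after `watchlists.patch`.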