Skip to content

feat: added case managment support #182

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mihirvala08 wants to merge 16 commits into
base: main
Choose a base branch
from
Open

feat: added case managment support #182

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
68ee8c9
feat: added case management methods
mihirvala08 Nov 26, 2025
2403410
chore: added example. added unit tests
mihirvala08 Nov 26, 2025
6f84ac4
Merge branch 'main' into feature/case-management-methods
mihirvala08 Dec 22, 2025
a7327f0
chore: linting and formatting
mihirvala08 Dec 22, 2025
715c1cf
Merge branch 'main' into feature/case-management-methods
mihirvala08 Jan 19, 2026
af4a5c2
Merge branch 'main' into feature/case-management-methods
mihirvala08 Feb 9, 2026
95030b3
refactor: improve case management methods, example and tests.
mihirvala08 Feb 10, 2026
8572231
chore: lint fixes
mihirvala08 Feb 10, 2026
727be98
chore: minor improvements and refactoring.
mihirvala08 Feb 10, 2026
eecc1dd
chore: fixed unit tests
mihirvala08 Feb 10, 2026
fb45505
chore: added integration tests
mihirvala08 Feb 10, 2026
07844e6
chore: refactor integration tests
mihirvala08 Feb 11, 2026
8d512d7
chore: updated to use v1beta endpoint
mihirvala08 Feb 11, 2026
0857b9e
docs: add comprehensive case management documentation and API mapping
mihirvala08 Feb 11, 2026
b91a843
chore: client integration test fix.
mihirvala08 Feb 12, 2026
8b2fe41
chore: integration tests refactoring
mihirvala08 Feb 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
71 changes: 70 additions & 1 deletion CLI.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -996,6 +996,8 @@ secops rule-exclusion compute-activity \

### Case Management

Chronicle also provides comprehensive case management capabilities for tracking and managing security investigations. The CLI supports listing, retrieving, updating, and performing bulk operations on cases.

Get case details for specific case IDs:

```bash
Expand All @@ -1013,7 +1015,74 @@ secops alert --time-window 24 --max-alerts 50 > alerts.json
secops case --ids "case-123,case-456"
```

> **Note**: The case management uses a batch API that can retrieve multiple cases in a single request. You can provide up to 1000 case IDs separated by commas.
> **Note**: You can provide up to 1000 case IDs separated by commas.

#### List cases

```bash
# List all cases with default pagination
secops case list --page-size 50

# List with filtering
secops case list --page-size 100 --filter 'status = "OPENED"' --order-by "createTime desc"

# Get cases as a flat list instead of paginated dict
secops case list --page-size 50 --as-list
```

#### Get case details

```bash
# Get a specific case by ID
secops case get --id "12345"

# Get case with expanded fields
secops case get --id "12345" --expand "tags,products"

# Legacy: Get multiple cases by IDs (batch API)
secops case --ids "case-123,case-456"
```

> **Note**: The legacy batch API can retrieve up to 1000 case IDs in a single request.

#### Update a case

```bash
# Update case priority
secops case update --id "12345" --data '{"priority": "PRIORITY_HIGH"}' --update-mask "priority"

# Update multiple fields
secops case update --id "12345" --data '{"priority": "PRIORITY_MEDIUM", "stage": "Investigation"}' --update-mask "priority,stage"
```

#### Merge cases

```bash
# Merge source cases into target case
secops case merge --source-ids "12345,67890" --target-id "11111"
```

#### Bulk operations

```bash
# Bulk add tags to cases
secops case bulk-add-tag --ids "12345,67890" --tags "phishing,high-priority"

# Bulk assign cases to a user
secops case bulk-assign --ids "12345,67890" --username "@SecurityTeam"

# Bulk change priority
secops case bulk-change-priority --ids "12345,67890" --priority "HIGH"

# Bulk change stage
secops case bulk-change-stage --ids "12345,67890" --stage "Remediation"

# Bulk close cases
secops case bulk-close --ids "12345,67890" --close-reason "NOT_MALICIOUS" --root-cause "False positive - benign activity"

# Bulk reopen cases
secops case bulk-reopen --ids "12345,67890" --reopen-comment "New evidence discovered"
```

### Investigation Management

Expand Down
128 changes: 128 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1403,6 +1403,134 @@ case = cases.get_case("case-id-1")

> **Note**: The case management API uses the `legacy:legacyBatchGetCases` endpoint to retrieve multiple cases in a single request. You can retrieve up to 1000 cases in a single batch.

### Case Management

Chronicle provides comprehensive case management capabilities for tracking and managing security investigations. The SDK supports listing, retrieving, updating, and performing bulk operations on cases.

#### List cases

Retrieve cases with optional filtering and pagination:

```python
# List all cases with default pagination
result = chronicle.list_cases(page_size=50)
for case_data in result["cases"]:
case_id = case_data["name"].split("/")[-1]
print(f"Case {case_id}: {case_data['displayName']}")

# List with filtering
open_cases = chronicle.list_cases(
page_size=100,
filter_query='status = "OPENED"',
order_by="createTime desc"
)

# Get cases as a flat list instead of paginated dict
cases_list = chronicle.list_cases(page_size=50, as_list=True)
for case in cases_list:
print(f"{case['displayName']}: {case['priority']}")
```

#### Get case details

Retrieve detailed information about a specific case:

```python
# Get case by ID
case = chronicle.get_case("12345")
print(f"Case: {case.display_name}")
print(f"Priority: {case.priority}")
print(f"Status: {case.status}")
print(f"Stage: {case.stage}")

# Get case with expanded fields
case_expanded = chronicle.get_case("12345", expand="tags,products")
```

#### Update a case

Update case fields using partial updates:

```python
# Update case priority
updated_case = chronicle.patch_case(
case_name="12345",
case_data={"priority": "PRIORITY_HIGH"},
update_mask="priority"
)

# Update multiple fields
updated_case = chronicle.patch_case(
case_name="12345",
case_data={
"priority": "PRIORITY_MEDIUM",
"stage": "Investigation"
},
update_mask="priority,stage"
)
```

#### Merge cases

Merge multiple cases into a single target case:

```python
# Merge source cases into target case
result = chronicle.merge_cases(
case_ids=[12345, 67890],
case_to_merge_with=11111
)

if result.get("isRequestValid"):
print(f"Cases merged into case {result['newCaseId']}")
else:
print(f"Merge failed: {result.get('errors')}")
```

#### Bulk operations

Perform operations on multiple cases simultaneously:

```python
# Bulk add tags
chronicle.execute_bulk_add_tag(
case_ids=[12345, 67890],
tags=["phishing", "high-priority"]
)

# Bulk assign cases
chronicle.execute_bulk_assign(
case_ids=[12345, 67890],
username="@SecurityTeam"
)

# Bulk change priority
chronicle.execute_bulk_change_priority(
case_ids=[12345, 67890],
priority="PRIORITY_HIGH"
)

# Bulk change stage
chronicle.execute_bulk_change_stage(
case_ids=[12345, 67890],
stage="Remediation"
)

# Bulk close cases
chronicle.execute_bulk_close(
case_ids=[12345, 67890],
close_reason="NOT_MALICIOUS",
root_cause="False positive - benign activity",
close_comment="Verified with asset owner"
)

# Bulk reopen cases
chronicle.execute_bulk_reopen(
case_ids=[12345, 67890],
reopen_comment="New evidence discovered"
)
```

### Investigation Management

Chronicle investigations provide automated analysis and recommendations for alerts and cases. The SDK provides methods to list, retrieve, trigger, and fetch associated investigations.
Expand Down
11 changes: 11 additions & 0 deletions api_module_mapping.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ Following shows mapping between SecOps [REST Resource](https://cloud.google.com/
## Implementation Statistics

- **v1:** 17 endpoints implemented
- **v1beta:** 10 endpoints implemented
- **v1alpha:** 113 endpoints implemented

## Endpoint Mapping
Expand Down Expand Up @@ -85,6 +86,16 @@ Following shows mapping between SecOps [REST Resource](https://cloud.google.com/
| watchlists.get | v1beta | | |
| watchlists.list | v1beta | | |
| watchlists.patch | v1beta | | |
| cases.executeBulkAddTag | v1beta | chronicle.case.execute_bulk_add_tag | secops case bulk-add-tag |
| cases.executeBulkAssign | v1beta | chronicle.case.execute_bulk_assign | secops case bulk-assign |
| cases.executeBulkChangePriority | v1beta | chronicle.case.execute_bulk_change_priority | secops case bulk-change-priority |
| cases.executeBulkChangeStage | v1beta | chronicle.case.execute_bulk_change_stage | secops case bulk-change-stage |
| cases.executeBulkClose | v1beta | chronicle.case.execute_bulk_close | secops case bulk-close |
| cases.executeBulkReopen | v1beta | chronicle.case.execute_bulk_reopen | secops case bulk-reopen |
| cases.get | v1beta | chronicle.case.get_case | secops case get |
| cases.list | v1beta | chronicle.case.list_cases | secops case list |
| cases.merge | v1beta | chronicle.case.merge_cases | secops case merge |
| cases.patch | v1beta | chronicle.case.patch_case | secops case update |
| analytics.entities.analyticValues.list | v1alpha | | |
| analytics.list | v1alpha | | |
| batchValidateWatchlistEntities | v1alpha | | |
Expand Down
Loading