google · mihirvala08 · Mar 11, 2026 · Nov 26, 2025 · Nov 26, 2025 · Dec 22, 2025
@@ -5,6 +5,28 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.37.0] - 2026-03-11
+### Added
+- Comprehensive case management functionality for Chronicle
+  - `get_case()` - Retrieve single case details with optional field expansion
+  - `list_cases()` - List cases with filtering, pagination, and sorting capabilities
+  - `patch_case()` - Update case properties using partial updates
+  - `merge_cases()` - Merge multiple cases into a single case
+  - `get_cases()` - Legacy batch case retrieval for multiple case IDs
+- Bulk case operations for efficient case management
+  - `execute_bulk_add_tag()` - Add tags to multiple cases
+  - `execute_bulk_assign()` - Assign multiple cases to users
+  - `execute_bulk_change_priority()` - Change priority for multiple cases
+  - `execute_bulk_change_stage()` - Change stage for multiple cases
+  - `execute_bulk_close()` - Close multiple cases with reasons
+  - `execute_bulk_reopen()` - Reopen multiple cases
+- Complete CLI support for case management through `secops case` commands
+  - `secops case get` - Get single case details
+  - `secops case list` - List cases with filtering and pagination
+  - `secops case update` - Update case properties
+  - `secops case merge` - Merge multiple cases
+  - `secops case bulk-*` commands for bulk operations
+
 ## [0.36.0] - 2026-03-10
 ### Added
 - Raw log search functionality with `search_raw_logs()` method

@@ -1041,6 +1041,8 @@ secops rule-exclusion compute-activity \
 
 ### Case Management
 
+Chronicle also provides comprehensive case management capabilities for tracking and managing security investigations. The CLI supports listing, retrieving, updating, and performing bulk operations on cases.
+
 Get case details for specific case IDs:
 
 ```bash
@@ -1058,7 +1060,74 @@ secops alert --time-window 24 --max-alerts 50 > alerts.json
 secops case --ids "case-123,case-456"
 ```
 
-> **Note**: The case management uses a batch API that can retrieve multiple cases in a single request. You can provide up to 1000 case IDs separated by commas.
+> **Note**: You can provide up to 1000 case IDs separated by commas.
+
+#### List cases
+
+```bash
+# List all cases with default pagination
+secops case list --page-size 50
+
+# List with filtering
+secops case list --page-size 100 --filter 'status = "OPENED"' --order-by "createTime desc"
+
+# Get cases as a flat list instead of paginated dict
+secops case list --page-size 50 --as-list
+```
+
+#### Get case details
+
+```bash
+# Get a specific case by ID
+secops case get --id "12345"
+
+# Get case with expanded fields
+secops case get --id "12345" --expand "tags,products"
+
+# Legacy: Get multiple cases by IDs (batch API)
+secops case --ids "case-123,case-456"
+```
+
+> **Note**: The legacy batch API can retrieve up to 1000 case IDs in a single request.
+
+#### Update a case
+
+```bash
+# Update case priority
+secops case update --id "12345" --data '{"priority": "PRIORITY_HIGH"}' --update-mask "priority"
+
+# Update multiple fields
+secops case update --id "12345" --data '{"priority": "PRIORITY_MEDIUM", "stage": "Investigation"}' --update-mask "priority,stage"
+```
+
+#### Merge cases
+
+```bash
+# Merge source cases into target case
+secops case merge --source-ids "12345,67890" --target-id "11111"
+```
+
+#### Bulk operations
+
+```bash
+# Bulk add tags to cases
+secops case bulk-add-tag --ids "12345,67890" --tags "phishing,high-priority"
+
+# Bulk assign cases to a user
+secops case bulk-assign --ids "12345,67890" --username "@SecurityTeam"
+
+# Bulk change priority
+secops case bulk-change-priority --ids "12345,67890" --priority "HIGH"
+
+# Bulk change stage
+secops case bulk-change-stage --ids "12345,67890" --stage "Remediation"
+
+# Bulk close cases
+secops case bulk-close --ids "12345,67890" --close-reason "NOT_MALICIOUS" --root-cause "False positive - benign activity"
+
+# Bulk reopen cases
+secops case bulk-reopen --ids "12345,67890" --reopen-comment "New evidence discovered"
+```
 
 ### Investigation Management
 

@@ -1424,6 +1424,134 @@ case = cases.get_case("case-id-1")
 
 > **Note**: The case management API uses the `legacy:legacyBatchGetCases` endpoint to retrieve multiple cases in a single request. You can retrieve up to 1000 cases in a single batch.
 
+### Case Management
+
+Chronicle provides comprehensive case management capabilities for tracking and managing security investigations. The SDK supports listing, retrieving, updating, and performing bulk operations on cases.
+
+#### List cases
+
+Retrieve cases with optional filtering and pagination:
+
+```python
+# List all cases with default pagination
+result = chronicle.list_cases(page_size=50)
+for case_data in result["cases"]:
+    case_id = case_data["name"].split("/")[-1]
+    print(f"Case {case_id}: {case_data['displayName']}")
+
+# List with filtering
+open_cases = chronicle.list_cases(
+    page_size=100,
+    filter_query='status = "OPENED"',
+    order_by="createTime desc"
+)
+
+# Get cases as a flat list instead of paginated dict
+cases_list = chronicle.list_cases(page_size=50, as_list=True)
+for case in cases_list:
+    print(f"{case['displayName']}: {case['priority']}")
+```
+
+#### Get case details
+
+Retrieve detailed information about a specific case:
+
+```python
+# Get case by ID
+case = chronicle.get_case("12345")
+print(f"Case: {case.display_name}")
+print(f"Priority: {case.priority}")
+print(f"Status: {case.status}")
+print(f"Stage: {case.stage}")
+
+# Get case with expanded fields
+case_expanded = chronicle.get_case("12345", expand="tags,products")
+```
+
+#### Update a case
+
+Update case fields using partial updates:
+
+```python
+# Update case priority
+updated_case = chronicle.patch_case(
+    case_name="12345",
+    case_data={"priority": "PRIORITY_HIGH"},
+    update_mask="priority"
+)
+
+# Update multiple fields
+updated_case = chronicle.patch_case(
+    case_name="12345",
+    case_data={
+        "priority": "PRIORITY_MEDIUM",
+        "stage": "Investigation"
+    },
+    update_mask="priority,stage"
+)
+```
+
+#### Merge cases
+
+Merge multiple cases into a single target case:
+
+```python
+# Merge source cases into target case
+result = chronicle.merge_cases(
+    case_ids=[12345, 67890],
+    case_to_merge_with=11111
+)
+
+if result.get("isRequestValid"):
+    print(f"Cases merged into case {result['newCaseId']}")
+else:
+    print(f"Merge failed: {result.get('errors')}")
+```
+
+#### Bulk operations
+
+Perform operations on multiple cases simultaneously:
+
+```python
+# Bulk add tags
+chronicle.execute_bulk_add_tag(
+    case_ids=[12345, 67890],
+    tags=["phishing", "high-priority"]
+)
+
+# Bulk assign cases
+chronicle.execute_bulk_assign(
+    case_ids=[12345, 67890],
+    username="@SecurityTeam"
+)
+
+# Bulk change priority
+chronicle.execute_bulk_change_priority(
+    case_ids=[12345, 67890],
+    priority="PRIORITY_HIGH"
+)
+
+# Bulk change stage
+chronicle.execute_bulk_change_stage(
+    case_ids=[12345, 67890],
+    stage="Remediation"
+)
+
+# Bulk close cases
+chronicle.execute_bulk_close(
+    case_ids=[12345, 67890],
+    close_reason="NOT_MALICIOUS",
+    root_cause="False positive - benign activity",
+    close_comment="Verified with asset owner"
+)
+
+# Bulk reopen cases
+chronicle.execute_bulk_reopen(
+    case_ids=[12345, 67890],
+    reopen_comment="New evidence discovered"
+)
+```
+
 ### Investigation Management
 
 Chronicle investigations provide automated analysis and recommendations for alerts and cases. The SDK provides methods to list, retrieve, trigger, and fetch associated investigations.

@@ -7,6 +7,7 @@ Following shows mapping between SecOps [REST Resource](https://cloud.google.com/
 ## Implementation Statistics
 
 - **v1:** 17 endpoints implemented
+- **v1beta:** 10 endpoints implemented
 - **v1alpha:** 113 endpoints implemented
 
 ## Endpoint Mapping
@@ -85,6 +86,16 @@ Following shows mapping between SecOps [REST Resource](https://cloud.google.com/
 | watchlists.get                                                                 | v1beta  |                                                                                                                   |                                                |
 | watchlists.list                                                                | v1beta  |                                                                                                                   |                                                |
 | watchlists.patch                                                               | v1beta  |                                                                                                                   |                                                |
+| cases.executeBulkAddTag                                                        | v1beta  | chronicle.case.execute_bulk_add_tag                                                                               | secops case bulk-add-tag                       |
+| cases.executeBulkAssign                                                        | v1beta  | chronicle.case.execute_bulk_assign                                                                                | secops case bulk-assign                        |
+| cases.executeBulkChangePriority                                                | v1beta  | chronicle.case.execute_bulk_change_priority                                                                       | secops case bulk-change-priority               |
+| cases.executeBulkChangeStage                                                   | v1beta  | chronicle.case.execute_bulk_change_stage                                                                          | secops case bulk-change-stage                  |
+| cases.executeBulkClose                                                         | v1beta  | chronicle.case.execute_bulk_close                                                                                 | secops case bulk-close                         |
+| cases.executeBulkReopen                                                        | v1beta  | chronicle.case.execute_bulk_reopen                                                                                | secops case bulk-reopen                        |
+| cases.get                                                                      | v1beta  | chronicle.case.get_case                                                                                           | secops case get                                |
+| cases.list                                                                     | v1beta  | chronicle.case.list_cases                                                                                         | secops case list                               |
+| cases.merge                                                                    | v1beta  | chronicle.case.merge_cases                                                                                        | secops case merge                              |
+| cases.patch                                                                    | v1beta  | chronicle.case.patch_case                                                                                         | secops case update                             |
 | analytics.entities.analyticValues.list                                         | v1alpha |                                                                                                                   |                                                |
 | analytics.list                                                                 | v1alpha |                                                                                                                   |                                                |
 | batchValidateWatchlistEntities                                                 | v1alpha |                                                                                                                   |                                                |