Feature/watchlist implementation

CHANGELOG.md

@@ -5,6 +5,15 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.30.0] - 2025-12-22
+### Added
+- Support for following watchlist management methods:
+  - List watchlists
+  - Create watchlist
+  - Get watchlist details
+  - Update watchlist
+  - Delete watchlist
+
 ## [0.29.0] - 2025-12-17
 ### Added
 - Support for following log/data processing pipeline methods:

CLI.md

@@ -666,6 +666,49 @@ secops parser-extension activate --log-type OKTA --id "1234567890"
 secops parser-extension delete --log-type OKTA --id "1234567890"
 ```
 
+### Watchlist Management
+
+List watchlists:
+
+```bash
+# List all watchlists
+secops watchlist list
+
+# List watchlist with pagination 
+secops watchlist list --page-size 50
+```
+
+Get watchlist details:
+
+```bash
+secops watchlist get --watchlist-id "abc-123-def"
+```
+
+Create a new watchlist:
+
+```bash
+secops watchlist create --name "my_watchlist" --display-name "my_watchlist" --description "My watchlist description" --multiplying-factor 1.5
+```
+
+Update a watchlist:
+
+```bash
+# Update display name and description
+secops watchlist update --watchlist-id "abc-123-def" --display-name "Updated Name" --description "Updated description"
+
+# Update multiplying factor and pin the watchlist
+secops watchlist update --watchlist-id "abc-123-def" --multiplying-factor 2.0 --pinned true
+
+# Update entity population mechanism (JSON string or file path)
+secops watchlist update --watchlist-id "abc-123-def" --entity-population-mechanism '{"manual": {}}'
+```
+
+Delete a watchlist:
+
+```bash
+secops watchlist delete --watchlist-id "abc-123-def"
+```
+
 ### Rule Management
 
 List detection rules:

README.md

@@ -1704,6 +1704,60 @@ extension_id = "1234567890"
 chronicle.delete_parser_extension(log_type, extension_id)
 ```
 
+## Watchlist Management
+
+### Creating a Watchlist
+
+Create a new watchlist:
+
+```python
+watchlist = chronicle.create_watchlist(
+    name="my_watchlist",
+    display_name="my_watchlist",
+    multiplying_factor=1.5,
+    description="My new watchlist"
+)
+```
+
+### Updating a Watchlist
+
+Update a watchlist by ID:
+
+```python
+updated_watchlist = chronicle.update_watchlist(
+    watchlist_id="abc-123-def",
+    display_name="Updated Watchlist Name",
+    description="Updated description",
+    multiplying_factor=2.0,
+    entity_population_mechanism={"manual": {}},
+    watchlist_user_preferences={"pinned": True}
+)
+```
+
+### Deleting a Watchlist
+
+Delete a watchlist by ID:
+
+```python
+chronicle.delete_watchlist("acb-123-def", force=True)
+```
+
+### Getting a Watchlist
+
+Get a watchlist by ID:
+
+```python
+watchlist = chronicle.get_watchlist("acb-123-def")
+```
+
+### List all Watchlists
+
+List all watchlists:
+
+```python
+watchlists = chronicle.list_watchlists()
+```
+
 ## Rule Management
 
 The SDK provides comprehensive support for managing Chronicle detection rules:

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "secops"
-version = "0.29.0"
+version = "0.30.0"
 description = "Python SDK for wrapping the Google SecOps API for common use cases"
 readme = "README.md"
 requires-python = ">=3.10"

src/secops/chronicle/__init__.py

@@ -175,6 +175,13 @@
     find_udm_field_values,
 )
 from secops.chronicle.validate import validate_query
+from secops.chronicle.watchlist import (
+    list_watchlists,
+    get_watchlist,
+    delete_watchlist,
+    create_watchlist,
+    update_watchlist,
+)
 
 __all__ = [
     # Client
@@ -327,4 +334,10 @@
     "fetch_associated_pipeline",
     "fetch_sample_logs_by_streams",
     "test_pipeline",
+    # Watchlist
+    "list_watchlists",
+    "get_watchlist",
+    "delete_watchlist",
+    "create_watchlist",
+    "update_watchlist",
 ]

src/secops/chronicle/client.py

@@ -309,6 +309,13 @@
     find_udm_field_values as _find_udm_field_values,
 )
 from secops.chronicle.validate import validate_query as _validate_query
+from secops.chronicle.watchlist import (
+    list_watchlists as _list_watchlists,
+    get_watchlist as _get_watchlist,
+    delete_watchlist as _delete_watchlist,
+    create_watchlist as _create_watchlist,
+    update_watchlist as _update_watchlist,
+)
 from secops.exceptions import SecOpsError
 
 
@@ -605,6 +612,132 @@ def validate_query(self, query: str) -> dict[str, Any]:
         """
         return _validate_query(self, query)
 
+    def list_watchlists(
+        self,
+        page_size: int | None = None,
+        page_token: str | None = None,
+    ) -> dict[str, Any]:
+        """Get a list of all watchlists.
+
+        Args:
+            page_size: Maximum number of watchlists to return per page
+            page_token: Token for the next page of results, if available
+
+        Returns:
+            Dictionary with list of watchlists
+
+        Raises:
+            APIError: If the API request fails
+        """
+        return _list_watchlists(self, page_size, page_token)
+
+    def get_watchlist(
+        self,
+        watchlist_id: str,
+    ) -> dict[str, Any]:
+        """Get a specific watchlist by ID.
+
+        Args:
+            watchlist_id: ID of the watchlist to retrieve
+
+        Returns:
+            Watchlist
+
+        Raises:
+            APIError: If the API request fails
+        """
+        return _get_watchlist(self, watchlist_id)
+
+    def delete_watchlist(
+        self,
+        watchlist_id: str,
+        force: bool | None = None,
+    ) -> dict[str, Any]:
+        """Delete a watchlist by ID.
+
+        Args:
+            watchlist_id: ID of the watchlist to delete
+            force: Optional. If set to true, any entities under this
+             watchlist will also be deleted.
+              (Otherwise, the request will only work if the
+               watchlist has no entities.)
+
+        Returns:
+            Deleted watchlist
+
+        Raises:
+            APIError: If the API request fails
+        """
+        return _delete_watchlist(self, watchlist_id, force)
+
+    def create_watchlist(
+        self,
+        name: str,
+        display_name: str,
+        multiplying_factor: float,
+        description: str | None = None,
+    ) -> dict[str, Any]:
+        """Create a watchlist
+
+        Args:
+            name: Name of the watchlist
+            display_name: Display name of the watchlist
+            multiplying_factor: Multiplying factor for the watchlist
+            description: Optional. Description of the watchlist
+
+        Returns:
+            Created watchlist
+
+        Raises:
+            APIError: If the API request fails
+        """
+        return _create_watchlist(
+            self, name, display_name, multiplying_factor, description
+        )
+
+    def update_watchlist(
+        self,
+        watchlist_id: str,
+        display_name: str | None = None,
+        description: str | None = None,
+        multiplying_factor: float | None = None,
+        entity_population_mechanism: dict[str, Any] | None = None,
+        watchlist_user_preferences: dict[str, Any] | None = None,
+        update_mask: str | None = None,
+    ) -> dict[str, Any]:
+        """Update a watchlist.
+
+        Args:
+            watchlist_id: ID of the watchlist to update.
+            display_name: Optional. Display name of the watchlist.
+                Must be 1-63 characters.
+            description: Optional. Description of the watchlist.
+            multiplying_factor: Optional. Weight applied to risk score
+                for entities in this watchlist. Default is 1.0.
+            entity_population_mechanism: Optional. Mechanism to populate
+                entities in the watchlist. Example: {"manual": {}}.
+            watchlist_user_preferences: Optional. User preferences for
+                watchlist configuration. Example: {"pinned": True}.
+            update_mask: Optional. Comma-separated list of fields to
+                update. If not provided, all non-None fields are updated.
+
+        Returns:
+            Updated watchlist.
+
+        Raises:
+            APIError: If the API request fails.
+        """
+        return _update_watchlist(
+            self,
+            watchlist_id,
+            display_name,
+            description,
+            multiplying_factor,
+            entity_population_mechanism,
+            watchlist_user_preferences,
+            update_mask,
+        )
+
     def get_stats(
         self,
         query: str,