
feat(secops): add watchlist management tools #222

Merged
dandye merged 7 commits into main from feature/add-watchlist-tools on Feb 26, 2026

Conversation

@mihirvala08 (Collaborator)

Summary

Added Watchlist Management tools to SecOps MCP for Chronicle SIEM, enabling AI-assisted entity risk scoring and watchlist lifecycle management.

What

Added 5 Chronicle SIEM Watchlist Management tools:

  • create_watchlist - Create new watchlist with risk multiplier
  • update_watchlist - Update watchlist properties (display name, description, risk multiplier, entity population mechanism, user preferences)
  • delete_watchlist - Delete watchlist by ID with force option
  • get_watchlist - Retrieve watchlist details and configuration
  • list_watchlists - List all watchlists with pagination support

Changelog

  • server/secops/secops_mcp/tools/watchlist_management.py: Added watchlist management tools for creating, updating, deleting, retrieving, and listing watchlists with comprehensive documentation and error handling
  • server/secops/secops_mcp/tools/__init__.py: Added import for watchlist management tools
  • server/secops/tests/test_secops_watchlist_mcp.py: Integration tests for watchlist management tools covering full lifecycle (create, update, delete) and read operations (list, get) with real Chronicle API calls

Testing

  • 4 integration test methods covering all 5 tools
  • Full lifecycle test with create → update → delete workflow
  • Cleanup logic in finally blocks to prevent test data pollution
  • Skips gracefully when no watchlists available

@mihirvala08 mihirvala08 marked this pull request as ready for review January 22, 2026 12:02
@mihirvala08 mihirvala08 requested a review from a team January 22, 2026 12:02
@dandye dandye self-assigned this Feb 26, 2026
@dandye (Collaborator) commented Feb 26, 2026

Integration Test Evidence

list_watchlists

Screenshot 2026-02-26 at 5 34 17 PM

get_watchlist

Screenshot 2026-02-26 at 5 34 46 PM

update_watchlist

Screenshot 2026-02-26 at 5 36 28 PM

…-tools

# Conflicts:
#	docs/servers/secops_mcp.md
#	server/secops/README.md
#	server/secops/secops_mcp/tools/__init__.py
@dandye (Collaborator) left a comment

Test evidence in the comments. Nice work, @mihirvala08!

Signed-off-by: @dandye

@dandye dandye merged commit 75b0134 into main Feb 26, 2026
1 check passed
@dandye dandye deleted the feature/add-watchlist-tools branch February 26, 2026 23:20


2 participants