feat(secops): add investigation management tools

docs/servers/secops_mcp.md

@@ -344,6 +344,46 @@ The service account or user credentials need the following Chronicle roles:
       - Zero-day exploitation
       ```
 
+- **`list_investigations(page_size=50, page_token=None, project_id=None, customer_id=None, region=None)`**
+    - **Description:** List all investigations in Chronicle instance. Returns investigation status, verdict, and confidence. Supports pagination.
+    - **Parameters:**
+        - `page_size` (optional): Number of investigations to return per page (default: 50).
+        - `page_token` (optional): Token for pagination from previous response.
+        - `project_id` (optional): Google Cloud project ID (defaults to environment config).
+        - `customer_id` (optional): Chronicle customer ID (defaults to environment config).
+        - `region` (optional): Chronicle region (defaults to environment config or 'us').
+    - **Returns:** Dictionary containing list of investigations with status, verdict, confidence, and pagination token.
+
+- **`get_investigation(investigation_id, project_id=None, customer_id=None, region=None)`**
+    - **Description:** Retrieve specific investigation by ID. Returns detailed investigation information including status and verdict.
+    - **Parameters:**
+        - `investigation_id` (required): The unique identifier of the investigation to retrieve.
+        - `project_id` (optional): Google Cloud project ID (defaults to environment config).
+        - `customer_id` (optional): Chronicle customer ID (defaults to environment config).
+        - `region` (optional): Chronicle region (defaults to environment config or 'us').
+    - **Returns:** Dictionary containing detailed investigation information including display name, status, verdict, confidence, and timestamps.
+
+- **`trigger_investigation(alert_id, project_id=None, customer_id=None, region=None)`**
+    - **Description:** Create new investigation for a specific alert. Returns created investigation details and trigger type.
+    - **Parameters:**
+        - `alert_id` (required): The unique identifier of the alert to investigate.
+        - `project_id` (optional): Google Cloud project ID (defaults to environment config).
+        - `customer_id` (optional): Chronicle customer ID (defaults to environment config).
+        - `region` (optional): Chronicle region (defaults to environment config or 'us').
+    - **Returns:** Dictionary containing created investigation details including name, status, and trigger type.
+
+- **`fetch_associated_investigations(detection_type, alert_ids=None, case_ids=None, association_limit_per_detection=5, project_id=None, customer_id=None, region=None)`**
+    - **Description:** Retrieve investigations associated with alerts or cases. Supports filtering by detection type (ALERT or CASE). Returns investigation associations with verdict information.
+    - **Parameters:**
+        - `detection_type` (required): Type of detection to query. Valid values: "ALERT", "CASE", "DETECTION_TYPE_ALERT", "DETECTION_TYPE_CASE".
+        - `alert_ids` (optional): List of alert IDs to query. Required if detection_type is ALERT.
+        - `case_ids` (optional): List of case IDs to query. Required if detection_type is CASE.
+        - `association_limit_per_detection` (optional): Maximum number of investigations to return per detection (default: 5).
+        - `project_id` (optional): Google Cloud project ID (defaults to environment config).
+        - `customer_id` (optional): Chronicle customer ID (defaults to environment config).
+        - `region` (optional): Chronicle region (defaults to environment config or 'us').
+    - **Returns:** Dictionary containing investigation associations grouped by detection ID, with verdict and confidence information.
+
 ## Usage Examples
 
 ### Example 1: Natural Language Security Event Search

server/secops/README.md

@@ -120,6 +120,20 @@ Chronicle Security Operations suite.
 - **`generate_feed_secret(feed_id, project_id=None, customer_id=None, region=None)`**
     - Creates a new authentication secret for feeds that support authentication (e.g., HTTP feeds with basic auth). This replaces any existing secret.
 
+### Investigation Management Tools
+
+- **`list_investigations(page_size=50, page_token=None, project_id=None, customer_id=None, region=None)`**
+    - List all investigations in Chronicle instance. Returns investigation status, verdict, and confidence. Supports pagination.
+
+- **`get_investigation(investigation_id, project_id=None, customer_id=None, region=None)`**
+    - Retrieve specific investigation by ID. Returns detailed investigation information including status and verdict.
+
+- **`trigger_investigation(alert_id, project_id=None, customer_id=None, region=None)`**
+    - Create new investigation for a specific alert. Returns created investigation details and trigger type.
+
+- **`fetch_associated_investigations(detection_type, alert_ids=None, case_ids=None, association_limit_per_detection=5, project_id=None, customer_id=None, region=None)`**
+    - Retrieve investigations associated with alerts or cases. Supports filtering by detection type (ALERT or CASE). Returns investigation associations with verdict information.
+
 ### API Capabilities
 
 The MCP server provides the following capabilities:
@@ -136,7 +150,8 @@ The MCP server provides the following capabilities:
 10. **Data Table Management**: Create and manage structured data tables for detection rules
 11. **Reference List Management**: Create and manage reference lists for detection rules
 12. **Feed Management**: Create, update, enable, disable, and delete data feeds
-13. **UDM Search & Export**: Direct UDM querying, field value autocomplete, and CSV export
+13. **Investigation Management**: Manage cases and investigations, trigger investigations, and fetch associated investigations
+14. **UDM Search & Export**: Direct UDM querying, field value autocomplete, and CSV export
 
 ### Example
 
@@ -151,6 +166,7 @@ These tools focus on core security operations tasks:
 - **Entity Analysis**: Use `lookup_entity` to investigate IPs, domains, hashes, and other indicators
 - **Rule Management**: Use `list_security_rules` and `search_security_rules` to manage detection rules
 - **Threat Intelligence**: Use `get_ioc_matches` and `get_threat_intel` for IOC analysis and AI-powered insights
+- **Investigation Management**: Use `list_investigations`, `get_investigation`, `trigger_investigation`, and `fetch_associated_investigations` to manage investigations and cases
 - **UDM Analysis & Export**: Use `search_udm`, `export_udm_search_csv`, and `find_udm_field_values` for direct UDM querying, data export, and field discovery
 
 ### Data Ingestion & Parsing Tools

server/secops/secops_mcp/tools/__init__.py

@@ -26,3 +26,4 @@
 from .udm_search import *
 from .search import *
 from .feed_management import *
+from .investigation_management import *