google
diff --git a/‎.github/workflows/gemini-review.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/gemini-review.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/integration_test.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/integration_test.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/test.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/test.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎CHANGELOG.md‎
Lines changed: 49 additions & 1 deletion b/‎CHANGELOG.md‎
Lines changed: 49 additions & 1 deletion
diff --git a/‎CLI.md‎
Lines changed: 98 additions & 1 deletion b/‎CLI.md‎
Lines changed: 98 additions & 1 deletion
@@ -33,7 +33,6 @@ jobs:
         uses: 'google-github-actions/run-gemini-cli@v0' # ratchet:exclude
         id: 'gemini_pr_review'
         env:
-          GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN || github.token }}'
           ISSUE_TITLE: '${{ github.event.pull_request.title || github.event.issue.title }}'
           ISSUE_BODY: '${{ github.event.pull_request.body || github.event.issue.body }}'
           PULL_REQUEST_NUMBER: '${{ github.event.pull_request.number || github.event.issue.number }}'
@@ -179,7 +178,6 @@ jobs:
             });
             ```
             
-            IMPORTANT: 
             - DO NOT modify the "owner" and "repo" parameters - they must be exactly as shown
             - Use only '${{ env.PULL_REQUEST_NUMBER }}' as PR number. DO NOT PARSE from anywhere.
             - DO NOT try to access environment variables through shell commands
@@ -360,3 +358,5 @@ jobs:
             ## Final Instructions
 
             Remember, you are running in a virtual machine and no one reviewing your output. Your review must be posted to GitHub using the MCP tools to create a pending review, add comments to the pending review, and submit the pending review.
+
+          gcp_token_format: '${{ secrets.GITHUB_TOKEN || github.token }}'  # Migrated from env var
@@ -252,15 +252,15 @@ jobs:
           python -m pytest tests/ -m "integration" -v --junitxml=junit/integration-test-results.xml
       
       - name: Upload integration test results
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         if: always()
         with:
           name: integration-test-results
           path: junit/integration-test-results.xml
           retention-days: 1
 
       - name: Publish integration test results
-        uses: EnricoMi/publish-unit-test-result-action@v2
+        uses: EnricoMi/publish-unit-test-result-action@v2.23.0
         if: always()
         with:
           files: junit/integration-test-results.xml
 
@@ -53,7 +53,7 @@ jobs:
     # Only upload coverage report for Python 3.10
     - name: Upload coverage report
       if: matrix.python-version == '3.10'
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@v7
       with:
         name: coverage-report
         path: coverage.xml
 
@@ -5,13 +5,61 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [0.36.0] - 2026-03-31
+## [0.38.0] - 2026-03-31
 ### Added
 - CLI local configuration support with `--local` flag for config set and view commands
 - `SECOPS_LOCAL_CONFIG_DIR` environment variable support for managing multiple local configurations
 
 ### Updated
 - CLI argument parsing to properly handle global flags placed after subcommands
+## [0.37.0] - 2026-03-11
+### Added
+- Comprehensive case management functionality for Chronicle
+  - `get_case()` - Retrieve single case details with optional field expansion
+  - `list_cases()` - List cases with filtering, pagination, and sorting capabilities
+  - `patch_case()` - Update case properties using partial updates
+  - `merge_cases()` - Merge multiple cases into a single case
+  - `get_cases()` - Legacy batch case retrieval for multiple case IDs
+- Bulk case operations for efficient case management
+  - `execute_bulk_add_tag()` - Add tags to multiple cases
+  - `execute_bulk_assign()` - Assign multiple cases to users
+  - `execute_bulk_change_priority()` - Change priority for multiple cases
+  - `execute_bulk_change_stage()` - Change stage for multiple cases
+  - `execute_bulk_close()` - Close multiple cases with reasons
+  - `execute_bulk_reopen()` - Reopen multiple cases
+- Complete CLI support for case management through `secops case` commands
+  - `secops case get` - Get single case details
+  - `secops case list` - List cases with filtering and pagination
+  - `secops case update` - Update case properties
+  - `secops case merge` - Merge multiple cases
+  - `secops case bulk-*` commands for bulk operations
+
+## [0.36.0] - 2026-03-10
+### Added
+- Raw log search functionality with `search_raw_logs()` method
+- CLI command `secops search raw-logs` for searching raw logs
+
+## [0.35.3] - 2026-03-03
+### Updated
+- Dashboard methods to use centralized `chronicle_request` helper function for improved code consistency and maintainability
+
+### Added
+- Helper functions for formatting dashboard resources
+- Pagination helper for `list_dashboards` method
+
+## [0.35.2] - 2026-03-02
+### Added
+- `parse_statedump` parameter to `run_parser()` method for converting 
+  statedump strings into structured JSON format
+- CLI `--parse-statedump` flag for `secops parser run` command
+
+## [0.35.1] - 2026-02-23
+### Added
+- `as_list` parameter to `search_udm()` for returning events as a list instead of dictionary
+- CLI `--as-list` flag for `secops search` command
+
+### Updated
+- Migrated `search_udm()` to use `chronicle_request` helper for improved error handling and consistency
 
 ## [0.35.0] - 2026-02-18
 ### Added
 
@@ -165,6 +165,9 @@ Search for events using UDM query syntax:
 
 ```bash
 secops search --query "metadata.event_type = \"NETWORK_CONNECTION\"" --max-events 10
+
+# Get result as list
+secops search --query "metadata.event_type = \"NETWORK_CONNECTION\"" --max-events 10 --as-list
 ```
 
 Search using natural language:
@@ -212,6 +215,21 @@ Search ingested UDM field values that match a query:
 secops search udm-field-values --query "source" --page-size 10
 ```
 
+### Search Raw Logs
+
+Search for raw logs in Chronicle using the query language:
+
+```bash
+secops search raw-logs \
+  --query 'raw = \"authentication\"' \
+  --snapshot-query 'user != ""' \
+  --time-window 24 \
+  --case-sensitive \
+  --log-types "OKTA,AZURE_AD" \
+  --max-aggregations-per-field 100 \
+  --page-size 25
+```
+
 ### Get Statistics
 
 Run statistical analyses on your data:
@@ -654,8 +672,18 @@ secops parser run \
 secops parser run \
   --log-type OKTA \
   --logs-file "./test.log"
+
+# Run parser with statedump for debugging (outputs readable parser state)
+secops parser run \
+  --log-type WINEVTLOG \
+  --parser-code-file "./parser.conf" \
+  --logs-file "./logs.txt" \
+  --statedump-allowed \
+  --parse-statedump
 ```
 
+The `--statedump-allowed` flag enables statedump output in the parser results, which shows the internal state of the parser during execution. The `--parse-statedump` flag converts the statedump string into a structured JSON format.
+
 The command validates:
 - Log type and parser code are provided
 - At least one log is provided
@@ -1054,6 +1082,8 @@ secops rule-exclusion compute-activity \
 
 ### Case Management
 
+Chronicle also provides comprehensive case management capabilities for tracking and managing security investigations. The CLI supports listing, retrieving, updating, and performing bulk operations on cases.
+
 Get case details for specific case IDs:
 
 ```bash
@@ -1071,7 +1101,74 @@ secops alert --time-window 24 --max-alerts 50 > alerts.json
 secops case --ids "case-123,case-456"
 ```
 
-> **Note**: The case management uses a batch API that can retrieve multiple cases in a single request. You can provide up to 1000 case IDs separated by commas.
+> **Note**: You can provide up to 1000 case IDs separated by commas.
+
+#### List cases
+
+```bash
+# List all cases with default pagination
+secops case list --page-size 50
+
+# List with filtering
+secops case list --page-size 100 --filter 'status = "OPENED"' --order-by "createTime desc"
+
+# Get cases as a flat list instead of paginated dict
+secops case list --page-size 50 --as-list
+```
+
+#### Get case details
+
+```bash
+# Get a specific case by ID
+secops case get --id "12345"
+
+# Get case with expanded fields
+secops case get --id "12345" --expand "tags,products"
+
+# Legacy: Get multiple cases by IDs (batch API)
+secops case --ids "case-123,case-456"
+```
+
+> **Note**: The legacy batch API can retrieve up to 1000 case IDs in a single request.
+
+#### Update a case
+
+```bash
+# Update case priority
+secops case update --id "12345" --data '{"priority": "PRIORITY_HIGH"}' --update-mask "priority"
+
+# Update multiple fields
+secops case update --id "12345" --data '{"priority": "PRIORITY_MEDIUM", "stage": "Investigation"}' --update-mask "priority,stage"
+```
+
+#### Merge cases
+
+```bash
+# Merge source cases into target case
+secops case merge --source-ids "12345,67890" --target-id "11111"
+```
+
+#### Bulk operations
+
+```bash
+# Bulk add tags to cases
+secops case bulk-add-tag --ids "12345,67890" --tags "phishing,high-priority"
+
+# Bulk assign cases to a user
+secops case bulk-assign --ids "12345,67890" --username "@SecurityTeam"
+
+# Bulk change priority
+secops case bulk-change-priority --ids "12345,67890" --priority "HIGH"
+
+# Bulk change stage
+secops case bulk-change-stage --ids "12345,67890" --stage "Remediation"
+
+# Bulk close cases
+secops case bulk-close --ids "12345,67890" --close-reason "NOT_MALICIOUS" --root-cause "False positive - benign activity"
+
+# Bulk reopen cases
+secops case bulk-reopen --ids "12345,67890" --reopen-comment "New evidence discovered"
+```
 
 ### Investigation Management