Documentation changelog
This page tracks major updates to the Google SecOps documentation including new user guides, feature and parser updates.
May 2026
The Query Joiner action for the SiemplifyUtilities integration has two new parameters: Add Backticks and Delimiter.
New documentation for default parsers including: Preempt, Preempt Auth, Privacy-i, Proofpoint Mail Filter, Proofpoint Sendmail Sentrion, Proofpoint Secure Email Relay, Proofpoint TRAP, Proofpoint Web Browser Isolation, Pure Storage, Quest Change Auditor for EMC, Quest File Access Audit, Radware Alteon, Rapid7 Nexpose, Recordia, Red Canary EDR, ReviveSec, Ribbon Analytics Platform, RSA SecurID, Sailpoint IdentityIQ, and Salesforce Commerce Cloud.
Instructions for configuring Azure storage accounts for Microsoft Defender for Endpoint default parsers.
New documentation for default parsers including: HPE Nimble Storage OS, HUMAN Security, ForgeRock OpenDJ, LogonBox, ManageEngine Log360, MicroStrategy, MongoDB, NetDocuments, Netscout OCI, Netskope Client, Nucleus Asset Metadata, One Identity Identity Manager, OpenLDAP, Oracle Unified Directory, Ordr IoT, Passive DNS, Pharos, and PhishLabs.
New documentation for default parsers including: Halcyon Anti-Ransomware, Honeyd, HP Linux, Huawei Switch, IBM CICS, IBM QRadar, IBM Security Verify SaaS, IBM Tivoli, IBM WebSphere Application Server, Infoblox RPZ, Intel471 Malware Intelligence, InterSystems Caché, ION Spectrum, JAMF Security Cloud, JumpCloud Directory Insights, Kea DHCP, Keeper Enterprise Security, Kyriba Treasury Management, LinkShadow NDR, and Precisely Ironstream for IBM z/OS.
New guide for automating data enrichment using calculated fields.
New documentation for default parsers including: Comforte SecurDPS, COVID-19 Cyber Threat Coalition IOC, Citrix Receiver, Colinet Trotta GAUS SEGUROS, Custom DNS, CyberGatekeeper NAC, D3 Banking, Desynova Contido, DHS IOC, DigitalArts i-Filter, DMP Entre, Evision FircoSoft, FireEye alert, FireEye PX, Forescout eyeInspect, Fortinet DHCP, Fortinet FortiNAC, Fortinet FortiSandbox, Fortinet Web Proxy, and Google Cloud Identity Context.
New guide for mapping SOAR permissions to Google Cloud IAM.
Added field mappings for the title Microsoft Teams chat initiated by a suspicious external user in CFD for Microsoft Graph alerts.
Updates to the SOAR pre-validation guide to include OIDC troubleshooting.
Updates to SQS section with supported SQS message body formats in the Feed Management API documentation.
Added a new connector parameter, Validate Dynamic List Entries, to the Google Chronicle integration documentation.
Add new SOAR API endpoint mappings under cases, settings, and store to their corresponding Chronicle API methods, including legacy playbook and user endpoints.
Deprecation announcements for the legacy Data Export API reference.
Updates to the Export Raw Logs to Self-Managed GCS Bucket documentation.
Updates to the Enhanced Data Export API documentation.
Updated Cloud Audit field map with new protoPayload fields within protoPayload.request.ruleDeployment and protoPayload.response to target.resource.attribute.labels.
Support for two new Google SecOps Terraform resources: chronicle_native_dashboard and chronicle_dashboard_chart.
Revamped time and date range picker in the UDM Search documentation.
New row in the SCC field map table: finding.sourceProperties.severity now maps to security_result.severity. See Field mapping reference.
VPC-SC includes new service accounts for Advanced BQ datasets.
New Ingestion Data Plane API V1 Endpoints. See Ingestion Methods.
Updated permissions for Unified Rules Dashboard and added a Saved Views section. See Detect threats.
Update rule testing section to include curated rules in Test your rule.
Updated deprecation dates for Reference lists to May 2027. The removal date is July 2027. See Deprecations.
Enhanced Data Export API GA and deprecation of the legacy Data Export API and related items. See Google SecOps Release Notes.
New documentation for default parsers including: Arista VeloCloud SD-WAN, Microsoft Defender for Endpoint, Sangfor Proxy, SAP Sybase ASE, SAP BTP, SAP NetWeaver, SAP SM20, SAP SuccessFactors, Saviynt EIP, SecureLink, Semperis DSP, Sonrai Security, SOTI MobiControl, Splunk Attack Analyzer, SpyCloud, Stealthbits Audit, Stealthbits Defend, Riverbed SteelHead, STIX Threat Intelligence.
Clarify that Azure AD Context provides directory information on users, removing mention of groups and devices.
Updates to Zscaler default parsers: Zscaler CASB, Zscaler DLP, and Zscaler Web Proxy.
Updated documentation for 44 default parsers including: Imperva SecureSphere, JFrog Artifactory, ManageEngine AD360, and others.
Update Azure AD Context documentation to clarify entity generation.
Updated documentation for default parsers including: FireEye HX, Fivetran, Juniper Firewall, and others.
Updated documentation for default parsers including: Cisco DNAC, Cloudflare, CyberArk PAM, and others.
Updated the HTTP Header name in the sample script for Office 365 Message Trace.
Corrected ingestion method for Microsoft Defender for Cloud alerts to Third Party API.
Newly mapped the events.parameters[device_compromised_state] raw log field to the target.resource.attribute.labels[device_compromised_state] UDM field in the Workspace Activity default parser.
Added new TELNET, SFTP, IMAP, POP3, and IRC enums to the network.application_protocol UDM field for Corelight sensors.
Refactored ServiceNow Security parser documentation.
Updates to the F5 BIG-IP LTM default parser.
Updates to the Microsoft Intune and Microsoft Intune Context default parser documentation.
New documentation for default parsers including: Static IP asset context, BMC Client Management, Zeek (Bro) TSV, Centripetal Networks IOC, Cequence Bot Defense, Cimcor CimTrak, CIS Albert alert, Cisco Secure Workload, Oracle Cloud Infrastructure Audit, Palo Alto Prisma Access CASB, Proofpoint TAP Forensics, Proofpoint TAP Threats, Red Hat Directory Server LDAP, Netwrix Privilege Secure for Discovery, Rubrik Security Cloud, Saiwall VPN, SAP Cloud Identity Services, SentinelOne Activity, and Smartsheet.
Updated the Salesforce default parser documentation for feed configuration and UDM mapping.
Added permissions section to Office 365 parser documentation.
Updated custom header in Falco Sidekick parser documentation to X-Webhook-Access-Key.