New Documentation changelogs
Google SecOps is now releasing a monthly changelog to capture major documentation updates.
For more information, refer to Documentation changelog.
]]>Non-prioritized IoC Matching rules Category
Google SecOps has introduced a new detection category, Non-prioritized IoC Matching rules, as part of the Curated Detections feature. These rule sets integrate with Google's Indicators of Compromise (IoC) feeds and build on curated threat intelligence to identify malicious activities within Google SecOps environments, specifically focusing on threats identifiable through high-fidelity indicators like IPs, domains, and file hashes.
This rules category provides comprehensive coverage for threats often missed by standard managed content, including cryptomining, Command and Control (C2) communications, and the use of malicious anonymization services.
For more information, refer to Non-prioritized IoC Matching rules category overview.
]]>[Spotlight Feature] Search for cases using SIEM Search
Google SecOps SIEM Search now provides robust capabilities for analyzing cases and case history alongside existing Unified Data Model (UDM) events and entities. This update allows security analysts to seamlessly correlate case details with other security telemetry within a single interface, streamlining workflows and accelerating incident response.
Key Highlights:
Unified Search Experience: Conduct searches across UDM events, entities, cases, and case history from a single SIEM Search interface.
Correlate SIEM and SOAR Data: Effortlessly link case details and historical activities with security data, reducing context switching and improving investigation efficiency.
For more information, see Search cases and case history.
[Spotlight Feature] Investigate detections in Google SecOps Search
Google SecOps Search now supports querying, filtering, and analyzing system-generated detections. When searching on events or entities, matching detections will now appear in the Alerts and Detections tab, providing a more holistic workflow for threat investigation.
For more details, see Investigate detections in Search.
Asynchronous Search APIs for large datasets
Google SecOps now supports asynchronous Search APIs that let you perform long-running queries without blocking your applications. This is ideal for searches that return a large volume of results.
For more information, see Asynchronous Search APIs and Result limits for data sources.
]]>UDM fields now show the sources of enrichment
The new Enrichment feature introduces improvements for managing and understanding your data. Each UDM field is now labeled with an icon to indicate its data source: U for unenriched fields and E for enriched fields. Enriched fields contain additional metadata values that indicate the source of the enriched data.
For more information, see: Viewing events.
]]>The Manage access to preview features feature has been rolled back.
]]>Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.
The following supported default parsers have been updated. Each parser is listed by product name and log_type value, where applicable. This list includes both released default parsers and pending parser updates.
ONEPASSWORD_AUDIT_EVENTS)AIX_SYSTEM)APACHE)ARUBA_EDGECONNECT_SDWAN)AVAYA_AURA)AWS_CLOUDFRONT)AWS_CLOUDTRAIL)GUARDDUTY)AWS_SECURITY_HUB)AZURE_AD)AZURE_AD_CONTEXT)AZURE_AD_SIGNIN)AZURE_SQL)AZURE_STORAGE_AUDIT)BARRACUDA_WAF)BLUECOAT_WEBPROXY)CHROME_MANAGEMENT)CISCO_ACS)CISCO_ISE)CISCO_SECURE_ACCESS)CISCO_SECURE_WORKLOAD)CISCO_SWITCH)CISCO_UMBRELLA_AUDIT)CITRIX_NETSCALER)CLAROTY_XDOME)CLAUDE_COMPLIANCE_LOGS)CLOUDFLARE)CLOUDFLARE_WARP)CORELIGHT)CS_ALERTS)CS_EDR)CYBERARK)CYBERARK_PAM)DUO_ADMIN)EFFICIENTIP_DDI)ELASTIC_AUDITBEAT)ELASTIC_WINLOGBEAT)F5_ASM)FORCEPOINT_WEBPROXY)FORTINET_FIREWALL)GITHUB)GCP_CLOUD_ASSET_INVENTORY)GCP_CLOUDAUDIT)GCP_COMPUTE_CONTEXT)GTI_IOC)GTB_DLP)CLEARPASS)IBM_WEBSPHERE_APP_SERVER)IBM_ZOS)IMPERVA_WAF)IMPERVA_CEF)IMPERVA_DRA)IMPERVA_SECURESPHERE)ISLAND_BROWSER)JUNIPER_FIREWALL)JUNIPER_MIST)KUBERNETES_NODE)LASTPASS)AUDITD)AZURE_ACTIVITY)MICROSOFT_DEFENDER_MAIL)IIS)MOBILEIRON)MONGO_DB)MYSQL)NETAPP_STORAGEGRID)NETSKOPE_ALERT_V2)NETSKOPE_WEBPROXY)GCP_NGFW_ENTERPRISE)OFFICE_365)OFFICE_365_MESSAGETRACE)OKTA_SCALEFT)ORACLE_DB)OCI_AUDIT)ORCA)PROOFPOINT_ON_DEMAND)RADWARE_FIREWALL)REDHAT_DIRECTORY_SERVER)REDHAT_OPENSHIFT)SALESFORCE)SANGFOR_NGAF)GCP_SECURITYCENTER_ERROR)GCP_SECURITYCENTER_MISCONFIGURATION)GCP_SECURITYCENTER_OBSERVATION)GCP_SECURITYCENTER_POSTURE_VIOLATION)GCP_SECURITYCENTER_THREAT)GCP_SECURITYCENTER_TOXIC_COMBINATION)GCP_SECURITYCENTER_UNSPECIFIED)GCP_SECURITYCENTER_VULNERABILITY)SENTINELONE_CF)SERVICENOW_SECURITY)SOURCEFIRE_IDS)SURICATA_EVE)SEP)SYSDIG)TRENDMICRO_DEEP_SECURITY)TRENDMICRO_VISION_ONE_OBSERVERD_ATTACK_TECHNIQUES)UBIQUITI_SWITCH)NIX_SYSTEM)UPWIND)VMWARE_ESX)VMWARE_VSPHERE)WINDOWS_DNS)WINEVTLOG)WIZ_IO)WORKDAY_USER_ACTIVITY)WORKSPACE_ACTIVITY)ZSCALER_WEBPROXY)ZSCALER_CASB)ZSCALER_DLP)ZSCALER_ZPA)The following log types were added without a default parser. Each parser is listed by product name and log_type value, where applicable.
AZURE_SOFTWARE_VULNERABILITIES)CALLER_VERIFY)CERTSECURE_LOG)CISCO_MULTICLOUD_DEFENSE_FIREWALL)CURSOR)CYFIRMA_DECYFIR_LOG)DATABAHN)FLARE_DARKWEB_ALERTS)FORTINET_FORTIAPPSEC)HIKVISION_NVR)IBM_B2B_INTEGRATOR)IBM_VDP)IMPERVA_ATO)IMPERVA_CSP)IMPERVA_DNS)IMPERVA_NETWORK_SECURITY)MICROSOFT_DEFENDER_XDR)NAKIVO_BACKUP)NETCRAFT_TAKEDOWN)NXL_AMPLIFY)SIEMENS_DESIGO)[Spotlight Feature] Unified and Upgraded Chronicle API
Chronicle API has been unified with API resources from legacy SOAR API. Further, we've upgraded the following Chronicle API resources from v1 beta to v1. This upgrade signals API stability and functional completeness, enabling customer and partner adoption for production usage. We recommend that customers and partners use Chronicle API for a more robust, secure, and extensible experience. Learn more about API Stability.
The following features and resources are included in this update:
For a full list of updated resources and links to the documentation, please see the Chronicle API documentation.
[Spotlight Feature] Manage access to preview features
Google Sec0ps tenant administrators can enable or disable access to public preview features. Previously, all public preview features needed to be enabled through official Support channels.
The new Public Preview Features page lists all the public preview features, the status of each feature (on or off)—along with (when available) the expected GA date and a link to a relevant user guide.
For more information, see Manage access to preview features.
]]>Standard parser support policy
Google SecOps introduced a focused support policy for Standard parsers to scale platform stability, predictable performance, and high-quality data normalization. The new policy structures service level objectives (SLOs) and request triaging by customer support tiers (Standard versus Expert/Expert+), and prioritizes core security data through Important UDM Fields. Additionally, the policy outlines a community-driven model where low-usage, longtail prebuilt parsers migrate to a dedicated GitHub repository maintained by partners and the Google SecOps community.
For more information, see Standard parser support policy.
]]>[Spotlight Feature] Create and manage calculated fields
The Calculated Fields feature is now available in Preview. With Calculated Fields, you can dynamically derive new data points within Google Security Operations cases and alerts. By defining logical formulas, you can compute values based on existing system or custom fields. The calculated value is automatically evaluated and stored in a user-selected, pre-existing custom field (labeled Target Field) in real time.
For more information, see Create and manage calculated fields.
Time range selection for searches
Google SecOps has now added relative and absolute time range options to define the required time period for retrieving search results.
For more information, see Set the date and time range.
]]>[Spotlight Feature] Enhanced Data Export API general availability and improvements
The Data Export API is now GA and introduces significant security and capability improvements. This feature facilitates the bulk export of your security data from Google SecOps to a Google Cloud Storage bucket that you control, and it provides a more secure and scalable data archival experience than the legacy Data Export API feature.
Here's what's new:
For more information, see Data Export API (enhanced).
The legacy Data Export API is deprecated in favor of the enhanced Data Export API, which provides a more secure and scalable data archival experience. After June 18, 2026, legacy Data Export API won't work.
The fetchavailablelogtypes API endpoint is deprecated in favor of the list endpoint. After June 18, 2026, the fetchavailablelogtypes API endpoint won't work.
The updateDataExport endpoint in the enhanced Data Export API is deprecated. The reduction in job queue times using the enhanced Data Export API has eliminated the need for the update functionality of the updateDataExport API endpoint. The updateDataExport endpoint was present in v1alpha only; it wasn't present in in v1beta or v1. After June 18, 2026, the updateDataExport API endpoint won't work. You can still cancel queued export jobs.
The logType field in the enhanced Data Export API is deprecated in favor of the new (optional)includeLogTypes field, which supports an array of log types for data filtering. If left blank, the export job includes all log types by default. The logType field was present in v1alpha only; it wasn't present in in v1beta or v1. After June 18, 2026, the logType field is discontinued.
New parser documentation now available
New parser documentation is available to help you ingest and normalize logs from the following sources:
Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.
The following supported default parsers have been updated. Each parser is listed by product name and log_type value, where applicable. This list includes both released default parsers and pending parser updates.
AKEYLESS_VAULT)CASSANDRA)ARUBA_WIRELESS)ARUBA_EDGECONNECT_SDWAN)AUTH_ZERO)AWS_AURORA)AWS_EC2_VPCS)AWS_SECURITY_HUB)AZURE_FIREWALL)AZURE_FRONT_DOOR)BARRACUDA_CLOUDGEN_FIREWALL)BLUECOAT_WEBPROXY)CHECKPOINT_FIREWALL)CHECKPOINT_EDR)CHECKPOINT_SMARTDEFENSE)CHRONICLE_SOAR_AUDIT)CISCO_ACI)CISCO_ASA_FIREWALL)CISCO_FIRESIGHT)CISCO_IOS)CISCO_ISE)CISCO_MERAKI)CISCO_SECURE_ACCESS)CISCO_SECURE_WORKLOAD)CISCO_SWITCH)CISCO_UMBRELLA_AUDIT)CISCO_WIRELESS)CITRIX_NETSCALER)CLAROTY_XDOME)CLOUDFLARE_WARP)CS_ALERTS)CS_EDR)CYBERARK)CYBERARK_PAM)EPIC)F5_ASM)F5_BIGIP_APM)F5_BIGIP_LTM)F5_DCS)FIREEYE_EMPS)FIREEYE_NX)FORTINET_FIREWALL)FORTINET_FORTIEDR)FORTINET_WEBPROXY)GITHUB)GCP_CLOUDAUDIT)GTI_IOC)GUARDICORE_CENTRA)CLEARPASS)HUAWEI_SWITCH)IBM_WEBSPHERE_APP_SERVER)IBM_ZOS)IMPERVA_SECURESPHERE)INFOBLOX)JUNIPER_FIREWALL)KUBERNETES_NODE)AUDITD)ADMANAGER_PLUS)MCAFEE_EPO)MCAFEE_WEBPROXY)MICROSOFT_DEFENDER_CLOUD_ALERTS)MICROSOFT_DEFENDER_ENDPOINT)MICROSOFT_DEFENDER_IDENTITY)MICROSOFT_GRAPH_ALERT)IIS)MOBILEIRON)GCP_MODEL_ARMOR)MYSQL)NETSKOPE_WEBPROXY)NONAME_API_SECURITY)OFFICE_365)OKTA)OCI_AUDIT)ORACLE_NETSUITE)PAN_FIREWALL)PAN_PANORAMA)PAN_CASB)PAN_PRISMA_CA)PING)POSTFIX_MAIL)PROOFPOINT_ON_DEMAND)PROOFPOINT_MAIL)PROOFPOINT_TRAP)RADWARE_FIREWALL)RAPID7_INSIGHT)SAP_HANA_AUDIT)SECUREAUTH_SSO)GCP_SECURITYCENTER_POSTURE_VIOLATION)GCP_SECURITYCENTER_THREAT)GCP_SECURITYCENTER_TOXIC_COMBINATION)SENTINEL_DV)SENTINELONE_CF)SILVERFORT)CA_SSO_WEB)SONIC_FIREWALL)SQUID_WEBPROXY)STIX)SURICATA_EVE)SYSDIG)TANIUM_THREAT_RESPONSE)THINKST_CANARY)TRENDMICRO_APEX_ONE)NIX_SYSTEM)VECTRA_XDR)VMWARE_ESX)WALLIX_BASTION)WATCHGUARD)WINDOWS_DEFENDER_AV)WINDOWS_DNS)WINEVTLOG)WINEVTLOG_XML)WIZ_IO)ZSCALER_EMAIL_DLP)The following log types were added without a default parser. Each parser is listed by product name and log_type value, where applicable.
ALTIRIS_LOGS)ARUBA_AP)BLOXONE_DHCP)CHECKMARX_ONE)CISCO_NDO)CROWDSTRIKE_CSPM)F5_F5OS_A)GATEWATCHER_NDR)HASHICORP_TERRAFORM)JAMF_PROTECT_V2)OCI_WAF)QUALYS_FIM)SAILPOINT_IDENTITYNOW)SERVICENOW_CERTIFICATE)SERVICENOW_USER)SERVICENOW_USER_LOGIN_HISTORY)SITEGUARD_SERVER)TOSI_HUB)TRELLIX_NDR)Enhanced "Time to respond" options for multi-choice questions
Google SecOps now provides more granular control over playbook execution when the "time to respond" for a MultiChoiceQuestion step is exceeded. When configuring a multi-choice question, you can now choose to proceed with one of the predefined answer branches or to create a dedicated branch to handle this scenario.
For more information, see Add a multi-choice question flow.
]]>VPC Service Controls for Google SecOps general availability
VPC Service Controls is now GA. This feature helps to create perimeters and protect resources and services data from accidental or targeted action by external or insider entities. This in turn can minimize unwarranted data exfiltration risks from Google Cloud services. For more information, see Configure VPC Service Controls for Google SecOps and Overview of VPC Service Controls.
]]>New parser documentation now available
New parser documentation is available to help you ingest and normalize logs from the following sources:
Support for the legacy Google Security Operations SIEM infrastructure will end on April 30, 2027. After this date, you will no longer have access to your Google SecOps SIEM instance on the legacy infrastructure. You need to self-migrate Google Security Operations SIEM in legacy Infrastructure to Google Cloud to align with industry standards and improve your reliability, privacy, security, compliance, and granular access controls. Follow the Migration guide and Community post to begin your transition.
This migration applies to you only if your SIEM instance meets one of the conditions below:
This migration does not apply to you if your SIEM instance meets all the conditions below:
[Spotlight Feature] Unified and upgraded Chronicle API
Chronicle API has been unified with API resources from legacy SOAR API. In addition, we've upgraded the following Chronicle API resources from alpha to beta. This upgrade signals API Stability and functional completeness, enabling customer and partner adoption for production usage. We recommend customers use Chronicle API for a more robust, secure, and extensible experience.
For more information, see Chronicle API.
Emerging Threats Center general availability
The Emerging Threats Center is now in General Availability (GA) and includes the following new features and enhancements:
For more information, see Emerging Threats Center overview and Emerging Threats Center detail view.
]]>[Spotlight Feature] Search query editor enhancements
Google SecOps has enhanced the search query editor to provide intelligent auto-suggestions and improved error handling. The query editor now provides context-aware auto-suggestions for fields, operators, and valid values as you type. The editor also highlights syntax errors with a red squiggly line and displays a tooltip with the specific error description when you hover over it. Additionally, runtime errors now display persistently in the Results panel to assist with troubleshooting.
For more information, see Use auto-suggestions to build queries.
[Spotlight Feature] Health Hub
This feature is currently in Preview.
The Health Hub is the central location in Google Security Operations for you to monitor the status and health of all configured data sources. The Health Hub provides crucial information on data sources and log types, offering the context needed to diagnose and remediate data pipeline issues.
The Health Hub includes information about the following:
For more information, see Use the Health Hub.
]]>Updates to search query limits and error messaging
Google SecOps has updated search query limits for programmatic and web interface access:
For more information, see Search limits and quotas
v1 Cloud Storage Feed Types (GCS, S3, SQS, Azure)
The v1 feed types for GOOGLE_CLOUD_STORAGE, AMAZON_S3, AMAZON_SQS, and AZURE_BLOBSTORE are deprecated and will be discontinued on March 15, 2027. The new v2 feed types uses the Google Cloud Storage Transfer Service (STS) to provide improved performance, scalability, and reliability.
To ensure continued ingestion, transition your feeds before the March 15, 2027 shutdown date:
You can also self-migrate by creating new feeds using v2 feed types to substitute your existing feeds using v1 feed types by following the steps documented in our feed configuration guides before March 15, 2027.
Key Dates:
For more information, see Feature deprecations.
]]>Playbook Condition and Multi-Choice Question Flows
The maximum number of branches supported in Playbook Conditions and Multiple Choice Questions has been increased from 6 to 20. This allows for more complex branching logic within a single step.
For more information, see Use flows in playbooks.
]]>Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.
The following supported default parsers have been updated. Each parser is listed by product name and log_type value, where applicable. This list includes both released default parsers and pending parser updates.
ABNORMAL_SECURITY)AI_HUNTER)AIX_SYSTEM)APACHE)CASSANDRA)ARUBA_WIRELESS)ARUBA_EDGECONNECT_SDWAN)AUTH_ZERO)AWS_AURORA)AWS_CLOUDFRONT)AWS_CLOUDTRAIL)AWS_CLOUDWATCH)AWS_VPC_FLOW)AWS_WAF)AZURE_AD)AZURE_AD_AUDIT)AZURE_FRONT_DOOR)AZURE_SQL)BOMGAR)BEYONDTRUST_BEYONDINSIGHT)BLUECOAT_WEBPROXY)BROADCOM_SUPPORT_PORTAL)CHECKPOINT_HARMONY)CHRONICLE_SOAR_AUDIT)CISCO_ASA_FIREWALL)CISCO_EMAIL_SECURITY)CISCO_ISE)CISCO_MERAKI)CISCO_SECURE_ACCESS)CISCO_SWITCH)CISCO_UMBRELLA_AUDIT)UMBRELLA_DNS)CISCO_WSA)GCP_DNS)GCP_CLOUDSQL)CLOUDFLARE)CLOUDFLARE_WARP)CODE42_INCYDR)CS_ALERTS)CS_EDR)CS_STREAM)CYBERARK_PAM)CYBEREASON_EDR)CYJAX_THREAT_INTELLIGENCE)CTIX)DATABRICKS)DUO_AUTH)ELASTIC_DEFEND)ESET_AV)F5_ASM)F5_BIGIP_APM)FIREEYE_EMPS)FIREEYE_ETP)FIREEYE_NX)FORESCOUT_NAC)FORGEROCK_IDENTITY_CLOUD)FORTINET_FORTIANALYZER)GITHUB)GTI_IOC)CLEARPASS)HUAWEI_SWITCH)IBM_DATAPOWER)IBM_SAFENET)IBM_WEBSPHERE_APP_SERVER)IMPERVA_ABP)IMPERVA_SECURESPHERE)JUNIPER_FIREWALL)KOLIDE)KUBERNETES_AUDIT)KUBERNETES_NODE)AUDITD)MARIA_DB)MCAFEE_EPO)MCAFEE_SKYHIGH_CASB)MCAFEE_WEBPROXY)AZURE_ACTIVITY)MICROSOFT_DEFENDER_CLOUD_ALERTS)MICROSOFT_GRAPH_ALERT)IIS)MICROSOFT_SQL)MIMECAST_MAIL_V2)LOOKOUT_MOBILE_ENDPOINT_SECURITY)MOBILEIRON)NETAPP_ONTAP)NETSKOPE_ALERT_V2)NETSKOPE_WEBPROXY)OBSIDIAN)OFFICE_365)OORT)ORACLE_DB)ORCA)PAN_CORTEX_XDR_EVENTS)PAN_FIREWALL)PAN_PRISMA_CA)POSTFIX_MAIL)PROOFPOINT_ON_DEMAND)PROOFPOINT_MAIL)PROOFPOINT_TRAP)RADWARE_FIREWALL)REDHAT_OPENSHIFT)SALESFORCE)SAP_CHANGE_DOCUMENT)SAP_GATEWAY)SAP_HANA_AUDIT)SAP_SECURITY_AUDIT)GCP_SECURITYCENTER_POSTURE_VIOLATION)GCP_SECURITYCENTER_SENSITIVE_DATA_RISK)GCP_SECURITYCENTER_THREAT)GCP_SECURITYCENTER_TOXIC_COMBINATION)SNYK_SDLC)SURICATA_EVE)SYMANTEC_EDR)SYSDIG)TENABLE_ADS)THREATCONNECT_IOC_V3)TRELLIX_HX_ALERTS)TRELLIX_HX_AUDIT)TRELLIX_HX_ES)TRELLIX_HX_HOSTS)TRENDMICRO_VISION_ONE_ENDPOINT_VULNERABILITIES)TRENDMICRO_VISION_ONE_OBSERVERD_ATTACK_TECHNIQUES)TRENDMICRO_VISION_ONE_WORKBENCH)TRENDMICRO_APEX_CENTRAL)TRENDMICRO_STELLAR)UBIKA_WAF)NIX_SYSTEM)VARONIS)VMWARE_AVINETWORKS_IWAF)VMWARE_ESX)VMWARE_HORIZON)WALLIX_BASTION)WINDOWS_DNS)WINEVTLOG)WINEVTLOG_XML)WIZ_IO)BRO_JSON)ZSCALER_WEBPROXY)The following log types were added without a default parser. Each parser is listed by product name and log_type value, where applicable.
ACTION1)CDNETWORKS_CLOUD_SECURITY)CLAUDE_COMPLIANCE_LOGS)DELL_RECOVERPOINT)IBM_STORWIZE)LEAPXPERT_AUDIT)ORACLE_KEY_VAULT_AUDIT_LOGS)RSA_CLOUD)SERVICENOW_ANTIVIRUS_ACTIVITY)SERVICENOW_ATTACHMENT)SERVICENOW_EMAIL)VERSA_DIRECTOR)ZPE_SYSTEMS_NODEGRID)Chrome Enterprise Premium Integration general availability
The Chrome Enterprise Premium integration is now GA. This release includes the following new features and updates:
New Chrome Enterprise Connector which configures recommended data export settings and sends data through Google Cloud to Google Security Operations. Chrome Enterprise Premium customers can export data with additional security context provided by Google Safe Browsing.
Updates to the CHROME_MANAGEMENT parser documentation in Collect Chrome Enterprise data and
Chrome Enterprise Premium Threats.
Curated Detections for Chrome Enterprise Premium.
Curated Dashboards for Chrome Enterprise Premium.
Response actions to block and remove malicious extensions or to delete blocked extensions from the extension policy ExtensionInstallBlocklist.
[Spotlight Feature] Multi-stage queries in YARA-L
The Multi-stage queries feature is now GA. This feature lets you feed the output of one query stage into the input of another, providing more granular data transformation than a single, monolithic query. You can use multi-stage queries in both Dashboards and Search to build sophisticated detection and visualization logic. No action is required to enable this feature.
For more information, see create multi-stage queries with YARA-L 2.0.
]]>[Spotlight Feature] Credential validation for third-party API feed types
Credential validation is now available for all 49 third-party API connectors. When you create a feed using a third-party API feed type, Google SecOps now automatically validates the provided credentials.
This ensures that if credentials are incorrect, the following happens:
New parser documentation now available
New parser documentation is available to help you ingest and normalize logs from the following sources:
[Spotlight Feature] View Triage and Investigation Agent (TIN) results in the Case Summary
The TIN feature is currently in Preview and is part of a gradual rollout. You can now view TIN results and verdict summaries directly within the Case Summary view. This integration provides real-time progress updates and automated verdicts for true or false positives without leaving the case.
For more information, see Use Triage and Investigation Agent (TIN) to investigate alerts.
[Spotlight Feature] Agentic Automation
The Agentic Automation feature is in Public Preview. You can now use Agentic Automation to embed AI Agents directly into your workflows. This feature lets you integrate AI-driven capabilities into your existing playbooks while staying in charge of critical actions by combining agents with deterministic automation steps.
For more information, see Agentic Automation.
]]>[Spotlight Feature] Bindplane features for Google SecOps
The following Bindplane features that relate to Google SecOps are now in General Availability (GA): Single sign-on with custom claims role mapping, SecOps parser validator and Forwarder migration tool.
Some of the main enhancements include:
Single sign-on with custom claims role mapping: gives a production-ready way to manage Bindplane access through your identity provider. For more information, see Single Sign-On (Cloud).
SecOps parser validator: validates that your logs will be parsed correctly by Google SecOps directly from the snapshot view. Get immediate feedback on parsed events or validation errors without waiting for data to appear in Google SecOps. For more information, see Validate SecOps Parser.
Forwarder migration tool: provides production-ready paths to migrate existing forwarder configurations into Bindplane-managed pipelines. For more information, see Migrate Configurations.
For more information, see Bindplane
]]>Unified Feature Role-based Access Control (RBAC) is now in General Availability (GA). This enables administrators to manage feature access control for Google SecOps including SOAR by leveraging Google Cloud IAM instead of managing it separately for SIEM and SOAR.
You can enable it by migrating the legacy SOAR permission groups and permissions to Google Cloud IAM through a self-service migration available from January 26, 2026. Please check the documentation and video for full instructions.
This update is available to all customers who have completed Stage 1 of the SOAR migration to Google Cloud.
]]>Stage 2 of the SOAR migration to Google Cloud deadline has been extended from June 30th to September 30th, 2026.
]]>