SOAR migration overview
This document describes the process and timelines to migrate SOAR infrastructure to Google Cloud. The migration aims to modernize the infrastructure and enhance its integration with Google Cloud services, benefiting both Google Security Operations unified customers and standalone SOAR users transitioning to Google Cloud.
This migration is necessary to provide critical infrastructure upgrades including enhanced reliability, improved security, greater compliance, and more granular access control. It also enables access to Agentic AI capabilities through Model Context Protocol (MCP) integration and best-in-class services including IAM for access control, Cloud Monitoring, and Cloud Audit Logs.
The migration is carried out in two stages: Stage 1 and Stage 2.
Stage 1 includes the following migrations:
- Migration of your Google-owned SOAR Project to Google Cloud infrastructure. This is carried out by Google.
- Migration of SOAR Authentication to Google Cloud (only applicable for SOAR standalone customers).
Stage 2 includes the following migrations:
- Migration of SOAR Permission Groups and Permissions to Google Cloud IAM.
- Migration of SOAR APIs to the new unified Chronicle API, requiring updates to existing scripts and integrations.
- Migration of remote agents.
- Migration of SOAR Audit logs.
Migration stage 1 for Google SecOps unified customers
Check your in-product notification for your Stage 1 migration date and the included Google Form to confirm the time slot. Stage 1 includes the following migrations.
- Migrate Google-owned SOAR Project to Google Cloud
The migration includes a 90-minute downtime during which the Google SecOps platform is not accessible. During this downtime, your SIEM services will continue to operate in the background, while SOAR services will be temporarily paused. Following the downtime, the platform will be accessible, and SOAR services will resume processing any alerts generated or ingested during the downtime.
Once the migration is complete, we will send you an email.
Migration stage 1 for SOAR standalone customers
You will get an in-product notification message when we are ready to initiate Stage 1 for you. Make sure to do the following:
- Set up a Google Cloud project. You can also use a Google Cloud project that may have been set up to access Chronicle Support but does not have a Google Security Operations instance yet.
- Enable Chronicle API.
- Set up Google Cloud Authentication to access SOAR. Refer to Set up Google Cloud Authentication to access SOAR.
- Provide the Google Cloud project ID in the Google form in the in-product notification and confirm the migration date and time slot before you submit the form.
- Accept the invitation email to the "Get Google Security Operations" page and complete the setup. Make sure your region information is accurate.
You will experience a downtime in SOAR services for 2 hours during the migration. We will send an email after the completion along with a new URL to access the SOAR platform. The old URL will work until June 30, 2026 by redirecting you to the new URL.
Set up Google Cloud authentication to access SOAR
Depending on what type of identity you want to set up and use, you need to set up one of the following options. You may need the help of your Google Cloud administrator to perform these instructions.
Option 1: Configure Cloud Identity Authentication in Google Cloud (Google Managed accounts)
This scenario is applicable if you manage user accounts directly within Cloud Identity using Google-managed usernames and passwords. It does not apply if you are using Cloud Identity for SSO with a third-party identity provider such as Okta or Azure AD. Complete the following steps:
- Set up Cloud Identity in Google Cloud. You can skip this step if you already have Cloud Identity set up with Google-managed usernames and passwords.
- Make sure all existing SOAR users are configured in the Cloud Identity Admin console.
- Grant the required roles in IAM by following the role assignment format for Google accounts.
- Assign the following predefined IAM roles in Google Cloud to the onboarding SME:
- Assign one of the following predefined IAM roles to all existing SOAR users:
- Complete the authentication setup in SOAR by mapping each user (including administrators) to an email user group.
- Go to Settings > SOAR Settings > Advanced > Group Mapping.
- Click + and fill in the following information.
- Add Group Name: The name you assign to an email group, such as T1 analysts or EU analysts.
- Group Members: Add the required user emails. Press Enter after adding each email.
- Choose the necessary access to SOAR Permission Groups, Environments and SOC Roles.
Each time a user signs in to the platform, they're automatically added to the Settings > Organization > User Management page.
Option 2: Configure Workforce Identity Federation Authentication in Google Cloud
This scenario is applicable if you manage your user identities using third party IdPs such as Microsoft Azure Active Directory, Okta, Ping Identity and AD FS.
- Set up Workforce Identity Federation in Google Cloud. You can skip this step if it was already set up.
- Make sure all the existing users in SOAR are part of the workforce pool groups set up in the Workforce Identity Federation.
- Grant the required roles in IAM by following the role assignment format for Google accounts.
- Assign all of the following predefined IAM roles to the onboarding SME.
- Assign one of the following roles in IAM to all existing SOAR users:
- Complete the authentication setup in SOAR by mapping all the IdP groups that need access to SOAR.
Make sure the existing users are mapped to at least one of the IdP groups.
- Go to Settings > SOAR Settings > Advanced > IdP Group Mapping.
- Click + and fill in the following information.
- IdP group name: Add the group name from your IdP.
- Choose the necessary access to Permission groups, Environments and SOC Roles.
- Make sure you have added the Admin IdP group with Admin permissions for Permission groups and SOC Roles, and with All Environments selected.
- If you have any existing IdP group mappings in the External Authentication page, leave them as they are so that you don't override your existing SOAR authentication. For the new Google Cloud authentication to access SOAR, you still need to set up IdP Group Mapping on the Settings > SOAR Settings > Advanced > IdP Group Mapping page.
- Once you've finished, click Add. Each time a user signs in to the platform, they are automatically added to Settings > Organization > User Management page.
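The checks in the steps above (every existing SOAR user belongs to at least one mapped IdP group, and an Admin group is mapped with All Environments) can be run against a planned mapping before it is entered in the UI. This is an added example, not Google's tooling; the data, the field names and the `Admin` labels are constructed assumptions, not a SOAR export format.

```python
# Added example: pre-flight check of planned IdP Group Mapping rows.
# All data is constructed; field names and the "Admin" labels are assumptions.
ADMIN = "Admin"
ALL_ENVS = "All Environments"

SOAR_USERS = ["alice@example.com", "Bob@example.com", "carol@example.com", "dave@example.com"]

IDP_GROUPS = {  # IdP group name -> member emails (as listed in your IdP)
    "soc-admins": ["alice@example.com"],
    "soc-t1": ["bob@example.com", "carol@example.com"],
    "soc-contractors": ["dave@example.com"],
}

PLANNED = [  # rows you intend to add under IdP Group Mapping
    {"idp_group": "soc-admins", "permission_group": ADMIN, "soc_role": ADMIN, "environments": [ALL_ENVS]},
    {"idp_group": "soc-t1", "permission_group": "Analyst", "soc_role": "Tier 1", "environments": ["Default"]},
    {"idp_group": "soc-t2", "permission_group": "Analyst", "soc_role": "Tier 2", "environments": ["Default"]},
]


def is_admin_row(row):
    """Admin permission group, Admin SOC role and All Environments together."""
    return (row["permission_group"] == ADMIN and row["soc_role"] == ADMIN
            and ALL_ENVS in row["environments"])


def check_mappings(users, idp_groups, planned):
    members = {g: {e.lower() for e in emails} for g, emails in idp_groups.items()}
    mapped = {row["idp_group"] for row in planned}
    current = {u.lower() for u in users}  # emails compared case-insensitively
    # Users who are in no mapped group would have no access after the switch.
    covered = set().union(*(members.get(g, set()) for g in mapped))
    unmapped = sorted(current - covered)
    # A row naming a group the IdP does not have grants access to nobody.
    unknown = sorted(mapped - members.keys())
    admin_groups = sorted(r["idp_group"] for r in planned if is_admin_row(r))
    admin_users = sorted(current & set().union(*(members.get(g, set()) for g in admin_groups)))
    return {"unmapped_users": unmapped, "unknown_groups": unknown,
            "admin_groups": admin_groups, "admin_users": admin_users}


def ready(report):
    """True only if nobody is left out and at least one existing user keeps admin access."""
    return (not report["unmapped_users"] and not report["unknown_groups"]
            and bool(report["admin_users"]))


if __name__ == "__main__":
    for key, value in check_mappings(SOAR_USERS, IDP_GROUPS, PLANNED).items():
        print(f"{key}: {value}")
```

With the constructed data, the report flags one user with no mapped group and one mapping row that names a group absent from the IdP, so `ready()` returns `False` until both are corrected.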
Stage 2 Migration for all customers
Early Access for Stage 2 will be available starting November 1, 2025 and generally available for all customers starting January 1, 2025. You can initiate Stage 2 at any time, after completing Stage 1, with a completion deadline of June 30, 2026.
Migrate SOAR permission groups to Google Cloud IAM
Migrate the SOAR permission groups and permissions to IAM with a single click of the migration script in Google Cloud (Early access to be launched before November 1, 2025). The script creates new custom roles for each permission group and assigns them to users for Cloud Identity customers or to IdP groups for Workforce Identity Federation customers.
For more information about how to set up permissions, see Configure feature access. The new predefined SOAR roles are:
- Chronicle SOAR Admin
- Chronicle SOAR Engineer
- Chronicle SOAR Analyst
- Chronicle SOAR Viewer
- Chronicle SOAR Service Agent
After the migration of the permissions, the following happens:
- SOAR Settings > Organization > Permissions page is still available until June 30, 2026 (for backwards compatibility with Appkeys). Don't make any changes to this page. The permissions are all managed through IAM.
- The Permission Group column on mapping pages is removed.
- The restricted actions section in the Permissions page will move to the IDP Group Mapping page (or Email group page).
Migrate SOAR APIs to Chronicle API
The SOAR API is being replaced with the Chronicle API. You must complete the migration from permissions groups to IAM before using the Chronicle API. You can opt in for early access to use the SOAR endpoints v1 beta in Chronicle API beginning on November 1, 2025. A newer version, v1, will be available for all customers for general access from January 1, 2026.
You must update your scripts and integrations to replace the SOAR API endpoints with the corresponding Chronicle API endpoints. The legacy SOAR API and API Keys will be available until June 30, 2026, after which they will no longer function. For more information, refer to Migrate endpoints to Chronicle API.
Migrate Remote Agents
You can migrate the Remote Agents to Google Cloud by doing the following:
- Create a Service Account instead of an API key for the remote agent.
- Perform a major version upgrade of the remote agent.
Existing Remote Agents will be available until June 30, 2026, after which they will no longer function. For detailed instructions, see Migrate Remote Agents to Google Cloud.
Migrate SOAR Audit Logs
SOAR logs will become available in Google Cloud once you complete the permissions migration to IAM. Any calls made to the legacy SOAR API until June 30, 2026 will remain accessible in the SOAR Audit logs. For Google SecOps customers, see Collect Google SecOps SOAR logs. For SOAR standalone customers, see Collect SOAR logs.
Further changes post migration:
- License type: The license type is now determined by the user's assigned permissions in IAM.
- Landing page: The landing page will move from the Permissions page to the User Preferences menu, accessible from your avatar.