<?xml version="1.0" encoding="UTF-8"?>
<!-- AUTOGENERATED FILE. DO NOT EDIT. -->
<feed xmlns="http://www.w3.org/2005/Atom">
  <id>tag:google.com,2016:chronicle-release-notes</id>
  <title>Google SecOps SIEM - Release notes</title>
  <link rel="self" href="https://docs.cloud.google.com/feeds/chronicle-release-notes.xml"/>
  <author>
    <name>Google Cloud Platform</name>
  </author>
  <updated>2026-07-01T00:00:00-07:00</updated>

  <entry>
    <title>July 01, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#July_01_2026</id>
    <updated>2026-07-01T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#July_01_2026"/>
    <content type="html"><![CDATA[<h3>Announcement</h3>
<p><strong>[Spotlight Feature] Security Tokens</strong></p>
<p>Security Tokens are now available for metering agentic consumption within Google
SecOps. Tokens are consumed by generally available security agents only. These
agents are invoked automatically or manually using the web interface, CLI, chat,
or Model Context Protocol (MCP). Assistive features, such as standard chat
panels and automated summaries, along with preview agents, won't consume
Security Tokens.</p>
<p>Security Tokens will start rolling out across all regions starting July 1. For
more information, see <a href="https://docs.cloud.google.com/chronicle/docs/agentic-soc/security-tokens">Google SecOps Agentic SOC Security Tokens pricing and
billing</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>June 30, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#June_30_2026</id>
    <updated>2026-06-30T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#June_30_2026"/>
    <content type="html"><![CDATA[<h3>Announcement</h3>
<p><strong>Increased multiple event limits</strong></p>
<p>Multiple event rule limits have been increased to 200 for Enterprise customers and 400 for Enterprise+ customers.</p>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/secops/secops-packages#package_comparison">Package comparison</a></p>
<h3>Announcement</h3>
<p><strong>Unified rules interface</strong></p>
<p>The new rules interface is now available in public preview.</p>
<p>The Google SecOps unified rules interface brings custom and curated rule management into a single, cohesive workflow. This optimizes detection engineering with a redesigned dashboard, an advanced rule editor, and expanded API capabilities to streamline rule deployment and troubleshooting.</p>
<p>You can still revert to the legacy experience. At the top right of the screen, click <strong>Switch to the legacy experience</strong>.</p>
<p>For more information about the Unified rules interface, see <a href="https://docs.cloud.google.com/chronicle/docs/detection/unified-rules/manage-unified-rules">Manage unified rules</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>June 28, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#June_28_2026</id>
    <updated>2026-06-28T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#June_28_2026"/>
    <content type="html"><![CDATA[<h3>Change</h3>
<p>Google SecOps has updated the list of <a href="https://docs.cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers">supported default parsers</a>. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.</p>
<p>The following supported default parsers have been updated. Each parser is listed by product name and <code>log_type</code> value, where applicable. This list includes both released default parsers and pending parser updates.</p>
<ul>
<li>AIX system (<code>AIX_SYSTEM</code>)</li>
<li>Amazon API Gateway (<code>AWS_API_GATEWAY</code>)</li>
<li>Apache (<code>APACHE</code>)</li>
<li>Appian Cloud (<code>APPIAN_CLOUD</code>)</li>
<li>Aruba Switch (<code>ARUBA_SWITCH</code>)</li>
<li>Atlassian Bitbucket (<code>ATLASSIAN_BITBUCKET</code>)</li>
<li>Avaya Aura Experience Portal (<code>AVAYA_AURA</code>)</li>
<li>AWS CloudWatch (<code>AWS_CLOUDWATCH</code>)</li>
<li>AWS GuardDuty (<code>GUARDDUTY</code>)</li>
<li>AWS Network Firewall (<code>AWS_NETWORK_FIREWALL</code>)</li>
<li>AWS RDS (<code>AWS_RDS</code>)</li>
<li>AWS Security Hub (<code>AWS_SECURITY_HUB</code>)</li>
<li>AWS VPC Flow (<code>AWS_VPC_FLOW</code>)</li>
<li>AWS VPC Flow (CSV) (<code>AWS_VPC_FLOW_CSV</code>)</li>
<li>AWS WAF (<code>AWS_WAF</code>)</li>
<li>Azure AD (<code>AZURE_AD</code>)</li>
<li>Barracuda WAF (<code>BARRACUDA_WAF</code>)</li>
<li>Blue Coat Proxy (<code>BLUECOAT_WEBPROXY</code>)</li>
<li>Cato Networks (<code>CATO_NETWORKS</code>)</li>
<li>Check Point Harmony (<code>CHECKPOINT_HARMONY</code>)</li>
<li>Chrome Management (<code>CHROME_MANAGEMENT</code>)</li>
<li>CircleCI (<code>CIRCLECI</code>)</li>
<li>Cisco ACS (<code>CISCO_ACS</code>)</li>
<li>Cisco ASA (<code>CISCO_ASA_FIREWALL</code>)</li>
<li>Cisco Email Security (<code>CISCO_EMAIL_SECURITY</code>)</li>
<li>Cisco Firepower NGFW (<code>CISCO_FIREPOWER_FIREWALL</code>)</li>
<li>Cisco IronPort (<code>CISCO_IRONPORT</code>)</li>
<li>Cisco ISE (<code>CISCO_ISE</code>)</li>
<li>Cisco Meraki (<code>CISCO_MERAKI</code>)</li>
<li>Cisco Router (<code>CISCO_ROUTER</code>)</li>
<li>Cisco Secure Access (<code>CISCO_SECURE_ACCESS</code>)</li>
<li>Cisco Switch (<code>CISCO_SWITCH</code>)</li>
<li>Cisco Umbrella Audit (<code>CISCO_UMBRELLA_AUDIT</code>)</li>
<li>Cisco Umbrella Cloud Firewall (<code>UMBRELLA_FIREWALL</code>)</li>
<li>Cisco Umbrella Web Proxy (<code>UMBRELLA_WEBPROXY</code>)</li>
<li>Cisco vManage SD-WAN (<code>CISCO_SDWAN</code>)</li>
<li>Cisco WLC/WCS (<code>CISCO_WIRELESS</code>)</li>
<li>Citrix Netscaler (<code>CITRIX_NETSCALER</code>)</li>
<li>Claroty Xdome (<code>CLAROTY_XDOME</code>)</li>
<li>Cloudflare (<code>CLOUDFLARE</code>)</li>
<li>Corelight (<code>CORELIGHT</code>)</li>
<li>CrowdStrike Alerts API (<code>CS_ALERTS</code>)</li>
<li>CrowdStrike Falcon (<code>CS_EDR</code>)</li>
<li>CyberArk PTA Privileged Threat Analytics (<code>CYBERARK_PTA</code>)</li>
<li>Cynet 360 AutoXDR (<code>CYNET_360_AUTOXDR</code>)</li>
<li>Dell Switch (<code>DELL_SWITCH</code>)</li>
<li>Elastic Windows Event Log Beats (<code>ELASTIC_WINLOGBEAT</code>)</li>
<li>F5 ASM (<code>F5_ASM</code>)</li>
<li>F5 BIGIP LTM (<code>F5_BIGIP_LTM</code>)</li>
<li>FireEye ETP (<code>FIREEYE_ETP</code>)</li>
<li>FireEye NX (<code>FIREEYE_NX</code>)</li>
<li>Forcepoint Proxy (<code>FORCEPOINT_WEBPROXY</code>)</li>
<li>FortiGate (<code>FORTINET_FIREWALL</code>)</li>
<li>FortiMail Email Security (<code>FORTINET_FORTIMAIL</code>)</li>
<li>Fortinet FortiAnalyzer (<code>FORTINET_FORTIANALYZER</code>)</li>
<li>Fortinet Web Application Firewall (<code>FORTINET_FORTIWEB</code>)</li>
<li>GitHub (<code>GITHUB</code>)</li>
<li>Google Cloud Audit (<code>GCP_CLOUDAUDIT</code>)</li>
<li>Google Cloud DNS (<code>GCP_DNS</code>)</li>
<li>HAProxy (<code>HAPROXY</code>)</li>
<li>IBM Tape Storages (<code>IBM_LTO</code>)</li>
<li>Imperva CEF (<code>IMPERVA_CEF</code>)</li>
<li>Imperva SecureSphere Management (<code>IMPERVA_SECURESPHERE</code>)</li>
<li>Infoblox DNS (<code>INFOBLOX_DNS</code>)</li>
<li>Island Browser logs (<code>ISLAND_BROWSER</code>)</li>
<li>JumpCloud Directory Insights (<code>JUMPCLOUD_DIRECTORY_INSIGHTS</code>)</li>
<li>Kemp Load Balancer (<code>KEMP_LOADBALANCER</code>)</li>
<li>Kubernetes Node (<code>KUBERNETES_NODE</code>)</li>
<li>ManageEngine ADAudit Plus (<code>ADAUDIT_PLUS</code>)</li>
<li>Microsoft Defender for Endpoint (<code>MICROSOFT_DEFENDER_ENDPOINT</code>)</li>
<li>Microsoft Defender for Office 365 (<code>MICROSOFT_DEFENDER_MAIL</code>)</li>
<li>Microsoft Graph API Alerts (<code>MICROSOFT_GRAPH_ALERT</code>)</li>
<li>Microsoft IIS (<code>IIS</code>)</li>
<li>Microsoft SQL Server (<code>MICROSOFT_SQL</code>)</li>
<li>MISP Threat Intelligence (<code>MISP_IOC</code>)</li>
<li>NetApp ONTAP (<code>NETAPP_ONTAP</code>)</li>
<li>NetIQ eDirectory (<code>NETIQ_EDIRECTORY</code>)</li>
<li>Netskope V2 (<code>NETSKOPE_ALERT_V2</code>)</li>
<li>Netskope Web Proxy (<code>NETSKOPE_WEBPROXY</code>)</li>
<li>NGINX (<code>NGINX</code>)</li>
<li>Noname API Security (<code>NONAME_API_SECURITY</code>)</li>
<li>Office 365 (<code>OFFICE_365</code>)</li>
<li>Okta (<code>OKTA</code>)</li>
<li>Oracle (<code>ORACLE_DB</code>)</li>
<li>Oracle Cloud Infrastructure VCN Flow Logs (<code>OCI_FLOW</code>)</li>
<li>Oracle NetSuite (<code>ORACLE_NETSUITE</code>)</li>
<li>Palo Alto Networks Firewall (<code>PAN_FIREWALL</code>)</li>
<li>Palo Alto Panorama (<code>PAN_PANORAMA</code>)</li>
<li>Palo Alto Prisma Access (<code>PAN_CASB</code>)</li>
<li>Palo Alto Prisma Cloud Alert payload (<code>PAN_PRISMA_CA</code>)</li>
<li>Ping Identity (<code>PING</code>)</li>
<li>Proofpoint On Demand (<code>PROOFPOINT_ON_DEMAND</code>)</li>
<li>RSA (<code>RSA_AUTH_MANAGER</code>)</li>
<li>Salesforce (<code>SALESFORCE</code>)</li>
<li>Security Command Center Error (<code>GCP_SECURITYCENTER_ERROR</code>)</li>
<li>Security Command Center Misconfiguration (<code>GCP_SECURITYCENTER_MISCONFIGURATION</code>)</li>
<li>Security Command Center Observation (<code>GCP_SECURITYCENTER_OBSERVATION</code>)</li>
<li>Security Command Center Posture Violation (<code>GCP_SECURITYCENTER_POSTURE_VIOLATION</code>)</li>
<li>Security Command Center Threat (<code>GCP_SECURITYCENTER_THREAT</code>)</li>
<li>Security Command Center Toxic Combination (<code>GCP_SECURITYCENTER_TOXIC_COMBINATION</code>)</li>
<li>Security Command Center Unspecified (<code>GCP_SECURITYCENTER_UNSPECIFIED</code>)</li>
<li>Security Command Center Vulnerability (<code>GCP_SECURITYCENTER_VULNERABILITY</code>)</li>
<li>Sendmail (<code>SENDMAIL</code>)</li>
<li>Sentinelone Activity (<code>SENTINELONE_ACTIVITY</code>)</li>
<li>ServiceNow CMDB (<code>SERVICENOW_CMDB</code>)</li>
<li>Sophos Firewall (Next Gen) (<code>SOPHOS_FIREWALL</code>)</li>
<li>Squid Web Proxy (<code>SQUID_WEBPROXY</code>)</li>
<li>Symantec EDR (<code>SYMANTEC_EDR</code>)</li>
<li>Symantec Endpoint Protection (<code>SEP</code>)</li>
<li>Sysdig (<code>SYSDIG</code>)</li>
<li>Thinkst Canary (<code>THINKST_CANARY</code>)</li>
<li>Trellix EDRF Trace Data and Telemetry (<code>TRELLIX_EDRF</code>)</li>
<li>Trend Micro Vision One Detections (<code>TRENDMICRO_VISION_ONE_DETECTIONS</code>)</li>
<li>Trend Micro Vision One Workbench (<code>TRENDMICRO_VISION_ONE_WORKBENCH</code>)</li>
<li>Unix system (<code>NIX_SYSTEM</code>)</li>
<li>Varonis (<code>VARONIS</code>)</li>
<li>Veeam (<code>VEEAM</code>)</li>
<li>VMware vCenter (<code>VMWARE_VCENTER</code>)</li>
<li>VMWare VSphere (<code>VMWARE_VSPHERE</code>)</li>
<li>Windows DNS (<code>WINDOWS_DNS</code>)</li>
<li>Windows Event (<code>WINEVTLOG</code>)</li>
<li>Windows Event (XML) (<code>WINEVTLOG_XML</code>)</li>
<li>Windows Sysmon (<code>WINDOWS_SYSMON</code>)</li>
<li>wiz.io (<code>WIZ_IO</code>)</li>
<li>Workday User Activity (<code>WORKDAY_USER_ACTIVITY</code>)</li>
<li>Zeek JSON (<code>BRO_JSON</code>)</li>
<li>Zscaler (<code>ZSCALER_WEBPROXY</code>)</li>
<li>ZScaler NGFW (<code>ZSCALER_FIREWALL</code>)</li>
</ul>
<p>The following log types were added without a default parser. Each parser is listed by product name and <code>log_type</code> value, where applicable.</p>
<ul>
<li>Cisco Secure Access Enrollment (<code>CISCO_SECURE_ACCESS_ENROLLMENT</code>)</li>
<li>Cisco Secure Access Network (<code>CISCO_SECURE_ACCESS_NETWORK</code>)</li>
<li>CyberArk Certificate Manager SaaS (<code>CYBERARK_CERTIFICATE_MANAGER_SAAS</code>)</li>
<li>Gemini Enterprise Agent Platform (<code>GEMINI_ENTERPRISE_AGENT_PLATFORM</code>)</li>
<li>Schneider Electric GeoScada OT (<code>GEOSCADA_OT</code>)</li>
<li>Model Context Protocol Dev (<code>MCPDEV</code>)</li>
<li>Model Context Protocol Modify (<code>MCPMODIFY</code>)</li>
<li>Model Context Protocol View (<code>MCPVIEW</code>)</li>
<li>NetApp Ransomware Resilience (<code>NETAPP_RANSOMWARE_RESILIENCE</code>)</li>
<li>Netskope Log Streaming (<code>NETSKOPE_LOG_STREAMING</code>)</li>
<li>Pylon Audit Logs (<code>PYLON_LOGS</code>)</li>
<li>Reco AI CSPM (<code>RECO_CSPM</code>)</li>
<li>Salt Security API Protection Platform (<code>SALT_SECURITY</code>)</li>
<li>SentinelOne Application (<code>SENTINELONE_APPLICATION</code>)</li>
<li>Wiz Vulnerabilities (<code>WIZ_VULNERABILITIES</code>)</li>
</ul>
]]>
    </content>
  </entry>

  <entry>
    <title>June 26, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#June_26_2026</id>
    <updated>2026-06-26T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#June_26_2026"/>
    <content type="html"><![CDATA[<h3>Announcement</h3>
<p><strong>Improved documentation portal navigation</strong></p>
<p>Finding help is now easier! We've updated the navigation of our documentation portal to be primarily user-centric. Sections have been reorganized and renamed to align with your workflows, providing a logical path through the documentation.</p>
<p>We've also added:</p>
<ul>
<li>A <a href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes"><strong>Support</strong> tab</a> for technical support, changelogs, and release notes</li>
<li>A <a href="https://docs.cloud.google.com/chronicle/docs/use-cases"><strong>Use cases</strong> tab</a> for persona-driven CUJs and workflows</li>
</ul>
<aside class="note"><strong>Note:</strong><span> Content-level modifications are not included in this update and are scheduled for subsequent phases.</span></aside>
]]>
    </content>
  </entry>

  <entry>
    <title>June 23, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#June_23_2026</id>
    <updated>2026-06-23T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#June_23_2026"/>
    <content type="html"><![CDATA[<h3>Feature</h3>
<p><strong>Ask Gemini Cloud Assist in Feed Management</strong></p>
<p>Google SecOps now provides Gemini Cloud Assist (GCA) directly within the Feed Management interface to help you with feed creation, setup, and general troubleshooting questions.</p>
<p>A new <strong>Ask Gemini Cloud Assist</strong> button is now available in the Feed Management interface. You can click this button to open the Gemini Cloud Assist panel and ask questions to get guidance on:</p>
<ul>
<li>Configuring and managing data feeds.</li>
<li>Understanding ingestion pre-requisites and setup steps for different log sources.</li>
<li>Resolving common setup issues.</li>
</ul>
<p><em>Note: Gemini Cloud Assist provides recommendations and answers to your questions, but does not perform configuration changes on your behalf. You must apply any recommended changes manually to your feeds.</em></p>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/administration/feed-management-overview">Feed management overview</a>.</p>
<h3>Change</h3>
<p><strong>Ingestion metrics reporting correction</strong></p>
<p>Google Security Operations has resolved an issue where certain ingestion metrics—which are displayed in both the dashboard and Cloud Monitoring—were under-reported.</p>
<p>Because of this correction, you might notice a one-time apparent spike in your ingestion metrics when the update is enabled for your region (between June 29 and July 10, 2026). The actual log volume ingested remains unchanged.</p>
<p>Historical metrics recorded before this update will not be modified or backfilled. This correction does not affect customer billing.</p>
<p>If you have questions or need assistance, contact Google Security Operations support.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>June 17, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#June_17_2026</id>
    <updated>2026-06-17T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#June_17_2026"/>
    <content type="html"><![CDATA[<h3>Change</h3>
<p><strong>Auto-collapse setting for the query editor</strong></p>
<p>You can now configure the query editor to automatically collapse after you run
a search, maximizing the screen space available for viewing your search results.
By default, the query editor remains expanded.</p>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/investigation/udm-search#CollapsequeryEditor">Configure query editor behavior</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>June 16, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#June_16_2026</id>
    <updated>2026-06-16T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#June_16_2026"/>
    <content type="html"><![CDATA[<h3>Announcement</h3>
<p><strong>New Documentation changelogs</strong></p>
<p>Google SecOps is now releasing a monthly changelog to capture major documentation updates.</p>
<p>For more information, refer to <a href="https://docs.cloud.google.com/chronicle/docs/changelogs/changelogs">Documentation changelog</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>June 13, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#June_13_2026</id>
    <updated>2026-06-13T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#June_13_2026"/>
    <content type="html"><![CDATA[<h3>Feature</h3>
<p><strong>Non-prioritized IoC Matching rules Category</strong></p>
<p>Google SecOps has introduced a new detection category, <em>Non-prioritized IoC Matching rules</em>, as part of the <a href="https://docs.cloud.google.com/chronicle/docs/detection/curated-detections">Curated Detections</a> feature. These rule sets integrate with Google's Indicators of Compromise (IoC) feeds and build on curated threat intelligence to identify malicious activities within Google SecOps environments, specifically focusing on threats identifiable through high-fidelity indicators like IPs, domains, and file hashes.</p>
<p>This rules category provides comprehensive coverage for threats often missed by standard managed content, including cryptomining, Command and Control (C2) communications, and the use of malicious anonymization services.</p>
<p>For more information, refer to <a href="https://docs.cloud.google.com/chronicle/docs/detection/non-prioritized-ioc-matching-threats-category">Non-prioritized IoC Matching rules category overview</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>June 12, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#June_12_2026</id>
    <updated>2026-06-12T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#June_12_2026"/>
    <content type="html"><![CDATA[<h3>Feature</h3>
<p><strong>[Spotlight Feature] Investigate detections in Google SecOps Search</strong></p>
<p>Google SecOps Search now supports querying, filtering, and analyzing system-generated detections. When searching on events or entities, matching detections will now appear in the <strong>Alerts and Detections</strong> tab, providing a more holistic workflow for threat investigation.</p>
<p>For more details, see <a href="https://docs.cloud.google.com/chronicle/docs/investigation/investigate-detections-in-search">Investigate detections in Search</a>.</p>
<h3>Announcement</h3>
<p><strong>Asynchronous Search APIs for large datasets</strong></p>
<p>Google SecOps now supports asynchronous Search APIs that let you perform
long-running queries without blocking your applications. This is ideal for 
searches that return a large volume of results.</p>
<ul>
<li><strong>Non-blocking queries</strong>: Initiate searches and receive an operation ID to
track progress, so your application remains responsive.</li>
<li><strong>Handle large result sets</strong>: Retrieve up to 1 million results from data
sources including Unified Data Model (UDM) events, data tables, and Entity
Context Graph (ECG).</li>
<li><strong>Paginated results</strong>: View results efficiently in manageable pages.</li>
</ul>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/investigation/search-lro-api">Asynchronous Search APIs</a>
and <a href="https://docs.cloud.google.com/chronicle/docs/investigation/udm-search#resultLimitsDataSources">Result limits for data sources</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>June 09, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#June_09_2026</id>
    <updated>2026-06-09T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#June_09_2026"/>
    <content type="html"><![CDATA[<h3>Feature</h3>
<p><strong>UDM fields now show the sources of enrichment</strong></p>
<p>The new Enrichment feature introduces improvements for managing and understanding your data. Each UDM field is now labeled with an icon to indicate its data source: U for unenriched fields and E for enriched fields. Enriched fields contain additional metadata values that indicate the source of the enriched data.</p>
<aside class="note"><strong>Note:</strong><span> The Enrichment feature requires the <code>chronicle.events.fetchEnrichedEvent</code> IAM permission. If you're using custom IAM roles, you must add one of the following permissions to your custom policies: <code>chronicle.googleapis.com/limitedViewer</code>, <code>chronicle.googleapis.com/restrictedDataAccessViewer</code>, or <code>chronicle.googleapis.com/viewer</code>.</span></aside>
<p>For more information, see: <a href="https://docs.cloud.google.com/chronicle/docs/event-processing/data-enrichment#viewing_events">Viewing events</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>May 31, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#May_31_2026</id>
    <updated>2026-05-31T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#May_31_2026"/>
    <content type="html"><![CDATA[<h3>Change</h3>
<p>Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.</p>
<p>The following supported default parsers have been updated. Each parser is listed by product name and <code>log_type</code> value, where applicable. This list includes both released default parsers and pending parser updates.</p>
<ul>
<li>1Password Audit Events (<code>ONEPASSWORD_AUDIT_EVENTS</code>)</li>
<li>AIX system (<code>AIX_SYSTEM</code>)</li>
<li>Apache (<code>APACHE</code>)</li>
<li>Aruba EdgeConnect SD-WAN (<code>ARUBA_EDGECONNECT_SDWAN</code>)</li>
<li>Avaya Aura Experience Portal (<code>AVAYA_AURA</code>)</li>
<li>AWS CloudFront (<code>AWS_CLOUDFRONT</code>)</li>
<li>AWS Cloudtrail (<code>AWS_CLOUDTRAIL</code>)</li>
<li>AWS GuardDuty (<code>GUARDDUTY</code>)</li>
<li>AWS Security Hub (<code>AWS_SECURITY_HUB</code>)</li>
<li>Azure AD (<code>AZURE_AD</code>)</li>
<li>Azure AD Organizational Context (<code>AZURE_AD_CONTEXT</code>)</li>
<li>Azure AD Sign-In (<code>AZURE_AD_SIGNIN</code>)</li>
<li>Azure SQL (<code>AZURE_SQL</code>)</li>
<li>Azure Storage Audit (<code>AZURE_STORAGE_AUDIT</code>)</li>
<li>Barracuda WAF (<code>BARRACUDA_WAF</code>)</li>
<li>Blue Coat Proxy (<code>BLUECOAT_WEBPROXY</code>)</li>
<li>Chrome Management (<code>CHROME_MANAGEMENT</code>)</li>
<li>Cisco ACS (<code>CISCO_ACS</code>)</li>
<li>Cisco ISE (<code>CISCO_ISE</code>)</li>
<li>Cisco Secure Access (<code>CISCO_SECURE_ACCESS</code>)</li>
<li>Cisco Secure Workload (<code>CISCO_SECURE_WORKLOAD</code>)</li>
<li>Cisco Switch (<code>CISCO_SWITCH</code>)</li>
<li>Cisco Umbrella Audit (<code>CISCO_UMBRELLA_AUDIT</code>)</li>
<li>Citrix Netscaler (<code>CITRIX_NETSCALER</code>)</li>
<li>Claroty Xdome (<code>CLAROTY_XDOME</code>)</li>
<li>Claude Compliance Logs (<code>CLAUDE_COMPLIANCE_LOGS</code>)</li>
<li>Cloudflare (<code>CLOUDFLARE</code>)</li>
<li>Cloudflare Warp (<code>CLOUDFLARE_WARP</code>)</li>
<li>Corelight (<code>CORELIGHT</code>)</li>
<li>CrowdStrike Alerts API (<code>CS_ALERTS</code>)</li>
<li>CrowdStrike Falcon (<code>CS_EDR</code>)</li>
<li>CyberArk (<code>CYBERARK</code>)</li>
<li>CyberArk Privileged Access Manager (PAM) (<code>CYBERARK_PAM</code>)</li>
<li>Duo Administrator Logs (<code>DUO_ADMIN</code>)</li>
<li>EfficientIP DDI (<code>EFFICIENTIP_DDI</code>)</li>
<li>Elastic Audit Beats (<code>ELASTIC_AUDITBEAT</code>)</li>
<li>Elastic Windows Event Log Beats (<code>ELASTIC_WINLOGBEAT</code>)</li>
<li>F5 ASM (<code>F5_ASM</code>)</li>
<li>Forcepoint Proxy (<code>FORCEPOINT_WEBPROXY</code>)</li>
<li>FortiGate (<code>FORTINET_FIREWALL</code>)</li>
<li>GitHub (<code>GITHUB</code>)</li>
<li>Google Cloud Asset Inventory (<code>GCP_CLOUD_ASSET_INVENTORY</code>)</li>
<li>Google Cloud Audit (<code>GCP_CLOUDAUDIT</code>)</li>
<li>Google Compute Context (<code>GCP_COMPUTE_CONTEXT</code>)</li>
<li>Google Threat Intelligence IOC (<code>GTI_IOC</code>)</li>
<li>GTB Technologies DLP (<code>GTB_DLP</code>)</li>
<li>HP Aruba (ClearPass) (<code>CLEARPASS</code>)</li>
<li>IBM Websphere Application Server (<code>IBM_WEBSPHERE_APP_SERVER</code>)</li>
<li>IBM z/OS (<code>IBM_ZOS</code>)</li>
<li>Imperva (<code>IMPERVA_WAF</code>)</li>
<li>Imperva CEF (<code>IMPERVA_CEF</code>)</li>
<li>Imperva DRA (<code>IMPERVA_DRA</code>)</li>
<li>Imperva SecureSphere Management (<code>IMPERVA_SECURESPHERE</code>)</li>
<li>Island Browser logs (<code>ISLAND_BROWSER</code>)</li>
<li>Juniper (<code>JUNIPER_FIREWALL</code>)</li>
<li>Juniper Mist (<code>JUNIPER_MIST</code>)</li>
<li>Kubernetes Node (<code>KUBERNETES_NODE</code>)</li>
<li>LastPass Password Management (<code>LASTPASS</code>)</li>
<li>Linux Auditing System (AuditD) (<code>AUDITD</code>)</li>
<li>Microsoft Azure Activity (<code>AZURE_ACTIVITY</code>)</li>
<li>Microsoft Defender for Office 365 (<code>MICROSOFT_DEFENDER_MAIL</code>)</li>
<li>Microsoft IIS (<code>IIS</code>)</li>
<li>Mobileiron (<code>MOBILEIRON</code>)</li>
<li>Mongo Database (<code>MONGO_DB</code>)</li>
<li>MySQL (<code>MYSQL</code>)</li>
<li>Netapp Storagegrid (<code>NETAPP_STORAGEGRID</code>)</li>
<li>Netskope V2 (<code>NETSKOPE_ALERT_V2</code>)</li>
<li>Netskope Web Proxy (<code>NETSKOPE_WEBPROXY</code>)</li>
<li>NGFW Enterprise (<code>GCP_NGFW_ENTERPRISE</code>)</li>
<li>Office 365 (<code>OFFICE_365</code>)</li>
<li>Office 365 Message Trace (<code>OFFICE_365_MESSAGETRACE</code>)</li>
<li>Okta Scaleft (<code>OKTA_SCALEFT</code>)</li>
<li>Oracle (<code>ORACLE_DB</code>)</li>
<li>Oracle Cloud Infrastructure Audit Logs (<code>OCI_AUDIT</code>)</li>
<li>Orca Cloud Security Platform (<code>ORCA</code>)</li>
<li>Proofpoint On Demand (<code>PROOFPOINT_ON_DEMAND</code>)</li>
<li>Radware Web Application Firewall (<code>RADWARE_FIREWALL</code>)</li>
<li>Red Hat Directory Server LDAP (<code>REDHAT_DIRECTORY_SERVER</code>)</li>
<li>Red Hat OpenShift (<code>REDHAT_OPENSHIFT</code>)</li>
<li>Salesforce (<code>SALESFORCE</code>)</li>
<li>Sangfor Next Generation Firewall (<code>SANGFOR_NGAF</code>)</li>
<li>Security Command Center Error (<code>GCP_SECURITYCENTER_ERROR</code>)</li>
<li>Security Command Center Misconfiguration (<code>GCP_SECURITYCENTER_MISCONFIGURATION</code>)</li>
<li>Security Command Center Observation (<code>GCP_SECURITYCENTER_OBSERVATION</code>)</li>
<li>Security Command Center Posture Violation (<code>GCP_SECURITYCENTER_POSTURE_VIOLATION</code>)</li>
<li>Security Command Center Threat (<code>GCP_SECURITYCENTER_THREAT</code>)</li>
<li>Security Command Center Toxic Combination (<code>GCP_SECURITYCENTER_TOXIC_COMBINATION</code>)</li>
<li>Security Command Center Unspecified (<code>GCP_SECURITYCENTER_UNSPECIFIED</code>)</li>
<li>Security Command Center Vulnerability (<code>GCP_SECURITYCENTER_VULNERABILITY</code>)</li>
<li>SentinelOne Singularity Cloud Funnel (<code>SENTINELONE_CF</code>)</li>
<li>ServiceNow Security (<code>SERVICENOW_SECURITY</code>)</li>
<li>Sourcefire (<code>SOURCEFIRE_IDS</code>)</li>
<li>Suricata EVE (<code>SURICATA_EVE</code>)</li>
<li>Symantec Endpoint Protection (<code>SEP</code>)</li>
<li>Sysdig (<code>SYSDIG</code>)</li>
<li>Trend Micro Deep Security (<code>TRENDMICRO_DEEP_SECURITY</code>)</li>
<li>Trend Micro Vision One Observerd Attack Techniques (<code>TRENDMICRO_VISION_ONE_OBSERVERD_ATTACK_TECHNIQUES</code>)</li>
<li>Ubiquiti UniFi Switch (<code>UBIQUITI_SWITCH</code>)</li>
<li>Unix system (<code>NIX_SYSTEM</code>)</li>
<li>Upwind (<code>UPWIND</code>)</li>
<li>VMware ESXi (<code>VMWARE_ESX</code>)</li>
<li>VMWare VSphere (<code>VMWARE_VSPHERE</code>)</li>
<li>Windows DNS (<code>WINDOWS_DNS</code>)</li>
<li>Windows Event (<code>WINEVTLOG</code>)</li>
<li>Wiz.io (<code>WIZ_IO</code>)</li>
<li>Workday User Activity (<code>WORKDAY_USER_ACTIVITY</code>)</li>
<li>Workspace Activities (<code>WORKSPACE_ACTIVITY</code>)</li>
<li>Zscaler (<code>ZSCALER_WEBPROXY</code>)</li>
<li>Zscaler CASB (<code>ZSCALER_CASB</code>)</li>
<li>Zscaler DLP (<code>ZSCALER_DLP</code>)</li>
<li>Zscaler Private Access (<code>ZSCALER_ZPA</code>)</li>
</ul>
<p>The following log types were added without a default parser. Each parser is listed by product name and <code>log_type</code> value, where applicable.</p>
<ul>
<li>Azure Software Vulnerabilities (<code>AZURE_SOFTWARE_VULNERABILITIES</code>)</li>
<li>Caller Verify (<code>CALLER_VERIFY</code>)</li>
<li>CertSecure Log (<code>CERTSECURE_LOG</code>)</li>
<li>Cisco MultiCloud Defense Firewall (<code>CISCO_MULTICLOUD_DEFENSE_FIREWALL</code>)</li>
<li>Cursor (<code>CURSOR</code>)</li>
<li>Cyfirma (<code>CYFIRMA_DECYFIR_LOG</code>)</li>
<li>Databahn (<code>DATABAHN</code>)</li>
<li>Flare Darkweb Alerts (<code>FLARE_DARKWEB_ALERTS</code>)</li>
<li>Fortinet FortiAppSec Cloud (<code>FORTINET_FORTIAPPSEC</code>)</li>
<li>Hikvision Network Video Recorders (<code>HIKVISION_NVR</code>)</li>
<li>IBM B2B Integrator (<code>IBM_B2B_INTEGRATOR</code>)</li>
<li>IBM InfoSphere Virtual Data Pipeline (<code>IBM_VDP</code>)</li>
<li>Imperva Account TakeOver (<code>IMPERVA_ATO</code>)</li>
<li>Imperva Client Side Protection (<code>IMPERVA_CSP</code>)</li>
<li>Imperva DNS (<code>IMPERVA_DNS</code>)</li>
<li>Imperva Network Security (<code>IMPERVA_NETWORK_SECURITY</code>)</li>
<li>Microsoft Defender XDR (<code>MICROSOFT_DEFENDER_XDR</code>)</li>
<li>Nakivo Backup and Recovery (<code>NAKIVO_BACKUP</code>)</li>
<li>Netcraft Takedown (<code>NETCRAFT_TAKEDOWN</code>)</li>
<li>Next Level Performance Amplify (<code>NXL_AMPLIFY</code>)</li>
<li>Siemens Desigo (<code>SIEMENS_DESIGO</code>)</li>
</ul>
]]>
    </content>
  </entry>

  <entry>
    <title>May 28, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#May_28_2026</id>
    <updated>2026-05-28T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#May_28_2026"/>
    <content type="html"><![CDATA[<h3>Feature</h3>
<p><strong>Upgraded Chronicle API</strong></p>
<p>We've upgraded the following <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest">Chronicle API</a> resources from v1 beta to v1. This upgrade signals API stability and functional completeness, enabling customer and partner adoption for production usage. We recommend that customers and partners use Chronicle API for all new integrations, for a more robust, secure, and extensible experience. Learn more about <a href="https://google.aip.dev/181">API Stability</a>.</p>
<p>The following features and resources are included in this update:</p>
<ul>
<li><strong>Alerts and ATIs, UEBA:</strong> <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.threatCollections">Threat Collection</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.iocs">IoC</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.coverageDetails">CoverageDetail</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances/getRiskConfig">EntityRisk</a></li>
<li><strong>Dashboards:</strong> <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.nativeDashboards">NativeDashboard</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.dashboardCharts">DashboardChart</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.dashboardQueries">DashboardQuery</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.contentHub.featuredContentNativeDashboards">FeaturedContentNativeDashboard</a></li>
<li><strong>Data Tables:</strong> <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.dataTables">DataTable</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.dataTables.dataTableRows">DataTableRow</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.dataTableOperationErrors">DataTableOperationError</a></li>
<li><strong>Ingestion:</strong> <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.logTypes.logs">Logs</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.feeds">Feed</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.feedSourceTypeSchemas.logTypeSchemas">LogTypeSchema</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.feedSourceTypeSchemas">FeedSourceSchema</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.feedPacks">FeedPack</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.forwarders">Forwarder</a></li>
<li><strong>Normalization:</strong> <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.logTypes">Logtype</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.logTypes.parsers">Parser</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.ingestionLogLabels">IngestionLogLabel</a></li>
<li><strong>Detections:</strong> <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.findingsRefinements">FindingsRefinement</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances/verifyRuleText">VerifyRuleText</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.contentHub.featuredContentRules">FeaturedContentRule</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.ruleExecutionErrors">RuleExecutionError</a></li>
<li><strong>Search &amp; Investigation:</strong> <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.events">Event</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.entities">Entity</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.users.searchQueries">SearchQuery</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.savedColumnSets">SavedColumnSet</a></li>
<li><strong>Exports:</strong> <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.bigQueryExport">BigQueryExportService</a></li>
<li><strong>Enrichment Controls:</strong> <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.enrichmentControls">EnrichmentControl</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances/getEnrichmentCombination">EnrichmentCombination</a></li>
</ul>
<p>For a full list of updated resources and links to the documentation, please see the <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest">Chronicle API documentation</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>May 27, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#May_27_2026</id>
    <updated>2026-05-27T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#May_27_2026"/>
    <content type="html"><![CDATA[<h3>Feature</h3>
<p><strong>Standard parser support policy</strong></p>
<p>Google SecOps introduced a focused support policy for Standard parsers to scale platform stability, predictable performance, and high-quality data normalization. The new policy structures service level objectives (SLOs) and request triaging by customer support tiers (Standard versus Expert/Expert+), and prioritizes core security data through <a href="https://docs.cloud.google.com/chronicle/docs/reference/important-udm-fields">Important UDM Fields</a>. Additionally, the policy outlines a community-driven model where low-usage, longtail prebuilt parsers migrate to a dedicated GitHub repository maintained by partners and the Google SecOps community. </p>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/ingestion/standard-parser-support-policy">Standard parser support policy</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>May 18, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#May_18_2026</id>
    <updated>2026-05-18T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#May_18_2026"/>
    <content type="html"><![CDATA[<h3>Feature</h3>
<p><strong>Enhanced Data Export API general availability and improvements</strong></p>
<p>The Data Export API is now GA and introduces significant security and capability improvements. This feature facilitates the bulk export of your security data from Google SecOps to a Google Cloud Storage bucket that you control, and it provides a more secure and scalable data archival experience than the legacy Data Export API feature. </p>
<p>Here's what's new:</p>
<ul>
<li><strong>Advanced data filtering</strong>: the API now lets you additionally scope export jobs using namespaces and ingestion labels.</li>
<li><strong>Zero-trust security (customer-managed encryption keys)</strong>: full integration with Google Cloud Key Management Service (KMS) ensures that all exported data is encrypted with customer-managed keys.</li>
<li><strong>Identity-aware extraction (RBAC)</strong>: export jobs now inherit the data RBAC scope of users creating an export job, preventing unauthorized data extraction.</li>
</ul>
<aside class="note"><strong>Note:</strong><span> It might take one to six days before you see the changes reflected in your region. </span></aside><aside class="special"><strong>Important:</strong><span> You need to update your API settings to call the new <code>v1</code> endpoint instead of the <code>v1alpha</code> endpoint. For example, to create a new data export job, you need to update the existing endpoint <code>POST https://chronicle.{region}.rep.googleapis.com/v1alpha/{parent}/dataExports</code> to the new endpoint <code>POST https://chronicle.{region}.rep.googleapis.com/v1/{parent}/dataExports</code>.</span></aside>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/reference/data-export-api-enhanced">Data Export API (enhanced)</a>.</p>
<h3>Deprecated</h3>
<p>The legacy Data Export API is <a href="https://docs.cloud.google.com/chronicle/docs/deprecations">deprecated</a> in favor of the <a href="https://docs.cloud.google.com/chronicle/docs/reference/data-export-api-enhanced">enhanced Data Export API</a>, which provides a more secure and scalable data archival experience. After June 18, 2026, legacy Data Export API won't work.</p>
<h3>Deprecated</h3>
<p>The <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.dataExports/fetchavailablelogtypes"><code>fetchavailablelogtypes</code></a> API endpoint is <a href="https://docs.cloud.google.com/chronicle/docs/deprecations">deprecated</a> in favor of the <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.logTypes/list"><code>list</code> endpoint</a>. After June 18, 2026, the <code>fetchavailablelogtypes</code> API endpoint won't work.</p>
<h3>Deprecated</h3>
<p>The <code>updateDataExport</code> endpoint in the enhanced Data Export API is <a href="https://docs.cloud.google.com/chronicle/docs/deprecations">deprecated</a>. The reduction in job queue times using the <a href="https://docs.cloud.google.com/chronicle/docs/reference/data-export-api-enhanced">enhanced Data Export API</a> has eliminated the need for the update functionality of the <code>updateDataExport</code> API endpoint. The <code>updateDataExport</code> endpoint was present in v1alpha only; it wasn't present in in v1beta or v1. After June 18, 2026, the <code>updateDataExport</code> API endpoint won't work. You can still cancel queued export jobs.</p>
<h3>Deprecated</h3>
<p>The <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.dataExports#DataExport:%7E:text=05%3A30%22.-,logType,to%20export.%20Format%3A%20projects/%7Bproject%7D/locations/%7Blocation%7D/instances/%7Binstance%7D/logTypes/%7BlogType%7D,-gcsBucket"><code>logType</code></a> field in the enhanced Data Export API is <a href="https://docs.cloud.google.com/chronicle/docs/deprecations">deprecated</a> in favor of the new (optional)<code>includeLogTypes</code> field, which supports an array of log types for data filtering. If left blank, the export job includes all log types by default. The <code>logType</code> field was present in v1alpha only; it wasn't present in in v1beta or v1. After June 18, 2026, the <code>logType</code> field is discontinued. </p>
]]>
    </content>
  </entry>

  <entry>
    <title>May 17, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#May_17_2026</id>
    <updated>2026-05-17T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#May_17_2026"/>
    <content type="html"><![CDATA[<h3>Announcement</h3>
<p><strong>New parser documentation now available</strong></p>
<p>New parser documentation is available to help you ingest and normalize logs from the following sources:</p>
<ul>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/velo-firewall">Collect Arista VeloCloud SD-WAN logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/windows-defender-atp">Collect Microsoft Defender for Endpoint logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/windchill">Collect PTC Windchill logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/steelhead">Collect Riverbed SteelHead logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/sangfor-proxy">Collect Sangfor Proxy logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/sap-btp">Collect SAP BTP logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/sap-netweaver">Collect SAP NetWeaver logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/sap-sm20">Collect SAP SM20 logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/sap-successfactors">Collect SAP SuccessFactors logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/sap-ase">Collect SAP Sybase ASE logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/saviynt-eip">Collect Saviynt Enterprise Identity Cloud logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/securelink">Collect SecureLink logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/semperis-dsp">Collect Semperis DSP logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/sonrai">Collect Sonrai Security logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/soti-mobicontrol">Collect SOTI MobiControl logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/splunk-attack-analyzer">Collect Splunk Attack Analyzer logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/spycloud">Collect SpyCloud logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/stealthbits-audit">Collect Stealthbits Audit logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/stealthbits-defend">Collect Stealthbits StealthDEFEND logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/stix">Collect STIX Threat Intelligence logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/swift-amh">Collect Swift Alliance Messaging Hub logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/symantec-mail">Collect Symantec Messaging Gateway logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/symantec-sa">Collect Symantec Security Analytics logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/tableau">Collect Tableau logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/talon">Collect Talon logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/tcpwave-ddi">Collect TCPWave DDI logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/teleport-access-plane">Collect Teleport Access Plane logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/tenable-audit">Collect Tenable Audit logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/tenable-cspm">Collect Tenable CSPM logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/teradata-db">Collect Teradata Database logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/terraform-enterprise">Collect Terraform Enterprise logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/tetragon-ebpf-audit-logs">Collect Tetragon eBPF audit logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/threatlocker">Collect ThreatLocker Platform logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/threatx-waf">Collect ThreatX WAF logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/tintri">Collect Tintri logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/trendmicro-apex-central">Collect Trend Micro Apex Central logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/uberagent">Collect uberAgent logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/ubika-waf">Collect Ubika WAF logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/ukg">Collect UKG logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/upx-antiddos">Collect UPX AntiDDoS logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/verba-rec">Collect Verba Recording System logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/vercel-waf">Collect Vercel WAF logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/virtru-email-encryption">Collect Virtru Email Encryption logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/watchguard-edr">Collect WatchGuard EDR logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/windows-applocker">Collect Windows AppLocker logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/windows-defender-av">Collect Windows Defender Antivirus logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/windows-firewall">Collect Windows Firewall logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/windows-hyperv">Collect Windows Hyper-V logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/windows-net-policy-server">Collect Windows Network Policy Server logs</a></li>
</ul>
]]>
    </content>
  </entry>

  <entry>
    <title>May 12, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#May_12_2026</id>
    <updated>2026-05-12T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#May_12_2026"/>
    <content type="html"><![CDATA[<h3>Change</h3>
<p><strong>Time range selection for searches</strong></p>
<p>Google SecOps has now added relative and absolute time range options to define
the required time period for retrieving search results.</p>
<ul>
<li><strong>Relative time range</strong>: Set a search window looking backward from the current time
using custom intervals.</li>
<li><strong>Absolute time range</strong>: Define fixed start and end times using calendar presets,
exact date and time selections, or event-based timeframes.</li>
</ul>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/investigation/udm-search#setDateTime">Set the date and time range</a>.</p>
<aside class="note"><strong>Note:</strong><span> This change follows a phased rollout from <strong>May 12, 2026</strong>, to <strong>May 18, 2026</strong>.
Reach out to support if you do not see the new limits applied to your environment
after <strong>May 18, 2026</strong>.</span></aside>
]]>
    </content>
  </entry>

  <entry>
    <title>May 05, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#May_05_2026</id>
    <updated>2026-05-05T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#May_05_2026"/>
    <content type="html"><![CDATA[<h3>Change</h3>
<p>Google SecOps has updated the list of list of <a href="https://docs.cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers">supported default parsers</a>. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.</p>
<p>The following supported default parsers have been updated. Each parser is listed by product name and <code>log_type</code> value, where applicable. This list includes both released default parsers and pending parser updates.</p>
<ul>
<li>Akeyless Vault Platform (<code>AKEYLESS_VAULT</code>)</li>
<li>Apache Cassandra (<code>CASSANDRA</code>)</li>
<li>Aruba (<code>ARUBA_WIRELESS</code>)</li>
<li>Aruba EdgeConnect SD-WAN (<code>ARUBA_EDGECONNECT_SDWAN</code>)</li>
<li>Auth0 (<code>AUTH_ZERO</code>)</li>
<li>AWS Aurora (<code>AWS_AURORA</code>)</li>
<li>AWS EC2 VPCs (<code>AWS_EC2_VPCS</code>)</li>
<li>AWS Security Hub (<code>AWS_SECURITY_HUB</code>)</li>
<li>Azure Firewall (<code>AZURE_FIREWALL</code>)</li>
<li>Azure Front Door (<code>AZURE_FRONT_DOOR</code>)</li>
<li>Barracuda CloudGen Firewall (<code>BARRACUDA_CLOUDGEN_FIREWALL</code>)</li>
<li>Blue Coat Proxy (<code>BLUECOAT_WEBPROXY</code>)</li>
<li>Check Point (<code>CHECKPOINT_FIREWALL</code>)</li>
<li>Check Point Sandblast (<code>CHECKPOINT_EDR</code>)</li>
<li>Checkpoint SmartDefense (<code>CHECKPOINT_SMARTDEFENSE</code>)</li>
<li>Chronicle SOAR Audit (<code>CHRONICLE_SOAR_AUDIT</code>)</li>
<li>Cisco Application Centric Infrastructure (<code>CISCO_ACI</code>)</li>
<li>Cisco ASA (<code>CISCO_ASA_FIREWALL</code>)</li>
<li>Cisco FireSIGHT Management Center (<code>CISCO_FIRESIGHT</code>)</li>
<li>Cisco Internetwork Operating System (<code>CISCO_IOS</code>)</li>
<li>Cisco ISE (<code>CISCO_ISE</code>)</li>
<li>Cisco Meraki (<code>CISCO_MERAKI</code>)</li>
<li>Cisco Secure Access (<code>CISCO_SECURE_ACCESS</code>)</li>
<li>Cisco Secure Workload (<code>CISCO_SECURE_WORKLOAD</code>)</li>
<li>Cisco Switch (<code>CISCO_SWITCH</code>)</li>
<li>Cisco Umbrella Audit (<code>CISCO_UMBRELLA_AUDIT</code>)</li>
<li>Cisco WLC/WCS (<code>CISCO_WIRELESS</code>)</li>
<li>Citrix Netscaler (<code>CITRIX_NETSCALER</code>)</li>
<li>Claroty Xdome (<code>CLAROTY_XDOME</code>)</li>
<li>Cloudflare Warp (<code>CLOUDFLARE_WARP</code>)</li>
<li>CrowdStrike Alerts API (<code>CS_ALERTS</code>)</li>
<li>CrowdStrike Falcon (<code>CS_EDR</code>)</li>
<li>CyberArk (<code>CYBERARK</code>)</li>
<li>CyberArk Privileged Access Manager (PAM) (<code>CYBERARK_PAM</code>)</li>
<li>EPIC Systems (<code>EPIC</code>)</li>
<li>F5 ASM (<code>F5_ASM</code>)</li>
<li>F5 BIGIP Access Policy Manager (<code>F5_BIGIP_APM</code>)</li>
<li>F5 BIGIP LTM (<code>F5_BIGIP_LTM</code>)</li>
<li>F5 Distributed Cloud Services (<code>F5_DCS</code>)</li>
<li>FireEye eMPS (<code>FIREEYE_EMPS</code>)</li>
<li>FireEye NX (<code>FIREEYE_NX</code>)</li>
<li>FortiGate (<code>FORTINET_FIREWALL</code>)</li>
<li>Fortinet FortiEDR (<code>FORTINET_FORTIEDR</code>)</li>
<li>Fortinet Proxy (<code>FORTINET_WEBPROXY</code>)</li>
<li>GitHub (<code>GITHUB</code>)</li>
<li>Google Cloud Audit (<code>GCP_CLOUDAUDIT</code>)</li>
<li>Google Threat Intelligence IOC (<code>GTI_IOC</code>)</li>
<li>Guardicore Centra (<code>GUARDICORE_CENTRA</code>)</li>
<li>HP Aruba (ClearPass) (<code>CLEARPASS</code>)</li>
<li>Huawei Switches (<code>HUAWEI_SWITCH</code>)</li>
<li>IBM Websphere Application Server (<code>IBM_WEBSPHERE_APP_SERVER</code>)</li>
<li>IBM z/OS (<code>IBM_ZOS</code>)</li>
<li>Imperva SecureSphere Management (<code>IMPERVA_SECURESPHERE</code>)</li>
<li>Infoblox (<code>INFOBLOX</code>)</li>
<li>Juniper (<code>JUNIPER_FIREWALL</code>)</li>
<li>Kubernetes Node (<code>KUBERNETES_NODE</code>)</li>
<li>Linux Auditing System (AuditD) (<code>AUDITD</code>)</li>
<li>ManageEngine ADManager Plus (<code>ADMANAGER_PLUS</code>)</li>
<li>McAfee ePolicy Orchestrator (<code>MCAFEE_EPO</code>)</li>
<li>McAfee Web Gateway (<code>MCAFEE_WEBPROXY</code>)</li>
<li>Microsoft Defender For Cloud (<code>MICROSOFT_DEFENDER_CLOUD_ALERTS</code>)</li>
<li>Microsoft Defender for Endpoint (<code>MICROSOFT_DEFENDER_ENDPOINT</code>)</li>
<li>Microsoft Defender for Identity (<code>MICROSOFT_DEFENDER_IDENTITY</code>)</li>
<li>Microsoft Graph API Alerts (<code>MICROSOFT_GRAPH_ALERT</code>)</li>
<li>Microsoft IIS (<code>IIS</code>)</li>
<li>Mobileiron (<code>MOBILEIRON</code>)</li>
<li>Model Armor (<code>GCP_MODEL_ARMOR</code>)</li>
<li>MySQL (<code>MYSQL</code>)</li>
<li>Netskope Web Proxy (<code>NETSKOPE_WEBPROXY</code>)</li>
<li>Noname API Security (<code>NONAME_API_SECURITY</code>)</li>
<li>Office 365 (<code>OFFICE_365</code>)</li>
<li>Okta (<code>OKTA</code>)</li>
<li>Oracle Cloud Infrastructure Audit Logs (<code>OCI_AUDIT</code>)</li>
<li>Oracle NetSuite (<code>ORACLE_NETSUITE</code>)</li>
<li>Palo Alto Networks Firewall (<code>PAN_FIREWALL</code>)</li>
<li>Palo Alto Panorama (<code>PAN_PANORAMA</code>)</li>
<li>Palo Alto Prisma Access (<code>PAN_CASB</code>)</li>
<li>Palo Alto Prisma Cloud Alert payload (<code>PAN_PRISMA_CA</code>)</li>
<li>Ping Identity (<code>PING</code>)</li>
<li>PostFix Mail (<code>POSTFIX_MAIL</code>)</li>
<li>Proofpoint On Demand (<code>PROOFPOINT_ON_DEMAND</code>)</li>
<li>Proofpoint Tap Alerts (<code>PROOFPOINT_MAIL</code>)</li>
<li>Proofpoint Threat Response (<code>PROOFPOINT_TRAP</code>)</li>
<li>Radware Web Application Firewall (<code>RADWARE_FIREWALL</code>)</li>
<li>Rapid7 Insight (<code>RAPID7_INSIGHT</code>)</li>
<li>SAP Hana Audit (<code>SAP_HANA_AUDIT</code>)</li>
<li>SecureAuth (<code>SECUREAUTH_SSO</code>)</li>
<li>Security Command Center Posture Violation (<code>GCP_SECURITYCENTER_POSTURE_VIOLATION</code>)</li>
<li>Security Command Center Threat (<code>GCP_SECURITYCENTER_THREAT</code>)</li>
<li>Security Command Center Toxic Combination (<code>GCP_SECURITYCENTER_TOXIC_COMBINATION</code>)</li>
<li>SentinelOne Deep Visibility (<code>SENTINEL_DV</code>)</li>
<li>SentinelOne Singularity Cloud Funnel (<code>SENTINELONE_CF</code>)</li>
<li>Silverfort Authentication Platform (<code>SILVERFORT</code>)</li>
<li>SiteMinder Web Access Management (<code>CA_SSO_WEB</code>)</li>
<li>SonicWall (<code>SONIC_FIREWALL</code>)</li>
<li>Squid Web Proxy (<code>SQUID_WEBPROXY</code>)</li>
<li>STIX Threat Intelligence (<code>STIX</code>)</li>
<li>Suricata EVE (<code>SURICATA_EVE</code>)</li>
<li>Sysdig (<code>SYSDIG</code>)</li>
<li>Tanium Threat Response (<code>TANIUM_THREAT_RESPONSE</code>)</li>
<li>Thinkst Canary (<code>THINKST_CANARY</code>)</li>
<li>Trend Micro Apex one (<code>TRENDMICRO_APEX_ONE</code>)</li>
<li>Unix system (<code>NIX_SYSTEM</code>)</li>
<li>Vectra XDR (<code>VECTRA_XDR</code>)</li>
<li>VMware ESXi (<code>VMWARE_ESX</code>)</li>
<li>Wallix Bastion (<code>WALLIX_BASTION</code>)</li>
<li>WatchGuard (<code>WATCHGUARD</code>)</li>
<li>Windows Defender AV (<code>WINDOWS_DEFENDER_AV</code>)</li>
<li>Windows DNS (<code>WINDOWS_DNS</code>)</li>
<li>Windows Event (<code>WINEVTLOG</code>)</li>
<li>Windows Event (XML) (<code>WINEVTLOG_XML</code>)</li>
<li>wiz.io (<code>WIZ_IO</code>)</li>
<li>Zscaler Email DLP (<code>ZSCALER_EMAIL_DLP</code>)</li>
</ul>
<p>The following log types were added without a default parser. Each parser is listed by product name and <code>log_type</code> value, where applicable.</p>
<ul>
<li>Altiris Logs (<code>ALTIRIS_LOGS</code>)</li>
<li>Aruba Access Point (<code>ARUBA_AP</code>)</li>
<li>BloxOne Threat Defense DHCP (<code>BLOXONE_DHCP</code>)</li>
<li>Checkmarx One (<code>CHECKMARX_ONE</code>)</li>
<li>Cisco Nexus Dashboard Orchestrator (<code>CISCO_NDO</code>)</li>
<li>CrowdStrike Cloud Security (<code>CROWDSTRIKE_CSPM</code>)</li>
<li>F5 F5OS-A Logging (<code>F5_F5OS_A</code>)</li>
<li>GateWatcher NDR (<code>GATEWATCHER_NDR</code>)</li>
<li>Hashicorp Terraform (<code>HASHICORP_TERRAFORM</code>)</li>
<li>Jamf Protect Alerts V2 (<code>JAMF_PROTECT_V2</code>)</li>
<li>Oracle Cloud Infrastructure Web Application Firewall (<code>OCI_WAF</code>)</li>
<li>Qualys File Integrity Monitoring (<code>QUALYS_FIM</code>)</li>
<li>SailPoint IdentityNow (<code>SAILPOINT_IDENTITYNOW</code>)</li>
<li>ServiceNow Certificate Logs (<code>SERVICENOW_CERTIFICATE</code>)</li>
<li>ServiceNow User Logs (<code>SERVICENOW_USER</code>)</li>
<li>ServiceNow User Login History (<code>SERVICENOW_USER_LOGIN_HISTORY</code>)</li>
<li>SiteGuard Server (<code>SITEGUARD_SERVER</code>)</li>
<li>Tosi Hub (<code>TOSI_HUB</code>)</li>
<li>Trellix Network Detection and Response (<code>TRELLIX_NDR</code>)</li>
</ul>
]]>
    </content>
  </entry>

  <entry>
    <title>April 22, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#April_22_2026</id>
    <updated>2026-04-22T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#April_22_2026"/>
    <content type="html"><![CDATA[<h3>Deprecated</h3>
<p>Support for the legacy Google Security Operations SIEM infrastructure will end on April 30, 2027. After this date, you will no longer have access to your Google SecOps SIEM instance on the legacy infrastructure. You need to self-migrate Google Security Operations SIEM in legacy Infrastructure to Google Cloud to align with industry standards and improve your reliability, privacy, security, compliance, and granular access controls. Follow the <a href="https://docs.cloud.google.com/chronicle/docs/administration/migrate-legacy-siem-infra">Migration guide</a> and <a href="https://security.googlecloudcommunity.com/community-blog-42/elevate-your-defense-modernizing-google-secops-for-the-agentic-soc-7087">Community post</a> to begin your transition. </p>
<p>This migration applies to you <strong>only</strong> if your SIEM instance meets <strong>one of the conditions</strong> below:</p>
<ul>
<li>Not deployed in your Google Cloud Project</li>
<li>Not using Google Cloud Authentication (Workforce Identity Federation / Cloud Identity)</li>
<li>Not using Google Cloud IAM for Feature Role based access controls.</li>
</ul>
<p>This migration <strong>does not apply</strong> to you if your SIEM instance meets <strong>all the conditions</strong> below:</p>
<ul>
<li>Is deployed in your Google Cloud project</li>
<li>Uses Workforce Identity Federation or Cloud Identity for authentication</li>
<li>Uses Google Cloud IAM to manage granular access permissions</li>
</ul>
]]>
    </content>
  </entry>

  <entry>
    <title>April 19, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#April_19_2026</id>
    <updated>2026-04-19T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#April_19_2026"/>
    <content type="html"><![CDATA[<h3>Announcement</h3>
<p><strong>New parser documentation now available</strong></p>
<p>New parser documentation is available to help you ingest and normalize logs from the following sources:</p>
<ul>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/group-ib">Collect Group-IB Threat Intelligence logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/microsoft-scep">Collect Microsoft System Center Endpoint Protection (SCEP) logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/nagios">Collect Nagios XI logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/neo4j">Collect Neo4j Aura logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/nucleus-vulnerability">Collect Nucleus Security - Nucleus Unified Vulnerability Management logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/nyansa-events">Collect Nyansa Voyance / VMware Edge Network Intelligence logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/okera-dap">Collect Okera Dynamic Access Platform (ODAP) audit logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/okta-scaleft">Collect Okta Advanced Server Access logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/onapsis">Collect Onapsis Platform logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/oneidentity-tpam">Collect One Identity TPAM logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/oci-cloudguard">Collect Oracle Cloud Infrastructure - Oracle Cloud Guard logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/oort">Collect Cisco Identity Intelligence logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/sharepoint">Collect Microsoft SharePoint (Office 365) logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/netapp-bluexp">Collect NetApp Console (formerly BlueXP) audit logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/netwrix">Collect Netwrix Auditor logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/vitalqip">Collect Nokia VitalQIP DDI logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/openai-auditlog">Collect OpenAI Audit logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/netflow-otel">Collect OpenTelemetry Netflow Receiver logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/oracle-fusion">Collect Oracle Fusion Cloud Applications logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/net-suite">Collect Oracle NetSuite - NetSuite Applications Suite logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/oracle-netsuite">Collect Oracle NetSuite logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/vectra-alerts">Collect Vectra Alerts logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/vectra-xdr">Collect Vectra XDR logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/winevtlog-xml">Collect Windows Event logs (XML format)</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/winscp">Collect WinSCP logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/workday-user-activity">Collect Workday User Activity logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/wpengine">Collect WP Engine logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/xiting-xams">Collect XAMS by Xiting logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/yubico-otp">Collect Yubico OTP logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/zero-networks">Collect Zero Networks logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/zix-email-encryption">Collect Zix Email Encryption logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/zscaler-nss-feeds">Collect Zscaler NSS Feeds for Alerts logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/zywall">Collect ZyXEL ZyWALL logs</a></li>
</ul>
]]>
    </content>
  </entry>

  <entry>
    <title>April 08, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#April_08_2026</id>
    <updated>2026-04-08T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#April_08_2026"/>
    <content type="html"><![CDATA[<h3>Announcement</h3>
<p><strong>Emerging Threats Center general availability</strong></p>
<p>The <strong>Emerging Threats Center</strong> is now in General Availability (GA) and includes
the following new features and enhancements:</p>
<ul>
<li><strong>Expanded campaign filtering:</strong> Filter the Emerging Threats feed by new
categories, including associated malware, tools, and threat actors.</li>
<li><strong>MITRE ATT&amp;CK matrix visualization:</strong> Evaluate your detection rule coverage
for specific tactics, techniques, and procedures (TTPs) using the new
visualization matrix in the <strong>Associated Rules</strong> panel. You can customize
heat map metrics, filter the matrix by rule or alerting status, and view
detailed context for specific sub-techniques.</li>
<li><strong>Enhanced Entity context panel:</strong> Investigate an indicator of compromise (IoC)
using the <strong>Entity context</strong> panel to view its point-in-time state and related
cases.</li>
<li><strong>GTI-associated IoC categories:</strong> Filter GTI-associated IoCs by specific
categories, including <strong>Files</strong>, <strong>URLs</strong>, <strong>Domains</strong>, and <strong>IPs</strong>.</li>
</ul>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/detection/emerging-threats">Emerging Threats Center overview</a>
and <a href="https://docs.cloud.google.com/chronicle/docs/detection/emerging-threats-detailed-view">Emerging Threats Center detail view</a>. </p>
]]>
    </content>
  </entry>

  <entry>
    <title>April 07, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#April_07_2026</id>
    <updated>2026-04-07T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#April_07_2026"/>
    <content type="html"><![CDATA[<h3>Change</h3>
<p><strong>Search query editor enhancements</strong></p>
<p>Google SecOps has enhanced the search query editor to  provide intelligent
auto-suggestions and improved error handling.</p>
<ul>
<li><strong>Auto-suggestions</strong>: The query editor now provides context-aware auto-suggestions
for fields, operators, and valid values as you type. </li>
<li><strong>Error handling</strong>: The editor now highlights syntax errors with a red squiggly
line and displays a tooltip with the specific error description when you hover
over it. Additionally, runtime errors now display persistently in the <strong>Results panel</strong>
to assist with troubleshooting.</li>
</ul>
<p>For more information, see
<a href="https://docs.cloud.google.com/chronicle/docs/investigation/udm-search#search_autosuggestions">Use auto-suggestions to build queries</a>.</p>
<aside class="note"><strong>Note:</strong><span> This change follows a phased rollout from <strong>April 07, 2026</strong>, to <strong>April 10, 2026</strong>.
Reach out to support if you do not see the new limits applied to your environment
after <strong>April 10, 2026</strong>.</span></aside>
<h3>Feature</h3>
<p><strong>Health Hub</strong></p>
<p>This feature is currently in Preview.</p>
<p>The <strong>Health Hub</strong> is the central location in Google Security Operations for you to monitor the status and health of all configured data sources. The <strong>Health Hub</strong> provides crucial information on data sources and log types, offering the context needed to diagnose and remediate data pipeline issues.</p>
<p>The <strong>Health Hub</strong> includes information about the following:</p>
<ul>
<li>Ingestion volumes and ingestion health.</li>
<li>Parsing volumes from raw logs to <a href="https://docs.cloud.google.com/chronicle/docs/event-processing/udm-overview">Unified Data Model (UDM) events</a>.</li>
<li>Context and links to interfaces with additional relevant information and functionality.</li>
<li>Irregular and failed sources and log types. </li>
</ul>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/reports/data-health-monitoring-and-troubleshooting-dashboard">Use the Health Hub</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>April 06, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#April_06_2026</id>
    <updated>2026-04-06T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#April_06_2026"/>
    <content type="html"><![CDATA[<h3>Change</h3>
<p><strong>Updates to search query limits and error messaging</strong></p>
<p>Google SecOps has updated search query limits for programmatic and web interface
access:</p>
<ul>
<li>Increased Queries Per Hour (QPH) limits of up to 2,000 for APIs and 1,000
for the web interface.</li>
<li>New concurrency limits for both simple and complex queries.</li>
<li>More descriptive error messages for quota failures in the API and web interface.</li>
</ul>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/investigation/udm-search#QPHlimits">Search limits and quotas</a></p>
<aside class="note"><strong>Note:</strong><span> This change follows a phased rollout from <strong>April 06, 2026</strong>, to <strong>May 31, 2026</strong>.
Contact Support if you don't see the new limits applied to your environment after
<strong>May 31, 2026</strong>.</span></aside>
<h3>Deprecated</h3>
<p><strong>v1 Cloud Storage Feed Types (GCS, S3, SQS, Azure)</strong></p>
<p>The v1 feed types for <code>GOOGLE_CLOUD_STORAGE</code>, <code>AMAZON_S3</code>, <code>AMAZON_SQS</code>, and <code>AZURE_BLOBSTORE</code> are deprecated and will be discontinued on <strong>March 15, 2027</strong>. The new v2 feed types uses the Google Cloud Storage Transfer Service (STS) to provide improved performance, scalability, and reliability.</p>
<p>To ensure continued ingestion, transition your feeds before the March 15, 2027 shutdown date:</p>
<ul>
<li>Google SecOps will automatically migrate your feeds using v1 feed types to v2 in waves starting from April 6, 2026. To facilitate this, some feeds may require additional IP allowlist or service account permission updates. You can also self-migrate by replacing your existing data feeds with new feeds using v2 feed types.</li>
</ul>
<p>You can also self-migrate by creating new feeds using v2 feed types to substitute your existing feeds using v1 feed types by following the steps documented in our <a href="https://docs.cloud.google.com/chronicle/docs/reference/feed-management-api#source-types">feed configuration guides</a> before March 15, 2027.</p>
<p><strong>Key Dates:</strong></p>
<ul>
<li><strong>April 6, 2026:</strong> Transition begins; auto-migration available.</li>
<li><strong>September 15, 2026:</strong> Support for v1 feeds is discontinued.</li>
<li><strong>March 15, 2027:</strong> v1 feeds reach End of Life (EOL) and will stop returning data.</li>
</ul>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/deprecations">Feature deprecations</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>April 03, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#April_03_2026</id>
    <updated>2026-04-03T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#April_03_2026"/>
    <content type="html"><![CDATA[<h3>Change</h3>
<p>Google Security Operations has updated the list of <a href="https://docs.cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers">supported default parsers</a>. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.</p>
<p>The following supported default parsers have been updated. Each parser is listed by product name and <code>log_type</code> value, where applicable. This list includes both released default parsers and pending parser updates.</p>
<ul>
<li>Abnormal Security (<code>ABNORMAL_SECURITY</code>)</li>
<li>Active Countermeasures (<code>AI_HUNTER</code>)</li>
<li>AIX system (<code>AIX_SYSTEM</code>)</li>
<li>Apache (<code>APACHE</code>)</li>
<li>Apache Cassandra (<code>CASSANDRA</code>)</li>
<li>Aruba (<code>ARUBA_WIRELESS</code>)</li>
<li>Aruba EdgeConnect SD-WAN (<code>ARUBA_EDGECONNECT_SDWAN</code>)</li>
<li>Auth0 (<code>AUTH_ZERO</code>)</li>
<li>AWS Aurora (<code>AWS_AURORA</code>)</li>
<li>AWS CloudFront (<code>AWS_CLOUDFRONT</code>)</li>
<li>AWS Cloudtrail (<code>AWS_CLOUDTRAIL</code>)</li>
<li>AWS CloudWatch (<code>AWS_CLOUDWATCH</code>)</li>
<li>AWS VPC Flow (<code>AWS_VPC_FLOW</code>)</li>
<li>AWS WAF (<code>AWS_WAF</code>)</li>
<li>Azure AD (<code>AZURE_AD</code>)</li>
<li>Azure AD Directory Audit (<code>AZURE_AD_AUDIT</code>)</li>
<li>Azure Front Door (<code>AZURE_FRONT_DOOR</code>)</li>
<li>Azure SQL (<code>AZURE_SQL</code>)</li>
<li>BeyondTrust (<code>BOMGAR</code>)</li>
<li>BeyondTrust BeyondInsight (<code>BEYONDTRUST_BEYONDINSIGHT</code>)</li>
<li>Blue Coat Proxy (<code>BLUECOAT_WEBPROXY</code>)</li>
<li>Broadcom Support Portal Audit Logs (<code>BROADCOM_SUPPORT_PORTAL</code>)</li>
<li>Check Point Harmony (<code>CHECKPOINT_HARMONY</code>)</li>
<li>Chronicle SOAR Audit (<code>CHRONICLE_SOAR_AUDIT</code>)</li>
<li>Cisco ASA (<code>CISCO_ASA_FIREWALL</code>)</li>
<li>Cisco Email Security (<code>CISCO_EMAIL_SECURITY</code>)</li>
<li>Cisco ISE (<code>CISCO_ISE</code>)</li>
<li>Cisco Meraki (<code>CISCO_MERAKI</code>)</li>
<li>Cisco Secure Access (<code>CISCO_SECURE_ACCESS</code>)</li>
<li>Cisco Switch (<code>CISCO_SWITCH</code>)</li>
<li>Cisco Umbrella Audit (<code>CISCO_UMBRELLA_AUDIT</code>)</li>
<li>Cisco Umbrella DNS (<code>UMBRELLA_DNS</code>)</li>
<li>Cisco WSA (<code>CISCO_WSA</code>)</li>
<li>Cloud DNS (<code>GCP_DNS</code>)</li>
<li>Cloud SQL (<code>GCP_CLOUDSQL</code>)</li>
<li>Cloudflare (<code>CLOUDFLARE</code>)</li>
<li>Cloudflare Warp (<code>CLOUDFLARE_WARP</code>)</li>
<li>Code42 Incydr (<code>CODE42_INCYDR</code>)</li>
<li>CrowdStrike Alerts API (<code>CS_ALERTS</code>)</li>
<li>CrowdStrike Falcon (<code>CS_EDR</code>)</li>
<li>CrowdStrike Falcon Stream (<code>CS_STREAM</code>)</li>
<li>CyberArk Privileged Access Manager (PAM) (<code>CYBERARK_PAM</code>)</li>
<li>Cybereason EDR (<code>CYBEREASON_EDR</code>)</li>
<li>CYJAX Threat Intelligence (<code>CYJAX_THREAT_INTELLIGENCE</code>)</li>
<li>Cyware Threat Intelligence Exchange (<code>CTIX</code>)</li>
<li>Databricks (<code>DATABRICKS</code>)</li>
<li>Duo Auth (<code>DUO_AUTH</code>)</li>
<li>Elastic Defend (<code>ELASTIC_DEFEND</code>)</li>
<li>ESET AV (<code>ESET_AV</code>)</li>
<li>F5 ASM (<code>F5_ASM</code>)</li>
<li>F5 BIGIP Access Policy Manager (<code>F5_BIGIP_APM</code>)</li>
<li>FireEye eMPS (<code>FIREEYE_EMPS</code>)</li>
<li>FireEye ETP (<code>FIREEYE_ETP</code>)</li>
<li>FireEye NX (<code>FIREEYE_NX</code>)</li>
<li>Forescout NAC (<code>FORESCOUT_NAC</code>)</li>
<li>ForgeRock Identity Cloud (<code>FORGEROCK_IDENTITY_CLOUD</code>)</li>
<li>Fortinet FortiAnalyzer (<code>FORTINET_FORTIANALYZER</code>)</li>
<li>GitHub (<code>GITHUB</code>)</li>
<li>Google Threat Intelligence IOC (<code>GTI_IOC</code>)</li>
<li>HP Aruba (ClearPass) (<code>CLEARPASS</code>)</li>
<li>Huawei Switches (<code>HUAWEI_SWITCH</code>)</li>
<li>IBM DataPower Gateway (<code>IBM_DATAPOWER</code>)</li>
<li>IBM Safenet (<code>IBM_SAFENET</code>)</li>
<li>IBM Websphere Application Server (<code>IBM_WEBSPHERE_APP_SERVER</code>)</li>
<li>Imperva Advanced Bot Protection (<code>IMPERVA_ABP</code>)</li>
<li>Imperva SecureSphere Management (<code>IMPERVA_SECURESPHERE</code>)</li>
<li>Juniper (<code>JUNIPER_FIREWALL</code>)</li>
<li>Kolide Endpoint Security (<code>KOLIDE</code>)</li>
<li>Kubernetes Audit (<code>KUBERNETES_AUDIT</code>)</li>
<li>Kubernetes Node (<code>KUBERNETES_NODE</code>)</li>
<li>Linux Auditing System (AuditD) (<code>AUDITD</code>)</li>
<li>Maria Database (<code>MARIA_DB</code>)</li>
<li>McAfee ePolicy Orchestrator (<code>MCAFEE_EPO</code>)</li>
<li>McAfee Skyhigh CASB (<code>MCAFEE_SKYHIGH_CASB</code>)</li>
<li>McAfee Web Gateway (<code>MCAFEE_WEBPROXY</code>)</li>
<li>Microsoft Azure Activity (<code>AZURE_ACTIVITY</code>)</li>
<li>Microsoft Defender For Cloud (<code>MICROSOFT_DEFENDER_CLOUD_ALERTS</code>)</li>
<li>Microsoft Graph API Alerts (<code>MICROSOFT_GRAPH_ALERT</code>)</li>
<li>Microsoft IIS (<code>IIS</code>)</li>
<li>Microsoft SQL Server (<code>MICROSOFT_SQL</code>)</li>
<li>Mimecast Mail V2 (<code>MIMECAST_MAIL_V2</code>)</li>
<li>Mobile Endpoint Security (<code>LOOKOUT_MOBILE_ENDPOINT_SECURITY</code>)</li>
<li>Mobileiron (<code>MOBILEIRON</code>)</li>
<li>NetApp ONTAP (<code>NETAPP_ONTAP</code>)</li>
<li>Netskope V2 (<code>NETSKOPE_ALERT_V2</code>)</li>
<li>Netskope Web Proxy (<code>NETSKOPE_WEBPROXY</code>)</li>
<li>Obsidian (<code>OBSIDIAN</code>)</li>
<li>Office 365 (<code>OFFICE_365</code>)</li>
<li>Oort Security Tool (<code>OORT</code>)</li>
<li>Oracle (<code>ORACLE_DB</code>)</li>
<li>Orca Cloud Security Platform (<code>ORCA</code>)</li>
<li>Palo Alto Cortex XDR Events (<code>PAN_CORTEX_XDR_EVENTS</code>)</li>
<li>Palo Alto Networks Firewall (<code>PAN_FIREWALL</code>)</li>
<li>Palo Alto Prisma Cloud Alert payload (<code>PAN_PRISMA_CA</code>)</li>
<li>PostFix Mail (<code>POSTFIX_MAIL</code>)</li>
<li>Proofpoint On Demand (<code>PROOFPOINT_ON_DEMAND</code>)</li>
<li>Proofpoint Tap Alerts (<code>PROOFPOINT_MAIL</code>)</li>
<li>Proofpoint Threat Response (<code>PROOFPOINT_TRAP</code>)</li>
<li>Radware Web Application Firewall (<code>RADWARE_FIREWALL</code>)</li>
<li>Red Hat OpenShift (<code>REDHAT_OPENSHIFT</code>)</li>
<li>Salesforce (<code>SALESFORCE</code>)</li>
<li>SAP Change Document (<code>SAP_CHANGE_DOCUMENT</code>)</li>
<li>SAP Gateway (<code>SAP_GATEWAY</code>)</li>
<li>SAP Hana Audit (<code>SAP_HANA_AUDIT</code>)</li>
<li>SAP Security Audit (<code>SAP_SECURITY_AUDIT</code>)</li>
<li>Security Command Center Posture Violation (<code>GCP_SECURITYCENTER_POSTURE_VIOLATION</code>)</li>
<li>Security Command Center Sensitive Data Risk (<code>GCP_SECURITYCENTER_SENSITIVE_DATA_RISK</code>)</li>
<li>Security Command Center Threat (<code>GCP_SECURITYCENTER_THREAT</code>)</li>
<li>Security Command Center Toxic Combination (<code>GCP_SECURITYCENTER_TOXIC_COMBINATION</code>)</li>
<li>Snyk Group level audit Logs (<code>SNYK_SDLC</code>)</li>
<li>Suricata EVE (<code>SURICATA_EVE</code>)</li>
<li>Symantec EDR (<code>SYMANTEC_EDR</code>)</li>
<li>Sysdig (<code>SYSDIG</code>)</li>
<li>Tenable Active Directory Security (<code>TENABLE_ADS</code>)</li>
<li>ThreatConnect IOC V3 (<code>THREATCONNECT_IOC_V3</code>)</li>
<li>Trellix HX Alerts (<code>TRELLIX_HX_ALERTS</code>)</li>
<li>Trellix HX Audit Events (<code>TRELLIX_HX_AUDIT</code>)</li>
<li>Trellix HX Event Streamer (<code>TRELLIX_HX_ES</code>)</li>
<li>Trellix HX Hosts (<code>TRELLIX_HX_HOSTS</code>)</li>
<li>Trend Micro Vision One Endpoint Vulnerabilities (<code>TRENDMICRO_VISION_ONE_ENDPOINT_VULNERABILITIES</code>)</li>
<li>Trend Micro Vision One Observerd Attack Techniques (<code>TRENDMICRO_VISION_ONE_OBSERVERD_ATTACK_TECHNIQUES</code>)</li>
<li>Trend Micro Vision One Workbench (<code>TRENDMICRO_VISION_ONE_WORKBENCH</code>)</li>
<li>TrendMicro Apex Central (<code>TRENDMICRO_APEX_CENTRAL</code>)</li>
<li>TXOne Stellar (<code>TRENDMICRO_STELLAR</code>)</li>
<li>Ubika Waf (<code>UBIKA_WAF</code>)</li>
<li>Unix system (<code>NIX_SYSTEM</code>)</li>
<li>Varonis (<code>VARONIS</code>)</li>
<li>Vmware Avinetworks iWAF (<code>VMWARE_AVINETWORKS_IWAF</code>)</li>
<li>VMware ESXi (<code>VMWARE_ESX</code>)</li>
<li>VMware Horizon (<code>VMWARE_HORIZON</code>)</li>
<li>Wallix Bastion (<code>WALLIX_BASTION</code>)</li>
<li>Windows DNS (<code>WINDOWS_DNS</code>)</li>
<li>Windows Event (<code>WINEVTLOG</code>)</li>
<li>Windows Event (XML) (<code>WINEVTLOG_XML</code>)</li>
<li>wiz.io (<code>WIZ_IO</code>)</li>
<li>Zeek JSON (<code>BRO_JSON</code>)</li>
<li>Zscaler (<code>ZSCALER_WEBPROXY</code>)</li>
</ul>
<p>The following log types were added without a default parser. Each parser is listed by product name and <code>log_type</code> value, where applicable.</p>
<ul>
<li>Action1 (<code>ACTION1</code>)</li>
<li>CDNetworks Cloud Security (<code>CDNETWORKS_CLOUD_SECURITY</code>)</li>
<li>Claude Compliance Logs (<code>CLAUDE_COMPLIANCE_LOGS</code>)</li>
<li>Dell RecoverPoint (<code>DELL_RECOVERPOINT</code>)</li>
<li>IBM Storwize (<code>IBM_STORWIZE</code>)</li>
<li>LeapXpert Audit Logs (<code>LEAPXPERT_AUDIT</code>)</li>
<li>Oracle Key Vault Audit Logs (<code>ORACLE_KEY_VAULT_AUDIT_LOGS</code>)</li>
<li>RSA Cloud (<code>RSA_CLOUD</code>)</li>
<li>ServiceNow Antivirus Activity (<code>SERVICENOW_ANTIVIRUS_ACTIVITY</code>)</li>
<li>ServiceNow Attachment (<code>SERVICENOW_ATTACHMENT</code>)</li>
<li>ServiceNow Email (<code>SERVICENOW_EMAIL</code>)</li>
<li>Versa Director (<code>VERSA_DIRECTOR</code>)</li>
<li>ZPE Systems NodeGrid (<code>ZPE_SYSTEMS_NODEGRID</code>)</li>
</ul>
]]>
    </content>
  </entry>

  <entry>
    <title>March 31, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#March_31_2026</id>
    <updated>2026-03-31T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#March_31_2026"/>
    <content type="html"><![CDATA[<h3>Feature</h3>
<p><strong>Multi-stage queries in YARA-L</strong></p>
<p>The Multi-stage queries feature is now GA. This feature lets you feed the output of one query stage into the input of another, providing more granular data transformation than a single, monolithic query.</p>
<p>You can use multi-stage queries in both Dashboards and Search to build sophisticated detection and visualization logic. No action is required to enable this feature.</p>
<p>Learn more about how to <a href="https://docs.cloud.google.com/chronicle/docs/investigation/multi-stage-yaral">create multi-stage queries with YARA-L 2.0</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>March 25, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#March_25_2026</id>
    <updated>2026-03-25T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#March_25_2026"/>
    <content type="html"><![CDATA[<h3>Feature</h3>
<p><strong>Credential validation for third-party API feed types</strong></p>
<p>Credential validation is now available for all 49 third-party API connectors.</p>
<p>When you create a feed using a third-party API feed type, Google SecOps now automatically validates the provided credentials. This ensures that if credentials are incorrect:</p>
<ul>
<li><strong>Immediate feedback</strong>: The web interface displays an error message explaining the configuration failure.</li>
<li><strong>Prevention of broken feeds</strong>: The system blocks the creation of the feed until valid credentials are provided, preventing the creation of broken feeds that fail to ingest data later.</li>
</ul>
]]>
    </content>
  </entry>

  <entry>
    <title>March 23, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#March_23_2026</id>
    <updated>2026-03-23T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#March_23_2026"/>
    <content type="html"><![CDATA[<h3>Announcement</h3>
<p><strong>New parser documentation now available</strong></p>
<p>New parser documentation is available to help you ingest and normalize logs from the following sources:</p>
<ul>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/umbrella-firewall">Collect Cisco Umbrella Cloud Firewall logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/umbrella-ip">Collect Cisco Umbrella IP logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/medigate-iot">Collect Claroty xDome for Healthcare logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/cloudm">Collect CloudM logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/digitalguardian-edr">Collect Digital Guardian EDR logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/dnsfilter">Collect DNSFilter logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/dope-swg">Collect Dope Security SWG logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/druva-backup">Collect Druva Backup logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/efficientip-ddi">Collect EfficientIP DDI logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/elastic-defend">Collect Elastic Defend logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/elastic-winlogbeat">Collect Elastic Windows Event Log Beats logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/ergon-informatik-airlock-iam">Collect Ergon Informatik Airlock IAM logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/eset-ioc">Collect ESET Threat Intelligence logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/f5-dcs">Collect F5 Distributed Cloud Services logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/f5-shape">Collect F5 Shape logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/f5-silverline">Collect F5 Silverline logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/falco-ids">Collect Falco IDS logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/fastly-cdn">Collect Fastly CDN logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/file-scanning-framework">Collect File Scanning Framework logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/fireeye-etp">Collect FireEye ETP logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/fireeye-hx-audit">Collect FireEye HX Audit logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/fireeye-nx-audit">Collect FireEye NX Audit logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/fivetran">Collect Fivetran logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/forcepoint-mail-relay">Collect Forcepoint Mail Relay logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/gitguardian-enterprise">Collect GitGuardian Enterprise logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/looker-audit">Collect Google Cloud Looker audit logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/guardicore-centra">Collect Guardicore Centra logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/hcl-bigfix">Collect HCL BigFix logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/hid-digitalpersona">Collect HID DigitalPersona logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/ibm-as400">Collect IBM AS/400 logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/informix">Collect IBM Informix logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/ibm-maas360">Collect IBM MaaS360 logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/ibm-mainframe-storage">Collect IBM Mainframe Storage logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/ibm-openpages">Collect IBM OpenPages logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/ibm-sam">Collect IBM Security Access Manager logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/ibm-sim">Collect IBM Security Identity Manager logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/iboss-webproxy">Collect iBoss Web Proxy logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/intel471-watcher-alerts">Collect Intel 471 Watcher Alerts logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/intel-ema">Collect Intel Endpoint Management Assistant logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/ionix">Collect IONIX Attack Surface Management logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/island-browser">Collect Island Enterprise Browser logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/jamf-telemetry-v2">Collect Jamf Protect Telemetry V2 logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/keycloak">Collect Keycloak logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/kong-gateway">Collect Kong Gateway logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/lenel-onguard">Collect LenelS2 OnGuard logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/lookout-mobile-endpoint-security">Collect Lookout Mobile Endpoint Security logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/lucid">Collect Lucid audit logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/manage-engine-reporter-plus">Collect ManageEngine Exchange Reporter Plus logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/mandiant-custom-ioc">Collect Mandiant Threat Intelligence Custom IOC logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/menlo-security">Collect Menlo Security Isolation Platform (MSIP) logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/metabase">Collect Metabase logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/microsoft-defender-endpoint-ios">Collect Microsoft Defender for Endpoint on iOS logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/microsoft-dynamics-365">Collect Microsoft Dynamics 365 User Activity logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/microsoft-ias">Collect Microsoft IAS / Network Policy Server (NPS) logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/microsoft-nps">Collect Microsoft Network Policy Server (NPS) logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/kubernetes-auth-proxy">Collect OAuth2 Proxy logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/office-365-messagetrace">Collect Office 365 Message Trace logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/ipswitch-moveit-transfer">Collect Progress MOVEit Transfer logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/arbor-sightline">Collect Netscout Arbor Sightline logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/mcafee-web-protection">Collect Skyhigh Secure Web Gateway (On-Premises) logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/malwarebytes-edr">Collect ThreatDown EDR logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/trellix-hx-alerts">Collect Trellix Endpoint Security (HX) alert logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/trellix-hx-audit">Collect Trellix Endpoint Security (HX) audit event logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/trellix-hx-hosts">Collect Trellix Endpoint Security (HX) host inventory logs</a></li>
</ul>
]]>
    </content>
  </entry>

  <entry>
    <title>March 18, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#March_18_2026</id>
    <updated>2026-03-18T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#March_18_2026"/>
    <content type="html"><![CDATA[<h3>Feature</h3>
<p><strong>Bindplane features for Google SecOps general availability</strong></p>
<p>The following <a href="https://docs.cloud.google.com/chronicle/docs/ingestion/use-bindplane-agent">Bindplane</a> features that relate to Google SecOps are now in General Availability (GA):</p>
<ul>
<li><p><strong>Single sign-on with custom claims role mapping</strong>: gives a production-ready way to manage Bindplane access through your identity provider. For more information, see <a href="https://docs.bindplane.com/feature-guides/saas-single-sign-on">Single Sign-On (Cloud)</a>.</p></li>
<li><p><strong>SecOps parser validator</strong>: validates that your logs will be parsed correctly by Google SecOps directly from the snapshot view. Get immediate feedback on parsed events or validation errors without waiting for data to appear in Google SecOps. For more information, see <a href="https://docs.bindplane.com/feature-guides/pipeline-intelligence#validate-secops-parser">Validate SecOps Parser</a>.</p></li>
<li><p><strong>Forwarder migration tool</strong>: provides production-ready paths to migrate existing forwarder configurations into Bindplane-managed pipelines. For more information, see <a href="https://docs.bindplane.com/feature-guides/pipeline-intelligence#migrate-configurations">Migrate Configurations</a>.</p></li>
</ul>
]]>
    </content>
  </entry>

  <entry>
    <title>March 12, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#March_12_2026</id>
    <updated>2026-03-12T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#March_12_2026"/>
    <content type="html"><![CDATA[<h3>Announcement</h3>
<p><strong>Manage parser versions</strong></p>
<p>The <a href="https://docs.cloud.google.com/chronicle/docs/release-notes#October_07_2025">Manage parser versions</a> feature is in Public Preview for all customers.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>March 10, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#March_10_2026</id>
    <updated>2026-03-10T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#March_10_2026"/>
    <content type="html"><![CDATA[<h3>Feature</h3>
<p><strong>Set up and manage data processing pipelines</strong></p>
<p>This feature is currently in Preview.</p>
<p>You can now use the <strong>Data Processing</strong> pipelines to filter, transform, and redact
Google SecOps data before ingestion. This feature provides more
control over ingested data, letting you reduce costs by filtering out
unwanted events, transform data for better compatibility, and protect
sensitive information by redacting or masking values before storage.</p>
<p>You can configure data processing pipelines using the Bindplane console or the
Google SecOps Data Pipeline APIs.</p>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/ingestion/data-processing-pipeline">Set up and manage data processing pipelines</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>March 05, 2026</title>
    <id>tag:google.com,2016:chronicle-release-notes#March_05_2026</id>
    <updated>2026-03-05T00:00:00-08:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/release-notes#March_05_2026"/>
    <content type="html"><![CDATA[<h3>Change</h3>
<p>Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region. For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers">Supported log types and default parsers</a>.</p>
<p>The following supported default parsers have been updated. Each parser is listed by product name and <code>log_type</code> value, where applicable. This list includes both released default parsers and pending parser updates.</p>
<ul>
<li>Acalvio (<code>ACALVIO</code>)</li>
<li>AIX system (<code>AIX_SYSTEM</code>)</li>
<li>Akamai WAF (<code>AKAMAI_WAF</code>)</li>
<li>Apache (<code>APACHE</code>)</li>
<li>Apache Cassandra (<code>CASSANDRA</code>)</li>
<li>Apache Hadoop (<code>HADOOP</code>)</li>
<li>Arcsight CEF (<code>ARCSIGHT_CEF</code>)</li>
<li>Aruba EdgeConnect SD-WAN (<code>ARUBA_EDGECONNECT_SDWAN</code>)</li>
<li>Attivo Networks (<code>ATTIVO</code>)</li>
<li>AWS Aurora (<code>AWS_AURORA</code>)</li>
<li>AWS Cloudtrail (<code>AWS_CLOUDTRAIL</code>)</li>
<li>AWS CloudWatch (<code>AWS_CLOUDWATCH</code>)</li>
<li>AWS GuardDuty (<code>GUARDDUTY</code>)</li>
<li>AWS Network Firewall (<code>AWS_NETWORK_FIREWALL</code>)</li>
<li>AWS Security Hub (<code>AWS_SECURITY_HUB</code>)</li>
<li>AWS WAF (<code>AWS_WAF</code>)</li>
<li>Azure AD (<code>AZURE_AD</code>)</li>
<li>Azure AD Directory Audit (<code>AZURE_AD_AUDIT</code>)</li>
<li>Azure AD Sign-In (<code>AZURE_AD_SIGNIN</code>)</li>
<li>Azure Firewall (<code>AZURE_FIREWALL</code>)</li>
<li>Azure Front Door (<code>AZURE_FRONT_DOOR</code>)</li>
<li>Barracuda Email (<code>BARRACUDA_EMAIL</code>)</li>
<li>Barracuda Firewall (<code>BARRACUDA_FIREWALL</code>)</li>
<li>Blue Coat Proxy (<code>BLUECOAT_WEBPROXY</code>)</li>
<li>Check Point (<code>CHECKPOINT_FIREWALL</code>)</li>
<li>Check Point Harmony (<code>CHECKPOINT_HARMONY</code>)</li>
<li>Cisco Application Centric Infrastructure (<code>CISCO_ACI</code>)</li>
<li>Cisco ASA (<code>CISCO_ASA_FIREWALL</code>)</li>
<li>Cisco Firepower NGFW (<code>CISCO_FIREPOWER_FIREWALL</code>)</li>
<li>Cisco Internetwork Operating System (<code>CISCO_IOS</code>)</li>
<li>Cisco ISE (<code>CISCO_ISE</code>)</li>
<li>Cisco Router (<code>CISCO_ROUTER</code>)</li>
<li>Cisco Secure Access (<code>CISCO_SECURE_ACCESS</code>)</li>
<li>Cisco Switch (<code>CISCO_SWITCH</code>)</li>
<li>Cisco TACACS+ (<code>CISCO_TACACS</code>)</li>
<li>Cisco UCM (<code>CISCO_UCM</code>)</li>
<li>Cisco Umbrella Audit (<code>CISCO_UMBRELLA_AUDIT</code>)</li>
<li>Citrix Netscaler (<code>CITRIX_NETSCALER</code>)</li>
<li>Claroty Continuous Threat Detection (<code>CLAROTY_CTD</code>)</li>
<li>Claroty Enterprise Management Console (<code>CLAROTY_EMC</code>)</li>
<li>Claroty Xdome (<code>CLAROTY_XDOME</code>)</li>
<li>Cloud SQL (<code>GCP_CLOUDSQL</code>)</li>
<li>Cloudflare (<code>CLOUDFLARE</code>)</li>
<li>Cloudflare Audit (<code>CLOUDFLARE_AUDIT</code>)</li>
<li>Cloudflare WAF (<code>CLOUDFLARE_WAF</code>)</li>
<li>Cloudflare Warp (<code>CLOUDFLARE_WARP</code>)</li>
<li>Corelight (<code>CORELIGHT</code>)</li>
<li>CrowdStrike Alerts API (<code>CS_ALERTS</code>)</li>
<li>CrowdStrike Detection Monitoring (<code>CS_DETECTS</code>)</li>
<li>CrowdStrike Falcon (<code>CS_EDR</code>)</li>
<li>CrowdStrike Falcon Stream (<code>CS_STREAM</code>)</li>
<li>CyberArk (<code>CYBERARK</code>)</li>
<li>CyberArk Endpoint Privilege Manager (EPM) (<code>CYBERARK_EPM</code>)</li>
<li>CyberArk Privileged Access Manager (PAM) (<code>CYBERARK_PAM</code>)</li>
<li>Dell EMC Data Domain (<code>DELL_EMC_DATA_DOMAIN</code>)</li>
<li>Dell Switch (<code>DELL_SWITCH</code>)</li>
<li>Duo Auth (<code>DUO_AUTH</code>)</li>
<li>F5 ASM (<code>F5_ASM</code>)</li>
<li>F5 BIGIP LTM (<code>F5_BIGIP_LTM</code>)</li>
<li>F5 Distributed Cloud Services (<code>F5_DCS</code>)</li>
<li>F5 DNS (<code>F5_DNS</code>)</li>
<li>FireEye NX (<code>FIREEYE_NX</code>)</li>
<li>Forcepoint  NGFW (<code>FORCEPOINT_FIREWALL</code>)</li>
<li>Forcepoint Proxy (<code>FORCEPOINT_WEBPROXY</code>)</li>
<li>FortiGate (<code>FORTINET_FIREWALL</code>)</li>
<li>Fortinet FortiAnalyzer (<code>FORTINET_FORTIANALYZER</code>)</li>
<li>Google Cloud (<code>GCP_SECURITYCENTER_THREAT</code>)</li>
<li>Google Cloud (<code>GCP_MONITORING_ALERTS</code>)</li>
<li>Google Threat Intelligence IOC (<code>GTI_IOC</code>)</li>
<li>GreyNoise (<code>GREYNOISE</code>)</li>
<li>Halcyon Anti Ransomware (<code>HALCYON</code>)</li>
<li>HP Aruba (ClearPass) (<code>CLEARPASS</code>)</li>
<li>Huawei Switches (<code>HUAWEI_SWITCH</code>)</li>
<li>Infoblox DNS (<code>INFOBLOX_DNS</code>)</li>
<li>Island Browser logs (<code>ISLAND_BROWSER</code>)</li>
<li>Kubernetes Node (<code>KUBERNETES_NODE</code>)</li>
<li>Linux Auditing System (AuditD) (<code>AUDITD</code>)</li>
<li>Linux Sysmon (<code>LINUX_SYSMON</code>)</li>
<li>ManageEngine ADAudit Plus (<code>ADAUDIT_PLUS</code>)</li>
<li>Maria Database (<code>MARIA_DB</code>)</li>
<li>McAfee IPS (<code>MCAFEE_IPS</code>)</li>
<li>McAfee Web Gateway (<code>MCAFEE_WEBPROXY</code>)</li>
<li>Microsoft Azure Activity (<code>AZURE_ACTIVITY</code>)</li>
<li>Microsoft Defender For Cloud (<code>MICROSOFT_DEFENDER_CLOUD_ALERTS</code>)</li>
<li>Microsoft Graph API Alerts (<code>MICROSOFT_GRAPH_ALERT</code>)</li>
<li>Microsoft IIS (<code>IIS</code>)</li>
<li>Microsoft SQL Server (<code>MICROSOFT_SQL</code>)</li>
<li>MISP Threat Intelligence (<code>MISP_IOC</code>)</li>
<li>Mobileiron (<code>MOBILEIRON</code>)</li>
<li>MySQL (<code>MYSQL</code>)</li>
<li>NetApp ONTAP (<code>NETAPP_ONTAP</code>)</li>
<li>Netskope V2 (<code>NETSKOPE_ALERT_V2</code>)</li>
<li>NGINX (<code>NGINX</code>)</li>
<li>Nozomi Networks Scada Guardian (<code>NOZOMI_GUARDIAN</code>)</li>
<li>Office 365 (<code>OFFICE_365</code>)</li>
<li>Open Cybersecurity Schema Framework (OCSF) (<code>OCSF</code>)</li>
<li>Orca Cloud Security Platform (<code>ORCA</code>)</li>
<li>Palo Alto Networks Firewall (<code>PAN_FIREWALL</code>)</li>
<li>Palo Alto Panorama (<code>PAN_PANORAMA</code>)</li>
<li>Palo Alto Prisma Cloud Alert payload (<code>PAN_PRISMA_CA</code>)</li>
<li>Ping One (<code>PING_ONE</code>)</li>
<li>PingIdentity Directory Server Logs (<code>PING_DIRECTORY</code>)</li>
<li>PostFix Mail (<code>POSTFIX_MAIL</code>)</li>
<li>PostgreSQL (<code>POSTGRESQL</code>)</li>
<li>Proofpoint On Demand (<code>PROOFPOINT_ON_DEMAND</code>)</li>
<li>Proofpoint Tap Alerts (<code>PROOFPOINT_MAIL</code>)</li>
<li>Proofpoint Threat Response (<code>PROOFPOINT_TRAP</code>)</li>
<li>Radware Web Application Firewall (<code>RADWARE_FIREWALL</code>)</li>
<li>Red Hat OpenShift (<code>REDHAT_OPENSHIFT</code>)</li>
<li>Rubrik Security Cloud (<code>RUBRIK_SECURITY_CLOUD</code>)</li>
<li>SailPoint IdentityIQ (<code>SAILPOINT_IIQ</code>)</li>
<li>Salesforce (<code>SALESFORCE</code>)</li>
<li>SAP Change Document (<code>SAP_CHANGE_DOCUMENT</code>)</li>
<li>SAP Gateway (<code>SAP_GATEWAY</code>)</li>
<li>SAP HANA (<code>SAP_HANA</code>)</li>
<li>SAP Hana Audit (<code>SAP_HANA_AUDIT</code>)</li>
<li>SAP Identity and Authentication Data (<code>SAP_IDENTITY_AND_AUTH_DATA</code>)</li>
<li>SAP Internet Communication Manager (<code>SAP_ICM</code>)</li>
<li>SAP Security Audit (<code>SAP_SECURITY_AUDIT</code>)</li>
<li>SAP Webdispatcher (<code>SAP_WEBDISP</code>)</li>
<li>Security Command Center Posture Violation (<code>GCP_SECURITYCENTER_POSTURE_VIOLATION</code>)</li>
<li>Security Command Center Toxic Combination (<code>GCP_SECURITYCENTER_TOXIC_COMBINATION</code>)</li>
<li>Sophos Central (<code>SOPHOS_CENTRAL</code>)</li>
<li>STIX Threat Intelligence (<code>STIX</code>)</li>
<li>Stormshield Firewall (<code>STORMSHIELD_FIREWALL</code>)</li>
<li>Suricata EVE (<code>SURICATA_EVE</code>)</li>
<li>Symantec Endpoint Protection (<code>SEP</code>)</li>
<li>Sysdig (<code>SYSDIG</code>)</li>
<li>Tableau (<code>TABLEAU</code>)</li>
<li>Teleport Access Plane (<code>TELEPORT_ACCESS_PLANE</code>)</li>
<li>Trend Micro (<code>TIPPING_POINT</code>)</li>
<li>Tripwire (<code>TRIPWIRE_FIM</code>)</li>
<li>TXOne Stellar (<code>TRENDMICRO_STELLAR</code>)</li>
<li>Ubika Waf (<code>UBIKA_WAF</code>)</li>
<li>Unix system (<code>NIX_SYSTEM</code>)</li>
<li>Velo Firewall (<code>VELO_FIREWALL</code>)</li>
<li>Veritas NetBackup (<code>VERITAS_NETBACKUP</code>)</li>
<li>Versa Firewall (<code>VERSA_FIREWALL</code>)</li>
<li>Vmware Avinetworks iWAF (<code>VMWARE_AVINETWORKS_IWAF</code>)</li>
<li>VMware ESXi (<code>VMWARE_ESX</code>)</li>
<li>VMware vCenter (<code>VMWARE_VCENTER</code>)</li>
<li>WatchGuard (<code>WATCHGUARD</code>)</li>
<li>Windows DNS (<code>WINDOWS_DNS</code>)</li>
<li>Windows Event (<code>WINEVTLOG</code>)</li>
<li>Windows Event (XML) (<code>WINEVTLOG_XML</code>)</li>
<li>wiz.io (<code>WIZ_IO</code>)</li>
<li>Workday Audit Logs (<code>WORKDAY_AUDIT</code>)</li>
<li>Zscaler (<code>ZSCALER_WEBPROXY</code>)</li>
<li>ZScaler VPN (<code>ZSCALER_VPN</code>)</li>
</ul>
<p>The following log types were added without a default parser. Each parser is listed by product name and <code>log_type</code> value, where applicable.</p>
<ul>
<li>Alibaba Security Center (<code>ALIBABA_SECURITY_CENTER</code>)</li>
<li>Apache Airflow (<code>APACHE_AIRFLOW</code>)</li>
<li>Baramundi (<code>BARAMUNDI</code>)</li>
<li>Bravura Security (<code>BRAVURA</code>)</li>
<li>Buildkite Audit (<code>BUILDKITE_AUDIT</code>)</li>
<li>Palo Alto Cortex Xpanse (<code>CORTEX_XPANSE</code>)</li>
<li>Cyfirma DeCYFIR ServiceNow (<code>CYFIRMA_DECYFIR</code>)</li>
<li>DATEV (<code>DATEV</code>)</li>
<li>ELO (<code>ELO</code>)</li>
<li>Forcepoint Secure Web Gateway (<code>FORCEPOINT_SWG</code>)</li>
<li>JumpServer PAM (<code>JUMPSERVER_PAM</code>)</li>
<li>Keep Aware (<code>KEEP_AWARE</code>)</li>
<li>Lark Suite (<code>LARK_SUITE</code>)</li>
<li>Macmon (<code>MACMON</code>)</li>
<li>Mamori Database Activity Monitoring (<code>MAMORI_DAM</code>)</li>
<li>N8N Security Audit Logs (<code>N8N_SECURITY_AUDIT_LOGS</code>)</li>
<li>Oracle Cloud Infrastructure LoadBalancer (<code>OCI_LOADBALANCER</code>)</li>
<li>OpenText Self Service Password Reset (<code>OPENTEXT_SSPR</code>)</li>
<li>Rackspace (<code>RACKSPACE</code>)</li>
<li>Secui Bluemax NGF (<code>SECUI_BLUEMAX_NGF</code>)</li>
<li>Symantec Advanced Threat Protection (<code>SYMANTEC_ATP</code>)</li>
<li>Tenable Vulnerabilities Management (<code>TENABLE_VMGNT</code>)</li>
<li>Trellix EDRF Trace Data and Telemetry (<code>TRELLIX_EDRF</code>)</li>
<li>Trend Micro Vision One Endpoint Vulnerabilities (<code>TRENDMICRO_VISION_ONE_ENDPOINT_VULNERABILITIES</code>)</li>
<li>Zafran (<code>ZAFRAN</code>)</li>
</ul>
]]>
    </content>
  </entry>

</feed>
