<?xml version="1.0" encoding="UTF-8"?>
<!-- AUTOGENERATED FILE. DO NOT EDIT. -->
<feed xmlns="http://www.w3.org/2005/Atom">
  <id>tag:google.com,2016:chronicle-security-operations-release-notes</id>
  <title>Google SecOps - Release notes</title>
  <link rel="self" href="https://docs.cloud.google.com/feeds/chronicle-security-operations-release-notes.xml"/>
  <author>
    <name>Google Cloud Platform</name>
  </author>
  <updated>2026-07-06T00:00:00-07:00</updated>

  <entry>
    <title>July 06, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#July_06_2026</id>
    <updated>2026-07-06T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#July_06_2026"/>
    <content type="html"><![CDATA[<h3>Feature</h3>
<p><strong>Data RBAC for first-party (1P) cases and alerts in public preview</strong></p>
<p><strong>Availability:</strong> This feature is available <strong>only in the following regions:</strong> europe-central2, asia-northeast1, asia-south1, australia-southeast1, northamerica-northeast2, europe-west3, europe-west6, southamerica-east1, asia-southeast1, me-central1, me-central2, me-west1, europe-west2, europe-west9, europe-west12, asia-southeast2, africa-south1, asia-east1, and asia-northeast3.</p>
<p>Google SecOps now supports data role-based access control (Data RBAC) for first-party (1P) cases and alerts in SOAR. This feature automatically applies SIEM data access scopes to alerts and cases ingested using the Chronicle connector, ensuring analysts only see data they are authorized to access.</p>
<p><strong>Key highlights</strong></p>
<ul>
<li><strong>SIEM-scope-to-SOAR inheritance:</strong> Ingested 1P SIEM alerts carry their assigned data access scopes, which are automatically inherited by their parent SOAR cases.</li>
<li><strong>Dual access enforcement:</strong> To view a case or alert, users must have access to both the assigned SOAR environment and all associated data access scopes. Global users maintain full visibility.</li>
<li><strong>Scope-to-environment mapping:</strong> Administrators can map SIEM data access scopes to SOAR environments (<strong>SOAR settings &gt; Environments</strong>) to manage alert routing and grouping. Alerts without mapped scopes are routed to a fallback environment.</li>
<li><strong>Enhanced UI visibility and filtering:</strong> Assigned data access scopes are visible next to the environment in the <strong>Case header</strong> and the <strong>List cases</strong> table, allowing for easy filtering.</li>
<li><strong>Manual case and grouping logic:</strong> When creating cases manually, analysts can only select from the intersection of their permitted data access scopes and environment mappings.</li>
</ul>
<p><strong>Prerequisites and enablement</strong></p>
<ul>
<li>Requires a unified Google SecOps instance with the <strong>Chronicle connector</strong> using the modern Chronicle API.</li>
<li>Administrators can enable this feature under <strong>SIEM settings &gt; Data access</strong> by selecting <strong>Enforce data access in SOAR</strong> (or <strong>Enforce data access</strong> if SIEM data access is not yet active).</li>
</ul>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/administration/datarbac-impact-cases">Control access to 1P cases and alerts</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>July 01, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#July_01_2026</id>
    <updated>2026-07-01T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#July_01_2026"/>
    <content type="html"><![CDATA[<h3>Announcement</h3>
<p><strong>[Spotlight Feature] Security Tokens</strong></p>
<p>Security Tokens are now available for metering agentic consumption within Google
SecOps. Tokens are consumed by generally available security agents only. These
agents are invoked automatically or manually using the web interface, CLI, chat,
or Model Context Protocol (MCP). Assistive features, such as standard chat
panels and automated summaries, along with preview agents, won't consume
Security Tokens.</p>
<p>Security Tokens will start rolling out across all regions starting July 1. For
more information, see <a href="https://docs.cloud.google.com/chronicle/docs/agentic-soc/security-tokens">Google SecOps Agentic SOC Security Tokens pricing and
billing</a>.</p>
<h3>Feature</h3>
<p><strong>[Spotlight Feature] Enhanced security and compliance for the Advanced BigQuery Export feature</strong></p>
<p>The <a href="https://docs.cloud.google.com/chronicle/docs/reports/bigquery-export">Advanced BigQuery Export feature</a> is in Preview and is available for Google SecOps Enterprise Plus customers only. </p>
<p><strong>Here's what's new:</strong> We're excited to announce significant performance and coverage enhancements to Advanced BigQuery Export for Google SecOps Enterprise Plus customers.</p>
<ul>
<li><strong>Expanded dataset support</strong>: In addition to UDM events, rule detections, and IoC matches, we now support the export of Entity Graph and Ingestion Metrics.</li>
<li><strong>Enhanced security &amp; compliance</strong>: The offering natively supports <a href="https://docs.cloud.google.com/chronicle/docs/secops/vpcsc-for-secops">VPC Service Controls (VPC-SC)</a>, <a href="https://docs.cloud.google.com/chronicle/docs/secops/cmek_for_secops">Customer-Managed Encryption Keys (CMEK)</a>, and Data Residency (DRZ). Furthermore, customer-facing audit logs (Access Transparency) are delivered directly to your Cloud Logging workspace using the Federated Resource Identification Service.</li>
<li><strong>Data integrity and deduplication</strong>: The system now uses Fine-Grained DML merges to update records in place behind the scenes. This ensures that you receive clean, deduplicated data without needing to write complex SQL routines.</li>
<li><strong>Seamless MSSP support (hub and spoke)</strong>: Managed Security Service Providers (MSSPs) can now efficiently manage analytics across multiple customer tenants. This is achieved by programmatically subscribing to customers' linked datasets from a single centralized "Hub" project.</li>
<li><strong>Enum mapping tables</strong>: Advanced BigQuery Export now includes <code>entity_enum_value_to_name_mapping</code> and <code>udm_enum_value_to_name_mapping</code> tables. These allow you to easily join against your events to translate numerical enum values into human-readable strings.</li>
</ul>
<p><strong>Key reminders</strong></p>
<ul>
<li><strong>Public preview &amp; feature activation</strong>: This feature is currently in Public Preview, is enabled only upon request, and may require initial configuration in your organization's Google SecOps instance. Contact your Google SecOps representative to confirm feature enablement.</li>
<li><strong>Enterprise Plus only</strong>: This feature is exclusive to the Enterprise Plus tier.</li>
<li><strong>Zero-maintenance</strong>: Your security data remains in a Google-managed project, appearing as a read-only linked dataset directly in your own Google Cloud project. This lets you query the data locally without the overhead of managing the pipeline or paying for storage.</li>
<li><strong>Migration and dual operation</strong>: To support a smooth transition without disruption during the Public Preview, your data will be exported to the new BigQuery tenant project in addition to your existing Google-managed BigQuery project. You'll be notified before the old export pipeline is disabled for your account.</li>
</ul>
]]>
    </content>
  </entry>

  <entry>
    <title>June 30, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#June_30_2026</id>
    <updated>2026-06-30T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#June_30_2026"/>
    <content type="html"><![CDATA[<h3>Announcement</h3>
<p><strong>Increased multiple event limits</strong></p>
<p>Multiple event rule limits have been increased to 200 for Enterprise customers and 400 for Enterprise+ customers.</p>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/secops/secops-packages#package_comparison">Package comparison</a></p>
<h3>Announcement</h3>
<p><strong>[Spotlight Feature] Unified rules interface</strong></p>
<p>The new rules interface is now available in public preview. The Google SecOps unified rules interface brings custom and curated rule management into a single, cohesive workflow. This optimizes detection engineering with a redesigned dashboard, an advanced rule editor, and expanded API capabilities to streamline rule deployment and troubleshooting.</p>
<p>You can still revert to the legacy experience. At the top right of the screen, click <strong>Switch to the legacy experience</strong>.</p>
<p>For more information about the Unified rules interface, see <a href="https://docs.cloud.google.com/chronicle/docs/detection/unified-rules/manage-unified-rules">Manage unified rules</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>June 28, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#June_28_2026</id>
    <updated>2026-06-28T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#June_28_2026"/>
    <content type="html"><![CDATA[<h3>Change</h3>
<p>Google SecOps has updated the list of <a href="https://docs.cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers">supported default parsers</a>. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.</p>
<p>The following supported default parsers have been updated. Each parser is listed by product name and <code>log_type</code> value, where applicable. This list includes both released default parsers and pending parser updates.</p>
<ul>
<li>AIX system (<code>AIX_SYSTEM</code>)</li>
<li>Amazon API Gateway (<code>AWS_API_GATEWAY</code>)</li>
<li>Apache (<code>APACHE</code>)</li>
<li>Appian Cloud (<code>APPIAN_CLOUD</code>)</li>
<li>Aruba Switch (<code>ARUBA_SWITCH</code>)</li>
<li>Atlassian Bitbucket (<code>ATLASSIAN_BITBUCKET</code>)</li>
<li>Avaya Aura Experience Portal (<code>AVAYA_AURA</code>)</li>
<li>AWS CloudWatch (<code>AWS_CLOUDWATCH</code>)</li>
<li>AWS GuardDuty (<code>GUARDDUTY</code>)</li>
<li>AWS Network Firewall (<code>AWS_NETWORK_FIREWALL</code>)</li>
<li>AWS RDS (<code>AWS_RDS</code>)</li>
<li>AWS Security Hub (<code>AWS_SECURITY_HUB</code>)</li>
<li>AWS VPC Flow (<code>AWS_VPC_FLOW</code>)</li>
<li>AWS VPC Flow (CSV) (<code>AWS_VPC_FLOW_CSV</code>)</li>
<li>AWS WAF (<code>AWS_WAF</code>)</li>
<li>Azure AD (<code>AZURE_AD</code>)</li>
<li>Barracuda WAF (<code>BARRACUDA_WAF</code>)</li>
<li>Blue Coat Proxy (<code>BLUECOAT_WEBPROXY</code>)</li>
<li>Cato Networks (<code>CATO_NETWORKS</code>)</li>
<li>Check Point Harmony (<code>CHECKPOINT_HARMONY</code>)</li>
<li>Chrome Management (<code>CHROME_MANAGEMENT</code>)</li>
<li>CircleCI (<code>CIRCLECI</code>)</li>
<li>Cisco ACS (<code>CISCO_ACS</code>)</li>
<li>Cisco ASA (<code>CISCO_ASA_FIREWALL</code>)</li>
<li>Cisco Email Security (<code>CISCO_EMAIL_SECURITY</code>)</li>
<li>Cisco Firepower NGFW (<code>CISCO_FIREPOWER_FIREWALL</code>)</li>
<li>Cisco IronPort (<code>CISCO_IRONPORT</code>)</li>
<li>Cisco ISE (<code>CISCO_ISE</code>)</li>
<li>Cisco Meraki (<code>CISCO_MERAKI</code>)</li>
<li>Cisco Router (<code>CISCO_ROUTER</code>)</li>
<li>Cisco Secure Access (<code>CISCO_SECURE_ACCESS</code>)</li>
<li>Cisco Switch (<code>CISCO_SWITCH</code>)</li>
<li>Cisco Umbrella Audit (<code>CISCO_UMBRELLA_AUDIT</code>)</li>
<li>Cisco Umbrella Cloud Firewall (<code>UMBRELLA_FIREWALL</code>)</li>
<li>Cisco Umbrella Web Proxy (<code>UMBRELLA_WEBPROXY</code>)</li>
<li>Cisco vManage SD-WAN (<code>CISCO_SDWAN</code>)</li>
<li>Cisco WLC/WCS (<code>CISCO_WIRELESS</code>)</li>
<li>Citrix Netscaler (<code>CITRIX_NETSCALER</code>)</li>
<li>Claroty Xdome (<code>CLAROTY_XDOME</code>)</li>
<li>Cloudflare (<code>CLOUDFLARE</code>)</li>
<li>Corelight (<code>CORELIGHT</code>)</li>
<li>CrowdStrike Alerts API (<code>CS_ALERTS</code>)</li>
<li>CrowdStrike Falcon (<code>CS_EDR</code>)</li>
<li>CyberArk PTA Privileged Threat Analytics (<code>CYBERARK_PTA</code>)</li>
<li>Cynet 360 AutoXDR (<code>CYNET_360_AUTOXDR</code>)</li>
<li>Dell Switch (<code>DELL_SWITCH</code>)</li>
<li>Elastic Windows Event Log Beats (<code>ELASTIC_WINLOGBEAT</code>)</li>
<li>F5 ASM (<code>F5_ASM</code>)</li>
<li>F5 BIGIP LTM (<code>F5_BIGIP_LTM</code>)</li>
<li>FireEye ETP (<code>FIREEYE_ETP</code>)</li>
<li>FireEye NX (<code>FIREEYE_NX</code>)</li>
<li>Forcepoint Proxy (<code>FORCEPOINT_WEBPROXY</code>)</li>
<li>FortiGate (<code>FORTINET_FIREWALL</code>)</li>
<li>FortiMail Email Security (<code>FORTINET_FORTIMAIL</code>)</li>
<li>Fortinet FortiAnalyzer (<code>FORTINET_FORTIANALYZER</code>)</li>
<li>Fortinet Web Application Firewall (<code>FORTINET_FORTIWEB</code>)</li>
<li>GitHub (<code>GITHUB</code>)</li>
<li>Google Cloud Audit (<code>GCP_CLOUDAUDIT</code>)</li>
<li>Google Cloud DNS (<code>GCP_DNS</code>)</li>
<li>HAProxy (<code>HAPROXY</code>)</li>
<li>IBM Tape Storages (<code>IBM_LTO</code>)</li>
<li>Imperva CEF (<code>IMPERVA_CEF</code>)</li>
<li>Imperva SecureSphere Management (<code>IMPERVA_SECURESPHERE</code>)</li>
<li>Infoblox DNS (<code>INFOBLOX_DNS</code>)</li>
<li>Island Browser logs (<code>ISLAND_BROWSER</code>)</li>
<li>JumpCloud Directory Insights (<code>JUMPCLOUD_DIRECTORY_INSIGHTS</code>)</li>
<li>Kemp Load Balancer (<code>KEMP_LOADBALANCER</code>)</li>
<li>Kubernetes Node (<code>KUBERNETES_NODE</code>)</li>
<li>ManageEngine ADAudit Plus (<code>ADAUDIT_PLUS</code>)</li>
<li>Microsoft Defender for Endpoint (<code>MICROSOFT_DEFENDER_ENDPOINT</code>)</li>
<li>Microsoft Defender for Office 365 (<code>MICROSOFT_DEFENDER_MAIL</code>)</li>
<li>Microsoft Graph API Alerts (<code>MICROSOFT_GRAPH_ALERT</code>)</li>
<li>Microsoft IIS (<code>IIS</code>)</li>
<li>Microsoft SQL Server (<code>MICROSOFT_SQL</code>)</li>
<li>MISP Threat Intelligence (<code>MISP_IOC</code>)</li>
<li>NetApp ONTAP (<code>NETAPP_ONTAP</code>)</li>
<li>NetIQ eDirectory (<code>NETIQ_EDIRECTORY</code>)</li>
<li>Netskope V2 (<code>NETSKOPE_ALERT_V2</code>)</li>
<li>Netskope Web Proxy (<code>NETSKOPE_WEBPROXY</code>)</li>
<li>NGINX (<code>NGINX</code>)</li>
<li>Noname API Security (<code>NONAME_API_SECURITY</code>)</li>
<li>Office 365 (<code>OFFICE_365</code>)</li>
<li>Okta (<code>OKTA</code>)</li>
<li>Oracle (<code>ORACLE_DB</code>)</li>
<li>Oracle Cloud Infrastructure VCN Flow Logs (<code>OCI_FLOW</code>)</li>
<li>Oracle NetSuite (<code>ORACLE_NETSUITE</code>)</li>
<li>Palo Alto Networks Firewall (<code>PAN_FIREWALL</code>)</li>
<li>Palo Alto Panorama (<code>PAN_PANORAMA</code>)</li>
<li>Palo Alto Prisma Access (<code>PAN_CASB</code>)</li>
<li>Palo Alto Prisma Cloud Alert payload (<code>PAN_PRISMA_CA</code>)</li>
<li>Ping Identity (<code>PING</code>)</li>
<li>Proofpoint On Demand (<code>PROOFPOINT_ON_DEMAND</code>)</li>
<li>RSA (<code>RSA_AUTH_MANAGER</code>)</li>
<li>Salesforce (<code>SALESFORCE</code>)</li>
<li>Security Command Center Error (<code>GCP_SECURITYCENTER_ERROR</code>)</li>
<li>Security Command Center Misconfiguration (<code>GCP_SECURITYCENTER_MISCONFIGURATION</code>)</li>
<li>Security Command Center Observation (<code>GCP_SECURITYCENTER_OBSERVATION</code>)</li>
<li>Security Command Center Posture Violation (<code>GCP_SECURITYCENTER_POSTURE_VIOLATION</code>)</li>
<li>Security Command Center Threat (<code>GCP_SECURITYCENTER_THREAT</code>)</li>
<li>Security Command Center Toxic Combination (<code>GCP_SECURITYCENTER_TOXIC_COMBINATION</code>)</li>
<li>Security Command Center Unspecified (<code>GCP_SECURITYCENTER_UNSPECIFIED</code>)</li>
<li>Security Command Center Vulnerability (<code>GCP_SECURITYCENTER_VULNERABILITY</code>)</li>
<li>Sendmail (<code>SENDMAIL</code>)</li>
<li>Sentinelone Activity (<code>SENTINELONE_ACTIVITY</code>)</li>
<li>ServiceNow CMDB (<code>SERVICENOW_CMDB</code>)</li>
<li>Sophos Firewall (Next Gen) (<code>SOPHOS_FIREWALL</code>)</li>
<li>Squid Web Proxy (<code>SQUID_WEBPROXY</code>)</li>
<li>Symantec EDR (<code>SYMANTEC_EDR</code>)</li>
<li>Symantec Endpoint Protection (<code>SEP</code>)</li>
<li>Sysdig (<code>SYSDIG</code>)</li>
<li>Thinkst Canary (<code>THINKST_CANARY</code>)</li>
<li>Trellix EDRF Trace Data and Telemetry (<code>TRELLIX_EDRF</code>)</li>
<li>Trend Micro Vision One Detections (<code>TRENDMICRO_VISION_ONE_DETECTIONS</code>)</li>
<li>Trend Micro Vision One Workbench (<code>TRENDMICRO_VISION_ONE_WORKBENCH</code>)</li>
<li>Unix system (<code>NIX_SYSTEM</code>)</li>
<li>Varonis (<code>VARONIS</code>)</li>
<li>Veeam (<code>VEEAM</code>)</li>
<li>VMware vCenter (<code>VMWARE_VCENTER</code>)</li>
<li>VMWare VSphere (<code>VMWARE_VSPHERE</code>)</li>
<li>Windows DNS (<code>WINDOWS_DNS</code>)</li>
<li>Windows Event (<code>WINEVTLOG</code>)</li>
<li>Windows Event (XML) (<code>WINEVTLOG_XML</code>)</li>
<li>Windows Sysmon (<code>WINDOWS_SYSMON</code>)</li>
<li>wiz.io (<code>WIZ_IO</code>)</li>
<li>Workday User Activity (<code>WORKDAY_USER_ACTIVITY</code>)</li>
<li>Zeek JSON (<code>BRO_JSON</code>)</li>
<li>Zscaler (<code>ZSCALER_WEBPROXY</code>)</li>
<li>ZScaler NGFW (<code>ZSCALER_FIREWALL</code>)</li>
</ul>
<p>The following log types were added without a default parser. Each parser is listed by product name and <code>log_type</code> value, where applicable.</p>
<ul>
<li>Cisco Secure Access Enrollment (<code>CISCO_SECURE_ACCESS_ENROLLMENT</code>)</li>
<li>Cisco Secure Access Network (<code>CISCO_SECURE_ACCESS_NETWORK</code>)</li>
<li>CyberArk Certificate Manager SaaS (<code>CYBERARK_CERTIFICATE_MANAGER_SAAS</code>)</li>
<li>Gemini Enterprise Agent Platform (<code>GEMINI_ENTERPRISE_AGENT_PLATFORM</code>)</li>
<li>Schneider Electric GeoScada OT (<code>GEOSCADA_OT</code>)</li>
<li>Model Context Protocol Dev (<code>MCPDEV</code>)</li>
<li>Model Context Protocol Modify (<code>MCPMODIFY</code>)</li>
<li>Model Context Protocol View (<code>MCPVIEW</code>)</li>
<li>NetApp Ransomware Resilience (<code>NETAPP_RANSOMWARE_RESILIENCE</code>)</li>
<li>Netskope Log Streaming (<code>NETSKOPE_LOG_STREAMING</code>)</li>
<li>Pylon Audit Logs (<code>PYLON_LOGS</code>)</li>
<li>Reco AI CSPM (<code>RECO_CSPM</code>)</li>
<li>Salt Security API Protection Platform (<code>SALT_SECURITY</code>)</li>
<li>SentinelOne Application (<code>SENTINELONE_APPLICATION</code>)</li>
<li>Wiz Vulnerabilities (<code>WIZ_VULNERABILITIES</code>)</li>
</ul>
]]>
    </content>
  </entry>

  <entry>
    <title>June 26, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#June_26_2026</id>
    <updated>2026-06-26T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#June_26_2026"/>
    <content type="html"><![CDATA[<h3>Announcement</h3>
<p><strong>Improved documentation portal navigation</strong></p>
<p>Finding help is now easier! We've updated the navigation of our documentation portal to be primarily user-centric. Sections have been reorganized and renamed to align with your workflows, providing a logical path through the documentation.</p>
<p>We've also added:</p>
<ul>
<li>A <a href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes"><strong>Support</strong> tab</a> for technical support, changelogs, and release notes</li>
<li>A <a href="https://docs.cloud.google.com/chronicle/docs/use-cases"><strong>Use cases</strong> tab</a> for persona-driven CUJs and workflows</li>
</ul>
<aside class="note"><strong>Note:</strong><span> Content-level modifications are not included in this update and are scheduled for subsequent phases.</span></aside>
]]>
    </content>
  </entry>

  <entry>
    <title>June 23, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#June_23_2026</id>
    <updated>2026-06-23T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#June_23_2026"/>
    <content type="html"><![CDATA[<h3>Feature</h3>
<p><strong>[Spotlight Feature] Ask Gemini Cloud Assist in Feed Management</strong></p>
<p>Google SecOps now provides Gemini Cloud Assist (GCA) directly within the Feed Management interface. Use the new <strong>Ask Gemini Cloud Assist</strong> button to get help with feed creation, setup, and general troubleshooting questions.</p>
<p>Click <strong>Ask Gemini Cloud Assist</strong> to open the Gemini Cloud Assist panel and ask questions to get guidance on:</p>
<ul>
<li>Configuring and managing data feeds.</li>
<li>Understanding ingestion pre-requisites and setup steps for different log sources.</li>
<li>Resolving common setup issues.</li>
</ul>
<p><em>Note: Gemini Cloud Assist provides recommendations and answers to your questions, but does not perform configuration changes on your behalf. You must apply any recommended changes manually to your feeds.</em></p>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/administration/feed-management-overview">Feed management overview</a>.</p>
<h3>Change</h3>
<p><strong>Ingestion metrics reporting correction</strong></p>
<p>Google Security Operations has resolved an issue where certain ingestion metrics—which are displayed in both the dashboard and Cloud Monitoring—were under-reported.</p>
<p>Because of this correction, you might notice a one-time apparent spike in your ingestion metrics when the update is enabled for your region (between June 29 and July 10, 2026). The actual log volume ingested remains unchanged.</p>
<p>Historical metrics recorded before this update will not be modified or backfilled. This correction does not affect customer billing.</p>
<p>If you have questions or need assistance, contact Google Security Operations support.</p>
<h3>Breaking</h3>
<p><strong>Critical Notice: Upcoming reservation of siemAlertId field</strong></p>
<p>Effective July 5, 2026, the <code>siemAlertId</code> field will be strictly reserved for
internal Chronicle SIEM alert IDs.</p>
<p>Starting July 5, the system will automatically overwrite any custom or
user-supplied data passed through this field. This change impacts all ingestion
methods, including the Ingestion API, webhooks, and both first-party and
third-party connectors. If you are currently utilizing a custom field named
<code>siemAlertId</code> in any of your data ingestion configurations, please migrate to a
different field name immediately to prevent data loss.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>June 21, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#June_21_2026</id>
    <updated>2026-06-21T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#June_21_2026"/>
    <content type="html"><![CDATA[<h3>Announcement</h3>
<p><strong>Scheduled Maintenance</strong> </p>
<p>CloudSQL will undergo a scheduled minor upgrade this Sunday, June 21, 2026.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>June 17, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#June_17_2026</id>
    <updated>2026-06-17T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#June_17_2026"/>
    <content type="html"><![CDATA[<h3>Change</h3>
<p><strong>Auto-collapse setting for the query editor</strong></p>
<p>You can now configure the query editor to automatically collapse after you run
a search, maximizing the screen space available for viewing your search results.
By default, the query editor remains expanded.</p>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/investigation/udm-search#CollapsequeryEditor">Configure query editor behavior</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>June 16, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#June_16_2026</id>
    <updated>2026-06-16T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#June_16_2026"/>
    <content type="html"><![CDATA[<h3>Announcement</h3>
<p><strong>New Documentation changelogs</strong></p>
<p>Google SecOps is now releasing a monthly changelog to capture major documentation updates.</p>
<p>For more information, refer to <a href="https://docs.cloud.google.com/chronicle/docs/changelogs/changelogs">Documentation changelog</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>June 13, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#June_13_2026</id>
    <updated>2026-06-13T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#June_13_2026"/>
    <content type="html"><![CDATA[<h3>Feature</h3>
<p><strong>Non-prioritized IoC Matching rules Category</strong></p>
<p>Google SecOps has introduced a new detection category, <em>Non-prioritized IoC Matching rules</em>, as part of the <a href="https://docs.cloud.google.com/chronicle/docs/detection/curated-detections">Curated Detections</a> feature. These rule sets integrate with Google's Indicators of Compromise (IoC) feeds and build on curated threat intelligence to identify malicious activities within Google SecOps environments, specifically focusing on threats identifiable through high-fidelity indicators like IPs, domains, and file hashes.</p>
<p>This rules category provides comprehensive coverage for threats often missed by standard managed content, including cryptomining, Command and Control (C2) communications, and the use of malicious anonymization services.</p>
<p>For more information, refer to <a href="https://docs.cloud.google.com/chronicle/docs/detection/non-prioritized-ioc-matching-threats-category">Non-prioritized IoC Matching rules category overview</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>June 12, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#June_12_2026</id>
    <updated>2026-06-12T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#June_12_2026"/>
    <content type="html"><![CDATA[<h3>Feature</h3>
<p><strong>[Spotlight Feature] Search for cases using SIEM Search</strong></p>
<p>Google SecOps SIEM Search now provides robust capabilities for analyzing cases and case history alongside existing Unified Data Model (UDM) events and entities. This update allows security analysts to seamlessly correlate case details with other security telemetry within a single interface, streamlining workflows and accelerating incident response.</p>
<p>Key Highlights:</p>
<ul>
<li><p><strong>Unified Search Experience</strong>: Conduct searches across UDM events, entities, cases, and case history from a single SIEM Search interface.</p></li>
<li><p><strong>Correlate SIEM and SOAR Data</strong>: Effortlessly link case details and historical activities with security data, reducing context switching and improving investigation efficiency.</p></li>
</ul>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/investigation/search-and-search-case-history">Search cases and case history</a>.</p>
<h3>Feature</h3>
<p><strong>[Spotlight Feature] Investigate detections in Google SecOps Search</strong></p>
<p>Google SecOps Search now supports querying, filtering, and analyzing system-generated detections. When searching on events or entities, matching detections will now appear in the <strong>Alerts and Detections</strong> tab, providing a more holistic workflow for threat investigation.</p>
<p>For more details, see <a href="https://docs.cloud.google.com/chronicle/docs/investigation/investigate-detections-in-search">Investigate detections in Search</a>.</p>
<h3>Announcement</h3>
<p><strong>Asynchronous Search APIs for large datasets</strong></p>
<p>Google SecOps now supports asynchronous Search APIs that let you perform
long-running queries without blocking your applications. This is ideal for 
searches that return a large volume of results.</p>
<ul>
<li><strong>Non-blocking queries</strong>: Initiate searches and receive an operation ID to
track progress, so your application remains responsive.</li>
<li><strong>Handle large result sets</strong>: Retrieve up to 1 million results from data
sources including Unified Data Model (UDM) events, data tables, and Entity
Context Graph (ECG).</li>
<li><strong>Paginated results</strong>: View results efficiently in manageable pages.</li>
</ul>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/investigation/search-lro-api">Asynchronous Search APIs</a>
and <a href="https://docs.cloud.google.com/chronicle/docs/investigation/udm-search#resultLimitsDataSources">Result limits for data sources</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>June 09, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#June_09_2026</id>
    <updated>2026-06-09T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#June_09_2026"/>
    <content type="html"><![CDATA[<h3>Feature</h3>
<p><strong>UDM fields now show the sources of enrichment</strong></p>
<p>The new Enrichment feature introduces improvements for managing and understanding your data. Each UDM field is now labeled with an icon to indicate its data source: U for unenriched fields and E for enriched fields. Enriched fields contain additional metadata values that indicate the source of the enriched data.</p>
<aside class="note"><strong>Note:</strong><span> The Enrichment feature requires the <code>chronicle.events.fetchEnrichedEvent</code> IAM permission. If you're using custom IAM roles, you must add one of the following permissions to your custom policies: <code>chronicle.googleapis.com/limitedViewer</code>, <code>chronicle.googleapis.com/restrictedDataAccessViewer</code>, or <code>chronicle.googleapis.com/viewer</code>.</span></aside>
<p>For more information, see: <a href="https://docs.cloud.google.com/chronicle/docs/event-processing/data-enrichment#viewing_events">Viewing events</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>June 01, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#June_01_2026</id>
    <updated>2026-06-01T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#June_01_2026"/>
    <content type="html"><![CDATA[<h3>Announcement</h3>
<p>The <a href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#May_28_2026">Manage access to preview features feature</a> has been rolled back.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>May 31, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#May_31_2026</id>
    <updated>2026-05-31T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#May_31_2026"/>
    <content type="html"><![CDATA[<h3>Change</h3>
<p>Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.</p>
<p>The following supported default parsers have been updated. Each parser is listed by product name and <code>log_type</code> value, where applicable. This list includes both released default parsers and pending parser updates.</p>
<ul>
<li>1Password Audit Events (<code>ONEPASSWORD_AUDIT_EVENTS</code>)</li>
<li>AIX system (<code>AIX_SYSTEM</code>)</li>
<li>Apache (<code>APACHE</code>)</li>
<li>Aruba EdgeConnect SD-WAN (<code>ARUBA_EDGECONNECT_SDWAN</code>)</li>
<li>Avaya Aura Experience Portal (<code>AVAYA_AURA</code>)</li>
<li>AWS CloudFront (<code>AWS_CLOUDFRONT</code>)</li>
<li>AWS Cloudtrail (<code>AWS_CLOUDTRAIL</code>)</li>
<li>AWS GuardDuty (<code>GUARDDUTY</code>)</li>
<li>AWS Security Hub (<code>AWS_SECURITY_HUB</code>)</li>
<li>Azure AD (<code>AZURE_AD</code>)</li>
<li>Azure AD Organizational Context (<code>AZURE_AD_CONTEXT</code>)</li>
<li>Azure AD Sign-In (<code>AZURE_AD_SIGNIN</code>)</li>
<li>Azure SQL (<code>AZURE_SQL</code>)</li>
<li>Azure Storage Audit (<code>AZURE_STORAGE_AUDIT</code>)</li>
<li>Barracuda WAF (<code>BARRACUDA_WAF</code>)</li>
<li>Blue Coat Proxy (<code>BLUECOAT_WEBPROXY</code>)</li>
<li>Chrome Management (<code>CHROME_MANAGEMENT</code>)</li>
<li>Cisco ACS (<code>CISCO_ACS</code>)</li>
<li>Cisco ISE (<code>CISCO_ISE</code>)</li>
<li>Cisco Secure Access (<code>CISCO_SECURE_ACCESS</code>)</li>
<li>Cisco Secure Workload (<code>CISCO_SECURE_WORKLOAD</code>)</li>
<li>Cisco Switch (<code>CISCO_SWITCH</code>)</li>
<li>Cisco Umbrella Audit (<code>CISCO_UMBRELLA_AUDIT</code>)</li>
<li>Citrix Netscaler (<code>CITRIX_NETSCALER</code>)</li>
<li>Claroty Xdome (<code>CLAROTY_XDOME</code>)</li>
<li>Claude Compliance Logs (<code>CLAUDE_COMPLIANCE_LOGS</code>)</li>
<li>Cloudflare (<code>CLOUDFLARE</code>)</li>
<li>Cloudflare Warp (<code>CLOUDFLARE_WARP</code>)</li>
<li>Corelight (<code>CORELIGHT</code>)</li>
<li>CrowdStrike Alerts API (<code>CS_ALERTS</code>)</li>
<li>CrowdStrike Falcon (<code>CS_EDR</code>)</li>
<li>CyberArk (<code>CYBERARK</code>)</li>
<li>CyberArk Privileged Access Manager (PAM) (<code>CYBERARK_PAM</code>)</li>
<li>Duo Administrator Logs (<code>DUO_ADMIN</code>)</li>
<li>EfficientIP DDI (<code>EFFICIENTIP_DDI</code>)</li>
<li>Elastic Audit Beats (<code>ELASTIC_AUDITBEAT</code>)</li>
<li>Elastic Windows Event Log Beats (<code>ELASTIC_WINLOGBEAT</code>)</li>
<li>F5 ASM (<code>F5_ASM</code>)</li>
<li>Forcepoint Proxy (<code>FORCEPOINT_WEBPROXY</code>)</li>
<li>FortiGate (<code>FORTINET_FIREWALL</code>)</li>
<li>GitHub (<code>GITHUB</code>)</li>
<li>Google Cloud Asset Inventory (<code>GCP_CLOUD_ASSET_INVENTORY</code>)</li>
<li>Google Cloud Audit (<code>GCP_CLOUDAUDIT</code>)</li>
<li>Google Compute Context (<code>GCP_COMPUTE_CONTEXT</code>)</li>
<li>Google Threat Intelligence IOC (<code>GTI_IOC</code>)</li>
<li>GTB Technologies DLP (<code>GTB_DLP</code>)</li>
<li>HP Aruba (ClearPass) (<code>CLEARPASS</code>)</li>
<li>IBM Websphere Application Server (<code>IBM_WEBSPHERE_APP_SERVER</code>)</li>
<li>IBM z/OS (<code>IBM_ZOS</code>)</li>
<li>Imperva (<code>IMPERVA_WAF</code>)</li>
<li>Imperva CEF (<code>IMPERVA_CEF</code>)</li>
<li>Imperva DRA (<code>IMPERVA_DRA</code>)</li>
<li>Imperva SecureSphere Management (<code>IMPERVA_SECURESPHERE</code>)</li>
<li>Island Browser logs (<code>ISLAND_BROWSER</code>)</li>
<li>Juniper (<code>JUNIPER_FIREWALL</code>)</li>
<li>Juniper Mist (<code>JUNIPER_MIST</code>)</li>
<li>Kubernetes Node (<code>KUBERNETES_NODE</code>)</li>
<li>LastPass Password Management (<code>LASTPASS</code>)</li>
<li>Linux Auditing System (AuditD) (<code>AUDITD</code>)</li>
<li>Microsoft Azure Activity (<code>AZURE_ACTIVITY</code>)</li>
<li>Microsoft Defender for Office 365 (<code>MICROSOFT_DEFENDER_MAIL</code>)</li>
<li>Microsoft IIS (<code>IIS</code>)</li>
<li>Mobileiron (<code>MOBILEIRON</code>)</li>
<li>Mongo Database (<code>MONGO_DB</code>)</li>
<li>MySQL (<code>MYSQL</code>)</li>
<li>Netapp Storagegrid (<code>NETAPP_STORAGEGRID</code>)</li>
<li>Netskope V2 (<code>NETSKOPE_ALERT_V2</code>)</li>
<li>Netskope Web Proxy (<code>NETSKOPE_WEBPROXY</code>)</li>
<li>NGFW Enterprise (<code>GCP_NGFW_ENTERPRISE</code>)</li>
<li>Office 365 (<code>OFFICE_365</code>)</li>
<li>Office 365 Message Trace (<code>OFFICE_365_MESSAGETRACE</code>)</li>
<li>Okta Scaleft (<code>OKTA_SCALEFT</code>)</li>
<li>Oracle (<code>ORACLE_DB</code>)</li>
<li>Oracle Cloud Infrastructure Audit Logs (<code>OCI_AUDIT</code>)</li>
<li>Orca Cloud Security Platform (<code>ORCA</code>)</li>
<li>Proofpoint On Demand (<code>PROOFPOINT_ON_DEMAND</code>)</li>
<li>Radware Web Application Firewall (<code>RADWARE_FIREWALL</code>)</li>
<li>Red Hat Directory Server LDAP (<code>REDHAT_DIRECTORY_SERVER</code>)</li>
<li>Red Hat OpenShift (<code>REDHAT_OPENSHIFT</code>)</li>
<li>Salesforce (<code>SALESFORCE</code>)</li>
<li>Sangfor Next Generation Firewall (<code>SANGFOR_NGAF</code>)</li>
<li>Security Command Center Error (<code>GCP_SECURITYCENTER_ERROR</code>)</li>
<li>Security Command Center Misconfiguration (<code>GCP_SECURITYCENTER_MISCONFIGURATION</code>)</li>
<li>Security Command Center Observation (<code>GCP_SECURITYCENTER_OBSERVATION</code>)</li>
<li>Security Command Center Posture Violation (<code>GCP_SECURITYCENTER_POSTURE_VIOLATION</code>)</li>
<li>Security Command Center Threat (<code>GCP_SECURITYCENTER_THREAT</code>)</li>
<li>Security Command Center Toxic Combination (<code>GCP_SECURITYCENTER_TOXIC_COMBINATION</code>)</li>
<li>Security Command Center Unspecified (<code>GCP_SECURITYCENTER_UNSPECIFIED</code>)</li>
<li>Security Command Center Vulnerability (<code>GCP_SECURITYCENTER_VULNERABILITY</code>)</li>
<li>SentinelOne Singularity Cloud Funnel (<code>SENTINELONE_CF</code>)</li>
<li>ServiceNow Security (<code>SERVICENOW_SECURITY</code>)</li>
<li>Sourcefire (<code>SOURCEFIRE_IDS</code>)</li>
<li>Suricata EVE (<code>SURICATA_EVE</code>)</li>
<li>Symantec Endpoint Protection (<code>SEP</code>)</li>
<li>Sysdig (<code>SYSDIG</code>)</li>
<li>Trend Micro Deep Security (<code>TRENDMICRO_DEEP_SECURITY</code>)</li>
<li>Trend Micro Vision One Observerd Attack Techniques (<code>TRENDMICRO_VISION_ONE_OBSERVERD_ATTACK_TECHNIQUES</code>)</li>
<li>Ubiquiti UniFi Switch (<code>UBIQUITI_SWITCH</code>)</li>
<li>Unix system (<code>NIX_SYSTEM</code>)</li>
<li>Upwind (<code>UPWIND</code>)</li>
<li>VMware ESXi (<code>VMWARE_ESX</code>)</li>
<li>VMWare VSphere (<code>VMWARE_VSPHERE</code>)</li>
<li>Windows DNS (<code>WINDOWS_DNS</code>)</li>
<li>Windows Event (<code>WINEVTLOG</code>)</li>
<li>Wiz.io (<code>WIZ_IO</code>)</li>
<li>Workday User Activity (<code>WORKDAY_USER_ACTIVITY</code>)</li>
<li>Workspace Activities (<code>WORKSPACE_ACTIVITY</code>)</li>
<li>Zscaler (<code>ZSCALER_WEBPROXY</code>)</li>
<li>Zscaler CASB (<code>ZSCALER_CASB</code>)</li>
<li>Zscaler DLP (<code>ZSCALER_DLP</code>)</li>
<li>Zscaler Private Access (<code>ZSCALER_ZPA</code>)</li>
</ul>
<p>The following log types were added without a default parser. Each parser is listed by product name and <code>log_type</code> value, where applicable.</p>
<ul>
<li>Azure Software Vulnerabilities (<code>AZURE_SOFTWARE_VULNERABILITIES</code>)</li>
<li>Caller Verify (<code>CALLER_VERIFY</code>)</li>
<li>CertSecure Log (<code>CERTSECURE_LOG</code>)</li>
<li>Cisco MultiCloud Defense Firewall (<code>CISCO_MULTICLOUD_DEFENSE_FIREWALL</code>)</li>
<li>Cursor (<code>CURSOR</code>)</li>
<li>Cyfirma (<code>CYFIRMA_DECYFIR_LOG</code>)</li>
<li>Databahn (<code>DATABAHN</code>)</li>
<li>Flare Darkweb Alerts (<code>FLARE_DARKWEB_ALERTS</code>)</li>
<li>Fortinet FortiAppSec Cloud (<code>FORTINET_FORTIAPPSEC</code>)</li>
<li>Hikvision Network Video Recorders (<code>HIKVISION_NVR</code>)</li>
<li>IBM B2B Integrator (<code>IBM_B2B_INTEGRATOR</code>)</li>
<li>IBM InfoSphere Virtual Data Pipeline (<code>IBM_VDP</code>)</li>
<li>Imperva Account TakeOver (<code>IMPERVA_ATO</code>)</li>
<li>Imperva Client Side Protection (<code>IMPERVA_CSP</code>)</li>
<li>Imperva DNS (<code>IMPERVA_DNS</code>)</li>
<li>Imperva Network Security (<code>IMPERVA_NETWORK_SECURITY</code>)</li>
<li>Microsoft Defender XDR (<code>MICROSOFT_DEFENDER_XDR</code>)</li>
<li>Nakivo Backup and Recovery (<code>NAKIVO_BACKUP</code>)</li>
<li>Netcraft Takedown (<code>NETCRAFT_TAKEDOWN</code>)</li>
<li>Next Level Performance Amplify (<code>NXL_AMPLIFY</code>)</li>
<li>Siemens Desigo (<code>SIEMENS_DESIGO</code>)</li>
</ul>
]]>
    </content>
  </entry>

  <entry>
    <title>May 28, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#May_28_2026</id>
    <updated>2026-05-28T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#May_28_2026"/>
    <content type="html"><![CDATA[<h3>Feature</h3>
<p><strong>[Spotlight Feature] Unified and Upgraded Chronicle API</strong></p>
<p><a href="https://docs.cloud.google.com/chronicle/docs/reference/rest">Chronicle API</a> has been unified with API resources from <a href="https://docs.cloud.google.com/chronicle/docs/soar/reference/working-with-chronicle-soar-apis">legacy SOAR API</a>. Further, we've upgraded the following Chronicle API resources from v1 beta to v1. This upgrade signals API stability and functional completeness, enabling customer and partner adoption for production usage. We recommend that customers and partners use Chronicle API for a more robust, secure, and extensible experience. Learn more about <a href="https://google.aip.dev/181">API Stability</a>.</p>
<p>The following features and resources are included in this update:</p>
<table>
<tr>
<td style="background-color: null"><strong>Feature</strong>
</td>
<td style="background-color: null"><strong>Chronicle API Resources upgraded to v1</strong>
</td>
</tr>
<tr>
<td style="background-color: null">Alerts and ATIs, UEBA
   </td>
<td style="background-color: null"><a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.threatCollections">Threat Collection</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.iocs">IoC</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.coverageDetails">CoverageDetail</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances/getRiskConfig">EntityRisk</a>
</td>
</tr>
<tr>
<td style="background-color: null">Dashboards
   </td>
<td style="background-color: null"><a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.nativeDashboards">NativeDashboard</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.dashboardCharts">DashboardChart</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.dashboardQueries">DashboardQuery</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.contentHub.featuredContentNativeDashboards">FeaturedContentNativeDashboard</a>
</td>
</tr>
<tr>
<td style="background-color: null">Data Tables
   </td>
<td style="background-color: null"><a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.dataTables">DataTable</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.dataTables.dataTableRows">DataTableRow</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.dataTableOperationErrors">DataTableOperationError</a>
</td>
</tr>
<tr>
<td style="background-color: null">Ingestion
   </td>
<td style="background-color: null"><a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.logTypes.logs">Logs</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.feeds">Feed</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.feedSourceTypeSchemas.logTypeSchemas">LogTypeSchema</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.feedSourceTypeSchemas">FeedSourceSchema</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.feedPacks">FeedPack</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.forwarders">Forwarder</a>
</td>
</tr>
<tr>
<td style="background-color: null">Normalization
   </td>
<td style="background-color: null"><a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.logTypes">Logtype</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.logTypes.parsers">Parser</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.ingestionLogLabels">IngestionLogLabel</a>
</td>
</tr>
<tr>
<td style="background-color: null">Detections
   </td>
<td style="background-color: null"><a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.findingsRefinements">FindingsRefinement</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances/verifyRuleText">VerifyRuleText</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.contentHub.featuredContentRules">FeaturedContentRule</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.ruleExecutionErrors">RuleExecutionError</a>
</td>
</tr>
<tr>
<td style="background-color: null">Search &amp; Investigation
   </td>
<td style="background-color: null"><a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.events">Event</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.entities">Entity</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.users.searchQueries">SearchQuery</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.savedColumnSets">SavedColumnSet</a>
</td>
</tr>
<tr>
<td style="background-color: null">Exports
   </td>
<td style="background-color: null"><a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.bigQueryExport">BigQueryExportService</a>
</td>
</tr>
<tr>
<td style="background-color: null">Enrichment Controls
   </td>
<td style="background-color: null"><a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.enrichmentControls">EnrichmentControl</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances/getEnrichmentCombination">EnrichmentCombination</a>
</td>
</tr>
<tr>
<td style="background-color: null">SOAR
   </td>
<td style="background-color: null"><a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.cases">Case</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.cases.caseAlerts">CaseAlert</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.caseStageDefinitions">CaseStageDefinition</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.caseTagDefinitions">CaseTagDefinition</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.caseQueueFilters">CaseQueueFilter</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.caseCloseDefinitions">CaseCloseDefinition</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.cases.caseAlerts.contextProperties">ContextProperty</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.cases.caseAlerts.involvedEntities">InvolvedEntity</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.tasks">Task</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.cases.caseComments">CaseComment</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.cases.caseWallRecords">CaseWallRecord</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.cases.chatMessages">ChatMessage</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.views">View</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.ontologyRecords.visualFamilies">VisualFamily</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.cases.chatMessages.attachments">ChatMessages.attachment</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.contentHub.contentPacks">ContentPack</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.socRoles">SocRole</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.emailTemplates">EmailTemplate</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.dynamicParameters">DynamicParameter</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.entitiesBlocklists">EntitiesBlocklist</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.environments">Environment</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.environmentGroups">EnvironmentGroup</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.integrations">Integration</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.integrations.actions">Integrationaction</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.legacySoarUsers.userNotifications">UserNotification</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.integrations.actions.revisions">Integrationactionrevision</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.integrations.connectors">Connector</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.integrations.connectors.connectorInstances">ConnectorInstance</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.remoteAgents">RemoteAgent</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.integrations.connectors.connectorInstances.logs">Connectorlog</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.integrations.connectors.revisions">Connectorrevision</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.integrations.integrationInstances">IntegrationInstance</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.uniqueEntities">UniqueEntity</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.integrations.jobs">Integrationsjob</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.integrations.jobs.jobInstances">JobInstance</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.integrations.jobs.jobInstances.logs">JobInstances.log</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.integrations.jobs.revisions">Jobs.revision</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.integrations.managers">Integrationmanager</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.integrations.managers.revisions">Integrationmanagerrevision</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.alertGroupingRules">AlertGroupingRule</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.announcements">Announcement</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.legacySoarUsers.attachments">Attachment</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.customLists">CustomList</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.formDynamicParameters">FormDynamicParameter</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.marketplaceIntegrations">MarketplaceIntegration</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.moduleSettings">ModuleSetting</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.slaDefinitions">SlaDefinition</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.legacySoarUsers/getNotificationSettings">NotificationSetting</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.propertySchemaDefinitions">PropertySchemaDefinition</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.requestTemplates">RequestTemplate</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.soarDomains">SoarDomain</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.soarNetworks">SoarNetwork</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.legacySoarUsers.workdeskLinks">WorkdeskLink</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.systemNotifications">SystemNotification</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.legacySoarUsers.workdeskContacts">WorkdeskContact</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.legacySoarUsers.workdeskNotes">WorkdeskNote</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.legacySoarUsers/getLocalization">LegacySoarUsers.localization</a>.
   </td>
</tr>
</table>
<p>For a full list of updated resources and links to the documentation, please see the <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest">Chronicle API documentation</a>.</p>
<h3>Feature</h3>
<p><strong>[Spotlight Feature] Manage access to preview features</strong></p>
<p>Google SecOps tenant administrators can enable or disable access to public preview features. Previously, all public preview features needed to be enabled through official Support channels.</p>
<p>The new <strong>Public Preview Features</strong> page lists all the public preview features, the status of each feature (on or off)—along with (when available) the expected GA date and a link to a relevant user guide.</p>
<aside class="note"><strong>Note:</strong><span> In <a href="https://docs.cloud.google.com/chronicle/docs/onboard#set-up-assured-workloads-folder">compliance-controlled tenants</a> (for example, FedRAMP or HIPAA), using the <strong>Public Preview Features</strong> page to turn features on and off isn't available. In these tenants, you must contact Google SecOps support to get public preview features enabled.</span></aside>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/secops/preview-features-manage">Manage access to preview features</a>.</p>
<aside class="note"><strong>Note:</strong><span> It might take one to six days before you see the changes reflected in your region.</span></aside>
]]>
    </content>
  </entry>

  <entry>
    <title>May 27, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#May_27_2026</id>
    <updated>2026-05-27T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#May_27_2026"/>
    <content type="html"><![CDATA[<h3>Feature</h3>
<p><strong>Standard parser support policy</strong></p>
<p>Google SecOps introduced a focused support policy for Standard parsers to scale platform stability, predictable performance, and high-quality data normalization. The new policy structures service level objectives (SLOs) and request triaging by customer support tiers (Standard versus Expert/Expert+), and prioritizes core security data through <a href="https://docs.cloud.google.com/chronicle/docs/reference/important-udm-fields">Important UDM Fields</a>. Additionally, the policy outlines a community-driven model where low-usage, longtail prebuilt parsers migrate to a dedicated GitHub repository maintained by partners and the Google SecOps community. </p>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/ingestion/standard-parser-support-policy">Standard parser support policy</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>May 24, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#May_24_2026</id>
    <updated>2026-05-24T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#May_24_2026"/>
    <content type="html"><![CDATA[<h3>Feature</h3>
<p><strong>[Spotlight Feature] Create and manage calculated fields</strong></p>
<p>The Calculated Fields feature is now available in Preview. With Calculated Fields, you can dynamically derive new data points within Google Security Operations cases and alerts. By defining logical formulas, you can compute values based on existing system or custom fields. The calculated value is automatically evaluated and stored in a user-selected, pre-existing custom field (labeled <strong>Target Field</strong>) in real time.</p>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/soar/investigate/working-with-cases/calculated-fields">Create and manage calculated fields</a>.</p>
<h3>Change</h3>
<p><strong>Time range selection for searches</strong></p>
<p>Google SecOps has now added relative and absolute time range options to define
the required time period for retrieving search results.</p>
<ul>
<li><strong>Relative time range</strong>: Set a search window looking backward from the current time
using custom intervals.</li>
<li><strong>Absolute time range</strong>: Define fixed start and end times using calendar presets,
exact date and time selections, or event-based timeframes.</li>
</ul>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/investigation/udm-search#setDateTime">Set the date and time range</a>.</p>
<aside class="note"><strong>Note:</strong><span> This change follows a phased rollout from <strong>May 12, 2026</strong>, to <strong>May 18, 2026</strong>.
Reach out to support if you do not see the new limits applied to your environment
after <strong>May 18, 2026</strong>.</span></aside>
]]>
    </content>
  </entry>

  <entry>
    <title>May 18, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#May_18_2026</id>
    <updated>2026-05-18T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#May_18_2026"/>
    <content type="html"><![CDATA[<h3>Feature</h3>
<p><strong>[Spotlight Feature] Enhanced Data Export API general availability and improvements</strong></p>
<p>The Data Export API is now GA and introduces significant security and capability improvements. This feature facilitates the bulk export of your security data from Google SecOps to a Google Cloud Storage bucket that you control, and it provides a more secure and scalable data archival experience than the legacy Data Export API feature.</p>
<p>Here's what's new:</p>
<ul>
<li><strong>Advanced data filtering</strong>: the API now lets you additionally scope export jobs using namespaces and ingestion labels.</li>
<li><strong>Zero-trust security (customer-managed encryption keys)</strong>: full integration with Google Cloud Key Management Service (KMS) ensures that all exported data is encrypted with customer-managed keys.</li>
<li><strong>Identity-aware extraction (RBAC)</strong>: export jobs now inherit the data RBAC scope of users creating an export job, preventing unauthorized data extraction.</li>
</ul>
<aside class="note"><strong>Note:</strong><span> It might take one to six days before you see the changes reflected in your region. </span></aside><aside class="special"><strong>Important:</strong><span> You need to update your API settings to call the new <code>v1</code> endpoint instead of the <code>v1alpha</code> endpoint. For example, to create a new data export job, you need to update the existing endpoint <code>POST https://chronicle.{region}.rep.googleapis.com/v1alpha/{parent}/dataExports</code> to the new endpoint <code>POST https://chronicle.{region}.rep.googleapis.com/v1/{parent}/dataExports</code>.</span></aside>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/reference/data-export-api-enhanced">Data Export API (enhanced)</a>.</p>
<h3>Deprecated</h3>
<p>The legacy Data Export API is <a href="https://docs.cloud.google.com/chronicle/docs/deprecations">deprecated</a> in favor of the <a href="https://docs.cloud.google.com/chronicle/docs/reference/data-export-api-enhanced">enhanced Data Export API</a>, which provides a more secure and scalable data archival experience. After June 18, 2026, legacy Data Export API won't work.</p>
<h3>Deprecated</h3>
<p>The <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.dataExports/fetchavailablelogtypes"><code>fetchavailablelogtypes</code></a> API endpoint is <a href="https://docs.cloud.google.com/chronicle/docs/deprecations">deprecated</a> in favor of the <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.logTypes/list"><code>list</code> endpoint</a>. After June 18, 2026, the <code>fetchavailablelogtypes</code> API endpoint won't work.</p>
<h3>Deprecated</h3>
<p>The <code>updateDataExport</code> endpoint in the enhanced Data Export API is <a href="https://docs.cloud.google.com/chronicle/docs/deprecations">deprecated</a>. The reduction in job queue times using the <a href="https://docs.cloud.google.com/chronicle/docs/reference/data-export-api-enhanced">enhanced Data Export API</a> has eliminated the need for the update functionality of the <code>updateDataExport</code> API endpoint. The <code>updateDataExport</code> endpoint was present in v1alpha only; it wasn't present in in v1beta or v1. After June 18, 2026, the <code>updateDataExport</code> API endpoint won't work. You can still cancel queued export jobs.</p>
<h3>Deprecated</h3>
<p>The <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.dataExports#DataExport:%7E:text=05%3A30%22.-,logType,to%20export.%20Format%3A%20projects/%7Bproject%7D/locations/%7Blocation%7D/instances/%7Binstance%7D/logTypes/%7BlogType%7D,-gcsBucket"><code>logType</code></a> field in the enhanced Data Export API is <a href="https://docs.cloud.google.com/chronicle/docs/deprecations">deprecated</a> in favor of the new (optional)<code>includeLogTypes</code> field, which supports an array of log types for data filtering. If left blank, the export job includes all log types by default. The <code>logType</code> field was present in v1alpha only; it wasn't present in in v1beta or v1. After June 18, 2026, the <code>logType</code> field is discontinued. </p>
]]>
    </content>
  </entry>

  <entry>
    <title>May 17, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#May_17_2026</id>
    <updated>2026-05-17T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#May_17_2026"/>
    <content type="html"><![CDATA[<h3>Announcement</h3>
<p><strong>New parser documentation now available</strong></p>
<p>New parser documentation is available to help you ingest and normalize logs from the following sources:</p>
<ul>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/velo-firewall">Collect Arista VeloCloud SD-WAN logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/windows-defender-atp">Collect Microsoft Defender for Endpoint logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/windchill">Collect PTC Windchill logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/steelhead">Collect Riverbed SteelHead logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/sangfor-proxy">Collect Sangfor Proxy logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/sap-btp">Collect SAP BTP logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/sap-netweaver">Collect SAP NetWeaver logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/sap-sm20">Collect SAP SM20 logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/sap-successfactors">Collect SAP SuccessFactors logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/sap-ase">Collect SAP Sybase ASE logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/saviynt-eip">Collect Saviynt Enterprise Identity Cloud logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/securelink">Collect SecureLink logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/semperis-dsp">Collect Semperis DSP logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/sonrai">Collect Sonrai Security logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/soti-mobicontrol">Collect SOTI MobiControl logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/splunk-attack-analyzer">Collect Splunk Attack Analyzer logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/spycloud">Collect SpyCloud logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/stealthbits-audit">Collect Stealthbits Audit logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/stealthbits-defend">Collect Stealthbits StealthDEFEND logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/stix">Collect STIX Threat Intelligence logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/swift-amh">Collect Swift Alliance Messaging Hub logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/symantec-mail">Collect Symantec Messaging Gateway logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/symantec-sa">Collect Symantec Security Analytics logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/tableau">Collect Tableau logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/talon">Collect Talon logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/tcpwave-ddi">Collect TCPWave DDI logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/teleport-access-plane">Collect Teleport Access Plane logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/tenable-audit">Collect Tenable Audit logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/tenable-cspm">Collect Tenable CSPM logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/teradata-db">Collect Teradata Database logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/terraform-enterprise">Collect Terraform Enterprise logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/tetragon-ebpf-audit-logs">Collect Tetragon eBPF audit logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/threatlocker">Collect ThreatLocker Platform logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/threatx-waf">Collect ThreatX WAF logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/tintri">Collect Tintri logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/trendmicro-apex-central">Collect Trend Micro Apex Central logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/uberagent">Collect uberAgent logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/ubika-waf">Collect Ubika WAF logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/ukg">Collect UKG logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/upx-antiddos">Collect UPX AntiDDoS logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/verba-rec">Collect Verba Recording System logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/vercel-waf">Collect Vercel WAF logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/virtru-email-encryption">Collect Virtru Email Encryption logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/watchguard-edr">Collect WatchGuard EDR logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/windows-applocker">Collect Windows AppLocker logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/windows-defender-av">Collect Windows Defender Antivirus logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/windows-firewall">Collect Windows Firewall logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/windows-hyperv">Collect Windows Hyper-V logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/windows-net-policy-server">Collect Windows Network Policy Server logs</a></li>
</ul>
]]>
    </content>
  </entry>

  <entry>
    <title>May 05, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#May_05_2026</id>
    <updated>2026-05-05T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#May_05_2026"/>
    <content type="html"><![CDATA[<h3>Change</h3>
<p>Google SecOps has updated the list of <a href="https://docs.cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers">supported default parsers</a>. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.</p>
<p>The following supported default parsers have been updated. Each parser is listed by product name and <code>log_type</code> value, where applicable. This list includes both released default parsers and pending parser updates.</p>
<ul>
<li>Akeyless Vault Platform (<code>AKEYLESS_VAULT</code>)</li>
<li>Apache Cassandra (<code>CASSANDRA</code>)</li>
<li>Aruba (<code>ARUBA_WIRELESS</code>)</li>
<li>Aruba EdgeConnect SD-WAN (<code>ARUBA_EDGECONNECT_SDWAN</code>)</li>
<li>Auth0 (<code>AUTH_ZERO</code>)</li>
<li>AWS Aurora (<code>AWS_AURORA</code>)</li>
<li>AWS EC2 VPCs (<code>AWS_EC2_VPCS</code>)</li>
<li>AWS Security Hub (<code>AWS_SECURITY_HUB</code>)</li>
<li>Azure Firewall (<code>AZURE_FIREWALL</code>)</li>
<li>Azure Front Door (<code>AZURE_FRONT_DOOR</code>)</li>
<li>Barracuda CloudGen Firewall (<code>BARRACUDA_CLOUDGEN_FIREWALL</code>)</li>
<li>Blue Coat Proxy (<code>BLUECOAT_WEBPROXY</code>)</li>
<li>Check Point (<code>CHECKPOINT_FIREWALL</code>)</li>
<li>Check Point Sandblast (<code>CHECKPOINT_EDR</code>)</li>
<li>Checkpoint SmartDefense (<code>CHECKPOINT_SMARTDEFENSE</code>)</li>
<li>Chronicle SOAR Audit (<code>CHRONICLE_SOAR_AUDIT</code>)</li>
<li>Cisco Application Centric Infrastructure (<code>CISCO_ACI</code>)</li>
<li>Cisco ASA (<code>CISCO_ASA_FIREWALL</code>)</li>
<li>Cisco FireSIGHT Management Center (<code>CISCO_FIRESIGHT</code>)</li>
<li>Cisco Internetwork Operating System (<code>CISCO_IOS</code>)</li>
<li>Cisco ISE (<code>CISCO_ISE</code>)</li>
<li>Cisco Meraki (<code>CISCO_MERAKI</code>)</li>
<li>Cisco Secure Access (<code>CISCO_SECURE_ACCESS</code>)</li>
<li>Cisco Secure Workload (<code>CISCO_SECURE_WORKLOAD</code>)</li>
<li>Cisco Switch (<code>CISCO_SWITCH</code>)</li>
<li>Cisco Umbrella Audit (<code>CISCO_UMBRELLA_AUDIT</code>)</li>
<li>Cisco WLC/WCS (<code>CISCO_WIRELESS</code>)</li>
<li>Citrix Netscaler (<code>CITRIX_NETSCALER</code>)</li>
<li>Claroty Xdome (<code>CLAROTY_XDOME</code>)</li>
<li>Cloudflare Warp (<code>CLOUDFLARE_WARP</code>)</li>
<li>CrowdStrike Alerts API (<code>CS_ALERTS</code>)</li>
<li>CrowdStrike Falcon (<code>CS_EDR</code>)</li>
<li>CyberArk (<code>CYBERARK</code>)</li>
<li>CyberArk Privileged Access Manager (PAM) (<code>CYBERARK_PAM</code>)</li>
<li>EPIC Systems (<code>EPIC</code>)</li>
<li>F5 ASM (<code>F5_ASM</code>)</li>
<li>F5 BIGIP Access Policy Manager (<code>F5_BIGIP_APM</code>)</li>
<li>F5 BIGIP LTM (<code>F5_BIGIP_LTM</code>)</li>
<li>F5 Distributed Cloud Services (<code>F5_DCS</code>)</li>
<li>FireEye eMPS (<code>FIREEYE_EMPS</code>)</li>
<li>FireEye NX (<code>FIREEYE_NX</code>)</li>
<li>FortiGate (<code>FORTINET_FIREWALL</code>)</li>
<li>Fortinet FortiEDR (<code>FORTINET_FORTIEDR</code>)</li>
<li>Fortinet Proxy (<code>FORTINET_WEBPROXY</code>)</li>
<li>GitHub (<code>GITHUB</code>)</li>
<li>Google Cloud Audit (<code>GCP_CLOUDAUDIT</code>)</li>
<li>Google Threat Intelligence IOC (<code>GTI_IOC</code>)</li>
<li>Guardicore Centra (<code>GUARDICORE_CENTRA</code>)</li>
<li>HP Aruba (ClearPass) (<code>CLEARPASS</code>)</li>
<li>Huawei Switches (<code>HUAWEI_SWITCH</code>)</li>
<li>IBM Websphere Application Server (<code>IBM_WEBSPHERE_APP_SERVER</code>)</li>
<li>IBM z/OS (<code>IBM_ZOS</code>)</li>
<li>Imperva SecureSphere Management (<code>IMPERVA_SECURESPHERE</code>)</li>
<li>Infoblox (<code>INFOBLOX</code>)</li>
<li>Juniper (<code>JUNIPER_FIREWALL</code>)</li>
<li>Kubernetes Node (<code>KUBERNETES_NODE</code>)</li>
<li>Linux Auditing System (AuditD) (<code>AUDITD</code>)</li>
<li>ManageEngine ADManager Plus (<code>ADMANAGER_PLUS</code>)</li>
<li>McAfee ePolicy Orchestrator (<code>MCAFEE_EPO</code>)</li>
<li>McAfee Web Gateway (<code>MCAFEE_WEBPROXY</code>)</li>
<li>Microsoft Defender For Cloud (<code>MICROSOFT_DEFENDER_CLOUD_ALERTS</code>)</li>
<li>Microsoft Defender for Endpoint (<code>MICROSOFT_DEFENDER_ENDPOINT</code>)</li>
<li>Microsoft Defender for Identity (<code>MICROSOFT_DEFENDER_IDENTITY</code>)</li>
<li>Microsoft Graph API Alerts (<code>MICROSOFT_GRAPH_ALERT</code>)</li>
<li>Microsoft IIS (<code>IIS</code>)</li>
<li>Mobileiron (<code>MOBILEIRON</code>)</li>
<li>Model Armor (<code>GCP_MODEL_ARMOR</code>)</li>
<li>MySQL (<code>MYSQL</code>)</li>
<li>Netskope Web Proxy (<code>NETSKOPE_WEBPROXY</code>)</li>
<li>Noname API Security (<code>NONAME_API_SECURITY</code>)</li>
<li>Office 365 (<code>OFFICE_365</code>)</li>
<li>Okta (<code>OKTA</code>)</li>
<li>Oracle Cloud Infrastructure Audit Logs (<code>OCI_AUDIT</code>)</li>
<li>Oracle NetSuite (<code>ORACLE_NETSUITE</code>)</li>
<li>Palo Alto Networks Firewall (<code>PAN_FIREWALL</code>)</li>
<li>Palo Alto Panorama (<code>PAN_PANORAMA</code>)</li>
<li>Palo Alto Prisma Access (<code>PAN_CASB</code>)</li>
<li>Palo Alto Prisma Cloud Alert payload (<code>PAN_PRISMA_CA</code>)</li>
<li>Ping Identity (<code>PING</code>)</li>
<li>PostFix Mail (<code>POSTFIX_MAIL</code>)</li>
<li>Proofpoint On Demand (<code>PROOFPOINT_ON_DEMAND</code>)</li>
<li>Proofpoint Tap Alerts (<code>PROOFPOINT_MAIL</code>)</li>
<li>Proofpoint Threat Response (<code>PROOFPOINT_TRAP</code>)</li>
<li>Radware Web Application Firewall (<code>RADWARE_FIREWALL</code>)</li>
<li>Rapid7 Insight (<code>RAPID7_INSIGHT</code>)</li>
<li>SAP Hana Audit (<code>SAP_HANA_AUDIT</code>)</li>
<li>SecureAuth (<code>SECUREAUTH_SSO</code>)</li>
<li>Security Command Center Posture Violation (<code>GCP_SECURITYCENTER_POSTURE_VIOLATION</code>)</li>
<li>Security Command Center Threat (<code>GCP_SECURITYCENTER_THREAT</code>)</li>
<li>Security Command Center Toxic Combination (<code>GCP_SECURITYCENTER_TOXIC_COMBINATION</code>)</li>
<li>SentinelOne Deep Visibility (<code>SENTINEL_DV</code>)</li>
<li>SentinelOne Singularity Cloud Funnel (<code>SENTINELONE_CF</code>)</li>
<li>Silverfort Authentication Platform (<code>SILVERFORT</code>)</li>
<li>SiteMinder Web Access Management (<code>CA_SSO_WEB</code>)</li>
<li>SonicWall (<code>SONIC_FIREWALL</code>)</li>
<li>Squid Web Proxy (<code>SQUID_WEBPROXY</code>)</li>
<li>STIX Threat Intelligence (<code>STIX</code>)</li>
<li>Suricata EVE (<code>SURICATA_EVE</code>)</li>
<li>Sysdig (<code>SYSDIG</code>)</li>
<li>Tanium Threat Response (<code>TANIUM_THREAT_RESPONSE</code>)</li>
<li>Thinkst Canary (<code>THINKST_CANARY</code>)</li>
<li>Trend Micro Apex one (<code>TRENDMICRO_APEX_ONE</code>)</li>
<li>Unix system (<code>NIX_SYSTEM</code>)</li>
<li>Vectra XDR (<code>VECTRA_XDR</code>)</li>
<li>VMware ESXi (<code>VMWARE_ESX</code>)</li>
<li>Wallix Bastion (<code>WALLIX_BASTION</code>)</li>
<li>WatchGuard (<code>WATCHGUARD</code>)</li>
<li>Windows Defender AV (<code>WINDOWS_DEFENDER_AV</code>)</li>
<li>Windows DNS (<code>WINDOWS_DNS</code>)</li>
<li>Windows Event (<code>WINEVTLOG</code>)</li>
<li>Windows Event (XML) (<code>WINEVTLOG_XML</code>)</li>
<li>wiz.io (<code>WIZ_IO</code>)</li>
<li>Zscaler Email DLP (<code>ZSCALER_EMAIL_DLP</code>)</li>
</ul>
<p>The following log types were added without a default parser. Each parser is listed by product name and <code>log_type</code> value, where applicable.</p>
<ul>
<li>Altiris Logs (<code>ALTIRIS_LOGS</code>)</li>
<li>Aruba Access Point (<code>ARUBA_AP</code>)</li>
<li>BloxOne Threat Defense DHCP (<code>BLOXONE_DHCP</code>)</li>
<li>Checkmarx One (<code>CHECKMARX_ONE</code>)</li>
<li>Cisco Nexus Dashboard Orchestrator (<code>CISCO_NDO</code>)</li>
<li>CrowdStrike Cloud Security (<code>CROWDSTRIKE_CSPM</code>)</li>
<li>F5 F5OS-A Logging (<code>F5_F5OS_A</code>)</li>
<li>GateWatcher NDR (<code>GATEWATCHER_NDR</code>)</li>
<li>Hashicorp Terraform (<code>HASHICORP_TERRAFORM</code>)</li>
<li>Jamf Protect Alerts V2 (<code>JAMF_PROTECT_V2</code>)</li>
<li>Oracle Cloud Infrastructure Web Application Firewall (<code>OCI_WAF</code>)</li>
<li>Qualys File Integrity Monitoring (<code>QUALYS_FIM</code>)</li>
<li>SailPoint IdentityNow (<code>SAILPOINT_IDENTITYNOW</code>)</li>
<li>ServiceNow Certificate Logs (<code>SERVICENOW_CERTIFICATE</code>)</li>
<li>ServiceNow User Logs (<code>SERVICENOW_USER</code>)</li>
<li>ServiceNow User Login History (<code>SERVICENOW_USER_LOGIN_HISTORY</code>)</li>
<li>SiteGuard Server (<code>SITEGUARD_SERVER</code>)</li>
<li>Tosi Hub (<code>TOSI_HUB</code>)</li>
<li>Trellix Network Detection and Response (<code>TRELLIX_NDR</code>)</li>
</ul>
]]>
    </content>
  </entry>

  <entry>
    <title>May 03, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#May_03_2026</id>
    <updated>2026-05-03T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#May_03_2026"/>
    <content type="html"><![CDATA[<h3>Feature</h3>
<p><strong>Enhanced "Time to respond" options for multi-choice questions</strong></p>
<p>Google SecOps now provides more granular control over playbook execution when the "time to respond" for a <strong>MultiChoiceQuestion</strong> step is exceeded. When configuring a multi-choice question, you can now choose to proceed with one of the predefined answer branches or to create a dedicated branch to handle this scenario.</p>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/soar/respond/working-with-playbooks/using-flows-in-playbooks#multi-choice">Add a multi-choice question flow</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>April 30, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#April_30_2026</id>
    <updated>2026-04-30T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#April_30_2026"/>
    <content type="html"><![CDATA[<h3>Feature</h3>
<p><strong>VPC Service Controls for Google SecOps general availability</strong></p>
<p>VPC Service Controls is now GA. This feature helps to create perimeters and protect resources and services data from accidental or targeted action by external or insider entities. This in turn can minimize unwarranted data exfiltration risks from Google Cloud services. For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/secops/vpcsc-for-secops">Configure VPC Service Controls for Google SecOps</a> and <a href="https://docs.cloud.google.com/vpc-service-controls/docs/overview">Overview of VPC Service Controls</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>April 27, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#April_27_2026</id>
    <updated>2026-04-27T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#April_27_2026"/>
    <content type="html"><![CDATA[<h3>Announcement</h3>
<p><strong>New parser documentation now available</strong></p>
<p>New parser documentation is available to help you ingest and normalize logs from the following sources:</p>
<ul>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/group-ib">Collect Group-IB Threat Intelligence logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/microsoft-scep">Collect Microsoft System Center Endpoint Protection (SCEP) logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/nagios">Collect Nagios XI logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/neo4j">Collect Neo4j Aura logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/nucleus-vulnerability">Collect Nucleus Security - Nucleus Unified Vulnerability Management logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/nyansa-events">Collect Nyansa Voyance / VMware Edge Network Intelligence logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/okera-dap">Collect Okera Dynamic Access Platform (ODAP) audit logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/okta-scaleft">Collect Okta Advanced Server Access logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/onapsis">Collect Onapsis Platform logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/oneidentity-tpam">Collect One Identity TPAM logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/oci-cloudguard">Collect Oracle Cloud Infrastructure - Oracle Cloud Guard logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/oort">Collect Cisco Identity Intelligence logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/sharepoint">Collect Microsoft SharePoint (Office 365) logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/netapp-bluexp">Collect NetApp Console (formerly BlueXP) audit logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/netwrix">Collect Netwrix Auditor logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/vitalqip">Collect Nokia VitalQIP DDI logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/openai-auditlog">Collect OpenAI Audit logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/netflow-otel">Collect OpenTelemetry Netflow Receiver logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/oracle-fusion">Collect Oracle Fusion Cloud Applications logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/net-suite">Collect Oracle NetSuite - NetSuite Applications Suite logs</a></li>
<li><a href="https://clouddocs.devsite.corp.google.com/chronicle/docs/ingestion/default-parsers/oracle-netsuite">Collect Oracle NetSuite logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/vectra-alerts">Collect Vectra Alerts logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/vectra-xdr">Collect Vectra XDR logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/winevtlog-xml">Collect Windows Event logs (XML format)</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/winscp">Collect WinSCP logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/workday-user-activity">Collect Workday User Activity logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/wpengine">Collect WP Engine logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/xiting-xams">Collect XAMS by Xiting logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/yubico-otp">Collect Yubico OTP logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/zero-networks">Collect Zero Networks logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/zix-email-encryption">Collect Zix Email Encryption logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/zscaler-nss-feeds">Collect Zscaler NSS Feeds for Alerts logs</a></li>
<li><a href="https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/zywall">Collect ZyXEL ZyWALL logs</a></li>
</ul>
]]>
    </content>
  </entry>

  <entry>
    <title>April 22, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#April_22_2026</id>
    <updated>2026-04-22T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#April_22_2026"/>
    <content type="html"><![CDATA[<h3>Deprecated</h3>
<p>Support for the legacy Google Security Operations SIEM infrastructure will end on April 30, 2027. After this date, you will no longer have access to your Google SecOps SIEM instance on the legacy infrastructure. You need to self-migrate Google Security Operations SIEM in legacy Infrastructure to Google Cloud to align with industry standards and improve your reliability, privacy, security, compliance, and granular access controls. Follow the <a href="https://docs.cloud.google.com/chronicle/docs/administration/migrate-legacy-siem-infra">Migration guide</a> and <a href="https://security.googlecloudcommunity.com/community-blog-42/elevate-your-defense-modernizing-google-secops-for-the-agentic-soc-7087">Community post</a> to begin your transition. </p>
<p>This migration applies to you <strong>only</strong> if your SIEM instance meets <strong>one of the conditions</strong> below:</p>
<ul>
<li>Not deployed in your Google Cloud Project</li>
<li>Not using Google Cloud Authentication (Workforce Identity Federation / Cloud Identity)</li>
<li>Not using Google Cloud IAM for Feature Role based access controls.</li>
</ul>
<p>This migration <strong>does not apply</strong> to you if your SIEM instance meets <strong>all the conditions</strong> below:</p>
<ul>
<li>Is deployed in your Google Cloud project</li>
<li>Uses Workforce Identity Federation or Cloud Identity for authentication</li>
<li>Uses Google Cloud IAM to manage granular access permissions</li>
</ul>
]]>
    </content>
  </entry>

  <entry>
    <title>April 15, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#April_15_2026</id>
    <updated>2026-04-15T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#April_15_2026"/>
    <content type="html"><![CDATA[<h3>Feature</h3>
<p><strong>[Spotlight Feature] Unified and upgraded Chronicle API</strong></p>
<p><a href="https://docs.cloud.google.com/chronicle/docs/reference/rest?rep_location=africa-south1">Chronicle API</a> has been unified with API resources from <a href="https://docs.cloud.google.com/chronicle/docs/soar/reference/working-with-chronicle-soar-apis">legacy SOAR API</a>. In addition, we've upgraded the following Chronicle API resources from alpha to beta. This upgrade signals <a href="https://google.aip.dev/181">API Stability</a> and functional completeness, enabling customer and partner adoption for production usage. We recommend customers use Chronicle API for a more robust, secure, and extensible experience.</p>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest?rep_location=africa-south1">Chronicle API</a>.</p>
<table>
<tr>
<td><strong>Feature</strong>
</td>
<td><strong>Chronicle API Resources upgraded to v1 Beta</strong>
</td>
</tr>
<tr>
<td>Alerts and ATIs, UEBA
   </td>
<td><a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.threatCollections">ThreatCollection</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.iocs">IoC</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.coverageDetails">CoverageDetail</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances/getRiskConfig?rep_location=africa-south1">EntityRisk</a>
</td>
</tr>
<tr>
<td>Dashboards
   </td>
<td><a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.nativeDashboards">NativeDashboard</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.dashboardCharts">DashboardChart</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.dashboardQueries">DashboardQuery</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.contentHub.featuredContentNativeDashboards">FeaturedContentNativeDashboard</a>
</td>
</tr>
<tr>
<td>Data Tables
   </td>
<td><a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.dataTables">DataTable</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.dataTables.dataTableRows">DataTableRow</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.dataTableOperationErrors">DataTableOperationError</a>
</td>
</tr>
<tr>
<td>Ingestion
   </td>
<td><a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.logTypes.logs">Logs</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.feeds">Feed</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.feedSourceTypeSchemas.logTypeSchemas">LogTypeSchema</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.feedSourceTypeSchemas">FeedSourceSchema</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.feedPacks">FeedPack</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.forwarders">Forwarder</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.forwarders.collectors">Collector</a>
</td>
</tr>
<tr>
<td>Normalization
   </td>
<td><a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.logTypes">Logtype</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.logTypes.parsers">Parser</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.ingestionLogLabels">IngestionLogLabel</a>
</td>
</tr>
<tr>
<td>Detections
   </td>
<td><a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.findingsRefinements">FindingsRefinement</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances/verifyRuleText">VerifyRuleText</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.contentHub.featuredContentRules">FeaturedContentRule</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.ruleExecutionErrors">RuleExecutionError</a>
</td>
</tr>
<tr>
<td>Search &amp; Investigation
   </td>
<td><a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.events">Event</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.entities">Entity</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.users.searchQueries">SearchQuery</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.savedColumnSets">SavedColumnSet</a>
</td>
</tr>
<tr>
<td>Exports
   </td>
<td><a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.bigQueryExport">BigQueryExportService</a>
</td>
</tr>
<tr>
<td>Enrichment Controls
   </td>
<td><a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.enrichmentControls">EnrichmentControl</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances/getEnrichmentCombination">EnrichmentCombination</a>
</td>
</tr>
<tr>
<td>SOAR
   </td>
<td><a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.cases">Case</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.cases.caseAlerts">CaseAlert</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.caseStageDefinitions">CaseStageDefinition</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.caseTagDefinitions">CaseTagDefinition</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.caseQueueFilters">CaseQueueFilter</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.caseCloseDefinitions">CaseCloseDefinition</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.cases.caseAlerts.connectorEvents">ConnectorEvent</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.cases.alerts.customFieldValues">CustomFieldValue</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.cases.caseAlerts.contextProperties">ContextProperty</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.cases.caseAlerts.involvedEntities">InvolvedEntity</a>,  <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.tasks">Task</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.webhooks">Webhook</a>
<p>
<a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.cases.caseComments">CaseComment</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.cases.caseWallRecords">CaseWallRecord</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.cases.chatMessages">ChatMessage</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.views">View</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.ontologyRecords.visualFamilies">VisualFamily</a>,
<p>
<a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.cases.chatMessages.attachments">ChatMessages.attachment</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.cases.customFieldValues">CustomFieldValues</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.contentHub.contentPacks">ContentPack</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.socRoles">SocRole</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.emailTemplates">EmailTemplate</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.dynamicParameters">DynamicParameter</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.entitiesBlocklists">EntitiesBlocklist</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.environments">Environment</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.environmentGroups">EnvironmentGroup</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.integrations">Integration</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.integrations.actions">Integrationaction</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.legacySoarUsers.userNotifications">UserNotification</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.integrations.actions.revisions">Integrationactionrevision</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.integrations.connectors">Connector</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.integrations.connectors.connectorInstances">ConnectorInstance</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.remoteAgents">RemoteAgent</a>,  <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.integrations.connectors.connectorInstances.logs">Connectorlog</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.integrations.connectors.revisions">Connectorrevision</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.integrations.integrationInstances">IntegrationInstance</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.uniqueEntities">UniqueEntity</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.integrations.jobs">Integrationsjob</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.integrations.jobs.jobInstances">JobInstance</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.integrations.jobs.jobInstances.logs">JobInstances.log</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.integrations.jobs.revisions">Jobs.revision</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.integrations.managers">Integrationmanager</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.integrations.managers.revisions">Integrationmanagerrevision</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.alertGroupingRules">AlertGroupingRule</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.announcements">Announcement</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.legacySoarUsers.attachments">Attachment</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.customLists">CustomList</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.formDynamicParameters">FormDynamicParameter</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.labsExperiments">LabsExperiment</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.marketplaceIntegrations">MarketplaceIntegration</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.moduleSettings">ModuleSetting</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.slaDefinitions">SlaDefinition</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.legacySoarUsers/getNotificationSettings">NotificationSetting</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.propertySchemaDefinitions">PropertySchemaDefinition</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.requestTemplates">RequestTemplate</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.soarDomains">SoarDomain</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.soarNetworks">SoarNetwork</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.legacySoarUsers.workdeskLinks">WorkdeskLink</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.systemNotifications">SystemNotification</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.legacySoarUsers.workdeskContacts">WorkdeskContact</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.legacySoarUsers.workdeskNotes">WorkdeskNote</a>, <a href="https://docs.cloud.google.com/chronicle/docs/reference/rest/v1beta/projects.locations.instances.legacySoarUsers/getLocalization">LegacySoarUsers.localization</a>.
   </p></p></td>
</tr>
</table>
]]>
    </content>
  </entry>

  <entry>
    <title>April 08, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#April_08_2026</id>
    <updated>2026-04-08T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#April_08_2026"/>
    <content type="html"><![CDATA[<h3>Announcement</h3>
<p><strong>Emerging Threats Center general availability</strong></p>
<p>The <strong>Emerging Threats Center</strong> is now in General Availability (GA) and includes
the following new features and enhancements:</p>
<ul>
<li><strong>Expanded campaign filtering:</strong> Filter the Emerging Threats feed by new
categories, including associated malware, tools, and threat actors.</li>
<li><strong>MITRE ATT&amp;CK matrix visualization:</strong> Evaluate your detection rule coverage
for specific tactics, techniques, and procedures (TTPs) using the new
visualization matrix in the <strong>Associated Rules</strong> panel. You can customize
heat map metrics, filter the matrix by rule or alerting status, and view
detailed context for specific sub-techniques.</li>
<li><strong>Enhanced Entity context panel:</strong> Investigate an indicator of compromise (IoC)
using the <strong>Entity context</strong> panel to view its point-in-time state and related
cases.</li>
<li><strong>GTI-associated IoC categories:</strong> Filter GTI-associated IoCs by specific
categories, including <strong>Files</strong>, <strong>URLs</strong>, <strong>Domains</strong>, and <strong>IPs</strong>.</li>
</ul>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/detection/emerging-threats">Emerging Threats Center overview</a>
and <a href="https://docs.cloud.google.com/chronicle/docs/detection/emerging-threats-detailed-view">Emerging Threats Center detail view</a>. </p>
]]>
    </content>
  </entry>

  <entry>
    <title>April 07, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#April_07_2026</id>
    <updated>2026-04-07T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#April_07_2026"/>
    <content type="html"><![CDATA[<h3>Change</h3>
<p><strong>[Spotlight Feature] Search query editor enhancements</strong></p>
<p>Google SecOps has enhanced the search query editor to  provide intelligent
auto-suggestions and improved error handling. The query editor now provides context-aware auto-suggestions
  for fields, operators, and valid values as you type. The editor also highlights syntax errors with a red squiggly
  line and displays a tooltip with the specific error description when you hover
  over it. Additionally, runtime errors now display persistently in the <strong>Results panel</strong>
  to assist with troubleshooting.</p>
<p>For more information, see
<a href="https://docs.cloud.google.com/chronicle/docs/investigation/udm-search#search_autosuggestions">Use auto-suggestions to build queries</a>.</p>
<aside class="note"><strong>Note:</strong><span> This change follows a phased rollout from <strong>April 07, 2026</strong>, to <strong>April 10, 2026</strong>.
Reach out to support if you do not see the new limits applied to your environment
after <strong>April 10, 2026</strong>.</span></aside>
<h3>Feature</h3>
<p><strong>[Spotlight Feature] Health Hub</strong></p>
<p>This feature is currently in Preview. </p>
<p>The Health Hub is the central location in Google Security Operations for you to monitor the status and health of all configured data sources. The Health Hub provides crucial information on data sources and log types, offering the context needed to diagnose and remediate data pipeline issues.</p>
<p>The Health Hub includes information about the following:</p>
<ul>
<li>Ingestion volumes and ingestion health.</li>
<li>Parsing volumes from raw logs to <a href="https://docs.cloud.google.com/chronicle/docs/event-processing/udm-overview">Unified Data Model (UDM) events</a>.</li>
<li>Context and links to interfaces with additional relevant information and functionality.</li>
<li>Irregular and failed sources and log types. </li>
</ul>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/reports/data-health-monitoring-and-troubleshooting-dashboard">Use the Health Hub</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>April 06, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#April_06_2026</id>
    <updated>2026-04-06T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#April_06_2026"/>
    <content type="html"><![CDATA[<h3>Change</h3>
<p><strong>Updates to search query limits and error messaging</strong></p>
<p>Google SecOps has updated search query limits for programmatic and web interface
access:</p>
<ul>
<li>Increased Queries Per Hour (QPH) limits of up to 2,000 for APIs and 1,000
for the web interface.</li>
<li>New concurrency limits for both simple and complex queries.</li>
<li>More descriptive error messages for quota failures in the API and web interface.</li>
</ul>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/investigation/udm-search#QPHlimits">Search limits and quotas</a></p>
<aside class="note"><strong>Note:</strong><span> This change follows a phased rollout from <strong>April 06, 2026</strong>, to
<strong>May 31, 2026</strong>. Contact Support if you don't see the new limits applied
to your environment after <strong>May 31, 2026</strong>.
<strong>May 31, 2026</strong>. Contact Support if you don't see the new limits applied
to your environment after <strong>May 31, 2026</strong>.</span></aside>
<h3>Deprecated</h3>
<p><strong>v1 Cloud Storage Feed Types (GCS, S3, SQS, Azure)</strong></p>
<p>The v1 feed types for <code>GOOGLE_CLOUD_STORAGE</code>, <code>AMAZON_S3</code>, <code>AMAZON_SQS</code>, and <code>AZURE_BLOBSTORE</code> are deprecated and will be discontinued on <strong>March 15, 2027</strong>. The new v2 feed types uses the Google Cloud Storage Transfer Service (STS) to provide improved performance, scalability, and reliability.</p>
<p>To ensure continued ingestion, transition your feeds before the March 15, 2027 shutdown date:</p>
<ul>
<li>Google SecOps will automatically migrate your feeds using v1 feed types to v2 in waves starting from April 6, 2026. To facilitate this, some feeds may require additional IP allowlist or service account permission updates. You can also self-migrate by replacing your existing data feeds with new feeds using v2 feed types.</li>
</ul>
<p>You can also self-migrate by creating new feeds using v2 feed types to substitute your existing feeds using v1 feed types by following the steps documented in our <a href="https://docs.cloud.google.com/chronicle/docs/reference/feed-management-api#source-types">feed configuration guides</a> before March 15, 2027.</p>
<p><strong>Key Dates:</strong></p>
<ul>
<li><strong>April 6, 2026:</strong> Transition begins; auto-migration available.</li>
<li><strong>September 15, 2026:</strong> Support for v1 feeds is discontinued.</li>
<li><strong>March 15, 2027:</strong> v1 feeds reach End of Life (EOL) and will stop returning data.</li>
</ul>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/deprecations">Feature deprecations</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>April 04, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#April_04_2026</id>
    <updated>2026-04-04T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#April_04_2026"/>
    <content type="html"><![CDATA[<h3>Feature</h3>
<p><strong>Playbook Condition and Multi-Choice Question Flows</strong></p>
<p>The maximum number of branches supported in Playbook <strong>Conditions</strong> and <strong>Multiple Choice Questions</strong> has been increased from 6 to 20. This allows for more complex branching logic within a single step.</p>
<p>For more information, see <a href="https://docs.cloud.google.com/chronicle/docs/soar/respond/working-with-playbooks/using-flows-in-playbooks">Use flows in playbooks</a>.</p>
]]>
    </content>
  </entry>

  <entry>
    <title>April 03, 2026</title>
    <id>tag:google.com,2016:chronicle-security-operations-release-notes#April_03_2026</id>
    <updated>2026-04-03T00:00:00-07:00</updated>
    <link rel="alternate" href="https://docs.cloud.google.com/chronicle/docs/secops/release-notes#April_03_2026"/>
    <content type="html"><![CDATA[<h3>Change</h3>
<p>Google SecOps has updated the list of <a href="https://docs.cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers">supported default parsers</a>. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.</p>
<p>The following supported default parsers have been updated. Each parser is listed by product name and <code>log_type</code> value, where applicable. This list includes both released default parsers and pending parser updates.</p>
<ul>
<li>Abnormal Security (<code>ABNORMAL_SECURITY</code>)</li>
<li>Active Countermeasures (<code>AI_HUNTER</code>)</li>
<li>AIX system (<code>AIX_SYSTEM</code>)</li>
<li>Apache (<code>APACHE</code>)</li>
<li>Apache Cassandra (<code>CASSANDRA</code>)</li>
<li>Aruba (<code>ARUBA_WIRELESS</code>)</li>
<li>Aruba EdgeConnect SD-WAN (<code>ARUBA_EDGECONNECT_SDWAN</code>)</li>
<li>Auth0 (<code>AUTH_ZERO</code>)</li>
<li>AWS Aurora (<code>AWS_AURORA</code>)</li>
<li>AWS CloudFront (<code>AWS_CLOUDFRONT</code>)</li>
<li>AWS Cloudtrail (<code>AWS_CLOUDTRAIL</code>)</li>
<li>AWS CloudWatch (<code>AWS_CLOUDWATCH</code>)</li>
<li>AWS VPC Flow (<code>AWS_VPC_FLOW</code>)</li>
<li>AWS WAF (<code>AWS_WAF</code>)</li>
<li>Azure AD (<code>AZURE_AD</code>)</li>
<li>Azure AD Directory Audit (<code>AZURE_AD_AUDIT</code>)</li>
<li>Azure Front Door (<code>AZURE_FRONT_DOOR</code>)</li>
<li>Azure SQL (<code>AZURE_SQL</code>)</li>
<li>BeyondTrust (<code>BOMGAR</code>)</li>
<li>BeyondTrust BeyondInsight (<code>BEYONDTRUST_BEYONDINSIGHT</code>)</li>
<li>Blue Coat Proxy (<code>BLUECOAT_WEBPROXY</code>)</li>
<li>Broadcom Support Portal Audit Logs (<code>BROADCOM_SUPPORT_PORTAL</code>)</li>
<li>Check Point Harmony (<code>CHECKPOINT_HARMONY</code>)</li>
<li>Chronicle SOAR Audit (<code>CHRONICLE_SOAR_AUDIT</code>)</li>
<li>Cisco ASA (<code>CISCO_ASA_FIREWALL</code>)</li>
<li>Cisco Email Security (<code>CISCO_EMAIL_SECURITY</code>)</li>
<li>Cisco ISE (<code>CISCO_ISE</code>)</li>
<li>Cisco Meraki (<code>CISCO_MERAKI</code>)</li>
<li>Cisco Secure Access (<code>CISCO_SECURE_ACCESS</code>)</li>
<li>Cisco Switch (<code>CISCO_SWITCH</code>)</li>
<li>Cisco Umbrella Audit (<code>CISCO_UMBRELLA_AUDIT</code>)</li>
<li>Cisco Umbrella DNS (<code>UMBRELLA_DNS</code>)</li>
<li>Cisco WSA (<code>CISCO_WSA</code>)</li>
<li>Cloud DNS (<code>GCP_DNS</code>)</li>
<li>Cloud SQL (<code>GCP_CLOUDSQL</code>)</li>
<li>Cloudflare (<code>CLOUDFLARE</code>)</li>
<li>Cloudflare Warp (<code>CLOUDFLARE_WARP</code>)</li>
<li>Code42 Incydr (<code>CODE42_INCYDR</code>)</li>
<li>CrowdStrike Alerts API (<code>CS_ALERTS</code>)</li>
<li>CrowdStrike Falcon (<code>CS_EDR</code>)</li>
<li>CrowdStrike Falcon Stream (<code>CS_STREAM</code>)</li>
<li>CyberArk Privileged Access Manager (PAM) (<code>CYBERARK_PAM</code>)</li>
<li>Cybereason EDR (<code>CYBEREASON_EDR</code>)</li>
<li>CYJAX Threat Intelligence (<code>CYJAX_THREAT_INTELLIGENCE</code>)</li>
<li>Cyware Threat Intelligence Exchange (<code>CTIX</code>)</li>
<li>Databricks (<code>DATABRICKS</code>)</li>
<li>Duo Auth (<code>DUO_AUTH</code>)</li>
<li>Elastic Defend (<code>ELASTIC_DEFEND</code>)</li>
<li>ESET AV (<code>ESET_AV</code>)</li>
<li>F5 ASM (<code>F5_ASM</code>)</li>
<li>F5 BIGIP Access Policy Manager (<code>F5_BIGIP_APM</code>)</li>
<li>FireEye eMPS (<code>FIREEYE_EMPS</code>)</li>
<li>FireEye ETP (<code>FIREEYE_ETP</code>)</li>
<li>FireEye NX (<code>FIREEYE_NX</code>)</li>
<li>Forescout NAC (<code>FORESCOUT_NAC</code>)</li>
<li>ForgeRock Identity Cloud (<code>FORGEROCK_IDENTITY_CLOUD</code>)</li>
<li>Fortinet FortiAnalyzer (<code>FORTINET_FORTIANALYZER</code>)</li>
<li>GitHub (<code>GITHUB</code>)</li>
<li>Google Threat Intelligence IOC (<code>GTI_IOC</code>)</li>
<li>HP Aruba (ClearPass) (<code>CLEARPASS</code>)</li>
<li>Huawei Switches (<code>HUAWEI_SWITCH</code>)</li>
<li>IBM DataPower Gateway (<code>IBM_DATAPOWER</code>)</li>
<li>IBM Safenet (<code>IBM_SAFENET</code>)</li>
<li>IBM Websphere Application Server (<code>IBM_WEBSPHERE_APP_SERVER</code>)</li>
<li>Imperva Advanced Bot Protection (<code>IMPERVA_ABP</code>)</li>
<li>Imperva SecureSphere Management (<code>IMPERVA_SECURESPHERE</code>)</li>
<li>Juniper (<code>JUNIPER_FIREWALL</code>)</li>
<li>Kolide Endpoint Security (<code>KOLIDE</code>)</li>
<li>Kubernetes Audit (<code>KUBERNETES_AUDIT</code>)</li>
<li>Kubernetes Node (<code>KUBERNETES_NODE</code>)</li>
<li>Linux Auditing System (AuditD) (<code>AUDITD</code>)</li>
<li>Maria Database (<code>MARIA_DB</code>)</li>
<li>McAfee ePolicy Orchestrator (<code>MCAFEE_EPO</code>)</li>
<li>McAfee Skyhigh CASB (<code>MCAFEE_SKYHIGH_CASB</code>)</li>
<li>McAfee Web Gateway (<code>MCAFEE_WEBPROXY</code>)</li>
<li>Microsoft Azure Activity (<code>AZURE_ACTIVITY</code>)</li>
<li>Microsoft Defender For Cloud (<code>MICROSOFT_DEFENDER_CLOUD_ALERTS</code>)</li>
<li>Microsoft Graph API Alerts (<code>MICROSOFT_GRAPH_ALERT</code>)</li>
<li>Microsoft IIS (<code>IIS</code>)</li>
<li>Microsoft SQL Server (<code>MICROSOFT_SQL</code>)</li>
<li>Mimecast Mail V2 (<code>MIMECAST_MAIL_V2</code>)</li>
<li>Mobile Endpoint Security (<code>LOOKOUT_MOBILE_ENDPOINT_SECURITY</code>)</li>
<li>Mobileiron (<code>MOBILEIRON</code>)</li>
<li>NetApp ONTAP (<code>NETAPP_ONTAP</code>)</li>
<li>Netskope V2 (<code>NETSKOPE_ALERT_V2</code>)</li>
<li>Netskope Web Proxy (<code>NETSKOPE_WEBPROXY</code>)</li>
<li>Obsidian (<code>OBSIDIAN</code>)</li>
<li>Office 365 (<code>OFFICE_365</code>)</li>
<li>Oort Security Tool (<code>OORT</code>)</li>
<li>Oracle (<code>ORACLE_DB</code>)</li>
<li>Orca Cloud Security Platform (<code>ORCA</code>)</li>
<li>Palo Alto Cortex XDR Events (<code>PAN_CORTEX_XDR_EVENTS</code>)</li>
<li>Palo Alto Networks Firewall (<code>PAN_FIREWALL</code>)</li>
<li>Palo Alto Prisma Cloud Alert payload (<code>PAN_PRISMA_CA</code>)</li>
<li>PostFix Mail (<code>POSTFIX_MAIL</code>)</li>
<li>Proofpoint On Demand (<code>PROOFPOINT_ON_DEMAND</code>)</li>
<li>Proofpoint Tap Alerts (<code>PROOFPOINT_MAIL</code>)</li>
<li>Proofpoint Threat Response (<code>PROOFPOINT_TRAP</code>)</li>
<li>Radware Web Application Firewall (<code>RADWARE_FIREWALL</code>)</li>
<li>Red Hat OpenShift (<code>REDHAT_OPENSHIFT</code>)</li>
<li>Salesforce (<code>SALESFORCE</code>)</li>
<li>SAP Change Document (<code>SAP_CHANGE_DOCUMENT</code>)</li>
<li>SAP Gateway (<code>SAP_GATEWAY</code>)</li>
<li>SAP Hana Audit (<code>SAP_HANA_AUDIT</code>)</li>
<li>SAP Security Audit (<code>SAP_SECURITY_AUDIT</code>)</li>
<li>Security Command Center Posture Violation (<code>GCP_SECURITYCENTER_POSTURE_VIOLATION</code>)</li>
<li>Security Command Center Sensitive Data Risk (<code>GCP_SECURITYCENTER_SENSITIVE_DATA_RISK</code>)</li>
<li>Security Command Center Threat (<code>GCP_SECURITYCENTER_THREAT</code>)</li>
<li>Security Command Center Toxic Combination (<code>GCP_SECURITYCENTER_TOXIC_COMBINATION</code>)</li>
<li>Snyk Group level audit Logs (<code>SNYK_SDLC</code>)</li>
<li>Suricata EVE (<code>SURICATA_EVE</code>)</li>
<li>Symantec EDR (<code>SYMANTEC_EDR</code>)</li>
<li>Sysdig (<code>SYSDIG</code>)</li>
<li>Tenable Active Directory Security (<code>TENABLE_ADS</code>)</li>
<li>ThreatConnect IOC V3 (<code>THREATCONNECT_IOC_V3</code>)</li>
<li>Trellix HX Alerts (<code>TRELLIX_HX_ALERTS</code>)</li>
<li>Trellix HX Audit Events (<code>TRELLIX_HX_AUDIT</code>)</li>
<li>Trellix HX Event Streamer (<code>TRELLIX_HX_ES</code>)</li>
<li>Trellix HX Hosts (<code>TRELLIX_HX_HOSTS</code>)</li>
<li>Trend Micro Vision One Endpoint Vulnerabilities (<code>TRENDMICRO_VISION_ONE_ENDPOINT_VULNERABILITIES</code>)</li>
<li>Trend Micro Vision One Observerd Attack Techniques (<code>TRENDMICRO_VISION_ONE_OBSERVERD_ATTACK_TECHNIQUES</code>)</li>
<li>Trend Micro Vision One Workbench (<code>TRENDMICRO_VISION_ONE_WORKBENCH</code>)</li>
<li>TrendMicro Apex Central (<code>TRENDMICRO_APEX_CENTRAL</code>)</li>
<li>TXOne Stellar (<code>TRENDMICRO_STELLAR</code>)</li>
<li>Ubika Waf (<code>UBIKA_WAF</code>)</li>
<li>Unix system (<code>NIX_SYSTEM</code>)</li>
<li>Varonis (<code>VARONIS</code>)</li>
<li>Vmware Avinetworks iWAF (<code>VMWARE_AVINETWORKS_IWAF</code>)</li>
<li>VMware ESXi (<code>VMWARE_ESX</code>)</li>
<li>VMware Horizon (<code>VMWARE_HORIZON</code>)</li>
<li>Wallix Bastion (<code>WALLIX_BASTION</code>)</li>
<li>Windows DNS (<code>WINDOWS_DNS</code>)</li>
<li>Windows Event (<code>WINEVTLOG</code>)</li>
<li>Windows Event (XML) (<code>WINEVTLOG_XML</code>)</li>
<li>wiz.io (<code>WIZ_IO</code>)</li>
<li>Zeek JSON (<code>BRO_JSON</code>)</li>
<li>Zscaler (<code>ZSCALER_WEBPROXY</code>)</li>
</ul>
<p>The following log types were added without a default parser. Each parser is listed by product name and <code>log_type</code> value, where applicable.</p>
<ul>
<li>Action1 (<code>ACTION1</code>)</li>
<li>CDNetworks Cloud Security (<code>CDNETWORKS_CLOUD_SECURITY</code>)</li>
<li>Claude Compliance Logs (<code>CLAUDE_COMPLIANCE_LOGS</code>)</li>
<li>Dell RecoverPoint (<code>DELL_RECOVERPOINT</code>)</li>
<li>IBM Storwize (<code>IBM_STORWIZE</code>)</li>
<li>LeapXpert Audit Logs (<code>LEAPXPERT_AUDIT</code>)</li>
<li>Oracle Key Vault Audit Logs (<code>ORACLE_KEY_VAULT_AUDIT_LOGS</code>)</li>
<li>RSA Cloud (<code>RSA_CLOUD</code>)</li>
<li>ServiceNow Antivirus Activity (<code>SERVICENOW_ANTIVIRUS_ACTIVITY</code>)</li>
<li>ServiceNow Attachment (<code>SERVICENOW_ATTACHMENT</code>)</li>
<li>ServiceNow Email (<code>SERVICENOW_EMAIL</code>)</li>
<li>Versa Director (<code>VERSA_DIRECTOR</code>)</li>
<li>ZPE Systems NodeGrid (<code>ZPE_SYSTEMS_NODEGRID</code>)</li>
</ul>
]]>
    </content>
  </entry>

</feed>
