Emerging Threats Center general availability

The Emerging Threats Center is now in General Availability (GA) and includes the following new features and enhancements:

• Expanded campaign filtering: Filter the Emerging Threats feed by new categories, including associated malware, tools, and threat actors.
• MITRE ATT&CK matrix visualization: Evaluate your detection rule coverage for specific tactics, techniques, and procedures (TTPs) using the new visualization matrix in the Associated Rules panel. You can customize heat map metrics, filter the matrix by rule or alerting status, and view detailed context for specific sub-techniques.
• Enhanced Entity context panel: Investigate an indicator of compromise (IoC) using the Entity context panel to view its point-in-time state and related cases.
• GTI-associated IoC categories: Filter GTI-associated IoCs by specific categories, including Files, URLs, Domains, and IPs.

For more information, see Emerging Threats Center overview and Emerging Threats Center detail view.

Search query editor enhancements

Google SecOps has enhanced the search query editor to provide intelligent auto-suggestions and improved error handling.

• Auto-suggestions: The query editor now provides context-aware auto-suggestions for fields, operators, and valid values as you type.
• Error handling: The editor now highlights syntax errors with a red squiggly line and displays a tooltip with the specific error description when you hover over it. Additionally, runtime errors now display persistently in the Results panel to assist with troubleshooting.

For more information, see Use auto-suggestions to build queries.

Feature

Health Hub

This feature is currently in Preview.

The Health Hub is the central location in Google Security Operations for you to monitor the status and health of all configured data sources. The Health Hub provides crucial information on data sources and log types, offering the context needed to diagnose and remediate data pipeline issues.

The Health Hub includes information about the following:

• Ingestion volumes and ingestion health.
• Parsing volumes from raw logs to Unified Data Model (UDM) events.
• Context and links to interfaces with additional relevant information and functionality.
• Irregular and failed sources and log types.

For more information, see Use the Health Hub.

Updates to search query limits and error messaging

Google SecOps has updated search query limits for programmatic and web interface access:

• Increased Queries Per Hour (QPH) limits of up to 2,000 for APIs and 1,000 for the web interface.
• New concurrency limits for both simple and complex queries.
• More descriptive error messages for quota failures in the API and web interface.

For more information, see Search limits and quotas

Deprecated

v1 Cloud Storage Feed Types (GCS, S3, SQS, Azure)

The v1 feed types for GOOGLE_CLOUD_STORAGE, AMAZON_S3, AMAZON_SQS, and AZURE_BLOBSTORE are deprecated and will be discontinued on March 15, 2027. The new v2 feed types uses the Google Cloud Storage Transfer Service (STS) to provide improved performance, scalability, and reliability.

To ensure continued ingestion, transition your feeds before the March 15, 2027 shutdown date:

• Google SecOps will automatically migrate your feeds using v1 feed types to v2 in waves starting from April 6, 2026. To facilitate this, some feeds may require additional IP allowlist or service account permission updates. You can also self-migrate by replacing your existing data feeds with new feeds using v2 feed types.

You can also self-migrate by creating new feeds using v2 feed types to substitute your existing feeds using v1 feed types by following the steps documented in our feed configuration guides before March 15, 2027.

Key Dates:

• April 6, 2026: Transition begins; auto-migration available.
• September 15, 2026: Support for v1 feeds is discontinued.
• March 15, 2027: v1 feeds reach End of Life (EOL) and will stop returning data.

For more information, see Feature deprecations.

Playbook Condition and Multi-Choice Question Flows

The maximum number of branches supported in Playbook Conditions and Multiple Choice Questions has been increased from 6 to 20. This allows for more complex branching logic within a single step.

For more information, see Use flows in playbooks.

Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.

The following supported default parsers have been updated. Each parser is listed by product name and log_type value, where applicable. This list includes both released default parsers and pending parser updates.

• Abnormal Security (ABNORMAL_SECURITY)
• Active Countermeasures (AI_HUNTER)
• AIX system (AIX_SYSTEM)
• Apache (APACHE)
• Apache Cassandra (CASSANDRA)
• Aruba (ARUBA_WIRELESS)
• Aruba EdgeConnect SD-WAN (ARUBA_EDGECONNECT_SDWAN)
• Auth0 (AUTH_ZERO)
• AWS Aurora (AWS_AURORA)
• AWS CloudFront (AWS_CLOUDFRONT)
• AWS Cloudtrail (AWS_CLOUDTRAIL)
• AWS CloudWatch (AWS_CLOUDWATCH)
• AWS VPC Flow (AWS_VPC_FLOW)
• AWS WAF (AWS_WAF)
• Azure AD (AZURE_AD)
• Azure AD Directory Audit (AZURE_AD_AUDIT)
• Azure Front Door (AZURE_FRONT_DOOR)
• Azure SQL (AZURE_SQL)
• BeyondTrust (BOMGAR)
• BeyondTrust BeyondInsight (BEYONDTRUST_BEYONDINSIGHT)
• Blue Coat Proxy (BLUECOAT_WEBPROXY)
• Broadcom Support Portal Audit Logs (BROADCOM_SUPPORT_PORTAL)
• Check Point Harmony (CHECKPOINT_HARMONY)
• Chronicle SOAR Audit (CHRONICLE_SOAR_AUDIT)
• Cisco ASA (CISCO_ASA_FIREWALL)
• Cisco Email Security (CISCO_EMAIL_SECURITY)
• Cisco ISE (CISCO_ISE)
• Cisco Meraki (CISCO_MERAKI)
• Cisco Secure Access (CISCO_SECURE_ACCESS)
• Cisco Switch (CISCO_SWITCH)
• Cisco Umbrella Audit (CISCO_UMBRELLA_AUDIT)
• Cisco Umbrella DNS (UMBRELLA_DNS)
• Cisco WSA (CISCO_WSA)
• Cloud DNS (GCP_DNS)
• Cloud SQL (GCP_CLOUDSQL)
• Cloudflare (CLOUDFLARE)
• Cloudflare Warp (CLOUDFLARE_WARP)
• Code42 Incydr (CODE42_INCYDR)
• CrowdStrike Alerts API (CS_ALERTS)
• CrowdStrike Falcon (CS_EDR)
• CrowdStrike Falcon Stream (CS_STREAM)
• CyberArk Privileged Access Manager (PAM) (CYBERARK_PAM)
• Cybereason EDR (CYBEREASON_EDR)
• CYJAX Threat Intelligence (CYJAX_THREAT_INTELLIGENCE)
• Cyware Threat Intelligence Exchange (CTIX)
• Databricks (DATABRICKS)
• Duo Auth (DUO_AUTH)
• Elastic Defend (ELASTIC_DEFEND)
• ESET AV (ESET_AV)
• F5 ASM (F5_ASM)
• F5 BIGIP Access Policy Manager (F5_BIGIP_APM)
• FireEye eMPS (FIREEYE_EMPS)
• FireEye ETP (FIREEYE_ETP)
• FireEye NX (FIREEYE_NX)
• Forescout NAC (FORESCOUT_NAC)
• ForgeRock Identity Cloud (FORGEROCK_IDENTITY_CLOUD)
• Fortinet FortiAnalyzer (FORTINET_FORTIANALYZER)
• GitHub (GITHUB)
• Google Threat Intelligence IOC (GTI_IOC)
• HP Aruba (ClearPass) (CLEARPASS)
• Huawei Switches (HUAWEI_SWITCH)
• IBM DataPower Gateway (IBM_DATAPOWER)
• IBM Safenet (IBM_SAFENET)
• IBM Websphere Application Server (IBM_WEBSPHERE_APP_SERVER)
• Imperva Advanced Bot Protection (IMPERVA_ABP)
• Imperva SecureSphere Management (IMPERVA_SECURESPHERE)
• Juniper (JUNIPER_FIREWALL)
• Kolide Endpoint Security (KOLIDE)
• Kubernetes Audit (KUBERNETES_AUDIT)
• Kubernetes Node (KUBERNETES_NODE)
• Linux Auditing System (AuditD) (AUDITD)
• Maria Database (MARIA_DB)
• McAfee ePolicy Orchestrator (MCAFEE_EPO)
• McAfee Skyhigh CASB (MCAFEE_SKYHIGH_CASB)
• McAfee Web Gateway (MCAFEE_WEBPROXY)
• Microsoft Azure Activity (AZURE_ACTIVITY)
• Microsoft Defender For Cloud (MICROSOFT_DEFENDER_CLOUD_ALERTS)
• Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
• Microsoft IIS (IIS)
• Microsoft SQL Server (MICROSOFT_SQL)
• Mimecast Mail V2 (MIMECAST_MAIL_V2)
• Mobile Endpoint Security (LOOKOUT_MOBILE_ENDPOINT_SECURITY)
• Mobileiron (MOBILEIRON)
• NetApp ONTAP (NETAPP_ONTAP)
• Netskope V2 (NETSKOPE_ALERT_V2)
• Netskope Web Proxy (NETSKOPE_WEBPROXY)
• Obsidian (OBSIDIAN)
• Office 365 (OFFICE_365)
• Oort Security Tool (OORT)
• Oracle (ORACLE_DB)
• Orca Cloud Security Platform (ORCA)
• Palo Alto Cortex XDR Events (PAN_CORTEX_XDR_EVENTS)
• Palo Alto Networks Firewall (PAN_FIREWALL)
• Palo Alto Prisma Cloud Alert payload (PAN_PRISMA_CA)
• PostFix Mail (POSTFIX_MAIL)
• Proofpoint On Demand (PROOFPOINT_ON_DEMAND)
• Proofpoint Tap Alerts (PROOFPOINT_MAIL)
• Proofpoint Threat Response (PROOFPOINT_TRAP)
• Radware Web Application Firewall (RADWARE_FIREWALL)
• Red Hat OpenShift (REDHAT_OPENSHIFT)
• Salesforce (SALESFORCE)
• SAP Change Document (SAP_CHANGE_DOCUMENT)
• SAP Gateway (SAP_GATEWAY)
• SAP Hana Audit (SAP_HANA_AUDIT)
• SAP Security Audit (SAP_SECURITY_AUDIT)
• Security Command Center Posture Violation (GCP_SECURITYCENTER_POSTURE_VIOLATION)
• Security Command Center Sensitive Data Risk (GCP_SECURITYCENTER_SENSITIVE_DATA_RISK)
• Security Command Center Threat (GCP_SECURITYCENTER_THREAT)
• Security Command Center Toxic Combination (GCP_SECURITYCENTER_TOXIC_COMBINATION)
• Snyk Group level audit Logs (SNYK_SDLC)
• Suricata EVE (SURICATA_EVE)
• Symantec EDR (SYMANTEC_EDR)
• Sysdig (SYSDIG)
• Tenable Active Directory Security (TENABLE_ADS)
• ThreatConnect IOC V3 (THREATCONNECT_IOC_V3)
• Trellix HX Alerts (TRELLIX_HX_ALERTS)
• Trellix HX Audit Events (TRELLIX_HX_AUDIT)
• Trellix HX Event Streamer (TRELLIX_HX_ES)
• Trellix HX Hosts (TRELLIX_HX_HOSTS)
• Trend Micro Vision One Endpoint Vulnerabilities (TRENDMICRO_VISION_ONE_ENDPOINT_VULNERABILITIES)
• Trend Micro Vision One Observerd Attack Techniques (TRENDMICRO_VISION_ONE_OBSERVERD_ATTACK_TECHNIQUES)
• Trend Micro Vision One Workbench (TRENDMICRO_VISION_ONE_WORKBENCH)
• TrendMicro Apex Central (TRENDMICRO_APEX_CENTRAL)
• TXOne Stellar (TRENDMICRO_STELLAR)
• Ubika Waf (UBIKA_WAF)
• Unix system (NIX_SYSTEM)
• Varonis (VARONIS)
• Vmware Avinetworks iWAF (VMWARE_AVINETWORKS_IWAF)
• VMware ESXi (VMWARE_ESX)
• VMware Horizon (VMWARE_HORIZON)
• Wallix Bastion (WALLIX_BASTION)
• Windows DNS (WINDOWS_DNS)
• Windows Event (WINEVTLOG)
• Windows Event (XML) (WINEVTLOG_XML)
• wiz.io (WIZ_IO)
• Zeek JSON (BRO_JSON)
• Zscaler (ZSCALER_WEBPROXY)

The following log types were added without a default parser. Each parser is listed by product name and log_type value, where applicable.

• Action1 (ACTION1)
• CDNetworks Cloud Security (CDNETWORKS_CLOUD_SECURITY)
• Claude Compliance Logs (CLAUDE_COMPLIANCE_LOGS)
• Dell RecoverPoint (DELL_RECOVERPOINT)
• IBM Storwize (IBM_STORWIZE)
• LeapXpert Audit Logs (LEAPXPERT_AUDIT)
• Oracle Key Vault Audit Logs (ORACLE_KEY_VAULT_AUDIT_LOGS)
• RSA Cloud (RSA_CLOUD)
• ServiceNow Antivirus Activity (SERVICENOW_ANTIVIRUS_ACTIVITY)
• ServiceNow Attachment (SERVICENOW_ATTACHMENT)
• ServiceNow Email (SERVICENOW_EMAIL)
• Versa Director (VERSA_DIRECTOR)
• ZPE Systems NodeGrid (ZPE_SYSTEMS_NODEGRID)

Chrome Enterprise Premium Integration general availability

The Chrome Enterprise Premium integration is now GA. This release includes the following new features and updates:

• New Chrome Enterprise Connector which configures recommended data export settings and sends data through Google Cloud to Google Security Operations. Chrome Enterprise Premium customers can export data with additional security context provided by Google Safe Browsing.

• Updates to the CHROME_MANAGEMENT parser documentation in Collect Chrome Enterprise data and Chrome Enterprise Premium Threats.

• Curated Detections for Chrome Enterprise Premium.

• Curated Dashboards for Chrome Enterprise Premium.

• Response actions to block and remove malicious extensions or to delete blocked extensions from the extension policy ExtensionInstallBlocklist.

Multi-stage queries in YARA-L

The Multi-stage queries feature is now GA. This feature lets you feed the output of one query stage into the input of another, providing more granular data transformation than a single, monolithic query.

You can use multi-stage queries in both Dashboards and Search to build sophisticated detection and visualization logic. No action is required to enable this feature.

Learn more about how to create multi-stage queries with YARA-L 2.0.

Credential validation for third-party API feed types

Credential validation is now available for all 49 third-party API connectors.

When you create a feed using a third-party API feed type, Google SecOps now automatically validates the provided credentials. This ensures that if credentials are incorrect:

• Immediate feedback: The web interface displays an error message explaining the configuration failure.
• Prevention of broken feeds: The system blocks the creation of the feed until valid credentials are provided, preventing the creation of broken feeds that fail to ingest data later.

New parser documentation now available

New parser documentation is available to help you ingest and normalize logs from the following sources:

• Collect Cisco Umbrella Cloud Firewall logs
• Collect Cisco Umbrella IP logs
• Collect Claroty xDome for Healthcare logs
• Collect CloudM logs
• Collect Digital Guardian EDR logs
• Collect DNSFilter logs
• Collect Dope Security SWG logs
• Collect Druva Backup logs
• Collect EfficientIP DDI logs
• Collect Elastic Defend logs
• Collect Elastic Windows Event Log Beats logs
• Collect Ergon Informatik Airlock IAM logs
• Collect ESET Threat Intelligence logs
• Collect F5 Distributed Cloud Services logs
• Collect F5 Shape logs
• Collect F5 Silverline logs
• Collect Falco IDS logs
• Collect Fastly CDN logs
• Collect File Scanning Framework logs
• Collect FireEye ETP logs
• Collect FireEye HX Audit logs
• Collect FireEye NX Audit logs
• Collect Fivetran logs
• Collect Forcepoint Mail Relay logs
• Collect GitGuardian Enterprise logs
• Collect Google Cloud Looker audit logs
• Collect Guardicore Centra logs
• Collect HCL BigFix logs
• Collect HID DigitalPersona logs
• Collect IBM AS/400 logs
• Collect IBM Informix logs
• Collect IBM MaaS360 logs
• Collect IBM Mainframe Storage logs
• Collect IBM OpenPages logs
• Collect IBM Security Access Manager logs
• Collect IBM Security Identity Manager logs
• Collect iBoss Web Proxy logs
• Collect Intel 471 Watcher Alerts logs
• Collect Intel Endpoint Management Assistant logs
• Collect IONIX Attack Surface Management logs
• Collect Island Enterprise Browser logs
• Collect Jamf Protect Telemetry V2 logs
• Collect Keycloak logs
• Collect Kong Gateway logs
• Collect LenelS2 OnGuard logs
• Collect Lookout Mobile Endpoint Security logs
• Collect Lucid audit logs
• Collect ManageEngine Exchange Reporter Plus logs
• Collect Mandiant Threat Intelligence Custom IOC logs
• Collect Menlo Security Isolation Platform (MSIP) logs
• Collect Metabase logs
• Collect Microsoft Defender for Endpoint on iOS logs
• Collect Microsoft Dynamics 365 User Activity logs
• Collect Microsoft IAS / Network Policy Server (NPS) logs
• Collect Microsoft Network Policy Server (NPS) logs
• Collect OAuth2 Proxy logs
• Collect Office 365 Message Trace logs
• Collect Progress MOVEit Transfer logs
• Collect Netscout Arbor Sightline logs
• Collect Skyhigh Secure Web Gateway (On-Premises) logs
• Collect ThreatDown EDR logs
• Collect Trellix Endpoint Security (HX) alert logs
• Collect Trellix Endpoint Security (HX) audit event logs
• Collect Trellix Endpoint Security (HX) host inventory logs

View Triage and Investigation Agent (TIN) results in the Case Summary

This feature is currently in Preview and is part of a gradual rollout.

You can now view TIN results and verdict summaries directly within the Case Summary view. This integration provides real-time progress updates and automated verdicts for true or false positives without leaving the case.

For more information, see Use Triage and Investigation Agent (TIN) to investigate alerts.

Feature

Agentic Automation

This feature is in Public Preview.

You can now use Agentic Automation to embed AI Agents directly into your workflows. This feature lets you integrate AI-driven capabilities into your existing playbooks while staying in charge of critical actions by combining agents with deterministic automation steps.

For more information, see Agentic Automation.

Bindplane features for Google SecOps general availability

The following Bindplane features that relate to Google SecOps are now in General Availability (GA):

• Single sign-on with custom claims role mapping: gives a production-ready way to manage Bindplane access through your identity provider. For more information, see Single Sign-On (Cloud).

• SecOps parser validator: validates that your logs will be parsed correctly by Google SecOps directly from the snapshot view. Get immediate feedback on parsed events or validation errors without waiting for data to appear in Google SecOps. For more information, see Validate SecOps Parser.

• Forwarder migration tool: provides production-ready paths to migrate existing forwarder configurations into Bindplane-managed pipelines. For more information, see Migrate Configurations.

Unified Feature Role-based Access Control (RBAC) is now in General Availability (GA). This enables administrators to manage feature access control for Google SecOps including SOAR by leveraging Google Cloud IAM instead of managing it separately for SIEM and SOAR.

You can enable it by migrating the legacy SOAR permission groups and permissions to Google Cloud IAM through a self-service migration available from January 26, 2026. Please check the documentation and video for full instructions.

This update is available to all customers who have completed Stage 1 of the SOAR migration to Google Cloud.

Stage 2 of the SOAR migration to Google Cloud deadline has been extended from June 30th to September 30th, 2026.

Manage parser versions

The Manage parser versions feature is in Public Preview for all customers.

Set up and manage data processing pipelines

This feature is currently in Preview.

You can now use the Data Processing pipelines to filter, transform, and redact Google SecOps data before ingestion. This feature provides more control over ingested data, letting you reduce costs by filtering out unwanted events, transform data for better compatibility, and protect sensitive information by redacting or masking values before storage.

You can configure data processing pipelines using the Bindplane console or the Google SecOps Data Pipeline APIs.

For more information, see Set up and manage data processing pipelines.

Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region. For more information, see Supported log types and default parsers.

The following supported default parsers have been updated. Each parser is listed by product name and log_type value, where applicable. This list includes both released default parsers and pending parser updates.

• Acalvio (ACALVIO)
• AIX system (AIX_SYSTEM)
• Akamai WAF (AKAMAI_WAF)
• Apache (APACHE)
• Apache Cassandra (CASSANDRA)
• Apache Hadoop (HADOOP)
• Arcsight CEF (ARCSIGHT_CEF)
• Aruba EdgeConnect SD-WAN (ARUBA_EDGECONNECT_SDWAN)
• Attivo Networks (ATTIVO)
• AWS Aurora (AWS_AURORA)
• AWS Cloudtrail (AWS_CLOUDTRAIL)
• AWS CloudWatch (AWS_CLOUDWATCH)
• AWS GuardDuty (GUARDDUTY)
• AWS Network Firewall (AWS_NETWORK_FIREWALL)
• AWS Security Hub (AWS_SECURITY_HUB)
• AWS WAF (AWS_WAF)
• Azure AD (AZURE_AD)
• Azure AD Directory Audit (AZURE_AD_AUDIT)
• Azure AD Sign-In (AZURE_AD_SIGNIN)
• Azure Firewall (AZURE_FIREWALL)
• Azure Front Door (AZURE_FRONT_DOOR)
• Barracuda Email (BARRACUDA_EMAIL)
• Barracuda Firewall (BARRACUDA_FIREWALL)
• Blue Coat Proxy (BLUECOAT_WEBPROXY)
• Check Point (CHECKPOINT_FIREWALL)
• Check Point Harmony (CHECKPOINT_HARMONY)
• Cisco Application Centric Infrastructure (CISCO_ACI)
• Cisco ASA (CISCO_ASA_FIREWALL)
• Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
• Cisco Internetwork Operating System (CISCO_IOS)
• Cisco ISE (CISCO_ISE)
• Cisco Router (CISCO_ROUTER)
• Cisco Secure Access (CISCO_SECURE_ACCESS)
• Cisco Switch (CISCO_SWITCH)
• Cisco TACACS+ (CISCO_TACACS)
• Cisco UCM (CISCO_UCM)
• Cisco Umbrella Audit (CISCO_UMBRELLA_AUDIT)
• Citrix Netscaler (CITRIX_NETSCALER)
• Claroty Continuous Threat Detection (CLAROTY_CTD)
• Claroty Enterprise Management Console (CLAROTY_EMC)
• Claroty Xdome (CLAROTY_XDOME)
• Cloud SQL (GCP_CLOUDSQL)
• Cloudflare (CLOUDFLARE)
• Cloudflare Audit (CLOUDFLARE_AUDIT)
• Cloudflare WAF (CLOUDFLARE_WAF)
• Cloudflare Warp (CLOUDFLARE_WARP)
• Corelight (CORELIGHT)
• CrowdStrike Alerts API (CS_ALERTS)
• CrowdStrike Detection Monitoring (CS_DETECTS)
• CrowdStrike Falcon (CS_EDR)
• CrowdStrike Falcon Stream (CS_STREAM)
• CyberArk (CYBERARK)
• CyberArk Endpoint Privilege Manager (EPM) (CYBERARK_EPM)
• CyberArk Privileged Access Manager (PAM) (CYBERARK_PAM)
• Dell EMC Data Domain (DELL_EMC_DATA_DOMAIN)
• Dell Switch (DELL_SWITCH)
• Duo Auth (DUO_AUTH)
• F5 ASM (F5_ASM)
• F5 BIGIP LTM (F5_BIGIP_LTM)
• F5 Distributed Cloud Services (F5_DCS)
• F5 DNS (F5_DNS)
• FireEye NX (FIREEYE_NX)
• Forcepoint NGFW (FORCEPOINT_FIREWALL)
• Forcepoint Proxy (FORCEPOINT_WEBPROXY)
• FortiGate (FORTINET_FIREWALL)
• Fortinet FortiAnalyzer (FORTINET_FORTIANALYZER)
• Google Cloud (GCP_SECURITYCENTER_THREAT)
• Google Cloud (GCP_MONITORING_ALERTS)
• Google Threat Intelligence IOC (GTI_IOC)
• GreyNoise (GREYNOISE)
• Halcyon Anti Ransomware (HALCYON)
• HP Aruba (ClearPass) (CLEARPASS)
• Huawei Switches (HUAWEI_SWITCH)
• Infoblox DNS (INFOBLOX_DNS)
• Island Browser logs (ISLAND_BROWSER)
• Kubernetes Node (KUBERNETES_NODE)
• Linux Auditing System (AuditD) (AUDITD)
• Linux Sysmon (LINUX_SYSMON)
• ManageEngine ADAudit Plus (ADAUDIT_PLUS)
• Maria Database (MARIA_DB)
• McAfee IPS (MCAFEE_IPS)
• McAfee Web Gateway (MCAFEE_WEBPROXY)
• Microsoft Azure Activity (AZURE_ACTIVITY)
• Microsoft Defender For Cloud (MICROSOFT_DEFENDER_CLOUD_ALERTS)
• Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
• Microsoft IIS (IIS)
• Microsoft SQL Server (MICROSOFT_SQL)
• MISP Threat Intelligence (MISP_IOC)
• Mobileiron (MOBILEIRON)
• MySQL (MYSQL)
• NetApp ONTAP (NETAPP_ONTAP)
• Netskope V2 (NETSKOPE_ALERT_V2)
• NGINX (NGINX)
• Nozomi Networks Scada Guardian (NOZOMI_GUARDIAN)
• Office 365 (OFFICE_365)
• Open Cybersecurity Schema Framework (OCSF) (OCSF)
• Orca Cloud Security Platform (ORCA)
• Palo Alto Networks Firewall (PAN_FIREWALL)
• Palo Alto Panorama (PAN_PANORAMA)
• Palo Alto Prisma Cloud Alert payload (PAN_PRISMA_CA)
• Ping One (PING_ONE)
• PingIdentity Directory Server Logs (PING_DIRECTORY)
• PostFix Mail (POSTFIX_MAIL)
• PostgreSQL (POSTGRESQL)
• Proofpoint On Demand (PROOFPOINT_ON_DEMAND)
• Proofpoint Tap Alerts (PROOFPOINT_MAIL)
• Proofpoint Threat Response (PROOFPOINT_TRAP)
• Radware Web Application Firewall (RADWARE_FIREWALL)
• Red Hat OpenShift (REDHAT_OPENSHIFT)
• Rubrik Security Cloud (RUBRIK_SECURITY_CLOUD)
• SailPoint IdentityIQ (SAILPOINT_IIQ)
• Salesforce (SALESFORCE)
• SAP Change Document (SAP_CHANGE_DOCUMENT)
• SAP Gateway (SAP_GATEWAY)
• SAP HANA (SAP_HANA)
• SAP Hana Audit (SAP_HANA_AUDIT)
• SAP Identity and Authentication Data (SAP_IDENTITY_AND_AUTH_DATA)
• SAP Internet Communication Manager (SAP_ICM)
• SAP Security Audit (SAP_SECURITY_AUDIT)
• SAP Webdispatcher (SAP_WEBDISP)
• Security Command Center Posture Violation (GCP_SECURITYCENTER_POSTURE_VIOLATION)
• Security Command Center Toxic Combination (GCP_SECURITYCENTER_TOXIC_COMBINATION)
• Sophos Central (SOPHOS_CENTRAL)
• STIX Threat Intelligence (STIX)
• Stormshield Firewall (STORMSHIELD_FIREWALL)
• Suricata EVE (SURICATA_EVE)
• Symantec Endpoint Protection (SEP)
• Sysdig (SYSDIG)
• Tableau (TABLEAU)
• Teleport Access Plane (TELEPORT_ACCESS_PLANE)
• Trend Micro (TIPPING_POINT)
• Tripwire (TRIPWIRE_FIM)
• TXOne Stellar (TRENDMICRO_STELLAR)
• Ubika Waf (UBIKA_WAF)
• Unix system (NIX_SYSTEM)
• Velo Firewall (VELO_FIREWALL)
• Veritas NetBackup (VERITAS_NETBACKUP)
• Versa Firewall (VERSA_FIREWALL)
• Vmware Avinetworks iWAF (VMWARE_AVINETWORKS_IWAF)
• VMware ESXi (VMWARE_ESX)
• VMware vCenter (VMWARE_VCENTER)
• WatchGuard (WATCHGUARD)
• Windows DNS (WINDOWS_DNS)
• Windows Event (WINEVTLOG)
• Windows Event (XML) (WINEVTLOG_XML)
• wiz.io (WIZ_IO)
• Workday Audit Logs (WORKDAY_AUDIT)
• Zscaler (ZSCALER_WEBPROXY)
• ZScaler VPN (ZSCALER_VPN)

The following log types were added without a default parser. Each parser is listed by product name and log_type value, where applicable.

• Alibaba Security Center (ALIBABA_SECURITY_CENTER)
• Apache Airflow (APACHE_AIRFLOW)
• Baramundi (BARAMUNDI)
• Bravura Security (BRAVURA)
• Buildkite Audit (BUILDKITE_AUDIT)
• Palo Alto Cortex Xpanse (CORTEX_XPANSE)
• Cyfirma DeCYFIR ServiceNow (CYFIRMA_DECYFIR)
• DATEV (DATEV)
• ELO (ELO)
• Forcepoint Secure Web Gateway (FORCEPOINT_SWG)
• JumpServer PAM (JUMPSERVER_PAM)
• Keep Aware (KEEP_AWARE)
• Lark Suite (LARK_SUITE)
• Macmon (MACMON)
• Mamori Database Activity Monitoring (MAMORI_DAM)
• N8N Security Audit Logs (N8N_SECURITY_AUDIT_LOGS)
• Oracle Cloud Infrastructure LoadBalancer (OCI_LOADBALANCER)
• OpenText Self Service Password Reset (OPENTEXT_SSPR)
• Rackspace (RACKSPACE)
• Secui Bluemax NGF (SECUI_BLUEMAX_NGF)
• Symantec Advanced Threat Protection (SYMANTEC_ATP)
• Tenable Vulnerabilities Management (TENABLE_VMGNT)
• Trellix EDRF Trace Data and Telemetry (TRELLIX_EDRF)
• Trend Micro Vision One Endpoint Vulnerabilities (TRENDMICRO_VISION_ONE_ENDPOINT_VULNERABILITIES)
• Zafran (ZAFRAN)

Announcement

Google Agentic SOC Trial

There will be a no-cost trial for the Google SecOps Triage Investigative Agent (TIN) from April 1, 2026 to June 30, 2026. TIN is an agentic AI feature for Google SecOps that helps automate security investigations. For more information about the trial, see Google Agentic SOC Trial details. For more information about TIN, see Use Triage and Investigation Agent to investigate alerts.

Chronicle.soarAnalyst, chronicle.soarViewer, chronicle.soarEngineer roles in Cloud IAM are being deprecated and will be fully removed in six months. Although these roles were accessible and can historically be assigned to users in Cloud IAM, they were non-operational. SOAR roles were managed through Permission Groups and with its migration to Cloud IAM as part of the SOAR Migration to Google Cloud, the preceding roles are being deprecated.

To maintain seamless access and adhere to the principle of least privilege, transition your SOAR users to the following options:

• Automatically convert your SOAR Permission Groups to custom roles in IAM through self-service migration.
• Pre-defined roles: Utilize the enhanced Google SecOps pre-defined roles now available in Cloud IAM.
• Custom Roles: Create tailored roles with specific permissions to meet your organization's unique security requirements.

Feature

New Unified rules interface

This feature is currently in Preview.

Google Secops has launched a unified rules interface that brings custom and curated rule management into a single, cohesive workflow. This update optimizes detection engineering with a redesigned dashboard, an advanced rule editor, and expanded API capabilities to streamline rule deployment and troubleshooting.

Key enhancements

Developer and IDE enhancements:

• Centralized management: A unified, single dashboard lets you browse, filter, and manage both custom and curated rules from one location. You can also update configurations for multiple rules simultaneously.

• Curated rule transparency: You can now view the YARA-L text of curated rules, search directly within their logic, and independently toggle individual rule statuses without needing to alter the parent rule pack deployment.

• Integrated IDE experience: The rule editor now features an enhanced IDE experience with inline error highlights, UDM field definitions on hover.

Expanded API and structured search:

The Rules API and dashboard have been upgraded to support deeper programmatic access and complex filtering:

• Robust search syntax: Both the UI and API now support AIP-160 compliant structured search. You can filter rules by text, tags, author, and execution state.

• Batch modifications: The rules.modifyRules method now supports non-atomic batch updates, letting you change live status, alerting status, tags, and archive status across multiple rules in a single API request.

• Advanced resource views: The rules.list method introduces CONFIG_ONLY and TRENDS views. These views provide expanded deployment information, access to curated rule resources, and larger page sizes (up to 5000 results) for efficient querying.

For details, see Manage unified rules.

Added support for Google Cloud VPC Service Controls

This feature is currently in Preview.

VPC Service Controls helps protect against accidental or targeted action by external entities or insider entities, which helps to minimize unwarranted data exfiltration risks from Google Cloud services. You can use VPC Service Controls to create perimeters that protect the resources and data of services that you explicitly specify. For more information, see Overview of VPC Service Controls.

New: cross joins in multi-stage queries

You can now use cross joins in YARA-L 2.0 multi-stage queries let you compare individual UDM event data against aggregated statistics calculated in previous YARA-L stages. They are supported in:

• Search
• Dashboards

For more information, see Cross joins in multi-stage queries.

Feature

RBAC for ingestion metrics

Administrators can now use RBAC for ingestion metrics to restrict visibility of system health data, such as ingestion volume, errors, and throughput, based on a user's business scope.

The Data Ingestion and Health dashboard now uses Data Access scopes. When a scoped user loads the dashboard, the system automatically filters metrics to show only data that matches their assigned labels: Namespace, Log Type, and Ingestion Source.

For more information, see Ingestion metrics.

New parser documentation now available

New parser documentation is available to help you ingest and normalize logs from the following sources:

• Collect Big Switch BigCloudFabric logs
• Collect BMC AMI Defender logs
• Collect Broadcom Support Portal Audit logs
• Collect CA ACF2 logs
• Collect CA LDAP logs
• Collect ChromeOS XDR logs
• Collect Chronicle SOAR Audit logs
• Collect Cisco CTS logs
• Collect Cisco FireSIGHT Management Center logs
• Collect Cisco Vision Dynamic Signage Director logs
• Collect ClamAV logs
• Collect Cofense logs
• Collect Crowdstrike IOC logs
• Collect Custom Application Access logs
• Collect Custom Security Data Analytics logs
• Collect Cyber 2.0 IDS logs
• Collect CyberArk logs
• Collect Cybereason EDR logs
• Collect Dataminr Alerts logs
• Collect Digital Shadows Indicators logs
• Collect Mimecast Mail V2 logs
• Collect Okta User Context logs
• Collect RH-ISAC IOC logs
• Collect ServiceNow CMDB data

Publisher Agent Version 2.6.4 removes support for Python 3.7 from the remote agent.

New capabilities in Feeds page

The following options have been added to the Feeds page:

• Search
• Filtering (using feed attributes)
• Pagination
• Last Refreshed Time
• Feed Metadata Export to CSV

Control of MCP use with organization policies is deprecated. After March 17, 2026, organization policies that use the gcp.managed.allowedMCPServices constraint won't work, and you can control MCP use with IAM deny policies. For more information about controlling MCP use, see Control MCP use with IAM.

Change

After March 17, 2026, when you enable Google SecOps, the Google SecOps MCP server is automatically enabled.

Advanced Joins in Search

Google SecOps now supports expanded capabilities for correlating data across multiple sources. These join operations are also supported in multistage queries.

Joins without a match section: You can now use join operations to correlate and combine data from multiple sources based on common field values without requiring a match section (unlike statistical joins). Results are displayed in a Joins table, which you can download as a CSV, or for event-to-event joins, exported to a datatable for further analysis.

For more information, see Implement joins without a match section.

Outer joins: Search now supports left and right outer joins. Unlike standard inner joins, these operations let you retrieve all records from a primary data source even if no matching entry exists in the secondary source (unmatched fields are returned as null). This action lets you correlate data without losing unmatched events.

For more information, see Correlate data with outer joins.

Enhanced rule observability: New metadata, visual indicators, and dashboards

Google Security Operations has introduced updates to how detection and alert data is processed and visualized. These changes help Google SecOps teams distinguish between primary rule runs and rule replays, which provides clarity on detection delays and the impact of late-arriving enrichment data.

• Key improvements

  • Enhanced metadata: Detection and alert objects now include specific metadata that identifies whether they were produced during a primary rule run, or as part of a rule replay or retrohunt.
  • Improved troubleshooting: This data lets Google SecOps teams definitively answer critical operational questions, such as the cause of perceived detection delays or the specific impact of late-arriving enrichment data on active rules.
  • Rule replay insights: Learn more about the distinction between primary runs and replays to manage the re-enrichment of Unified Data Model (UDM) events. For detailed definitions and technical workflows, see Understand rule replay and Understand rule detection delays.
  • New detection dashboard: To support these backend metadata changes, a new Detection Health dashboard is now available. This interface provides a visual representation of rule performance and replay status, letting teams monitor detection health more effectively.
  • Custom reporting: There are new fields available in the Detections schema, letting you build custom dashboards.

• New metadata and third-party integration: Detections and alerts now emit specific metadata to help customers track timing and latency. This data is available for integration with third-party systems using the following fields:

  • detectionTimingDetails: An enum identifying the run type:
  • DETECTION_TIMING_DETAILS_REPROCESSING
  • DETECTION_TIMING_DETAILS_RETROHUNT
  • DETECTION_TIMING_DETAILS_UNSPECIFIED
  • latencyMetrics: Includes timestamps for oldestIngestionTime, newestIngestionTime, oldestEventTime, and newestEventTime.

• Enhanced platform and visual indicators:

  • Alerts and rule details: A new visual indicator in the Detection Type column provides granular details on hover.
  • Filter facets: The Alerts lister page now includes detection timing details as a filterable facet.
  • SOAR integration: In the Case Overview, the Composite Detections table now carries through the same iconography for a consistent investigation experience.

The re.capture_all function is now available

The new re.capture_all YARA-L 2.0 function is available in Rules, Search, and Dashboards.

Use the re.capture_all() function to extract every non-overlapping match of a regular expression from a string. While the standard re.capture function stops after the first match it finds, the re.capture_all() function continues through the entire string to identify every instance that matches your pattern.

Announcement

New parser documentation now available

New parser documentation is available to help you ingest and normalize logs from the following sources:

• Collect ForgeRock OpenIDM logs
• Collect Forseti Open Source logs
• Collect Fortinet FortiClient logs
• Collect Fortinet FortiDDoS logs
• Collect Fortinet FortiEDR logs
• Collect Fortinet FortiManager logs
• Collect Fortinet Switch logs
• Collect Fortra Powertech SIEM Agent logs
• Collect Google App Engine logs
• Collect Google Cloud DNS Threat Detector logs
• Collect Google Cloud Monitoring alerting activity logs
• Collect Google Cloud Network Connectivity Center logs
• Collect Google Cloud Secure Web Proxy logs
• Collect Gmail logs
• Collect H3C Comware Platform Switch logs
• Collect HackerOne logs
• Collect Hillstone Firewall logs
• Collect Hitachi Content Platform logs
• Collect HYPR MFA logs
• Collect IBM Guardium logs

Share custom column sets

Google SecOps now lets you share custom sets of columns in the Events table for consistent analysis across teams.

For more details, see Search for events and alerts

Announcement

Data RBAC global scope changes for ATI

To enhance data security, several features related to Indicators of Compromise (IOCs) and Emerging Threats now require global scope data RBAC permissions. Users without global scope will see restricted information in the following areas:

• Emerging threats page: IOC match counts per campaign are no longer visible.

• Entity widget overlay: The Indicators table is hidden or appears empty.

• Threat details page: The related entities, IOC matches, and GTI IOC tables are no longer visible.

• Entity summary widget: GTI scores are excluded from the overlay.

• IOC details page: The Indicator Details tab doesn't populate.

API impact: API calls to IocService and ThreatCollectionService now require global scope. Direct calls made with the CLI or client libraries fail without this permission.

Required: Google SecOps administrators should review user roles and grant global scope to those who require continued access to these threat intelligence features.

Deprecated

Mute an IoC deprecated

The Mute an IoC feature is deprecated, and the IOC details page no longer displays the Mute indicator.

Google SecOps has updated the list of supported default parsers. Updates propagate gradually; changes typically appear in your region within one to four business days. For more information, see Supported log types and default parsers.

The following supported default parsers have been updated. Each parser is listed by product name and log_type value, where applicable. This list includes both released default parsers and pending parser updates.

• A10 Load Balancer (A10_LOAD_BALANCER)
• AIX system (AIX_SYSTEM)
• Akamai Cloud Monitor (AKAMAI_CLOUD_MONITOR)
• AlgoSec Security Management (ALGOSEC)
• Amazon API Gateway (AWS_API_GATEWAY)
• Apache (APACHE)
• Apple macOS (MACOS)
• AppOmni (APPOMNI)
• Arcsight CEF (ARCSIGHT_CEF)
• Arista Switch (ARISTA_SWITCH)
• Aruba (ARUBA_WIRELESS)
• Aruba Airwave (ARUBA_AIRWAVE)
• Aruba EdgeConnect SD-WAN (ARUBA_EDGECONNECT_SDWAN)
• Aruba Switch (ARUBA_SWITCH)
• Attivo Networks (ATTIVO)
• Auth0 (AUTH_ZERO)
• Automation Anywhere (AUTOMATION_ANYWHERE)
• Avanan Email Security (AVANAN_EMAIL)
• AWS Aurora (AWS_AURORA)
• AWS Cloudtrail (AWS_CLOUDTRAIL)
• AWS CloudWatch (AWS_CLOUDWATCH)
• AWS Elastic Load Balancer (AWS_ELB)
• AWS GuardDuty (GUARDDUTY)
• AWS RDS (AWS_RDS)
• AWS Security Hub (AWS_SECURITY_HUB)
• AWS WAF (AWS_WAF)
• Azure AD (AZURE_AD)
• Azure AD Directory Audit (AZURE_AD_AUDIT)
• Azure AD Sign-In (AZURE_AD_SIGNIN)
• Azure Front Door (AZURE_FRONT_DOOR)
• Barracuda Email (BARRACUDA_EMAIL)
• Barracuda WAF (BARRACUDA_WAF)
• BeyondTrust (BOMGAR)
• BeyondTrust BeyondInsight (BEYONDTRUST_BEYONDINSIGHT)
• BeyondTrust Endpoint Privilege Management (BEYONDTRUST_ENDPOINT)
• BeyondTrust Secure Remote Access (BEYONDTRUST_REMOTE_ACCESS)
• BIND (BIND_DNS)
• Bindplane Agent (BINDPLANE_AGENT)
• Blue Coat Proxy (BLUECOAT_WEBPROXY)
• Box (BOX)
• Carbon Black (CB_EDR)
• Cato Networks (CATO_NETWORKS)
• Check Point (CHECKPOINT_FIREWALL)
• CipherTrust Manager (CIPHERTRUST_MANAGER)
• Cisco Application Centric Infrastructure (CISCO_ACI)
• Cisco ASA (CISCO_ASA_FIREWALL)
• Cisco Email Security (CISCO_EMAIL_SECURITY)
• Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
• Cisco Internetwork Operating System (CISCO_IOS)
• Cisco ISE (CISCO_ISE)
• Cisco Meraki (CISCO_MERAKI)
• Cisco PIX Firewall (CISCO_PIX_FIREWALL)
• Cisco Router (CISCO_ROUTER)
• Cisco Stealthwatch (CISCO_STEALTHWATCH)
• Cisco Switch (CISCO_SWITCH)
• Cisco Umbrella Audit (CISCO_UMBRELLA_AUDIT)
• Cisco Umbrella DNS (UMBRELLA_DNS)
• Cisco vManage SD-WAN (CISCO_SDWAN)
• Cisco WLC/WCS (CISCO_WIRELESS)
• Cisco WSA (CISCO_WSA)
• Citrix Netscaler (CITRIX_NETSCALER)
• Claroty Continuous Threat Detection (CLAROTY_CTD)
• Claroty Xdome (CLAROTY_XDOME)
• Cloud SQL (GCP_CLOUDSQL)
• Cloudflare (CLOUDFLARE)
• Cloudflare Audit (CLOUDFLARE_AUDIT)
• Compute Engine (GCP_COMPUTE)
• Corelight (CORELIGHT)
• CrowdStrike Alerts API (CS_ALERTS)
• CrowdStrike Detection Monitoring (CS_DETECTS)
• CrowdStrike Falcon (CS_EDR)
• CrowdStrike Falcon Stream (CS_STREAM)
• CyberArk (CYBERARK)
• CyberArk Endpoint Privilege Manager (EPM) (CYBERARK_EPM)
• CyberArk Privileged Access Manager (PAM) (CYBERARK_PAM)
• Cyolo Secure Remote Access for OT (CYOLO_OT)
• Darktrace (DARKTRACE)
• Delinea Secret Server (DELINEA_SECRET_SERVER)
• Dell ECS Enterprise Object Storage (DELL_ECS)
• Dell Switch (DELL_SWITCH)
• Duo Auth (DUO_AUTH)
• ExtraHop RevealX (EXTRAHOP)
• Extreme Wireless (EXTREME_WIRELESS)
• F5 Advanced Firewall Management (F5_AFM)
• F5 ASM (F5_ASM)
• F5 BIGIP Access Policy Manager (F5_BIGIP_APM)
• F5 BIGIP LTM (F5_BIGIP_LTM)
• F5 Distributed Cloud Services (F5_DCS)
• Fastly CDN (FASTLY_CDN)
• FireEye ETP (FIREEYE_ETP)
• FireEye NX (FIREEYE_NX)
• Forcepoint Email Security (FORCEPOINT_EMAILSECURITY)
• Forescout eyeInspect (FORESCOUT_EYEINSPECT)
• FortiGate (FORTINET_FIREWALL)
• Fortinet FortiAnalyzer (FORTINET_FORTIANALYZER)
• Fortinet Fortimanager (FORTINET_FORTIMANAGER)
• Fortinet Web Application Firewall (FORTINET_FORTIWEB)
• GCP_APP_ENGINE (GCP_APP_ENGINE)
• GCP_MODEL_ARMOR (GCP_MODEL_ARMOR)
• GitHub (GITHUB)
• GitHub Dependabot (GITHUB_DEPENDABOT)
• Google Cloud Audit (GCP_CLOUDAUDIT)
• Google Threat Intelligence (GCP_THREATINTEL)
• H3C Comware Platform Switch (H3C_SWITCH)
• Hashicorp Vault (HASHICORP)
• HP Aruba (ClearPass) (CLEARPASS)
• Huawei Switches (HUAWEI_SWITCH)
• IBM DataPower Gateway (IBM_DATAPOWER)
• IBM DB2 (DB2_DB)
• Illumio Core (ILLUMIO_CORE)
• Imperva (IMPERVA_WAF)
• Imperva DRA (IMPERVA_DRA)
• Island Browser logs (ISLAND_BROWSER)
• Jamf pro context (JAMF_PRO_CONTEXT)
• JumpCloud Directory Insights (JUMPCLOUD_DIRECTORY_INSIGHTS)
• Juniper MX Router (JUNIPER_MX)
• Keycloak (KEYCLOAK)
• KnowBe4 PhishER (KNOWBE4_PHISHER)
• Kolide Endpoint Security (KOLIDE)
• Kubernetes Node (KUBERNETES_NODE)
• Linux Auditing System (AuditD) (AUDITD)
• McAfee DLP (MCAFEE_DLP)
• McAfee ePolicy Orchestrator (MCAFEE_EPO)
• McAfee Web Gateway (MCAFEE_WEBPROXY)
• Microsoft AD FS (ADFS)
• Microsoft Defender For Cloud (MICROSOFT_DEFENDER_CLOUD_ALERTS)
• Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
• Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
• Microsoft IIS (IIS)
• Microsoft Intune (AZURE_MDM_INTUNE)
• Microsoft PowerShell (POWERSHELL)
• Microsoft SQL Server (MICROSOFT_SQL)
• Mimecast Mail V2 (MIMECAST_MAIL_V2)
• MISP Threat Intelligence (MISP_IOC)
• Mobileiron (MOBILEIRON)
• MySQL (MYSQL)
• NetApp ONTAP (NETAPP_ONTAP)
• Netfilter IPtables (NETFILTER_IPTABLES)
• NetIQ Access Manager (NETIQ_ACCESS_MANAGER)
• Netskope V2 (NETSKOPE_ALERT_V2)
• Netskope Web Proxy (NETSKOPE_WEBPROXY)
• Network Policy Server (MICROSOFT_NPS)
• NGINX (NGINX)
• Nozomi Networks Scada Guardian (NOZOMI_GUARDIAN)
• Nutanix Prism (NUTANIX_PRISM)
• Obsidian (OBSIDIAN)
• Office 365 (OFFICE_365)
• Okta (OKTA)
• Onapsis (ONAPSIS)
• One Identity TPAM (ONEIDENTITY_TPAM)
• OneLogin (ONELOGIN_SSO)
• Open Cybersecurity Schema Framework (OCSF) (OCSF)
• Oracle (ORACLE_DB)
• Palo Alto Networks Firewall (PAN_FIREWALL)
• Palo Alto Panorama (PAN_PANORAMA)
• Ping Identity (PING)
• PostFix Mail (POSTFIX_MAIL)
• PostgreSQL (POSTGRESQL)
• Proofpoint CASB (PROOFPOINT_CASB)
• Proofpoint Email Filter (PROOFPOINT_MAIL_FILTER)
• Proofpoint On Demand (PROOFPOINT_ON_DEMAND)
• Proofpoint Tap Alerts (PROOFPOINT_MAIL)
• Pulse Secure (PULSE_SECURE_VPN)
• QNAP Systems NAS (QNAP_NAS)
• Radware Web Application Firewall (RADWARE_FIREWALL)
• Recorded Future (RECORDED_FUTURE_IOC)
• Red Hat OpenShift (REDHAT_OPENSHIFT)
• Salesforce (SALESFORCE)
• SAP Sybase Adaptive Server Enterprise Database (SAP_ASE)
• Security Command Center Chokepoint (GCP_SECURITYCENTER_CHOKEPOINT)
• Security Command Center Posture Violation (GCP_SECURITYCENTER_POSTURE_VIOLATION)
• Security Command Center Threat (GCP_SECURITYCENTER_THREAT)
• Security Command Center Toxic Combination (GCP_SECURITYCENTER_TOXIC_COMBINATION)
• ServiceNow Audit (SERVICENOW_AUDIT)
• Snare System Diagnostic Logs (SNARE_SOLUTIONS)
• Snyk Group level audit/issues logs (SNYK_ISSUES)
• Solaris system (SOLARIS_SYSTEM)
• Sophos Central (SOPHOS_CENTRAL)
• STIX Threat Intelligence (STIX)
• Stormshield Firewall (STORMSHIELD_FIREWALL)
• Sublime Security (SUBLIMESECURITY)
• Suricata EVE (SURICATA_EVE)
• Swift Alliance Messaging Hub (SWIFT_AMH)
• Symantec DLP (SYMANTEC_DLP)
• Symantec Endpoint Protection (SEP)
• Symantec Messaging Gateway (SYMANTEC_MAIL)
• Tableau (TABLEAU)
• TCPWave DDI (TCPWAVE_DDI)
• TeamViewer (TEAMVIEWER)
• Tenable Active Directory Security (TENABLE_ADS)
• Tenable OT (TENABLE_OT)
• Tenable.io (TENABLE_IO)
• Thinkst Canary (THINKST_CANARY)
• ThreatConnect IOC V3 (THREATCONNECT_IOC_V3)
• Trellix HX Event Streamer (TRELLIX_HX_ES)
• Trend Micro (TIPPING_POINT)
• Trend Micro Vision One (TRENDMICRO_VISION_ONE)
• Trend Micro Vision One Workbench (TRENDMICRO_VISION_ONE_WORKBENCH)
• TrendMicro Deep Discovery Inspector (TRENDMICRO_DDI)
• TXOne Stellar (TRENDMICRO_STELLAR)
• Unifi AP (UNIFI_AP)
• Unix system (NIX_SYSTEM)
• Vectra Detect (VECTRA_DETECT)
• Vectra XDR (VECTRA_XDR)
• Veritas NetBackup (VERITAS_NETBACKUP)
• Versa Firewall (VERSA_FIREWALL)
• VMware ESXi (VMWARE_ESX)
• VMware NSX (VMWARE_NSX)
• VMware vCenter (VMWARE_VCENTER)
• WatchGuard (WATCHGUARD)
• Windows DNS (WINDOWS_DNS)
• Windows Event (WINEVTLOG)
• Windows Event (XML) (WINEVTLOG_XML)
• Wiz.io (WIZ_IO)
• Workday Audit Logs (WORKDAY_AUDIT)
• Workspace Activities (WORKSPACE_ACTIVITY)
• Workspace Alerts (WORKSPACE_ALERTS)
• Zimperium (ZIMPERIUM)
• Zscaler (ZSCALER_WEBPROXY)
• Zscaler CASB (ZSCALER_CASB)
• Zscaler DLP (ZSCALER_DLP)
• ZScaler DNS (ZSCALER_DNS)
• Zscaler Internet Access Audit Logs (ZSCALER_INTERNET_ACCESS)
• ZScaler NGFW (ZSCALER_FIREWALL)
• Zscaler Private Access (ZSCALER_ZPA)
• Zscaler Secure Private Access Audit Logs (ZSCALER_ZPA_AUDIT)
• Zscaler Tunnel (ZSCALER_TUNNEL)
• Zywall (ZYWALL)

The following log types were added without a default parser. Each parser is listed by product name and log_type value, where applicable.

• Aikido (AIKIDO)
• Akamai API Security (AKAMAI_API_SECURITY)
• Alkira IP Flow (ALKIRA_IP_FLOW)
• Atlassian Guard Detect (ATLASSIAN_GUARD_DETECT)
• BlinkOps (BLINKOPS)
• Canvas LMS (CANVAS_LMS)
• Cisco Secure Email Threat Defense (CISCO_SECURE_EMAIL_THREAT_DEFENSE)
• Cisco StarOS (CISCO_STAR_OS)
• Citadel Identity360 (CITADEL_IDENTITY360)
• Cyware Threat Intelligence Exchange (CTIX)
• Cyberark Identity Audit (CYBERARK_IDENTITY_AUDIT)
• CyCognito ASM (CYCOGNITO_ASM)
• Dell VxRail (DELL_VXRAIL)
• Gene6 FTP Server (GENE6_FTP)
• IBM Copy Services Manager (IBM_CSM)
• LangSmith Audit (LANGSMITH_AUDIT)
• Mellanox Switch (MELLANOX_SWITCH)
• Microsoft Entra ID Protection (MICROSOFT_ENTRA_ID_PROTECTION)
• NSFOCUS Next Generation Intrusion Prevention System (NSFOCUS_NGIPS)
• Perplexity (PERPLEXITY)
• Pleasant Password Server (PLEASANT_PASSWORD_SERVER)
• Prompt Security (PROMPT_SECURITY)
• Qualtrics Audit (QUALTRICS_AUDIT)
• Rancher API Audit Log (RANCHER_API_AUDIT_LOG)
• Rubrik Security Cloud (RUBRIK_SECURITY_CLOUD)
• SAP Business Warehouse (SAP_BW)
• SAP Change Document (SAP_CHANGE_DOCUMENT)
• SAP Gateway (SAP_GATEWAY)
• SAP Hana Audit (SAP_HANA_AUDIT)
• Scale Computing (SCALE_COMPUTING)
• Slack API (SLACK_API)
• Snowplow (SNOWPLOW)
• Sterling Order Management System Data (STERLING_OMS_DATA)
• Strivacity (STRIVACITY)
• Tencent CloudAudit (TENCENT_CLOUD_AUDIT)
• Trellix EX (TRELLIX_EX)
• Unifi System (UNIFI_SYSTEM)
• Windows Bindplane (WINDOWS_BINDPLANE)
• Witness AI Control (WITNESS_AI_CONTROL)
• Zendesk Advanced Data Privacy and Protection (ZENDESK_ADPP)

The Case Federation feature is no longer dependent on the Case Federation integration in the primary platform.

The primary platform sync job is now disabled. Do not attempt to re-enable it.

For more information, see Set up federated case access for SecOps.

The following v2 connectors, which utilize Google Storage Transfer Service (STS), are now in General Availability:

• Google Cloud Storage v2
• Amazon S3 v2
• Google Cloud Storage (Event Driven)
• Amazon SQS v2
• Azure Blobstore v2