Transport-layer migration for third-party API feeds
Google SecOps is migrating the transport layer for third-party API feeds to a new platform to improve performance and reliability. This migration will be completed in phases and is expected to finish by the end of October 2025. The migration should not impact any existing or new third-party API feeds. If you experience any unexpected issues with your feeds during the migration, contact your Google SecOps representative.
SentinelOneV2: Version 41.0
The following new action has been added:
The following new connector has been added:
A new predefined widget has been added to the following action:
Google Threat Intelligence: Version 4.0
The following new action has been added:
Palo Alto Cortex XDR: Version 18.0
The following new actions have been added:
Add Comment To Incident
Execute XQL Search
Get Incident Details
Google Threat Intelligence: Version 4.0
Updated the processing of the threat actor entity in the following action:
Updated the predefined widget in the following actions:
(REGRESSIVE) The widget now works with GTI information. To see the changes, the widget must be re-added to the existing views in playbooks.
Enrich Entities
Enrich IOCs
Added JSON samples to the following action:
Trend Vision One: Version 6.0
Added support for Agent UUID in the following actions:
Enrich Entities
Execute Custom Script
Isolate Endpoint
Unisolate Endpoint
Splunk: Version 58.0
Updated the alert processing logic in the following connector:
Jira: Version 48.0
Added the ability to modify the API Root and Login API Root in the following integrations:
Azure Active Directory: Version 18.0
Azure AD Identity Protection: Version 7.0
Microsoft Teams: Version 28.0
Vertex AI: Version 4.0
Microsoft Azure Sentinel: Version 56.0
Updated mapping for the ScheduledAlert event types in the following connector:
Migrate SOAR to Google Cloud
We're actively migrating all SOAR customers and partners to their respective Google Cloud projects. This migration unifies your SOAR experience with your existing cloud environment. For more information, see SOAR migration overview and FAQ.
Migrate SOAR to Google Cloud
All customers and partners are being migrated from SOAR to Google Cloud. For more information, see SOAR migration overview and FAQ.
Release 6.3.62 is being rolled out to the first phase of regions as listed here.
This release contains internal and customer bug fixes.
Release 6.3.61 is now available for all regions.
SecOps Labs
This feature is in preview.
You can now configure and run Google SecOps Gemini and other intelligence experiments without disrupting your existing production systems—and benefit from their output. The experiments comply with the Role-Based Access Control (RBAC) configuration of your environment, and they have streamlined configurations with clear actionable results and output.
For details, see Use Gemini and other experiments in Google SecOps.
View data retention start date
You can now view the start date for your account's data retention period on a new read-only page, Data Retention, under SIEM Settings.
For more information, see View data retention in your Google SecOps account.
New parser documentation now available
New parser documentation is available to help you ingest and normalize logs from the following sources:
Collect Akamai Cloud Monitor logs
Collect Akamai DataStream 2 logs
Collect Aware audit logs
Collect AWS API Gateway access logs
Collect AWS VPC Transit Gateway flow logs
Collect Bitwarden Enterprise event logs
Collect Box Collaboration JSON logs
Collect Censys logs
Collect Code42 Incydr core datasets
Collect CSV Custom IOC files
Collect Deep Instinct EDR logs
Collect DigiCert audit logs
Collect DomainTools Iris Investigate results
Collect Duo administrator logs
Collect Duo authentication logs
Collect Duo entity context logs
Collect Google Cloud Abuse Events logs
Collect Harness IO audit logs
Collect HPE Aruba Networking Central logs
Collect Jamf Pro context logs
Collect PingOne Advanced Identity Cloud logs
Collect Slack audit logs
Collect Snyk group-level audit logs
Collect Snyk group-level audit and issues logs
Collect Venafi Zero Touch PKI logs
Collect Veritas NetBackup logs
Collect VMware AirWatch logs
Collect VMware Avi Load Balancer WAF logs
Collect VMware Horizon logs
Collect VMware VeloCloud SD-WAN logs
Collect Zoom operation logs
Release 6.3.61 is being rolled out to the first phase of regions, as outlined in our Google SecOps release plan.
This release contains the following features:
Advanced job scheduling
The job scheduling functionality has been enhanced with advanced options. This functionality provides more precise control and flexible, calendar-like scheduling for your scripts.
For more information, see Configure a new job with advanced scheduling.
Use custom fields in the Close Case dialog
Administrators can now add custom fields to the Close Case dialog. This new functionality provides a more streamlined workflow and replaces the Dynamic Fields feature.
For more information, see Use custom fields in the Close Case dialog.
Release 6.3.60 is now available for all regions.
Advanced filtering in alerts and search results
You can now filter alerts and search results by any field in the detection object. This update provides more granular control over your queries, letting you filter by nested fields from events and entities within a detection.
Time zone override for forwarder logs
Google SecOps now lets you override the default time zone for your logs when you create or configure a forwarder.
For details, see Add collector configuration.
Improved Okta and Symantec Endpoint Protection parsers
These changes are currently in Preview.
The Okta and Symantec Endpoint Protection parsers are now more efficient, with increased log-field coverage and more accurate log-field mappings. These changes include new UDM fields and updated field mappings. We advise you to opt in and get these new versions.
For details on the Okta parser, see UDM mapping table and UDM mapping delta reference.
For details on the Symantec Endpoint Protection parser, see Collect Symantec Endpoint Protection logs and UDM mapping delta reference.
CBN alerts functionality removed from all prebuilt parsers
As part of deprecating the Configuration Based Normalization (CBN) alerts functionality, all prebuilt parsers that included the CBN alerts functionality were updated, and the functionality was removed.
Extended match window for multi-event rules
You can now configure rules to analyze data over a longer period. The maximum match window for these rules has been extended to 14 days. The run frequency for multi-event rules is automatically set based on the rule's match window:
For a window size of 1 to 48 hours, the run frequency is 1 hour.
For a window size greater than 48 hours, the run frequency is 24 hours.
Google Threat Intelligence: Version 3.0
Extended supported filters in the following connector:
Release 6.3.60 is being rolled out to the first phase of regions as listed here.
This release contains internal and customer bug fixes.
Release 6.3.59 is now available for all regions.
MITRE ATT&CK coverage dashboard is now available
This feature is currently in Preview.
The new MITRE ATT&CK coverage dashboard lets you measure your security posture against the MITRE ATT&CK framework, helping you:
Composite detections for MITRE ATT&CK
The Curated Detections feature has been enhanced with new composite rules that define chains of MITRE ATT&CK tactics and techniques.
These powerful new rule packs are now in public preview for customers with a Google SecOps Enterprise or Enterprise Plus license.
To learn more, a companion blog post will be published on the Google Security Cloud Community on September 9, 2025.
Google Workspace: Version 20.0
The following new actions have been added:
Block Extension
Delete Extension
Get Extension Details
Get Host Browser Details
Search User Activity Events
Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.
The following supported default parsers have been updated. Each parser is listed by product name and log_type value, where applicable. This list includes both released default parsers and pending parser updates.
A10_LOAD_BALANCER
AIX_SYSTEM
APACHE
ARCSIGHT_CEF
ARUBA_SWITCH
ARUBA_WIRELESS
ATTIVO
AUTH_ZERO
AWS_VPC_TRANSIT_GATEWAY
AWS_WAF
AZURE_AD
AZURE_AD_CONTEXT
AZURE_FIREWALL
AZURE_FRONT_DOOR
CB_APP_CONTROL
CHROME_MANAGEMENT
CISCO_ASA_FIREWALL
CISCO_DNAC
CISCO_EMAIL_SECURITY
CISCO_FIREPOWER_FIREWALL
CISCO_IOS
CISCO_IRONPORT
CISCO_ISE
CISCO_ROUTER
CISCO_SDWAN
CISCO_SWITCH
CISCO_UMBRELLA_AUDIT
CISCO_VCS
CISCO_WSA
CITRIX_NETSCALER
CLAROTY_XDOME
CLEARPASS
CLOUDFLARE
CLOUDFLARE_WAF
CORELIGHT
CORTEX_XDR
CS_ALERTS
CS_DETECTS
CS_EDR
CS_STREAM
CYBERARK_PRIVILEGE_CLOUD
DARKTRACE
DATADOG
ELASTIC_DEFEND
F5_ASM
F5_DCS
F5_SILVERLINE
FIDELIS_NETWORK
FIREEYE_ALERT
FIREEYE_NX
FORCEPOINT_DLP
FORGEROCK_IDENTITY_CLOUD
FORTINET_FIREWALL
GCP_CLOUDSQL
GCP_DNS_ATD
GCP_LOADBALANCING
GCP_SECURITYCENTER_THREAT
GCP_VPC_FLOW
GUARDDUTY
IBM_I
IMPERVA_WAF
INFOBLOX_DHCP
JAMF_TELEMETRY_V2
KEMP_LOADBALANCER
KUBERNETES_NODE
MANAGE_ENGINE_AD360
MCAFEE_EPO
MCAFEE_IPS
MEDIGATE_IOT
MICROSOFT_DEFENDER_ENDPOINT
MICROSOFT_GRAPH_ALERT
MICROSOFT_SENTINEL
MICROSOFT_SQL
MIKROTIK_ROUTER
NETSKOPE_ALERT_V2
NETSKOPE_WEBPROXY
NIX_SYSTEM
OCI_FLOW
OFFICE_365
OFFICE_365_MESSAGETRACE
OKTA
OKTA_SCALEFT
ORACLE_DB
ORCA
PROOFPOINT_TRAP
QUEST_AD
RADWARE_FIREWALL
REDHAT_OPENSHIFT
SEP
SILVERFORT
SQUID_WEBPROXY
STIX
SYMANTEC_DLP
SYSDIG
TENABLE_SC
TIPPING_POINT
TRELLIX_HX_ES
TRENDMICRO_APEX_ONE
TRENDMICRO_VISION_ONE_ACTIVITY
TRENDMICRO_VISION_ONE
TRENDMICRO_VISION_ONE_WORKBENCH
UBIQUITI_SWITCH
UMBRELLA_DNS
UMBRELLA_IP
VARONIS
VECTRA_XDR
VMWARE_VCENTER
VMWARE_VREALIZE
WINEVTLOG
WINEVTLOG_XML
ZSCALER_CASB
ZSCALER_DECEPTION
ZSCALER_DLP
ZSCALER_DNS
ZSCALER_FIREWALL
ZSCALER_INTERNET_ACCESS
ZSCALER_TUNNEL
ZSCALER_WEBPROXY
ZSCALER_ZPA_AUDIT
ZSCALER_ZPA
The following log types were added without a default parser. Each parser is listed by product name and log_type value, where applicable.
ALICLOUD_APSARADB
ALICLOUD_FIREWALL
AUTHMIND
MS_ENTRA_RECOMMENDATIONS
PAN_PRISMA_ACCESS
TRELLIX_AX
ULTRA
ZSCALER_NSS_VM
Google Threat Intelligence: Version 3.0
Release 6.3.59 is being rolled out to the first phase of regions as listed here.
This release contains internal and customer bug fixes.
Release 6.3.58 is now available for all regions.
Enhanced curated detections
Curated Detections has been enhanced with composite detection content for Mandiant Hunt Cloud Classification, covering AWS, GCP, and Azure. This rule pack is available to Mandiant Threat Defense (MTD) customers with a Google Security Operations Enterprise or Enterprise Plus license.
New rules added to rule pack
Curated Detections has been enhanced with additional Chrome Enterprise Premium Browser Threat detections. The following rules have been added to the rule pack:
Dangerous Download with Matching Hashes by multiple users in Chrome Management
GTI High Severity File Download Event in Chrome Management
GTI Medium Severity File Download Event in Chrome Management
GTI Low Severity File Download Event in Chrome Management
Safe-browsing High Severity File Download Event in Chrome Management
Multiple Dangerous Download Events by same user in Chrome Management
Url Event to Newly Created Domain in Chrome Management
Composite detections are now generally available
The composite detections feature is now in General Availability. Composite detections let you link multiple YARA-L rules to detect complex, multistage threats. This capability enhances detection by correlating alerts that individual rules might not detect.
For more information, see Overview of composite detections.
CrowdStrike Falcon: Version 63.0
Updated processing of On-Demand Scan alerts in the following connector:
Google Chronicle: Version 64.0
Added support for aggregated searches in the following action:
Microsoft Graph Mail: Version 30.0
Improved handling of Case Name Template in the following connector:
Microsoft Graph Mail Delegated: Version 6.0
Improved handling of Case Name Template in the following connector:
Reference lists retiring
The reference list functionality is being phased out of the Google SecOps platform.
October 2025: You'll no longer be able to create new reference lists. Instead, use data tables, which provide expanded functionality.
Migration period: All existing reference lists will be automatically migrated to data tables. During this migration period, you can continue to use your existing reference lists without changes.
September 2026: The legacy reference list functionality will be fully retired from the platform. After that date, all data will be available only through the data table interface.
Release 6.3.58 is being rolled out to the first phase of regions as listed here.
This release contains internal and customer bug fixes.
Release 6.3.57 is now available for all regions.
New CyberArk Credential Provider integration
New parser documentation now available
New parser documentation is available to help you ingest and normalize logs from the following sources:
Jira: Version 47.0
Updated timestamp processing logic in the following jobs:
Sync Comments
Sync Closure
Updated logic for processing closed tickets in the following job:
Microsoft Graph Mail: Version 29.0
Data RBAC self-service enablement
Data RBAC now includes a self-service option for direct enablement. This makes the initial onboarding process faster and simpler. For details, see Configure data RBAC for users.
New permissions for Content Hub
To access all modules in the Content Hub, you must set the correct IAM role permissions.
For full details, see Google SecOps Content Hub overview.
Updated permissions for accessing product-centric feeds
If you have assigned Custom IAM Roles, you can now grant access to the product-centric feeds by adding the following permissions to the role:
chronicle.feedPacks.get
chronicle.feedPacks.list
To learn more about how to configure feeds using the product-centric feeds UI, see Configure feeds by product.
Release 6.3.57 is being rolled out to the first phase of regions, as outlined in our Google SecOps release plan.
This release contains the following features:
Expression Builder enhancements
The Expression Builder has been enhanced with a new set of pre-built filters to help streamline query creation.
We've improved the information within the platform for all filters, both new and existing. The supporting documentation provides clearer descriptions and practical examples for each transformer, making it easier to understand their purpose and syntax.
For details, see Use the Expression Builder.
Remote agent notifications
Agent notifications will alert you to new remote agent version releases and agent downtime based on your permissions and associated environments. Agent notifications are now enabled by default. You can opt out of these notifications at any time from your user preferences.
For details, see Agent notifications.
Release 6.3.56 is now available for all regions.
Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.
The following supported default parsers have been updated. Each parser is listed by product name and log_type value, where applicable. This list includes both released default parsers and pending parser updates.
ONEPASSWORD
A10_LOAD_BALANCER
AIX_SYSTEM
AKAMAI_EAA
AKAMAI_WAF
APACHE
AQUA_SECURITY
ARUBA_WIRELESS
ATTIVO
AUTH_ZERO
AWS_CONFIG
GUARDDUTY
AWS_LAMBDA_FUNCTION
AWS_RDS
AWS_VPC_FLOW
AZURE_AD
AZURE_AD_AUDIT
AZURE_AD_SIGNIN
AZURE_KEYVAULT_AUDIT
AZURE_VNET_FLOW
BARRACUDA_EMAIL
BARRACUDA_WAF
BEYONDTRUST_BEYONDINSIGHT
BITDEFENDER
BLUECOAT_WEBPROXY
CHECKPOINT_FIREWALL
CHECKPOINT_EDR
N/A
CISCO_EMAIL_SECURITY
CISCO_FIREPOWER_FIREWALL
CISCO_IOS
CISCO_IRONPORT
CISCO_ISE
CISCO_MERAKI
CISCO_NX_OS
CISCO_ROUTER
CISCO_STEALTHWATCH
CISCO_UMBRELLA_SWG_DLP
CISCO_SDWAN
CISCO_WIRELESS
CISCO_WSA
CITRIX_NETSCALER
N/A
N/A
GCP_LOADBALANCING
CLOUDFLARE
CORELIGHT
CS_ALERTS
CS_DETECTS
CS_EDR
CS_STREAM
CSV_CUSTOM_IOC
CYBERARK
CYBEREASON_EDR
DARKTRACE
EFFICIENTIP_DDI
ELASTIC_DEFEND
EPIC
EXTRAHOP
F5_AFM
F5_ASM
F5_BIGIP_APM
F5_BIGIP_LTM
F5_DNS
F5_SILVERLINE
FIDELIS_NETWORK
FIREEYE_ETP
FORGEROCK_IDENTITY_CLOUD
FORTINET_FIREWALL
FORTINET_FORTIANALYZER
FORTINET_WEBPROXY
FORTINET_FORTIWEB
GITHUB
HALCYON
HAPROXY
CLEARPASS
IBM_DATAPOWER
IMPERVA_WAF
IMPERVA_SECURESPHERE
INFOBLOX_DHCP
JAMF_PRO_CONTEXT
KUBERNETES_NODE
LACEWORK
AUDITD
LINUX_SYSMON
MCAFEE_IPS
MENLO_SECURITY
WINDOWS_AD
AZURE_ACTIVITY
MICROSOFT_DEFENDER_IDENTITY
IIS
MIMECAST_MAIL
MIMECAST_MAIL_V2
MISP_IOC
NETAPP_ONTAP
NETSKOPE_ALERT_V2
NETSKOPE_WEBPROXY
NGINX
ONE_IDENTITY_IDENTITY_MANAGER
OPNSENSE
ORCA
PAN_CORTEX_XDR_EVENTS
PAN_FIREWALL
PAN_PANORAMA
PAN_CASB
PFSENSE
PING_FEDERATE
OBSERVEIT
PROOFPOINT_ON_DEMAND
PROOFPOINT_MAIL
QUALYS_VM
REMEDIANT_SECUREONE
SAP_SM20
SECUREAUTH_SSO
SENTINEL_EDR
SILVERFORT
SOPHOS_CENTRAL
SOPHOS_UTM
SQUID_WEBPROXY
SYMANTEC_DLP
SYMANTEC_WSS
TENABLE_ADS
TENABLE_SC
THINKST_CANARY
TRELLIX_HX_ES
TRENDMICRO_APEX_ONE
TRENDMICRO_CLOUDONE
TRENDMICRO_VISION_ONE_ACTIVITY
TRENDMICRO_VISION_ONE_OBSERVERD_ATTACK_TECHNIQUES
TRENDMICRO_VISION_ONE_WORKBENCH
TRIPWIRE_FIM
NIX_SYSTEM
VMWARE_HORIZON
VMWARE_VCENTER
VMWARE_VREALIZE
WATCHGUARD
WINEVTLOG
WINEVTLOG_XML
WORKDAY_AUDIT
WORKSPACE_ACTIVITY
WORKSPACE_USERS
ZSCALER_DECEPTION
The following log types were added without a default parser. Each parser is listed by product name and log_type value, where applicable.
AKAMAI_MFA
AZURE_ORG_CONTEXT
CISCO_RAVPN
COREVIEW
FORTINET_FORTINDR
GCP_SECURITYCENTER_CHOKEPOINT
IMPERVA_CLOUD_WAF
LUMU
MICROSOFT_DATABRICKS_WORKSPACES
MICROSOFT_INSIGHTS_COMPONENTS
MICROSOFT_SERVICEBUS_NAMESPACES
MICROSOFT_SQL_MANAGED_INSTANCES
MOVEWORKS
NETWORKBOX_UTM
OCI_IDENTITY_CLOUD_SERVICE
SAP_HAC
SONATYPE_LIFECYCLE
TEAMVIEWER_TENSOR
TORQ_AUDIT_LOGS
VELOCIRAPTOR
ZOOM_ACTIVITY
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
]]>New YARA-L features
The following capabilities have been added to YARA-L 2.0 to enhance search precision, data analysis, and investigative workflows:
Conditions in UDM search and dashboards
You can now filter aggregates defined in the outcome section using the new condition clause. This gives you more precise control over your results and supports more targeted investigations. New functionality includes support for OR and n of [a, b, c.. z] expressions.
General availability for search and dashboards.
Deduplicate events in searches and dashboards
The new dedup section lets you remove duplicate events after the match clause in both standard UDM searches and YARA-L 2.0 queries.
General availability for search and dashboards.
Use metrics functions in UDM searches
You can now apply metrics functions in the outcome section of your search to access aggregated historical data directly in your search queries. For more information, see metrics in rules.
Increased limits for array and array_distinct
The element limit for the array and array_distinct aggregation functions in YARA-L has increased from 25 to 1,000.
Restrict search results using limit
The limit keyword now lets you restrict the number of results returned by a search. Use this to quickly preview data, optimize performance, or focus on a subset of results.
General availability for search and dashboards.
earliest and latest timestamps
New earliest and latest timestamps let you extract the time range of your data (within microseconds) during aggregation.
General availability for search.
Layer aggregations and analytics across multi-stage queries
Recent updates to multi-stage queries let you:
Layer aggregations and data statistical functions. Calculate baselines, deviations, and trends across multiple stages of data processing.
Conduct joins both within and across stages.
Private preview for search and dashboards. Contact your Google SecOps representative to enroll.
Join events, the entity graph, and data tables
You can now perform inner joins between events, the entity graph, and data tables. These queries require a match clause and return results as statistics.
Private preview for search and dashboards. Contact your Google SecOps representative to enroll.
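A UDM search that combines the outcome, condition, earliest/latest and limit features described above, as an added example that is not from the release notes. The field names are UDM, the filter and thresholds are constructed, and the argument form of earliest()/latest() and the placement of limit follow my reading of the YARA-L 2.0 search syntax and should be checked against the current reference.

```yaral
// Added example (not part of the release notes): a YARA-L 2.0 UDM search
// that surfaces user/source-IP pairs with many blocked login attempts.
// Filter values and thresholds are constructed; the earliest()/latest()
// argument form is an assumption to verify against the YARA-L reference.

// Event filter: blocked login attempts.
metadata.event_type = "USER_LOGIN" and security_result.action = "BLOCK"

// Group the matching events by user and source IP.
match:
  principal.user.userid, principal.ip

// Aggregates computed for each match group.
outcome:
  $blocked_logins = count(metadata.id)
  $distinct_targets = count_distinct(target.hostname)
  // New earliest/latest aggregates give the time range of each group.
  $first_seen = earliest(metadata.event_timestamp.seconds)
  $last_seen = latest(metadata.event_timestamp.seconds)

// New condition clause: filter on the outcome aggregates (OR is supported).
condition:
  $blocked_logins > 20 or $distinct_targets > 5

// New limit keyword: return only the first 25 matching groups.
limit: 25
```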