The Google Cloud Platform Terms of Service (section 1.4(d), "Discontinuation of Services") defines the deprecation policy that applies to Google Security Operations. The deprecation policy only applies to the services, features, or products listed therein.
After a service, feature, or product is officially deprecated, it continues to be available for at least the period of time defined in the Terms of Service. After this period of time, the service is scheduled for shutdown.
The following table lists feature deprecations and their related shutdown schedules for Google Security Operations.
Feature | Deprecated date | Shutdown date | Details |
---|---|---|---|
SOAR infrastructure migration to Google APIs | June, 2025 | September 30, 2025 | Starting June 2025, the SOAR APIs will be hosted as part of the Google API service (chronicle/docs/reference/rest). |
SOAR API | 6 months from migration period (June-September 2025) | March 31, 2026 | At the end of SOAR migration to the Google API service (chronicle/docs/reference/rest), the SOAR APIs will be decommissioned. You will be required to change your own scripts and tools to refer to the new Google SOAR APIs. |
UDM alert metadata fields | July 22, 2024 | June 22, 2025 | The Google SecOps alert metadata fields for UDM idm.is_significant and idm.is_alert have been deprecated. Use YARA-L detection rule alerts for alert metadata. |
Incident Manager | July 22, 2024 | July 22, 2025 | The Incident Manager in Google Security Operations will be fully decommissioned on July 22, 2025. We will provide support and maintenance until July 22, 2025, but no new features will be released. |
BigQuery data lake | December 31, 2024 | March 31, 2025 | On December 31, 2024, the managed BigQuery data lake for export won't be accessible to Google SecOps customers except for customers in the Enterprise Plus Tier. Enterprise Plus Tier customers will retain access until a replacement is available. Other customers can use their own BigQuery instance to export telemetry data, a feature currently in preview. For more information, see Configure a data export to BigQuery in a self-managed Google Cloud project. The managed BigQuery resources and API keys associated with the chronicle-tla Google Cloud project will be fully decommissioned by March 31, 2025. |
Python 2.7 | July 14, 2024 | October 13, 2024 | Support for Python 2.7 is being decommissioned from the Google SecOps platform and Marketplace. Users will no longer be able to use integrations that run Python 2.7 in the Google SecOps platform after October 13, 2024. For more details, see Upgrade the Python Versions. |
Symantec Event Export API feed | July 11, 2024 | October 01, 2024 | The third-party API feed Symantec Event Export has been discontinued due to the deprecation of Symantec Event Export API. To ingest data, use a Cloud Storage bucket. For more information, see Add a feed and Adding a Data Bucket event stream type. |
Ingestion alerting method | April 18, 2024 | September 01, 2024 | The ingestion alerting system using Google Security Operations has been deprecated. This system will no longer be updated, and no alerts will be sent from this system after September 01, 2024. Use the Cloud Monitoring integration which provides more flexibility in alert logic, alert workflow, and integration with third-party ticketing systems. |
Google Security Operations ingestion_stats table in BigQuery | April 18, 2024 | May 15, 2024 | The ingestion_stats table in BigQuery has been deprecated and will no longer be updated after May 15, 2024. Use the Google Security Operations ingestion_metrics table in BigQuery, which provides more accurate ingestion metrics. Real-time alerting on ingestion metrics is also available in the Google Security Operations Cloud Monitoring integration. |
Google Security Operations CBN alerts | July 22, 2024 | July 22, 2025 | The Enterprise Insights page and the CBN alerts will no longer be available after July 2025. Use the Alerts and IOCs page to view the alerts. We recommend that you migrate the existing CBN alerts to the YARA-L detection engine. The Google Security Operations YARA-L detection engine is the preferred option for detection alerts because it offers enhanced transparency in detection logic and robust tuning capabilities. For more information, see Overview of the YARA-L 2.0 language. |
labels fields for UDM nouns | November 29, 2023 | November 29, 2024 | On or after November 29, 2023, the following Google Security Operations labels fields for UDM nouns are deprecated: about.labels, intermediary.labels, observer.labels, principal.labels, src.labels, security_result.about.labels, and target.labels. For existing parsers, in addition to these UDM fields, the log fields are also mapped to key/value additional.fields UDM fields. For new parsers, the key/value settings in additional.fields UDM fields are used instead of the deprecated labels UDM fields. We recommend that you update the existing rules to use the key/value settings in the additional.fields UDM fields instead of the deprecated labels UDM fields. |
Google Security Operations forwarder executable for Windows | April 04, 2023 | March 31, 2024 | On or after March 31, 2024, the existing Google Security Operations forwarder executable for Windows will be removed. For information about Google Security Operations forwarder for Windows on Docker, see Google Security Operations forwarder for Windows on Docker. |
Chronicle BigQuery udm_events table | July 01, 2023 | August 01, 2023 | On or after July 1, 2023, the existing udm_events table in Chronicle-managed BigQuery projects will be fully replaced with a new table named events. This new table is currently available for all customers. Chronicle will handle all changes in-product for this new table. Customers issuing queries against the udm_events table through Cloud Console, API, or directly connecting to BigQuery should fully migrate queries to the new table by July 1 to avoid interruption. When migrating SQL queries to use the new events table, also replace the _PARTITIONTIME field with the new hour_time_bucket field. |
MICROSOFT_SECURITY_CENTER_ALERT log type | May 03, 2022 | May 03, 2022 | As of May 03, 2022, the MICROSOFT_SECURITY_CENTER_ALERT log type has been removed. Logs previously fetched by the MICROSOFT_SECURITY_CENTER_ALERT feed are now a part of the MICROSOFT_GRAPH_ALERT feed. If you have a feed configured using the MICROSOFT_SECURITY_CENTER_ALERT log type, you can create a new feed using the MICROSOFT_GRAPH_ALERT log type. For more information about the MICROSOFT_GRAPH_ALERT log type, see Microsoft Graph Security API Alerts. |