Google Security Operations release notes

This page documents production updates to Google Security Operations. You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/chronicle-security-operations-release-notes.xml

April 25, 2024

Chronicle Security Operations (Chronicle SecOps) has been rebranded to Google Security Operations (Google SecOps). Both the logo and the platform name have been rebranded as part of this change. This rebranding reflects our commitment to bringing you the best of Google security operations features. There is no change to functionality in the platform.

April 22, 2024

The ingestion_stats table in BigQuery is deprecated and will no longer be updated after May 15, 2024. We recommend that you use the Chronicle ingestion_metrics table in BigQuery, which provides more accurate ingestion metrics.

The ingestion alerting system using Chronicle has been deprecated. This system will no longer be updated, and no alerts will be sent from this system after September 01, 2024. We recommend that you use the Cloud Monitoring integration, which provides more flexibility in alert logic, alert workflow, and integration with third-party ticketing systems.

April 15, 2024

The following labels fields for UDM nouns are deprecated, and these fields will not appear in search results after November 29, 2024: about.labels, intermediary.labels, observer.labels, principal.labels, src.labels, security_result.about.labels, and target.labels. For existing parsers, in addition to these UDM fields, the log fields are also mapped to the key and value settings in the additional.fields UDM fields. For new parsers, the key and value settings in the additional.fields UDM fields are used instead of the deprecated labels UDM fields. We recommend that you update existing rules to use the key and value settings in the additional.fields UDM fields instead of the deprecated labels UDM fields.

April 03, 2024

On or after May 1, 2024, in an effort to improve enrichment quality, the enrichment process using telemetry events and entities will prioritize values set by parsers over values from aliases in unenriched events. If a parser does not set the value, the enrichment process will set the enriched value using aliases.

Curated Detections rule packs covering AWS threats are generally available to Chronicle Enterprise and Enterprise Plus customers.

March 26, 2024

Gemini in Security Operations

Duet AI in Google Cloud is now Gemini for Google Cloud. See our blog post for more information.

March 25, 2024

Chronicle Applied Threat Intelligence helps you identify and respond to threats. When enabled, it ingests IOCs curated by Mandiant Threat Intelligence with an IC-Score greater than 80 and generates an error when a match is found. The following are some of the features of Applied Threat Intelligence.

  • Event-level enrichment: All telemetry in Chronicle is enriched with Google Threat Intelligence, which is a combination of Mandiant and VirusTotal, including all threat intelligence associations such as campaigns and actors.

  • Sophisticated indicator matching: Curated out-of-the-box detections that deliver sophisticated indicator matching using augmented prioritization logic, noise reduction based on customer environment context, and other correlation techniques to maximize signal to noise.

  • Active breach alerting: Uses Mandiant's incident response intelligence to alert on potential active breaches, delivering on our "no patient 1" vision.

  • Curated behavioral detections for emerging threats: To protect against newly emerging risks and tactics, techniques, and procedures (TTPs), Applied Threat Intelligence uses real-time insights.

  • DIY detection engineering and response automation: Access to Fusion intelligence (formerly known as Mandiant Fusion) for the following.

    • Customer authoring of rules
    • Customer development of response playbooks
  • Curated views for investigation and triage insights: Applied Threat Intelligence provides curated views that show valuable associations between an indicator and a threat actor, threat campaign, or malware, as well as statistics about a threat observed in customer environments. These views are invaluable for all security operations workflows.

For more information about Applied Threat Intelligence, see Applied Threat Intelligence overview.

March 22, 2024

Chronicle now supports direct ingestion and parsing of reCAPTCHA Enterprise logs from Google Cloud.

There is no longer a limit on the number of feeds you can create for the same log type in Feed Management.

Chronicle has added a new rule set to Cloud Threat Detections, called Serverless Threats, that detects activity associated with potential compromise or abuse of serverless resources in Google Cloud, such as Cloud Run and Cloud Functions.

March 20, 2024

Chronicle has expanded Cloud Threat Detections to create a detection when findings from Security Command Center Event Threat Detections, Cloud Armor, Sensitive Actions Service, and Custom modules for Event Threat Detection are identified. These detections are available through the following rule sets: CDIR SCC Cloud IDS, CDIR SCC Cloud Armor, CDIR SCC Impact, CDIR SCC Enhanced Persistence, CDIR SCC Enhanced Defense Evasion, and CDIR SCC Custom Module.

Case filter and URL now in a reciprocal relationship

In the Cases page, the filter and the URL now directly affect each other. Changing the filter changes the URL, and conversely, changing the URL changes the filter. You can take advantage of this feature by setting a filter for cases and putting the newly created URL in an external dashboard. Clicking on this link would then take you directly to the filtered case queue.

March 14, 2024

The forwarder troubleshooting guide is now available to help you diagnose and resolve common issues that may arise while using the Chronicle Linux forwarder.

The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.

  • Akamai WAF (AKAMAI_WAF)
  • Alcatel Switch (ALCATEL_SWITCH)
  • Arcsight CEF (ARCSIGHT_CEF)
  • Auth0 (AUTH_ZERO)
  • AWS Cloudtrail (AWS_CLOUDTRAIL)
  • AWS Config (AWS_CONFIG)
  • AWS GuardDuty (GUARDDUTY)
  • Azure AD (AZURE_AD)
  • Azure AD Directory Audit (AZURE_AD_AUDIT)
  • Azure App Service (AZURE_APP_SERVICE)
  • Azure Key Vault logging (AZURE_KEYVAULT_AUDIT)
  • BIND (BIND_DNS)
  • Blue Coat Proxy (BLUECOAT_WEBPROXY)
  • Box (BOX)
  • Chrome Management (N/A)
  • Cisco AMP (CISCO_AMP)
  • Cisco Umbrella DNS (UMBRELLA_DNS)
  • Cisco VPN (CISCO_VPN)
  • Citrix Netscaler (CITRIX_NETSCALER)
  • Cloud Audit Logs (N/A)
  • Cloudflare (CLOUDFLARE)
  • Cofense (COFENSE_TRIAGE)
  • Corelight (CORELIGHT)
  • CrowdStrike Falcon (CS_EDR)
  • CSV Custom IOC (CSV_CUSTOM_IOC)
  • Custom Application Access Logs (CUSTOM_APPLICATION_ACCESS)
  • Cybergatekeeper NAC (CYBERGATEKEEPER_NAC)
  • Extreme Wireless (EXTREME_WIRELESS)
  • F5 ASM (F5_ASM)
  • F5 BIGIP LTM (F5_BIGIP_LTM)
  • Falco IDS (FALCO_IDS)
  • FireEye (FIREEYE_ALERT)
  • FireEye ETP (FIREEYE_ETP)
  • ForgeRock Identity Cloud (FORGEROCK_IDENTITY_CLOUD)
  • FortiGate (FORTINET_FIREWALL)
  • GCP_APP_ENGINE (GCP_APP_ENGINE)
  • HP Procurve Switch (HP_PROCURVE)
  • IAM Context (N/A)
  • IBM DB2 (DB2_DB)
  • IBM Mainframe Storage (IBM_MAINFRAME_STORAGE)
  • IBM Security Access Manager (IBM_SAM)
  • Illumio Core (ILLUMIO_CORE)
  • Imperva (IMPERVA_WAF)
  • Infoblox (INFOBLOX)
  • JAMF CMDB (JAMF)
  • KerioControl Firewall (KERIOCONTROL)
  • Microsoft Azure Activity (AZURE_ACTIVITY)
  • Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
  • Microsoft Defender For Cloud (MICROSOFT_DEFENDER_CLOUD_ALERTS)
  • Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
  • Microsoft Exchange (EXCHANGE_MAIL)
  • Microsoft Graph Activity Logs (MICROSOFT_GRAPH_ACTIVITY_LOGS)
  • Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
  • Microsoft IIS (IIS)
  • Microsoft System Center Endpoint Protection (MICROSOFT_SCEP)
  • Mobile Endpoint Security (LOOKOUT_MOBILE_ENDPOINT_SECURITY)
  • Mongo Database (MONGO_DB)
  • Netscout OCI (NETSCOUT_OCI)
  • Netskope (NETSKOPE_ALERT)
  • Netskope Web Proxy (NETSKOPE_WEBPROXY)
  • Network Policy Server (MICROSOFT_NPS)
  • Nutanix Prism (NUTANIX_PRISM)
  • Office 365 (OFFICE_365)
  • Okta (OKTA)
  • OpenCanary (OPENCANARY)
  • Ordr IoT (ORDR_IOT)
  • Palo Alto Cortex XDR Alerts (CORTEX_XDR)
  • Palo Alto Networks Firewall (PAN_FIREWALL)
  • Palo Alto Prisma Cloud (PAN_PRISMA_CLOUD)
  • PerimeterX Bot Protection (PERIMETERX_BOT_PROTECTION)
  • Phishlabs (PHISHLABS)
  • Proofpoint Sendmail Sentrion (PROOFPOINT_SENDMAIL_SENTRION)
  • Pulse Secure (PULSE_SECURE_VPN)
  • RH-ISAC (RH_ISAC_IOC)
  • SailPoint IAM (SAILPOINT_IAM)
  • Salesforce (SALESFORCE)
  • Sap Business Technology Platform (SAP_BTP)
  • Security Command Center Threat (N/A)
  • Sentinelone Alerts (SENTINELONE_ALERT)
  • Shibboleth IDP (SHIBBOLETH_IDP)
  • Sourcefire (SOURCEFIRE_IDS)
  • Splunk Attack Analyzer (SPLUNK_ATTACK_ANALYZER)
  • STIX Threat Intelligence (STIX)
  • Symantec CloudSOC CASB (SYMANTEC_CASB)
  • Symantec DLP (SYMANTEC_DLP)
  • Tanium Asset (TANIUM_ASSET)
  • Thinkst Canary (THINKST_CANARY)
  • Trend Micro Deep Security (TRENDMICRO_DEEP_SECURITY)
  • Vectra Detect (VECTRA_DETECT)
  • Vectra Stream (VECTRA_STREAM)
  • VeridiumID by Veridium (VERIDIUM_ID)
  • Wazuh (WAZUH)
  • Windows Defender ATP (WINDOWS_DEFENDER_ATP)
  • Windows DNS (WINDOWS_DNS)
  • Windows Event (WINEVTLOG)
  • Windows Event (XML) (WINEVTLOG_XML)
  • Windows Local Administrator Password Solution (MICROSOFT_LAPS)
  • wiz.io (WIZ_IO)
  • Workspace Activities (WORKSPACE_ACTIVITY)
  • XAMS by Xiting (XITING_XAMS)
  • Zscaler CASB (ZSCALER_CASB)
  • Zscaler DLP (ZSCALER_DLP)
  • Zscaler Internet Access Audit Logs (ZSCALER_INTERNET_ACCESS)

The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.

  • Aruba Switch (ARUBA_SWITCH)
  • Azure AD Password Protection (AZURE_AD_PASSWORD_PROTECTION)
  • Azure Front Door (AZURE_FRONT_DOOR)
  • Babelforce (BABELFORCE)
  • Cloudaware (CLOUDAWARE)
  • Coalition Control API (COALITION)
  • Crowdstrike Identity Protection Services (CS_IDP)
  • Cymulate (CYMULATE)
  • Dell ECS Enterprise Object Storage (DELL_ECS)
  • Google Cloud NGFW Enterprise (GCP_NGFW_ENTERPRISE)
  • Google Cloud Secure Web Proxy (GCP_SWP)
  • HaveIBeenPwned (HIBP)
  • HPE BladeSystem C7000 (HPE_BLADESYSTEM_C7000)
  • HP OpenView (HP_OPENVIEW)
  • IBM DS8000 Storage (IBM_DS8000)
  • IBM-i Operating System (IBM_I)
  • Multicom Switch (MULTICOM_SWITCH)
  • Nextthink Finder (NEXTTHINK_FINDER)
  • Palo Alto Cortex XDR Management Audit (PAN_XDR_MGMT_AUDIT)
  • PingIdentity Directory Server Logs (PING_DIRECTORY)
  • Prisma SD-WAN (PRISMA_SD_WAN)
  • Redhat Jboss (REDHAT_JBOSS)
  • SafeBreach (SAFEBREACH)
  • Scality Ring Audit (SCALITY_RING_AUDIT)
  • Sendsafely (SENDSAFELY)
  • Solace Pub Sub Cloud (SOLACE_AUDIT)
  • Sonicwall Secure Mobile Access (SONICWALL_SMA)
  • Sonrai Enterprise Cloud Security Solution (SONRAI)
  • Tenemos Journey Manager System Event Publisher (TENEMOS_MANAGER_SYSTEMEVENT)
  • TrueFort Platform (TRUEFORT)
  • Ubiquiti Accesspoint (UBIQUITI_ACCESSPOINT)
  • WithSecure Cloud Protection (WITHSECURE_CLOUD)
  • WithSecure Elements Connector (WITHSECURE_ELEMENTS)
  • YAMAHA ROUTER RTX1200 (YAMAHA_ROUTER)

For a list of supported log types and details about default parser changes, see Supported log types and default parsers.

March 13, 2024

In the Entity Explorer page, Case Distribution has been renamed to Alert Distribution.

Jobs Enhancement

When updating an integration, the jobs will now be updated automatically. This does not apply to any legacy jobs that were created before October 2023.

The Marketplace integration will clearly identify the legacy jobs that are affected and provide instructions on how to proceed.

In addition, legacy jobs are now marked as such in the Jobs Scheduler page so that you can take action and resolve issues beforehand.

February 22, 2024

The following APIs have been deprecated and will be deleted in 6 months.

  • GET /api/external/v1/connectors/GetConnectorsData
  • POST /api/external/v1/connectors/DeleteConnector
  • POST /api/external/v1/connectors/AddOrUpdateConnector
  • POST /api/external/v1/connectors/UpdateConnectorFromIde
  • POST /api/external/v1/connectors/GetConnectorStatus

For each API above, there are one or more alternative endpoints that you can use as shown below:

Instead of
GET /api/external/v1/connectors/GetConnectorsData

Use one of the following:

  • GET /api/external/v1/connectors/template-cards
    Provides basic information for each accessible connector definition.

  • POST /api/external/v1/connectors/template
    Retrieves detailed information regarding a specific connector definition.

  • GET /api/external/v1/connectors/cards
    Provides basic information for each accessible connector.

  • GET /api/external/v1/connectors/{identifier}
    Retrieves detailed information regarding a specific connector instance.

Instead of
POST /api/external/v1/connectors/DeleteConnector
Use
DELETE /api/external/v1/connectors/{identifier}

Instead of
POST /api/external/v1/connectors/AddOrUpdateConnector
Use
POST /api/external/v1/connectors

Instead of
POST /api/external/v1/connectors/UpdateConnectorFromIde
Use
POST /api/external/v1/connectors/update-from-ide

Instead of
POST /api/external/v1/connectors/GetConnectorStatus
Use
GET /api/external/v1/connectors/{identifier}/statistics

February 20, 2024

Google has added Tokyo (Japan) as a new region for Chronicle customers. Chronicle can now store customer data in this region. This also adds a new regional endpoint for Chronicle APIs at https://asia-northeast1-backstory.googleapis.com.

The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.

  • A10 Load Balancer (A10_LOAD_BALANCER)
  • Anomali (ANOMALI_IOC)
  • Apache (APACHE)
  • Arcsight CEF (ARCSIGHT_CEF)
  • AWS CloudWatch (AWS_CLOUDWATCH)
  • AWS EC2 Hosts (AWS_EC2_HOSTS)
  • AWS EC2 Instances (AWS_EC2_INSTANCES)
  • AWS EC2 VPCs (AWS_EC2_VPCS)
  • Azure AD (AZURE_AD)
  • Azure AD Directory Audit (AZURE_AD_AUDIT)
  • Azure DevOps Audit (AZURE_DEVOPS)
  • Azure Firewall (AZURE_FIREWALL)
  • BIND (BIND_DNS)
  • BloxOne Threat Defense (BLOXONE)
  • Blue Coat Proxy (BLUECOAT_WEBPROXY)
  • Carbon Black (CB_EDR)
  • Cato Networks (CATO_NETWORKS)
  • CENSYS (CENSYS)
  • Check Point (CHECKPOINT_FIREWALL)
  • Chrome Management (N/A)
  • Cisco IronPort (CISCO_IRONPORT)
  • Cisco Meraki (CISCO_MERAKI)
  • Cisco Prime (CISCO_PRIME)
  • Cisco Secure Workload (CISCO_SECURE_WORKLOAD)
  • Citrix Netscaler (CITRIX_NETSCALER)
  • Cloud Audit Logs (N/A)
  • Cloud Load Balancing (GCP_LOADBALANCING)
  • Cloud Run (GCP_RUN)
  • Cloudflare (CLOUDFLARE)
  • CommVault Commcell (COMMVAULT_COMMCELL)
  • Compute Context (N/A)
  • Corelight (CORELIGHT)
  • CrowdStrike Detection Monitoring (CS_DETECTS)
  • CSV Custom IOC (CSV_CUSTOM_IOC)
  • Cybereason EDR (CYBEREASON_EDR)
  • Dataminr Alerts (DATAMINR_ALERT)
  • Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
  • F5 BIGIP LTM (F5_BIGIP_LTM)
  • FireEye ETP (FIREEYE_ETP)
  • Forescout NAC (FORESCOUT_NAC)
  • ForgeRock OpenAM (OPENAM)
  • IBM WebSEAL (IBM_WEBSEAL)
  • Imperva (IMPERVA_WAF)
  • Imperva Database (IMPERVA_DB)
  • Infoblox RPZ (INFOBLOX_RPZ)
  • ISC DHCP (ISC_DHCP)
  • Juniper (JUNIPER_FIREWALL)
  • Linux Sysmon (LINUX_SYSMON)
  • LogonBox (LOGONBOX)
  • ManageEngine ADAudit Plus (ADAUDIT_PLUS)
  • Micro Focus iManager (MICROFOCUS_IMANAGER)
  • Microsoft AD (WINDOWS_AD)
  • Microsoft ATA (MICROSOFT_ATA)
  • Microsoft Azure Activity (AZURE_ACTIVITY)
  • Microsoft Defender For Cloud (MICROSOFT_DEFENDER_CLOUD_ALERTS)
  • Microsoft Exchange (EXCHANGE_MAIL)
  • Microsoft IIS (IIS)
  • Netskope (NETSKOPE_ALERT)
  • Netskope CASB (NETSKOPE_CASB)
  • Ntopng (NTOPNG)
  • Office 365 (OFFICE_365)
  • OpenCanary (OPENCANARY)
  • OpenSSH (OPENSSH)
  • OSSEC (OSSEC)
  • Palo Alto Cortex XDR Alerts (CORTEX_XDR)
  • Palo Alto Networks Firewall (PAN_FIREWALL)
  • Palo Alto Panorama (PAN_PANORAMA)
  • Quest Active Directory (QUEST_AD)
  • Recordia (RECORDIA)
  • Sangfor Next Generation Firewall (SANGFOR_NGAF)
  • SAP SM20 (SAP_SM20)
  • Security Command Center Threat (N/A)
  • SEPPmail Secure Email (SEPPMAIL)
  • ServiceNow CMDB (SERVICENOW_CMDB)
  • Snare System Diagnostic Logs (SNARE_SOLUTIONS)
  • Solaris system (SOLARIS_SYSTEM)
  • STIX Threat Intelligence (STIX)
  • Symantec CloudSOC CASB (SYMANTEC_CASB)
  • Symantec Web Security Service (SYMANTEC_WSS)
  • Trend Micro Deep Security (TRENDMICRO_DEEP_SECURITY)
  • Veritas NetBackup (VERITAS_NETBACKUP)
  • VMware ESXi (VMWARE_ESX)
  • Watchguard EDR (WATCHGUARD_EDR)
  • WindChill (WINDCHILL)
  • Windows Defender AV (WINDOWS_DEFENDER_AV)
  • Windows DNS (WINDOWS_DNS)
  • Windows Event (WINEVTLOG)
  • Windows Event (XML) (WINEVTLOG_XML)
  • wiz.io (WIZ_IO)
  • Zeek JSON (BRO_JSON)
  • Zscaler (ZSCALER_WEBPROXY)
  • Zscaler CASB (ZSCALER_CASB)
  • Zscaler Internet Access Audit Logs (ZSCALER_INTERNET_ACCESS)
  • Zscaler Private Access (ZSCALER_ZPA)

The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.

  • Arista Guardian For Network Identity (ARISTA_AGNI)
  • HPE Aruba Networking Central (ARUBA_CENTRAL)
  • Blackberry Workspaces (BLACKBERRY_WORKSPACES)
  • Barracuda CloudGen Firewall (BARRACUDA_CLOUDGEN_FIREWALL)
  • Cisco EStreamer (CISCO_ESTREAMER)
  • Cyderes IOC (CYDERES_IOC)
  • Dataiku DSS Logging (DATAIKU_DSS_LOGS)
  • Edgecore Networks (EDGECORE_NETWORKS)
  • Fisglobal Quantum (FISGLOBAL_QUANTUM)
  • ForgeRock Identity Cloud (FORGEROCK_IDENTITY_CLOUD)
  • Forgerock OpenIdM (FORGEROCK_OPENIDM)
  • FS-ISAC IOC (FS_ISAC_IOC)
  • Genetec Audit (GENETEC_AUDIT)
  • HiBob (HIBOB)
  • Imperva Audit Trail (IMPERVA_AUDIT_TRAIL)
  • KerioControl Firewall (KERIOCONTROL)
  • Looker Audit (LOOKER_AUDIT)
  • Mobile Endpoint Security (LOOKOUT_MOBILE_ENDPOINT_SECURITY)
  • ManageEngine PAM360 (MANAGE_ENGINE_PAM360)
  • Melissa (MELISSA)
  • Microsoft CASB Files & Entities (MICROSOFT_CASB_CONTEXT)
  • Windows Local Administrator Password Solution (MICROSOFT_LAPS)
  • Network Policy Server (MICROSOFT_NPS)
  • Power BI Activity Log (MICROSOFT_POWERBI_ACTIVITY_LOG)
  • Nxlog Agent (NXLOG_AGENT)
  • Nxlog Fim (NXLOG_FIM)
  • Opus Codec (OPUS)
  • Oracle NetSuite (ORACLE_NETSUITE)
  • Pega Automation (PEGA)
  • Qualys Knowledgebase (QUALYS_KNOWLEDGEBASE)
  • RealiteQ (REALITEQ)
  • SAP Webdispatcher (SAP_WEBDISP)
  • Serpico (SERPICO)
  • Software House Ccure9000 (SOFTWARE_HOUSE_CCURE9000)
  • Spirion (SPIRION)
  • Spur data feeds (SPUR_FEEDS)
  • Swift (SWIFT)
  • Technitium DNS (TECHNITIUM_DNS)
  • Tetragon Ebpf Audit Logs (TETRAGON_EBPF_AUDIT_LOGS)
  • Trend Micro Email Security Advanced (TRENDMICRO_EMAIL_SECURITY)
  • Tridium Niagara Framework (TRIDIUM_NIAGARA_FRAMEWORK)
  • VeridiumID by Veridium (VERIDIUM_ID)
  • Wallarm Webhook Notifications (WALLARM_NOTIFICATIONS)
  • Winscp (WINSCP)
  • XAMS by Xiting (XITING_XAMS)

For a list of supported log types and details about default parser changes, see Supported log types and default parsers.

Chronicle now supports the timestamp.get_date() function. For more information and example usage, see YARA-L 2.0 language syntax.

February 19, 2024

The AI Investigation widget is now available in Europe. For more information, refer to AI Investigation widget.

February 12, 2024

Risk Analytics

Google has introduced Risk Analytics to Chronicle. Risk Analytics looks for patterns of risk across your enterprise, assigning risk scores to all entities and activities. These scores are surfaced in the Risk Analytics dashboard which lets you better understand risk in your environment by visualizing entity risk trends. The dashboard helps you to identify unusual behavior and the potential risk that entities pose to your enterprise. You can specify watchlists of entities you suspect of having greater risk. The watchlists let you more easily monitor risk within your environment.

Risk Analytics also provides both predefined curated detections and YARA-L metric functions for authoring custom rules.

Risk Analytics is available with Enterprise and Enterprise Plus licenses.

Chronicle requires a minimum Transport Layer Security (TLS) version of 1.2 to maintain security compliance. Ingestion routing connections that use lower TLS versions are automatically blocked. Upgrade any custom ingestion mechanisms to adhere to TLS 1.2 or higher.

When the data ingestion rate for a tenant reaches a certain threshold, Chronicle controls the rate of ingestion for new data feeds to prevent a source with a high ingestion rate from affecting the ingestion rate of another data source. The ingestion volume and the tenant's usage history determine the threshold. If the rate of ingestion does not deviate greatly, there is no effect on the ingestion rate.

February 08, 2024

Email settings: customer configuration change

To support safe and secure communication, the Trust Certificate checkbox is scheduled to be removed in April 2024, because the setting will be enabled automatically by default.

Customers who currently do not have this checkbox enabled are advised to carry out the following procedure.

  • In the Email Settings > Customer Configuration tab, enable the Trust Certificate checkbox.
  • Save the settings.
  • Click Test to ensure the configuration works.
  • Perform an action which will trigger a test email notification.
  • If errors are shown, follow the instructions in the error message.

New audit logs

The platform now captures audit logs when a playbook folder is deleted.

January 31, 2024

The Detection Engine added support for joining event variables within or expressions and function calls. For examples, see Event variable join requirements.

The following log types were added to the Chronicle feed management API to create AWS data feeds. These feeds can be used to get context on AWS resources such as EC2 instances and users in identity and access management (IAM). Each is listed by product name and log_type value, if applicable.

  • AWS EC2 Hosts (AWS_EC2_HOSTS)
  • AWS EC2 Instances (AWS_EC2_INSTANCES)
  • AWS EC2 VPCs (AWS_EC2_VPCS)
  • AWS Identity and Access Management (AWS_IAM)

To view a list of log types that Chronicle supports for third-party APIs, see Configuration by log type.

January 24, 2024

Chronicle has expanded Cloud Threat Detections to alert on findings from GCP Security Command Center Event Threat Detections, Virtual Machine Threat Detections, and Container Threat Detections. These passthrough detections are available through the following packs: CDIR SCC Enhanced Exfiltration, CDIR SCC Enhanced Defense Evasion, CDIR SCC Enhanced Malware, CDIR SCC Enhanced Persistence, CDIR SCC Enhanced Privilege Escalation, CDIR SCC Credential Access, CDIR SCC Enhanced Discovery, CDIR SCC Brute Force, CDIR SCC Data Destruction, CDIR SCC Inhibit System Recovery, CDIR SCC Execution, CDIR SCC Initial Access, CDIR SCC Impair Defenses.

Chronicle Curated Detections has been enhanced with new detection content for Linux Threats. These new rule sets help identify malware and suspicious activity in Linux environments.

January 17, 2024

The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.

  • ADVA Fiber Service Platform (ADVA_FSP)
  • Anomali (ANOMALI_IOC)
  • Apache (APACHE)
  • AWS EMR (AWS_EMR)
  • AWS Route 53 DNS (AWS_ROUTE_53)
  • AWS WAF (AWS_WAF)
  • Azure AD Directory Audit (AZURE_AD_AUDIT)
  • Azure Application Gateway (AZURE_GATEWAY)
  • BIND (BIND_DNS)
  • Blue Coat Proxy (BLUECOAT_WEBPROXY)
  • Carbon Black (CB_EDR)
  • Check Point (CHECKPOINT_FIREWALL)
  • Cisco ASA (CISCO_ASA_FIREWALL)
  • Cisco DNA Center Platform (CISCO_DNAC)
  • Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
  • CrowdStrike Falcon (CS_EDR)
  • Darktrace (DARKTRACE)
  • Deep Instinct EDR (DEEP_INSTINCT_EDR)
  • Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
  • Extreme Networks Switch (EXTREME_SWITCH)
  • F5 ASM (F5_ASM)
  • F5 BIGIP LTM (F5_BIGIP_LTM)
  • Forescout NAC (FORESCOUT_NAC)
  • Fortinet FortiClient (FORTINET_FORTICLIENT)
  • GitHub (GITHUB)
  • GMAIL Logs (GMAIL_LOGS)
  • IBM DB2 (DB2_DB)
  • IBM Guardium (GUARDIUM)
  • Jamf Protect Alerts (JAMF_PROTECT)
  • Juniper (JUNIPER_FIREWALL)
  • Kubernetes Node (KUBERNETES_NODE)
  • Mandiant Custom IOC (MANDIANT_CUSTOM_IOC)
  • Mattermost (MATTERMOST)
  • Microsoft Exchange (EXCHANGE_MAIL)
  • Microsoft IIS (IIS)
  • Microsoft SQL Server (MICROSOFT_SQL)
  • Nutanix Prism (NUTANIX_PRISM)
  • Office 365 (OFFICE_365)
  • Okta (OKTA)
  • Palo Alto Cortex XDR Events (PAN_CORTEX_XDR_EVENTS)
  • Palo Alto Networks Firewall (PAN_FIREWALL)
  • Proofpoint Observeit (OBSERVEIT)
  • RH-ISAC (RH_ISAC_IOC)
  • SAP SAST Suite (SAP_SAST)
  • Security Command Center Threat (N/A)
  • SentinelOne Singularity Cloud Funnel (SENTINELONE_CF)
  • Symantec DLP (SYMANTEC_DLP)
  • Talon (TALON)
  • Tanium Stream (TANIUM_TH)
  • Trend Micro Apex one (TRENDMICRO_APEX_ONE)
  • Windows Event (WINEVTLOG)
  • Windows Event (XML) (WINEVTLOG_XML)
  • wiz.io (WIZ_IO)
  • Zscaler (ZSCALER_WEBPROXY)
  • Zscaler CASB (ZSCALER_CASB)
  • Zscaler Tunnel (ZSCALER_TUNNEL)

The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.

  • Asimily (ASIMILY)
  • Checkpoint Gaia (CHECKPOINT_GAIA)
  • Cisco Cyber Vision (CISCO_CYBER_VISION)
  • Cisco IronPort (CISCO_IRONPORT)
  • Cyber 2.0 IDS (CYBER_2_IDS)
  • CypherTrust Manager (CYPHERTRUST_MANAGER)
  • Duo Trust Monitor (DUO_TRUST_MONITOR)
  • Extreme Wireless (EXTREME_WIRELESS)
  • FireEye PX (FIREEYE_PX)
  • Harfanglab EDR (HARFANGLAB_EDR)
  • ImageNow (IMAGENOW)
  • INFINICO NetWyvern Series Appliance (INFINICO_NETWYVERN)
  • Quest CA Audit (QUEST_CA_AUDIT)
  • Quest Change Auditor for EMC (QUEST_CHANGE_AUDITOR_EMC)
  • Quest File Access Audit (QUEST_FILE_AUDIT)
  • RadiFlow IDS (RADIFLOW_IDS)
  • Sentrigo (SENTRIGO)
  • SEPPmail Secure Email (SEPPMAIL)
  • SpecterX (SPECTERX)
  • ViaControl Server Application (VIACONTROL)
  • WindChill (WINDCHILL)
  • WS Ftp (WS_FTP)

For a list of supported log types and details about default parser changes, see Supported log types and default parsers.

The following changes are available in the Unified Data Model.

  • New objects were added:

    • DNSRecord
    • Favicon
    • ThreatVerdict
    • PopularityRank
    • SSLCertificate
    • SSLCertificate.AuthorityKeyId
    • SSLCertificate.CertSignature
    • SSLCertificate.DSA
    • SSLCertificate.EC
    • SSLCertificate.Extension
    • SSLCertificate.PublicKey
    • SSLCertificate.RSA
    • SSLCertificate.Subject
    • SSLCertificate.Validity
    • Tracker
    • Url
    • SecurityResult.AnalyticsMetadata
  • A new field was added to Noun: url_metadata.

  • New fields were added to SecurityResult:

    • ruleset_category_display_name
    • confidence_score
    • analytics_metadata
    • threat_verdict
    • last_discovered_time
  • New fields were added to Domain:

    • categories
    • favicon
    • jarm
    • last_dns_records
    • last_dns_records_time
    • last_https_certificate
    • last_https_certificate_time
    • popularity_ranks
    • tags
    • whois_time
  • New fields were added to File: security_result and main_icon.

  • New fields were added to SecurityResult.Association: sponsor_region, targeted_regions, and tags.

  • New values were added to File.FileType:

    • FILE_TYPE_DWG
    • FILE_TYPE_DXF
    • FILE_TYPE_THREEDS
    • FILE_TYPE_WEBM
    • FILE_TYPE_MKV
    • FILE_TYPE_ONE_NOTE
    • FILE_TYPE_OOXML
    • FILE_TYPE_ZST
    • FILE_TYPE_LZFSE
    • FILE_TYPE_PYTHON_WHL
    • FILE_TYPE_PYTHON_PKG
    • FILE_TYPE_M4
    • FILE_TYPE_OBJETIVEC
    • FILE_TYPE_JMOD
    • FILE_TYPE_MAKEFILE
    • FILE_TYPE_INI
    • FILE_TYPE_CLJ
    • FILE_TYPE_PDB
    • FILE_TYPE_SQL
    • FILE_TYPE_NEKO
    • FILE_TYPE_WER
    • FILE_TYPE_GOLANG
    • FILE_TYPE_SGML
    • FILE_TYPE_JSON
    • FILE_TYPE_CSV
    • FILE_TYPE_SQUASHFS
    • FILE_TYPE_VHD
    • FILE_TYPE_IPS
    • FILE_TYPE_PEM
    • FILE_TYPE_PGP
    • FILE_TYPE_CRT
    • FILE_TYPE_PYC

  • New values were added to Metric.Dimension:

    • PRINCIPAL_PROCESS_FILE_PATH
    • PRINCIPAL_PROCESS_FILE_HASH
    • SECURITY_RESULT_RULE_NAME
  • A new value was added to Metric.MetricName: ALERT_EVENT_NAME_COUNT.

  • A new value was added to SecurityResult.ProductSeverity: NONE.

For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list.

January 16, 2024

UDM Search for entity investigation

UDM Search now includes a feature that lets you investigate entities (for example, an IP address, user, or asset) in addition to the events and alerts that match the search query terms. UDM Search query conditions can include both UDM fields (for example, principal.hostname="alice") and grouped fields (for example, hostname="alice"). When a search query includes a condition that identifies a specific entity, the search results include details about that entity in addition to UDM events that match the entire search query.

January 04, 2024

Additional support for trimming large alerts

To prevent performance issues, when an alert contains more than 500 entities, the alert is ingested with the key entities retained and the additional entities removed.

This trimming support works in parallel with the current trimming mechanism as defined in Handle large alerts.

New placeholders added

A new category of placeholders has been added to the SOAR side of the platform. These placeholders focus on the current state of the session, such as the logged-in user and the platform, and can be used in a variety of scenarios. For example, you can use them in an HTML widget to create customized information specifically for the logged-in user, as opposed to the users assigned to the case.

A new section called General has been added to the placeholders. It contains the following placeholders:

  • HostUrl
  • CurrentUserEmail
  • CurrentUserID
  • CurrentUserFullName
  • CurrentUserRole

Note that the Current User placeholders cannot be used in playbooks or jobs.

December 13, 2023

Duet AI in Security Operations

The following Duet AI features are now available to Chronicle Security Operations customers:

  • You can now use Duet AI to search your event data using natural language. Duet AI can translate natural language into Chronicle's unified data model, letting you search your event data without having to know YARA-L to craft custom queries.

  • You can now use the AI Investigation widget to look at the whole case (alerts, events, and entities). The AI Investigation widget also provides an AI-generated case summary of how much attention the case might require, summarizes the alerts data to better understand the threat, and recommends next steps to be taken for effective remediation. The AI Investigation widget is available in the United States only.

September 19, 2023

Welcome to Chronicle Security Operations (SecOps), a Google Cloud service built as a specialized layer on top of Google's core infrastructure, designed for enterprises to privately retain, analyze, and search petabytes of security and network telemetry.

The SecOps platform provides instant context about suspicious and malicious activity. It can be used to detect threats, investigate the scope and cause of those threats, and provide remediation using pre-built integrations with enterprise workflow, response, and orchestration platforms.

The SecOps platform fuses key capabilities of Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR) and Threat Intelligence from Google Cloud, VirusTotal, and Mandiant.

The Chronicle SecOps platform enables security analysts to analyze and mitigate a security threat throughout its lifecycle by employing the following capabilities:

Collection: Data is ingested into the platform using software forwarders, parsers, connectors, and webhooks.

Detection: This data is aggregated, normalized using the Universal Data Model (UDM), and linked to detections and threat intelligence.

Investigation: Threats are investigated through case management, search, collaboration, and contextual mapping.

Response: Security analysts can respond quickly and provide resolutions using automated playbooks, incident management, and closed-loop feedback.