Migrate to Google Cloud

This document is for both Google Security Operations unified customers and Google Security Operations SOAR standalone users migrating to Google Cloud. This migration enables deeper integration with other Google services, including Google Cloud, IAM monitoring for access control, Cloud Monitoring, and Cloud Audit Logs.

Start the first migration stage

From July 2025, you will receive an email and an in-app notification with your expected migration date and a link to a Google form.

Perform the required migration steps

For Google SecOps customers, the first stage of the migration process happens automatically. During the first migration stage, you can expect the following:

  • Communication and support: You'll be notified at the start and end of the migration window.

  • Migration validation: The migration process includes a full backup and restore of the tenant environment, copying all secrets, and updating system metadata. A series of comprehensive end-to-end tests are performed to verify functionality. Infrastructure and application validations are monitored in real time using system metrics and alerting tools.

  • The expected downtime is as follows:

    • Up to 2 hours for Google SecOps SOAR standalone customers
    • Up to 1.5 hours for Google SecOps customers
  • During the downtime in the first migration stage, system services, including ingestion and playbooks, are temporarily unavailable, and you can't sign in.

  • Once the system comes back online, all data is ingested and processed. No data loss is expected.

For Google SecOps SOAR standalone customers, complete the following steps to migrate your deployment.

Bind Google SecOps SOAR with a new Google Cloud project

To bind Google SecOps SOAR with your Google Cloud project, you must create a new Google Cloud project. For more information, see Configure a Google Cloud for Google SecOps.

  1. In your new Google Cloud project, enable the Chronicle API.

  2. Follow the link in the invitation email to the Get Google Security Operation page and enter your project details.

  3. On the Google form, enter your project ID and email address.

  4. After you enter your project details, set up the authentication method:

    • Workforce Identity Federation: Use this option if you're using external identity providers (IdPs). In your existing Google SecOps SOAR settings, create an IDP group mapping. The platform uses this mapping to authenticate users after migration.

    • Cloud Identity: Use this option if you have internal users.

Upcoming changes to Google SecOps SOAR access and authentication

  • Google SecOps SOAR URL updates
    • The existing Google SecOps SOAR-only platform URL will remain active through June 2026.
    • When you access the Google SecOps SOAR web application, you'll be automatically redirected to the new URL.
  • APIs and remote agents
    • The API and remote agents will continue to function using the old domain.
  • Authentication migration
    • Google SecOps SOAR is migrating the authentication flow to the Google Cloud authentication services and shifting to IDP-based authentication.

Expected downtime for initial migration

The expected downtime is as follows:

  • Up to 2 hours for SOAR standalone customers
  • Up to 1.5 hours for Google SecOps customers

During the first migration stage, core system services, including ingestion, playbooks, and jobs, will be temporarily unavailable, and users can't sign in. Once the system is back online, all queued data will be processed with no expected data loss.

For Google SecOps customers, the SIEM services will remain fully functional. To access the SIEM modules during the downtime, add the following suffix to the Backstory URL: /?app_mode=SIEM

What to expect during the first migration stage

  • Communication and Support: We will notify you at the beginning of the migration window and once the process is complete.
  • Migration Validation: The migration process includes a full backup and restore of the tenant environment, copying all secrets, and updating system metadata. A series of comprehensive end-to-end tests are performed to verify functionality. Infrastructure and application validations are monitored in real time using system metrics and alerting tools.

Start the second migration stage

The second stage applies to all customers and will take place between September 2025 and June 2026. This phase includes the following key steps.

Migrate permission groups

Use the UI script in your Google Cloud console to migrate your existing permission groups to IAM custom roles.

The script assigns these new custom roles to users for Cloud Identity customers or to IdP groups for Workforce Identity Federation customers.

Optional: Set up permissions using IAM

Set up permissions in the IAM console using the following predefined Google SecOps SOAR roles, or create custom roles:

  • SOAR Viewer
  • SOAR Analyst
  • SOAR Engineer
  • SOAR Admin

For more information about how to set up permissions, see Configure feature access.

After the migration, the following occurs:

  • The SOAR Settings > Organization > Permissions page is unavailable.
  • The Permission Group column on mapping pages is removed.

Set the default landing page for Google SecOps

You can set the landing page using the User Preferences menu, accessible from your avatar.

Note key changes in this stage

The following key changes occur during this stage:

  • Restrictions actions: Moved from the Permissions page to the IDP Group Mapping page.
  • License type: Now determined by your IAM permissions.
  • Remote agents: Existing remote agents will continue to work during the transition period. You must:
    • Create a service account instead of an API key for the remote agent.
    • Perform a major version upgrade of the remote agent.
  • Collect Google SecOps SOAR logs: All Google SecOps SOAR logs are available in Google Cloud. For more information, see Collect Google SecOps SOAR logs.

Use SOAR APIs on Google Cloud

The SOAR API is transitioning to the Chronicle API. You must update your scripts and integrations to use the new API endpoints. You must also use a service account for authentication instead of an API key.

The existing API and API keys will continue to work until June 2026, after which they'll no longer be available.

For more information, see Migrate endpoints to the Chronicle API.
