Google Security Operations SOAR release notes

This page documents production updates to Google Security Operations SOAR. You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/chronicle-soar-release-notes.xml

April 19, 2024

Release 6.2.54 is now in General Availability.

April 18, 2024

Release 6.3.0 is currently in Preview.

Chronicle SOAR is being rebranded to Google Security Operations (Google SecOps). Both the logo and the platform name have been rebranded as part of this change. This rebranding reflects our commitment to bringing you the best of Google security operations features. There is no change to functionality in the platform.

Context-sensitive help added to the platform

When you click the documentation link at the top of the platform, you will now be directed to the exact documentation page that relates to the screen you are on.

Custom List import error not propagated to the user (ID #1032784)

Advanced Text Editor text formatting not working (ID #00274952)

Issues with Login (ID #00283928)

Parse case wall email doesn't work in playbook simulator (ID #00260679)

Unable to create advanced reports when a specific environment is selected (ID #49898167)

Playbooks not visible due to missing categoryId and categoryName values (ID #00274872)

Events tab lists all artifacts even though they are part of different events (ID #49103838)

Tagged user is not highlighted or hyperlinked on the Case Wall page & Notification popup

April 12, 2024

Release 6.2.53 is now in General Availability.

Remote Agent Release 1.5.0 is now in General Availability.

April 11, 2024

Release 6.2.54 is currently in Preview.

In Release 6.2.45 the option to manually enter General placeholders was added. The General Placeholders section has now been added to the platform.

Error when adding or removing a tag on a closed case (ID #50195120)

Unable to import dynamic parameters (ID #00262571)

Playbooks re-running during platform update (ID #00282275)

Playbook block input can't be used to select dynamic instance (ID #00276416)

Refreshing dashboard changes displayed data (ID #49716319)

Playbooks not saving correctly (ID #49142793)

SAML logins do not show up in the SOAR Audit logs.

March 29, 2024

Release 6.2.52 is now in General Availability.

March 28, 2024

Release 6.2.53 is currently in Preview.

Issue when filtering Cases in Cases Page (ID #49689809)

Case filter is_not not working as expected (ID #00279039)

Unsupported providers causing playbooks not to run (ID #00262970)

Playbook block missing when trying to add it to a case (ID #00273133)

Report Scheduler not sending out reports as planned (ID #00277914)

March 27, 2024

Remote Agent Release 1.5.0 is currently in Preview.

Support for future major upgrades

Currently, Google supports minor upgrades which make changes to the remote agent code only.

We have now added support for the customer to carry out a major upgrade which requires changes to the entire OS or libraries in the machine.

You will receive clear instructions before a major upgrade. These must be followed very carefully in order to ensure the Remote Agent can continue to work with your machine.

Support for updating custom environment variables (ID #47675122)

You can now configure environment variables on the agent.

Remote connector logs are now written to the following path:

/opt/SiemplifyAgent/Integrations/<integration name>/Connectors/<connector instance>/remote_script.log

March 20, 2024

Release 6.2.52 is currently in Preview.

Case filter and URL now in a reciprocal relationship

In the Cases page, the filter and the URL now directly affect each other. Changing the filter changes the URL, and conversely, changing the URL changes the filter. You can take advantage of this feature by setting a filter for cases and putting the newly created URL in an external dashboard. Clicking on this link would then take you directly to the filtered case queue.

Incident Manager appearing in navigation even though user doesn't have license (ID #49062139)

lastLoginTime returns wrong date for SAML users (ID #00278010)

Wrong error message returned for environment alias duplicates (ID #00271405)

Playbooks with async actions longer than 7 days can't be saved even though time set to 14 days in IDE (ID #00269032)

Clicking on events configuration opens the wrong mapping & modeling rules

March 15, 2024

Release 6.2.5.0 is now in General Availability.

March 13, 2024

Release 6.2.51 is currently in Preview.

Jobs Enhancement

When updating an integration, the jobs will now be updated automatically. This does not apply to any legacy jobs that were created before October 2023.

The Marketplace integration will clearly identify the legacy jobs that are affected and provide instructions on how to proceed.

In addition, legacy jobs are now marked as such in the Jobs Scheduler page so that you can take action and resolve issues beforehand.

APIs now documented

The following APIs are not new, but with this Release are now formally documented in Swagger:

AddOrUpdateEnvironmentRecords

RemoveEnvironmentRecords

Searching for cases from the last week doesn't produce results (ID #00269819)

Email HTML Templates > Show Email Template not rendering styles (ID #00249556)

SDK call for create entity failure displays the wrong error message (ID #48950075)

March 08, 2024

Release 6.2.49 is now in General Availability.

March 07, 2024

Release 6.2.50 is currently in Preview.

In the Entity Explorer page, Case Distribution has been renamed to Alert Distribution.

This change makes the information easier to understand. (ID #48941723)

Docker hub login is not needed and as such this instruction has been removed from the platform. (ID #49611790)

Users with a single character in their last name are unable to login (ID #49008785)

Alerts are being grouped into cases after the time specified in the platform.

Inline CSS with styles and classes are not supported in Insights. Note that Scripts are not supported for security reasons. (ID #00273271)

Custom integration settings: existing script dependencies don't show up (ID #49703871)

Unable to create new playbook blocks (ID #00275270)

February 22, 2024

Release 6.2.49 is currently in Preview.

In the IDE, using CrowdStrikeFalcon - Execute command and selecting scope as internal hosts and external hosts does not work (ID #00250316)

The following APIs have been deprecated and will be deleted in 6 months.

  • GET /api/external/v1/connectors/GetConnectorsData
  • POST /api/external/v1/connectors/DeleteConnector
  • POST /api/external/v1/connectors/AddOrUpdateConnector
  • POST /api/external/v1/connectors/UpdateConnectorFromIde
  • POST /api/external/v1/connectors/GetConnectorStatus

For each API above, there are one or more alternative endpoints that you can use as shown below:

Instead of
GET /api/external/v1/connectors/GetConnectorsData

Use one of the following:

  • GET /api/external/v1/connectors/template-cards
    Provides basic information per each accessible connector definition.

  • POST /api/external/v1/connectors/template
    Retrieves detailed information regarding a specific connector definition.

  • GET /api/external/v1/connectors/cards
    Provides basic information per each accessible connector.

  • GET /api/external/v1/connectors/{identifier}
    Retrieves detailed information regarding a specific connector instance.

Instead of
POST /api/external/v1/connectors/DeleteConnector
Use
DELETE /api/external/v1/connectors/{identifier}

Instead of
POST /api/external/v1/connectors/AddOrUpdateConnector
Use
POST /api/external/v1/connectors

Instead of
POST /api/external/v1/connectors/UpdateConnectorFromIde
Use
POST /api/external/v1/connectors/update-from-ide

Instead of
POST /api/external/v1/connectors/GetConnectorStatus
Use
GET /api/external/v1/connectors/{identifier}/statistics
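
A small migration check for the deprecation list above, as an added example (not Google's code): it scans script text for the five deprecated connector endpoints and reports the replacements given in this note. The function names, the sample script and the case-insensitive matching are assumptions of the example.

```python
import re

# Deprecated connector operations and the replacements listed in the
# February 22, 2024 note. Keys are lower-cased for case-insensitive lookup
# (an assumption of this example; the note does not discuss route casing).
PREFIX = "/api/external/v1/connectors/"
REPLACEMENTS = {
    "getconnectorsdata": [
        "GET " + PREFIX + "template-cards",
        "POST " + PREFIX + "template",
        "GET " + PREFIX + "cards",
        "GET " + PREFIX + "{identifier}",
    ],
    "deleteconnector": ["DELETE " + PREFIX + "{identifier}"],
    "addorupdateconnector": ["POST /api/external/v1/connectors"],
    "updateconnectorfromide": ["POST " + PREFIX + "update-from-ide"],
    "getconnectorstatus": ["GET " + PREFIX + "{identifier}/statistics"],
}

# Match an operation name only when it is the whole path segment, so
# "DeleteConnector" does not fire on a longer name such as "DeleteConnectors".
DEPRECATED_RE = re.compile(
    re.escape(PREFIX) + "(" + "|".join(REPLACEMENTS) + r")(?![A-Za-z0-9_\-])",
    re.IGNORECASE,
)


def find_deprecated_calls(source):
    """Return (line_number, deprecated_path, replacements) for every hit."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in DEPRECATED_RE.finditer(line):
            op = match.group(1)
            findings.append((line_no, PREFIX + op, REPLACEMENTS[op.lower()]))
    return findings


def format_report(findings):
    """Render findings as one human-readable line per deprecated call."""
    return "\n".join(
        f"line {line_no}: {path} is deprecated; use " + " or ".join(repl)
        for line_no, path, repl in findings
    )


# Constructed sample input: a script that mixes deprecated and current calls.
SAMPLE_SCRIPT = '''\
# Constructed sample of a script that calls the SOAR API.
BASE = "https://soar.example.invalid"
r = session.get(BASE + "/api/external/v1/connectors/GetConnectorsData")
session.post(f"{BASE}/api/external/v1/connectors/DeleteConnector", json=body)
stats = session.get(f"{BASE}/api/external/v1/connectors/{cid}/statistics")
session.post(BASE + "/api/external/v1/connectors/update-from-ide", json=body)
session.post(BASE + "/api/external/v1/connectors/deleteconnector", json=body)
'''

if __name__ == "__main__":
    print(format_report(find_deprecated_calls(SAMPLE_SCRIPT)))
```

Run it over custom integrations, jobs and external automation that call the SOAR API before the deprecated endpoints are deleted.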

February 21, 2024

Remote Agents Release 1.4.9 is currently in Preview.

The Docker image to pull for this release is 1.4.9.2

Upgrade agents from 1.3.8 on RHEL not working as expected (ID #00243884)

Publisher memory usage issue (ID #00273756)

February 19, 2024

The following items have been added to Release Notes 6.2.48.

The AI Investigation widget is now available in Europe. For more information, refer to AI Investigation widget.

Timeout for automatic and manual python-run operations failing after 5 minutes even though it's defined for a longer time in the platform (ID #00243596, #00213817, #45379045, #48348087, #00245583, #00227758, #00250153)

Automatic actions/operations now run for up to the time defined in the platform (maximum of 20 minutes).

The 5 minute timeout still applies for the following manual operations:

  • Run manual action
  • Run connector once
  • IDE - Play Item

February 16, 2024

Release 6.2.47 is now in General Availability.

February 15, 2024

Release 6.2.48 is currently in Preview.

Playbook condition branch name field can now hold up to 150 characters (ID #48159735)

Just-in-Time User Provisioning configuration not available in Okta configuration. (ID #49263630)

IDE - creating an integration or manager with the same name as an existing one results in the wrong error message (ID #47233004)

Save button not showing when adding lots of list items to the List type action parameter (ID #00266458)

February 09, 2024

Release 6.2.46 is now in General Availability.

February 08, 2024

Release 6.2.47 is currently in Preview.

Email settings: customer configuration change

In order to help with safe and secure communication, the Trust Certificate checkbox is scheduled to be deleted in April 2024 as it will be enabled automatically by default.

Customers who currently do not have this checkbox enabled are advised to carry out the following procedure.

  • In the Email Settings > Customer Configuration tab, enable the Trust Certificate checkbox.
  • Save the settings.
  • Click Test to ensure the configuration works.
  • Perform an action which will trigger a test email notification.
  • If errors are shown, follow the instructions in the error message.

Manual Action Menu - Group and Specific filters when chosen together lead to errors (ID #49013713)

Custom SAML provider configuration error (ID #49125693)

The placeholder CurrentUserRole that was removed from Release 6.2.45 is now supported.

February 04, 2024

In Release 6.2.45 we announced new placeholders. The placeholder CurrentUserRole has been removed and is not supported.

February 01, 2024

Release 6.2.46 is now in Preview.

New audit logs

The platform now captures audit logs when a playbook folder is deleted. (ID #48557086)

Mentioning users in a case is not working as expected. (ID #00180795)

January 31, 2024

Release 6.2.45 is scheduled to be in General Availability as of February 4th, 2024.

January 19, 2024

Remote Agents 1.4.8

Enhancement for Docker image upgrade.

Release 6.2.45 is now in General Availability.

January 18, 2024

Remote Agents 1.4.7

Bug Fix: OpenSSL version on the remote agent is outdated. (ID #00250583)

January 17, 2024

Remote Agents 1.4.5

Bug Fix: Removed forced upgrade when enabling an agent. (ID #46257228)

Remote Agents 1.4.6

Bug Fix: Remote actions that use the API endpoint /api/external/v1/sdk/UpdateEntities fail with timeout. (ID #00265852)

January 11, 2024

Release 6.2.44 is now in General Availability.

January 10, 2024

Release 6.2.45 is currently in Preview.

New placeholders added

A new category of placeholders has been added which focuses on the current state of the session, such as the logged-in user and the platform. These can be used in a variety of scenarios. For example, you can use them in an HTML widget to create customized information specifically for logged-in users as opposed to the users assigned to the case.

A new section called General has been added to the placeholders. It contains the following placeholders:

  • HostUrl
  • CurrentUserEmail
  • CurrentUserID
  • CurrentUserFullName
  • CurrentUserRole

Note that the Current User placeholders cannot be used in playbooks or jobs.

Case Queue not refreshing automatically (ID #00267303)

January 05, 2024

Release 6.2.43 is now in General Availability.

January 04, 2024

Release 6.2.44 is currently in Preview.

New platform navigation

An entirely new way of navigating the platform is now available. For more information, refer to Navigate the SOAR platform.

Delete SAML provider

You can now delete existing SAML providers in the External Authentication page.

Additional support for trimming large alerts

In order to prevent performance issues, when an alert contains over 500 entities, the alert is ingested with the key entities retained and the additional entities are removed.

This trimming support works in parallel with the current trimming mechanism as defined in Handle large alerts.

Issues when trying to update a specific playbook block (ID #00267635)

Playbooks and their folders within a specific environment are deleted without a corresponding entry in the audit logs. (ID #48557086)

The following API endpoints will be deprecated in July 2024.

  • api/external/v1/settings/AddOrUpdateSamlSettings
  • api/external/v1/accounts/DisableJitAndAutoRedirect
  • api/external/v1/settings/GetSamlSettingsTemplate

December 08, 2023

Release 6.2.42 is now in General Availability.

December 07, 2023

Release 6.2.43 is currently in Preview.

Searching by entities does not return the full results (ID #47644037)

API endpoint /api/external/v1/logging/python not returning logs (ID #00258483)

Cases are loading too slowly (ID #00246621)

Predefined widgets not available after updating playbook block (ID #47667046)

November 30, 2023

Release 6.2.41 is now in General Availability.

November 29, 2023

Release 6.2.42 is currently in Preview.

Environments missing after toggling on All Environments in the Permission Group page (ID #00248779)

Hash values are displayed instead of analyst names when generating a report (ID #47508033)

The audit log shows the internal IPs instead of the external ones (ID #00170308, #00245571, #00262470)

Changing remote agents on an integration instance doesn't work

November 23, 2023

Release 6.2.40 is now in General Availability.

November 22, 2023

Release 6.2.41 is currently in Preview.

Jobs enhancement

The following features have been added:

  • Ability to sort the job execution table by time or status
  • Indication in the jobs queue for each failed job iteration

IDE's Live Autocomplete feature not working properly (ID #00250083)

November 16, 2023

Release 6.2.40 is currently in Preview.

Playbook actions carried out by automation are not labeled as such on the case wall (ID #47525692).

This bug fix is in Preview.

Case title is not picking up information if it's in square brackets (ID #00262914).

This bug fix is in Preview.

November 15, 2023

Release 6.2.39 is now in General Availability.

November 09, 2023

Release 6.2.39 - Preview

Dynamic mode instance support

When a playbook is built for more than one environment, you need to use dynamic mode which picks the relevant instance configuration from the target environment. When using dynamic mode within environments that contain multiple instances, the playbook needs to stop and wait for the analyst to pick the right instance by the context of the alert.

In this release, we have added a new option to the playbook designer, such that the analyst can specify an instance for the dynamic mode to use within the target environment by entering a name or a pattern in a new Specify Instance Name field.

For more information, see Specify instance in dynamic mode. This feature is in Preview.

Jobs enhancement

The Jobs page in the platform has been enhanced to provide more information at a glance for the security analyst. The following is a list of the added features:

  • Filter jobs according to success or failure.
  • Click View Details to open a side bar with full details.
  • Export the log details in raw text format.
  • View all job iterations with extra pagination support.

This feature is in Preview.

Update SiemplifyUtils to support Python 3 (ID #45825896).

This feature is in Preview.

Incorrect playbook is attached to alert when using trigger Product Name when alerts are grouped (ID #47362407).

This bug fix is in Preview.

Issues with remote agent connected to remote connector in a shared instance configuration.

This bug fix is in Preview.

SDK function result.add_html which generates HTML reports within a case ends up generating blank text (ID #47721779).

This bug fix is in Preview.

November 01, 2023

Release Notes 6.2.38

Beta - 5th November, 2023

GA - 12th November, 2023

Custom roles denied access to Advanced Reports (ID #47668375)

In certain cases, significantly large entity graphs failed to load (ID #00250400)

October 25, 2023

Release Notes 6.2.37

Beta - 29th October, 2023

GA - 5th November, 2023

A new Explore containing case-related fields has been added to the Advanced Reports module in the platform. This Explore allows you to find fields and build visualizations for your report. We recommend using this new Explore in new widgets.

Error when trying to log in again to Chronicle SOAR (ID #46831483)

Email HTML template shows blank page in Settings (ID #46912863)

Users filter in the Search page not displaying all the users (ID #00249930)

Active Directory Groups field removed from Settings Permission groups as it is not supported

October 24, 2023

Remote Agents 1.4.4

  • Added support for all SDK calls over remote agents
  • Improved managing integrations over the remote agent leading to a more overall stable product experience
  • Publisher Python version upgraded to Python 3.11

Remote Agents 1.4.4

  • Remote agent actions do not return script results in the same way local actions return them (ID #45682680)
  • Users unable to change the remote agent environment via agent CLI

October 03, 2023

Release 6.2.36

GA - 14th October, 2023

Internal security fixes

September 27, 2023

Release Notes 6.2.35

GA - 8th October

Risk Score and Severity added

Two new information fields have been added to the Alert Details widget which appears in the Alert overview tab. These are Risk score and Severity. These values will only be populated when using the Google Chronicle SIEM connector.

Export/Import for Advanced Reports (using Looker) now supported both in the platform and using new APIs.

This enables customers to create reports on their staging environment and then import the template without the data into their production environment.

In the platform, the import is at the top of the Reports queue while the export icon is inside the actual report itself. The report file is in YAML format.

New APIs are as follows:

  • /api/external/v1/looker/report/import
  • /api/external/v1/looker/export/{report_id}

Playbook name drop-down not showing any playbook names in various Playbook actions (ID #00248732)

Placeholders located inside other placeholders not always picked up correctly (ID #00244133)

Case title says unknown (ID #00249611)

GetCaseFullDetails and GetWallActivitiesV2 API endpoints failing to return results (ID #00243878)

September 12, 2023

Remote Agents 1.4.3.6

Remote agent now supports the same alert and event trimming logic as implemented in the server. New parameters in the database control the size of the alert as well as the size of the fields and events within them. Alerts that are bigger than this size will be automatically trimmed. If the alert is still too big, then the size of the fields and events will be trimmed. The resulting alert ingested into the case might therefore not contain all the original information.

Remote connector logs now display as required in the platform.

Remote agent no longer takes ownership of the entire /var/log directory when using the installer.

August 30, 2023

Release Notes 6.2.34

  • Alerts ingested using webhooks are missing details (ID #00249611)
  • Entity Graph widget either not appearing or appearing without information (ID #00246250, #46124390)
  • Entity Graph API call not working

August 16, 2023

Release Notes 6.2.33

New Case Mentions in Playbook Actions

You can now mention the case assignee directly from a Playbook action.

To mention the case assignee:

  1. Drag the Siemplify Case Comment action into a Playbook step.
  2. In the Comment field, write a message that you want the case assignee to see.
  3. Click on the placeholder, drill down to Case > case.mentioncaseassignee and double click it in order for it to appear in the Comment field with the message. Alternatively, write [case.mentioncaseassignee] in the Comment field.

After the Playbook runs, the notification is written to the case wall and depending on your notification settings, sent to the user.

July 26, 2023

Release Notes 6.2.32

Playbook not running with Playbook Simulator turned on in rare cases (ID #45093920)

Playbooks do not appear on the platform for some customers due to null category creation (ID #45985799, #00244424)

The timestamp displayed on the Cases>Alert>Playbooks tab drawer menu corresponds to the most recent modification time of the playbooks/blocks, rather than the actual execution time of the actions. Timestamp now displays actual execution time. (ID #00245107)

July 19, 2023

Release Notes 6.2.31

Added the ability to write comments on cases that have already been closed.

New API for Logs: Admin users can now retrieve raw Python logs directly from the platform using the following API: POST /api/external/v1/logging/python

Release Notes 6.2.31

Importing a custom integration on top of an existing commercial integration causes the connector to not work properly (ID #00243798)

Specific Integration showing incorrect update available (ID #00181718)

SDK call siemplify.current_alert.creation_time returns 0 (ID #00226591)

In rare situations, unable to access several cases via the Platform or via API (ID #00243878)

When changing the Case Stage under the Cases tab, the drop down list of stages does not follow the same numerical order as defined in the Settings (ID #44453181)

Entities that should be internal are created as external if ingested using the environment alias (ID #00225318)

In certain situations, alerts are ingested into the platform for environments that don't exist yet in the platform and as soon as the environments are created - the cases are opened and playbooks run. It is now possible to configure alerts to be dropped if the source environment doesn't exist. (ID #00180834)

July 12, 2023

Release Notes 6.2.30: Playbooks not always saved correctly within Platform (ID #00243484)