What’s New in Google SecOps 2026-05-31

  • June 2, 2026

matthewnichols
Community Manager

Another great weekly update from Chris Martin, Google Security Specialist. Thank you Chris. Keep the insights coming! 

 

What’s New in Google SecOps for the interval May 25 through May 31, 2026.

 

Highlights

Another week, and lots of SecOps updates.

What’s New in Google SecOps, May 31st 2026

 

Product Updates & New Features

 

Google SecOps

🚀 Release Notes from Google Cloud Documentation

  • Google SecOps tenant administrators can now directly manage access to public preview features via a dedicated page, eliminating the need to go through official support channels. [Read More]

Manage access to preview features | Google Security Operations | Google Cloud Documentation

This guide is for SOC managers who want to manage access to features and for security engineers who want to view and… (docs.cloud.google.com)

  • The Chronicle API has been upgraded from v1 beta to v1, signaling its stability and readiness for production use, offering a more robust, secure, and extensible experience for new integrations. [Read More]

 

  • Google SecOps has introduced a new focused support policy for Standard parsers, aiming to enhance platform stability, predictable performance, and high-quality data normalization by structuring service level objectives based on customer support tiers. [Read More]

Standard parser support policy | Google Security Operations | Google Cloud Documentation

Google SecOps provides a wide range of prebuilt, out-of-the-box standard parsers to help you quickly ingest and… (docs.cloud.google.com)

 

Google SecOps Parser Support Policy

 

SecOps SIEM

📑 New Doc: Ingestion > Cloud Context Parsers > GCP SQL Context from Google Cloud Docs

  • This document describes how Google Cloud SQL context logs are collected and normalized into Google Security Operations’ Unified Data Model (UDM) [Read More]

📝 Updated Doc: Reference > Detection Engine Api from Google Cloud Docs

  • The document outlines a shift in how API responses represent detection data, primarily through the introduction of a new detection.variables field that uses structured FindingVariable objects to provide detailed, typed data.
  • Consequently, the previous detection.outcomes list has been officially deprecated and should be replaced by this new mapping in future implementations. Updated sample responses now reflect both structures to assist developers with the transition.

📝 ⚠️ Updated Doc: Reference > Chronicle Api Feeds from Google Cloud Docs

  • A mandatory 5-minute ingestion lag is applied to all log types ingested via the Microsoft fetcher (including Azure AD and Microsoft Graph Security API).
  • This lag is an architectural requirement due to late data availability within the Microsoft Graph API.
  • Consequently, status changes occurring within this 5-minute window may not be captured as intermediate events.
  • This inherent latency is a known behavior and may result in event count discrepancies when compared to other ingestion methods or platforms.

📝 ⚠️ Updated Doc: Reference > Feed Management Api from Google Cloud Docs

  • The key change in this document concerns the ingest schedule details for Google Workspace Activities from admin.googleapis.com.
  • Previously the ingest schedule was simply stated as “Every hour”. Now the schedule is more detailed, specifying “Native ingestion: real time”, and Feed based ingestion: 5-hour minimum for login and user_accounts events to prevent data loss.

📝 Updated Doc: Event Processing > Entity Graph from Google Cloud Documentation

  • The “ECG data processing pipeline” documentation has been restructured with improved navigation and a shift toward “best practices,” specifically detailing how merging enables enhanced connections and derived context. 
  • Key technical additions include precise merge-key requirements for File, URL, and Domain entities, alongside clarified logic for conflict resolution and deduplication across multiple context sources. 
  • The update also explains that when entity attributes change, previous values are retained to ensure search results remain accurate across different time intervals.

 

SecOps SOAR

🚀 New Feature: Support for SOAR Custom Fields in Native Dashboards! from Google Cloud Security Community

  • Google Security Operations has launched a new feature, supporting SOAR Custom Fields in native dashboards. This allows customers to track alerts and cases more effectively by capturing organization-specific incident response data. [Read More]

Create and manage calculated fields | Google Security Operations | Google Cloud Documentation

This feature is covered by Note: Pre-GA Offerings Terms of the Google Security Operations Service Specific Terms… (docs.cloud.google.com)

📝 Updated Doc: Respond > IDE > Building A Custom Integration from Google Cloud Documentation

  • This update introduces a recommended workflow using the Marketplace CLI (mp) and uv package manager to automate the packaging of complex, nested dependencies for custom integrations.
  • For users choosing manual uploads, the documentation now explicitly requires individual wheel files for the entire dependency tree to avoid errorCode: 2000 failures. 
  • Additionally, the guide includes a minor bug fix in the ArmisManager example code to ensure proper API token assignment.

📝 Updated Doc: Working With Remote Agents > Migrate Remote Agent To Google from Google Cloud Documentation

  • Introduction of Podman Support, with new instructions added for Podman users on how to securely store the service account key.
  • Dedicated sections are introduced for Podman on how to migrate environment variables for existing agents and how to migrate the service account into the Remote Agent.

 

Google Threat Intelligence

🚀 Release Notes from gtidocs.readme.io

  • This article announces several new features and updates, including advanced HTA and Office document analysis, macOS CDHash extraction, third-party integrations, and bulk IoC downloads, along with a reminder for the Google TI Mondays series. [Read More]

 

Google Cloud

✍️ Introducing Google AI Threat Defense to help you outpace the adversary from Google Cloud Blog

  • Google is introducing its AI Threat Defense system to help organizations combat the growing landscape of AI-powered cyber threats. [Read More]

This is a bundle positioning Wiz, Gemini, CodeMender, and Mandiant. The aim is to use AI to help prioritize which bugs to fix, and even fix them for you.

✍️ Developer’s guide to Gemini Enterprise and A2UI integration from Google Cloud Blog

  • This article provides a developer’s guide on integrating Gemini Enterprise with A2UI to build more effective AI applications, such as chatbots that better understand user context. [Read More]

✍️ AI in SRE: Where and how Google is deploying agentic AI to improve operations from Google Cloud Blog

  • Google is actively deploying agentic AI within its Site Reliability Engineering (SRE) practices to enhance the reliability and operational efficiency of its critical services. [Read More]

This is orthogonal to SecOps, but the concepts discussed here for SRE approaches to building Agents are very relevant and useful reading.

 

Adoption Guides & Deep Dives

✍️🔥 New To Google SecOps: Fade to Grey: Managing Table TTL and Row Expiration from Google Cloud Security Community

  • This article from John Stoner discusses managing table Time-to-Live (TTL) and row expiration within Google Security Operations (SecOps), building on previous discussions about data table capabilities for handling large datasets and rule integration. [Read More]

✍️ Risk Tiering AI Use Case — A Practical Guide from Google Cloud Security Community

  • The article is a practical guide on risk tiering AI use cases, focusing on comprehensive AI governance for enterprise-wide transformation, particularly with generative AI. [Read More]

 

3rd Party Blogs

✍️ 🔥 Advanced Filters in SecOps Native Dashboards from Chris Martin (@thatsiemguy)

  • The article details the functionality and advantages of advanced filters integrated into Security Operations (SecOps) native dashboards. [Read More]

✍️ MSPs Become The AI Operations Layer For SMBs from raffy.ch

  • The article discusses how Managed Service Providers (MSPs) are evolving to provide AI-native security operations as an “AI operations layer” for Small and Medium-sized Businesses (SMBs), moving beyond basic alert triage. [Read More]

✍️ Breaking the Patch Sound Barrier Part 2: So Is The Apocalypse Coming and What Is It? from Anton on Security

  • This article, part two of a series, delves into the challenges of software patching and explores the potential severe consequences or ‘apocalypse’ associated with these issues. [Read More]

 

Podcasts & YouTube

🎙️ EP279 Native Cloud Security: Is ‘Good Enough’ Actually Winning? from Cloud Security Podcast

  • This podcast episode debates whether native cloud security controls provided by cloud providers are sufficient or if third-party solutions are superior, revisiting the ‘Native vs. Third-Party’ discussion. [Read More]

▶️ Introducing Google AI Threat Defense from YouTube

  • Google is introducing a new initiative focused on leveraging AI for threat defense. [Read More]

▶️ 🔥 Introduction to Data RBAC in Google SecOps from YouTube

  • The content provides an introduction to Data Role-Based Access Control (RBAC) within the Google SecOps platform. [Read More]

▶️ CodeMender Identifies and Proposes Effective Code Fixes to Secure Your Applications from YouTube

  • CodeMender is a tool designed to identify and propose effective code fixes, aimed at securing applications. [Read More]

 

Wiz

✍️ Evidence at the Moment of Attack. Answers at AI Speed from Wiz Blog

  • Wiz Sensor Forensics is now generally available, automatically capturing forensic artifacts at the moment of detection and leveraging AI to accelerate investigations for security teams. [Read More]

✍️ Defending at Machine-Speed: Building AI Threat Readiness from Wiz Blog

  • Wiz is assisting organizations in adopting an AI Operating Model to achieve machine-speed AI threat readiness and improve defense capabilities. [Read More]

The AI Threat Defense pitch from the Wiz perspective

✍️ State of SDLC Security 2026: How Risk Scales in Modern Development from Wiz Blog

  • The article provides insights into the evolving landscape of SDLC security, analyzing how modern development practices, tools, automation, and AI are influencing application security risks. [Read More]