
What’s New in Google SecOps: 2026-06-21

  • June 23, 2026

matthewnichols
Community Manager

This week’s update is brought to you by Google Security Specialist Chris Martin.

 

What’s New in Google SecOps for the interval June 15 through June 21, 2026.

Correction: Data Tap is not GA; this was a documentation bug, and it is still pre-GA.

 

Highlights

 

🔥 There is now an official monthly Changelog for Google Cloud SecOps documentation 

🔥 You can now use Google Cloud Secret Manager to manage SOAR Credentials

🔥 New guidance on How To Batch Close Cases for SecOps SOAR with an out-of-the-box Tool

 

Product Updates & New Features

 

Google SecOps

 

🥳 Google named a Leader in IDC MarketScape SIEM 2026 Vendor Assessment from Google Cloud Blog

  • Google has been recognized as a Leader in the IDC MarketScape SIEM 2026 Vendor Assessment for its modern security information and event management (SIEM) systems, helping organizations defend against sophisticated threats. [Read More]

🚀 Release Notes from Google Cloud Docs

  • June 17, 2026: Chronicle now offers a configurable auto-collapse setting for the query editor, allowing users to maximize screen space for search results after running a query. [Read More]
    [Image: The new Query Editor in UDM Search]
  • June 16, 2026: Google SecOps has integrated Gemini Cloud Assist (GCA) directly into its Feed Management interface, providing AI-powered assistance for feed creation, setup, and troubleshooting through a new dedicated button. [Read More]
    [Image: Cloud Assist for troubleshooting Feed Management]

 

🔥 📑 New Docs: SecOps > Changelogs from Google Cloud Documentation

  • This Google SecOps changelog for May 2026 highlights extensive updates across documentation, features, integrations, APIs, and infrastructure. [Read More]
    [Image: Official SecOps documentation change logs]

 

📝 Updated Docs: Agentic SOC > Trial from Google Cloud Docs

  • The key change in this document is a reduction in the trial usage limits for customers with Enterprise Plus & Google Unified Security (GUS) subscriptions.
    - The “Total Hourly Limit” for Enterprise Plus & GUS customers has been decreased from 20 trial runs to 10 trial runs.
    - The “Limit Breakdown” for these customers has been adjusted from “Up to 10 automatic and 10 manual runs” to “Up to 5 automatic and 5 manual runs.”

⚠️ At the end of the Agentic Trial period the auto-investigation Settings will be disabled automatically.

📝 Updated Docs: Reports > Native Dashboards > RBAC for Case from Google Cloud Docs

  • RBAC for Cases & History: Case and case history data now support Role-Based Access Control (RBAC), automatically filtering visualization data based on a user’s assigned access scope.
  • Global-Only Restrictions: Playbooks and alerts remain visible only to global users.
  • Scope Limitation: RBAC filtering applies strictly to new cases containing scope data; it is not retroactive for historical cases.

📝 Updated Docs: Reports > Bigquery Export from Google Cloud Docs

  • New Best Practice Added: A new best practice titled “Filter on clustering columns” has been introduced. This section advises users to utilize clustering columns (metadata.log_type, metadata.event_type, and metadata.product_event_type) in their WHERE clauses to improve query latency and reduce scanning costs.

SecOps SIEM

 

📑 New Docs: Ingestion > Optimize Ingestion from Google Cloud Documentation

  • This document outlines how to optimize high-volume log ingestion into Google Security Operations (SecOps) using Data Processing Pipelines [Read More]

 

📝 Updated Docs: Ingestion > Log Ingestion And Parsing from Google Cloud Docs

  • The key change is the addition of new UDM (Unified Data Model) event size limits within the “Latency, service quota, and limits” section.
    - If a batch UDM event exceeds 8.2 MB, all UDM events in that batch will be dropped.
    - If a single UDM event exceeds 500 KB, that individual UDM event will be dropped.

SecOps SOAR

 

🚀 🔥 Use the new Secret Manager integration to automatically manage Response Integration credentials! from Google Cloud Security Community

  • Google SecOps has released a new Secret Manager integration designed to automate and simplify the management of credentials for Response Integrations, Connectors, and Jobs, addressing previous tedious manual processes. [Read More]
    [Image: You can now use Google Cloud Secret Manager for Google SecOps SOAR Connectors, Integrations, and Jobs]
  • Yuriy’s quote aptly sums this up: “As you know, managing credentials in Google SecOps can be quite tedious. To address this, we released a new integration called ‘Secret Manager’. The purpose of this integration is to allow you to automatically manage all of the credentials associated with Response Integrations, Connectors and Jobs from 1 place.”
  • Being able to use existing Google Cloud workflows for credential management with SecOps SOAR is a big improvement over having to build something custom on top of the Chronicle API.

 

🔥 Updated Docs: SOAR > How To Close Cases from Google Cloud Docs

  • For volumes higher than 50 cases, users are now directed to use the “Close Cases Based On Search” job in the Tools integration.
  • A new Important note has been added, advising users to utilize “Custom” timerange filters (fixed dates) when configuring the “Close Cases Based On Search” job to prevent accidental closure of newly ingested cases.

Being DOS’d by a large number of Cases in SecOps SOAR is a rite of passage. I am, however, glad there is now an out-of-the-box solution for this that no longer requires custom scripts.

 

Google Cloud & AI

 

All adjacent to Google SecOps, but several interesting AI updates.

 

✍️ Build and Deploy a Remote MCP Server to GKE in 30 Minutes from Google Cloud Blog

  • This article provides a guide to quickly build and deploy a remote Model Context Protocol (MCP) server to Google Kubernetes Engine (GKE) to address challenges in integrating context into LLMs for AI agent development. [Read More]

✍️ How A2A is Building a World of Collaborative Agents from Google Cloud Developer Blog

  • Celebrating its first anniversary, the Agent-to-Agent (A2A) protocol is highlighted for enabling autonomous AI agents to securely collaborate, hand off tasks, prevent context pollution, and ensure data privacy, simplifying application design through modularity. [Read More]

✍️ A2UI + MCP Apps: Combining the best of declarative and custom agentic UIs from Google Cloud Developer Blog

  • The article introduces three architectural patterns for integrating A2UI and MCP Apps, aiming to combine declarative and custom agentic UIs for more flexible, native-feeling, and embeddable application development. [Read More]

✍️ Announcing the Agentic Resource Discovery specification from Google Cloud Developer Blog

  • The article announces the Agentic Resource Discovery specification, an open standard designed to help AI agents find and verify tools and skills across the web. [Read More]

✍️ Enhance Security and Trust: New Session Metadata in Sign in with Google from Google Cloud Developer Blog

  • Google is enhancing “Sign in with Google” with new OIDC standard claims (auth_time and amr) to provide developers with deeper session metadata, enabling more dynamic, risk-based access controls and preventing account takeovers. [Read More]

 

Community & Events

 

✍️ Lock down your Azure feeds so a leaked credential can’t be used from anywhere from Google Cloud Security Community

✍️ Tuesday’s Tips — Week 1: UDM: One Schema to Hunt Them All from Google Cloud Security Community

  • David covers Google SecOps’ Unified Data Model (UDM), which normalizes diverse log sources into a single schema, simplifying security hunting and detection across different tools and platforms by eliminating the need to manage multiple data formats. [Read More]

✍️ Leveraging Agentic SecOps Migration Helper to Accelerate SIEM Migration from Google Cloud Security Community

  • Vesselin introduces an Agentic SecOps Migration Helper designed to accelerate and automate the challenging process of migrating SIEM systems, particularly focusing on the transfer of thousands of custom rules. [Read More]
  • This is a great read, and covers a lot of useful Google SecOps related tooling. Even if not migrating, this is worth a read just for visibility of the tools available.

    [Image: Using a range of Google SecOps tools for assisting with SecOps migration projects]

 

✍️ Connecting Google Security Operations and Cribl Search from Google Cloud Security Community

  • Sumit discusses connecting Google Security Operations (SecOps SOAR) with Cribl Search to overcome the challenges of fragmented and expensive security log data, making it more accessible. [Read More]

📢 Prompt Injection to Playbook: Detecting Compromised AI Agents in Google Cloud from Google Cloud Security Community

  • This webinar focuses on detecting compromised AI agents in Google Cloud, detailing how prompt injection attacks can lead to infrastructure compromise and data exfiltration, and proposing a 4-layer defense architecture. [Read More]

✍️ Accelerating SOAR: A Practitioner’s Guide to the Gemini Playbook Assistant in Google SecOps from Google Cloud Security Community

  • Bernie Weidel and Ivan Ninichuck introduce Google’s Gemini Playbook Assistant in Google SecOps, designed to accelerate and simplify the development of Security Orchestration, Automation, and Response (SOAR) playbooks, addressing the traditional complexities faced by SOCs. [Read More]

Google SecOps — automating stale account suspensions with Google SecOps and AzureAD — Version 4 from Google Cloud Security Community

  • Darren Swift introduces version 4 of the Google SecOps Inactive Accounts Connector, which automates stale account suspensions using Google SecOps and AzureAD, with optimizations for high-throughput environments. [Read More]

 

Wiz

 

✍️ The President’s Executive Actions on AI Have a Lot to Say on Cybersecurity from Wiz Blog

  • The article analyzes the President’s executive actions on AI, highlighting their extensive focus on cybersecurity, including enhancing cyber defense and accelerating risk remediation. [Read More]

✍️ The Red Agent POV: How it Reasoned its Way to SSRF from Wiz Blog

  • This article describes how a ‘Red Agent’ discovered a multi-step attack chain that exploited Server-Side Request Forgery (SSRF) to achieve local file read on GCP Cloud Run. [Read More]

✍️ Introducing the Red Agent POV Series from Wiz Blog

  • The article introduces the new ‘Red Agent POV Series,’ offering an internal perspective on how Wiz’s AI-powered attacker identifies complex and exploitable security risks. [Read More]

✍️ Wiz Exposure Management Dashboard: Your CTEM Command Center from Wiz Blog

  • Wiz has launched a new exposure management dashboard, aligning with CTEM principles to help organizations stay ahead of AI-driven vulnerability exploitation. [Read More]

 

Platform Issues

 

RESOLVED: Google SecOps customers may be experiencing higher detection latency, slower searches and dashboards in asia-southeast1 from Google Cloud Status

  • Google SecOps customers in asia-southeast1 are experiencing an incident causing higher detection latency, slower searches, and dashboard issues, which Google’s engineering team is actively investigating. [Read More]