This week's update is brought to you by Chris Martin, Google Security Specialist.
What’s New in Google SecOps for the interval June 22 through June 28
https://youtu.be/Uu-1HwqMRZ4
Highlights
- 🔥 The redesigned SecOps use cases page and its freshly modernized per-use-case sub-pages
Product Updates & New Features
🚀 Release Notes from Google Cloud Documentation
- 🔥 Announcement: Google has announced improved navigation for its documentation portal, reorganizing sections to be more user-centric and aligned with security operations workflows.
Google SecOps use cases | Google Security Operations | Google Cloud Documentation
- Feature: Google SecOps has added an “Ask Gemini Cloud Assist” button to the Feed Management interface. It provides guidance and troubleshooting help for creating, configuring, and managing data feeds and log sources. The assistant only offers advice and recommendations; it cannot make configuration changes for you, so every change must be applied manually.

Using Google Cloud Assist to troubleshoot Feed Management
Note: the principal you are logged in with needs Google Cloud access for this to work.
Data feeds overview | Google Security Operations | Google Cloud Documentation
- Change: Google Security Operations corrected a bug that caused ingestion metrics to be under-reported in both the dashboard and Cloud Monitoring. You may see a one-time spike in your reported ingestion metrics between June 29 and July 10, 2026, as the update rolls out to your region. The actual volume of logs you are ingesting does not change; the spike is only a correction to the reporting data, so expect any ingestion-volume threshold alerts you have built on these metrics to trip once during the rollout.
- Breaking: If you currently pass a custom field named siemAlertId, rename it before July 5, 2026 to avoid data loss. From that date siemAlertId is strictly reserved for internal Chronicle SIEM alert IDs, and any user-supplied value in that field is automatically overwritten on every ingestion path (API, webhooks, and connectors).
Google SecOps
📑 New Doc: Reference > Service Limits from Google Cloud Documentation
Introduction of Comprehensive Limit Sections: A large new section has been added detailing limits for:
Alert, Case, and Entity Limits:
- Alerts per case: Maximum increased from 20 to 90.
- Event field size: New limit of 25,000 characters.
- Events in alert: New limit of 500 events (events exceeding this are removed).
- Entities in alert or case: New limit of 500 entities.
- Relations in alert or case: New limit of 500 relations, clarifying that 500 entities and 500 relations can coexist.
- Timeframe for grouping alerts: Maximum extended from 2 hours to 24 hours.
- Timeframe for overflow case grouping: Maximum extended from 2 hours to 24 hours.
- Alert grouping into overflow case: Maximum increased from 50 to 100.
Playbook Limits:
- Playbook import size: New limit of 10 MB.
- Playbooks per alert: New limit of 10 total (1 automatic, 9 manual).
- Parallel actions: New limit of 5 actions per step.
- Playbook sync actions run time: Maximum increased from 10 minutes to 20 minutes.
- Playbook async actions runtime: Async polling interval maximum increased from 1 hour to 24 hours.
- Playbook JSON result: New limit of 28 million characters (26.7 MB).
Case and User Management Limits:
- New limits introduced for case entity properties (100 per entity), file size uploaded on the case wall (50 MB), roles in the platform (20 roles), and case stages (20 stages).
Automation Feature System Limits:
- Data retention: Maximum significantly increased from 12 months to 60 months.
- API rate: New limit of 4,000 requests per minute.
- Size of libraries added to IDE integration: New limit of 500 MB.
- Manual Python execution timeout: New limit of 5 minutes.
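Two of the items above are things you can check before a payload leaves your side: the siemAlertId rename from the breaking change in the release notes, and the new per-alert limits (500 events, with the excess silently removed; 500 entities; 500 relations; 25,000 characters per event field). The following pre-flight script is an added example written for this newsletter, not Google code or any SecOps SDK. It assumes a simplified alert shape (a dict with "events", "entities" and "relations" lists); real ingestion payloads differ per connector, so adapt the accessors. The replacement field name "customAlertId" is also an assumption: use whatever your parser or playbooks expect.

```python
"""Pre-flight checks for alert payloads before they are sent to Google SecOps.

Added example for this newsletter, not Google code. Assumes a simplified
alert shape (dict with "events", "entities" and "relations" lists); the
replacement field name "customAlertId" is an assumption.
"""
from typing import Any

RESERVED_ALERT_ID_FIELD = "siemAlertId"  # reserved for internal SIEM alert IDs from July 5, 2026
MAX_EVENTS_PER_ALERT = 500               # events beyond this are removed by the platform
MAX_ENTITIES_PER_ALERT = 500
MAX_RELATIONS_PER_ALERT = 500
MAX_EVENT_FIELD_CHARS = 25_000


def rename_reserved_field(obj: Any, new_name: str = "customAlertId") -> tuple[Any, int]:
    """Return a copy of obj with every siemAlertId key renamed, plus the count.

    Walks nested dicts and lists, so a siemAlertId inside an event or entity
    is caught as well as one at the top level. Refuses to silently clobber an
    existing new_name key, which would itself be data loss.
    """
    if isinstance(obj, dict):
        if RESERVED_ALERT_ID_FIELD in obj and new_name in obj:
            raise ValueError(f"both {RESERVED_ALERT_ID_FIELD!r} and {new_name!r} present; pick another name")
        out: dict = {}
        renamed = 0
        for key, value in obj.items():
            new_value, n = rename_reserved_field(value, new_name)
            renamed += n
            if key == RESERVED_ALERT_ID_FIELD:
                key = new_name
                renamed += 1
            out[key] = new_value
        return out, renamed
    if isinstance(obj, list):
        converted = [rename_reserved_field(item, new_name) for item in obj]
        return [value for value, _ in converted], sum(n for _, n in converted)
    return obj, 0


def check_alert_limits(alert: dict) -> list[str]:
    """Return one finding per limit the alert would exceed (empty list means clean)."""
    findings: list[str] = []
    events = alert.get("events", [])
    if len(events) > MAX_EVENTS_PER_ALERT:
        excess = len(events) - MAX_EVENTS_PER_ALERT
        findings.append(f"events: {len(events)} > {MAX_EVENTS_PER_ALERT}; {excess} event(s) would be dropped")
    for name, cap in (("entities", MAX_ENTITIES_PER_ALERT), ("relations", MAX_RELATIONS_PER_ALERT)):
        count = len(alert.get(name, []))
        if count > cap:
            findings.append(f"{name}: {count} > {cap}")
    for i, event in enumerate(events):
        for field, value in event.items():
            if isinstance(value, str) and len(value) > MAX_EVENT_FIELD_CHARS:
                findings.append(f"event[{i}].{field}: {len(value)} chars > {MAX_EVENT_FIELD_CHARS}")
    return findings


def preflight(alert: dict, new_name: str = "customAlertId") -> tuple[dict, int, list[str]]:
    """Rename the reserved field and report limit violations in one pass."""
    fixed, renamed = rename_reserved_field(alert, new_name)
    return fixed, renamed, check_alert_limits(fixed)


if __name__ == "__main__":
    # Constructed sample alert: one reserved field at top level, one nested,
    # and an oversized event field.
    sample = {
        "siemAlertId": "vendor-123",
        "events": [{"siemAlertId": "vendor-123", "raw": "x" * 26_000}],
        "entities": [{"type": "HOSTNAME", "id": "host-1"}],
        "relations": [],
    }
    fixed_alert, renamed_count, problems = preflight(sample)
    print(f"renamed {renamed_count} field(s); findings: {problems}")
```

The script only reports which events would be dropped rather than trimming them itself, because the page does not say which 500 events the platform keeps; decide that ordering in your own code before sending.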
SecOps SIEM
📝 Updated Doc: Reference > Feed Management API from Google Cloud Documentation
The key changes in this document are primarily related to AWS integration, focusing on Security Token Service (STS) configuration for “opt-in” regions and the re-inclusion/repositioning of configuration details for Amazon SQS feeds.
- New AWS STS Endpoint Configuration Guidance for Opt-in Regions (Amazon S3 and Amazon SQS v2):
- Added: A new section on “AWS STS endpoint configuration for opt-in regions” has been introduced in both the Amazon S3 and Amazon SQS v2 feed documentation.
- Purpose: This guidance matters for users who employ AWS IAM Roles for federated authentication when their S3 buckets or SQS queues (for SQS v2) are located in AWS “opt-in” regions (e.g., eu-central-2, il-central-1, ap-southeast-3).
- Requirement: Users must configure their AWS account settings so that session tokens from the global STS endpoint (sts.amazonaws.com) are valid in all AWS regions, because tokens from the global endpoint are not valid in opt-in regions by default. In AWS terms this is the account-level IAM setting for the STS global endpoint token version, which must be set to the v2 token format.
- Consequence of not configuring: The feed fails with PERMISSION_DENIED errors caused by an invalid security token.
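A quick way to find out before a feed breaks is to compare where your buckets and queues live against the account's opt-in regions and its current STS token version. The script below is an added example written for this newsletter, not part of Google's feed documentation or Google code. It uses two AWS API responses, the Account API's list_regions (opt-in regions are the ones whose RegionOptStatus is anything other than ENABLED_BY_DEFAULT) and IAM's get_account_summary (GlobalEndpointTokenVersion is 1 or 2), through helpers that also accept the raw response dicts, so the decision logic runs offline on constructed responses. The feed list shape, a list of (name, region) tuples, is an assumption.

```python
"""Check whether AWS feeds in opt-in regions will hit the global-STS-token problem.

Added example, not from Google's feed documentation or Google code. The
helpers take raw AWS response dicts so they run offline; audit() does the
live calls. The (feed name, region) list shape is an assumption.
"""
from typing import Iterable, Optional

V2_TOKEN_VERSION = 2
DEFAULT_STATUS = "ENABLED_BY_DEFAULT"   # every other RegionOptStatus value is an opt-in region
REMEDIATION = "aws iam set-security-token-service-preferences --global-endpoint-token-version v2Token"


def opt_in_regions(list_regions_response: dict) -> set[str]:
    """Opt-in region names from an account.list_regions() response (pages merged by the caller)."""
    return {
        r["RegionName"]
        for r in list_regions_response.get("Regions", [])
        if r.get("RegionOptStatus") != DEFAULT_STATUS
    }


def global_token_version(account_summary: dict) -> Optional[int]:
    """GlobalEndpointTokenVersion (1 or 2) from iam.get_account_summary(); None if absent."""
    return account_summary.get("SummaryMap", {}).get("GlobalEndpointTokenVersion")


def feeds_at_risk(feeds: Iterable[tuple[str, str]], opt_in: set[str], token_version: Optional[int]) -> list[str]:
    """Feed names whose S3 bucket / SQS queue sits in an opt-in region while the
    account still issues v1 tokens from sts.amazonaws.com. These are the feeds
    that fail with PERMISSION_DENIED / invalid security token. An unknown
    version (None) is treated as v1, the AWS default."""
    if token_version == V2_TOKEN_VERSION:
        return []
    return [name for name, region in feeds if region in opt_in]


def audit(feeds: list[tuple[str, str]], apply_fix: bool = False) -> dict:
    """Live check. boto3 is imported here so the helpers above import offline.
    Needs account:ListRegions, iam:GetAccountSummary and, for apply_fix,
    iam:SetSecurityTokenServicePreferences."""
    import boto3

    account = boto3.client("account")
    regions: list[dict] = []
    kwargs: dict = {}
    while True:                              # list_regions is paginated via NextToken
        page = account.list_regions(**kwargs)
        regions.extend(page["Regions"])
        if not page.get("NextToken"):
            break
        kwargs["NextToken"] = page["NextToken"]
    iam = boto3.client("iam")
    version = global_token_version(iam.get_account_summary())
    at_risk = feeds_at_risk(feeds, opt_in_regions({"Regions": regions}), version)
    if at_risk and apply_fix:
        iam.set_security_token_service_preferences(GlobalEndpointTokenVersion="v2Token")
        return {"token_version_before": version, "fixed": at_risk}
    return {"token_version": version, "at_risk": at_risk, "remediation": REMEDIATION if at_risk else None}


if __name__ == "__main__":
    # Offline walk-through with constructed responses shaped like the real API output.
    sample_regions = {"Regions": [
        {"RegionName": "us-east-1", "RegionOptStatus": "ENABLED_BY_DEFAULT"},
        {"RegionName": "eu-central-2", "RegionOptStatus": "ENABLED"},
        {"RegionName": "il-central-1", "RegionOptStatus": "ENABLING"},
    ]}
    sample_summary = {"SummaryMap": {"GlobalEndpointTokenVersion": 1}}
    sample_feeds = [("s3-cloudtrail-virginia", "us-east-1"), ("sqs-v2-zurich", "eu-central-2")]
    print(feeds_at_risk(sample_feeds, opt_in_regions(sample_regions), global_token_version(sample_summary)))
    # -> ['sqs-v2-zurich']; run REMEDIATION (or audit(sample_feeds, apply_fix=True)) to fix
```

Switching the account to v2 tokens is safe for feeds in default regions as well: v2 tokens are accepted everywhere, they are just longer, so the change only needs to be made once per account rather than per feed.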
📝 Updated Doc: Reports: Dashboards Overview from Google Cloud Documentation
The key changes in the document are:
- Introduction of a Troubleshooting Section: A new reference to a “Troubleshooting” section has been added, emphasizing its importance for ensuring optimal dashboard performance.
- Detailed Troubleshooting Guidance: A comprehensive “Troubleshooting” section has been added to the end of the document. This new section:
- Outlines performance expectations and self-service fixes for common dashboard and search issues.
- Specifically addresses how to optimize dashboard performance when dealing with large datasets.
- Highlights a 10,000-row visualization limit in the Google SecOps UI, explaining that exceeding this can cause browser unresponsiveness.
- Provides explicit recommendations for visualizing high-volume log data:
- Always apply “Top N” filters.
- Reduce search time ranges (e.g., to 15-minute or 1-hour increments).
- Utilize “Export to CSV or BigQuery” for accessing more than 10,000 rows.
Google Threat Intelligence
🚀 New Feature Release! Generating Threat Profile Recommendations from Splunk Events from Google Cloud Security Community
- Google Threat Intelligence has released a new feature allowing users to generate threat profile recommendations directly from Splunk events, automatically synchronizing observed threats into GTI Threat Profiles.
🚀 Don’t just manage vulnerabilities — anticipate them with new target technology watchlist capabilities in Google Threat Intelligence from Google Cloud Security Community
- Google Threat Intelligence is introducing new target technology watchlist capabilities to help customers anticipate vulnerabilities and stay ahead of AI-enhanced attacks, moving beyond traditional ‘find and fix’ methods.
✍️ STOCKSTAY Another Day: The Latest Addition to Turla’s Intelligence Gathering Apparatus from Google Cloud Blog
- Google Threat Intelligence Group has analyzed STOCKSTAY, a continually developed .NET backdoor used by the Russia-linked threat actor Turla for intelligence gathering.
✍️ Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager from Google Cloud Blog
- Mandiant identified a threat actor exploiting a zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager in early 2026, targeting SD-WAN infrastructure at a service provider.
BindPlane
⚙️ OTEL v1.102.0 from GitHub
- This changelog announces v1.102.0 of the bindplane-otel-collector, introducing new features such as an embed_library build tag for telemetrygeneratorreceiver blitz embed integration.
Google Cloud & AI
Nothing SecOps-specific here, but more Google AI updates and an interesting new Cloud Monitoring feature that uses SQL for alerting.
✍️ Securing agentic AI with perimeter guardrails: What’s new in VPC Service Controls from Google Cloud Blog
- The article discusses the importance of robust architectural guardrails, specifically VPC Service Controls, for securing agentic AI as enterprises scale autonomous AI agents into production, ensuring data protection and safe innovation.
✍️ From query to action: Introducing SQL alerting in Cloud Monitoring Observability Analytics from Google Cloud Blog
- Google Cloud Monitoring is introducing SQL alerting, which allows more precise and flexible alerts on complex data patterns, overcoming the limitations of traditional alerting systems.
✍️ Log Analytics is now Observability Analytics: Query logs and traces with SQL from Google Cloud Blog
- Google Cloud has rebranded Log Analytics to Observability Analytics and announced new capabilities, including the ability for developers and SREs to query logs and traces with SQL to better understand system behavior.
✍️ Boost BigQuery with Python: Managed Python UDFs now generally available from Google Cloud Blog
- Google BigQuery has announced the general availability of managed Python User-Defined Functions, enabling users to perform complex computations, scientific analysis, and machine learning workflows directly within BigQuery, addressing SQL’s limitations.
✍️ The Starter Tier for Google AI Studio explained from Google Cloud Documentation
- The article explains the Starter Tier for Google AI Studio, detailing how it enables developers to deploy and share their AI prototypes with a live URL.
✍️ Build Cross-Language Multi-Agent Team with Google’s Agent Development Kit and A2A from Google Developers Blog
- The article demonstrates how to build cross-language multi-agent teams using Google’s Agent Development Kit and the Agent2Agent protocol, enabling agents written in Python and Go to collaborate on tasks such as contract compliance.
Community & Events
✍️ Multi-tenancy on a single Google SecOps — Part 1: The Isolation Challenge from Google Cloud Security Community
- This is the first part of a four-part series outlining how to implement and manage multi-tenancy on a single Google SecOps instance, focusing on the foundational mental model and naming conventions.
✍️ Guide on Migrating SecOps SOAR Remote Agents from Google Cloud Security Community
- This guide details the migration process for Google SecOps SOAR remote agents as part of Google’s “OnePlatform” initiative, moving workloads into customer-owned Google Cloud projects to streamline identity and access management.
✍️ Data RBAC Scoping: Problem, Findings & Fix from Google Cloud Security Community
- The article details a challenging experience configuring data RBAC in Google Chronicle SIEM using Azure AD groups for specific data scopes, where initial attempts failed, and the author shares their findings and a fix.
✍️ Tuesday’s Tip of the Week — Feeds, BindPlane, and Cloud Connectors: How Data Enters SecOps from Google Cloud Security Community
- This blog post provides a comprehensive guide on the various ingestion methods — including feeds, BindPlane, and Cloud Connectors — used to bring security data into Google SecOps.
Wiz
✍️ MCP Auto-Execution: From Git Clone to Cloud Compromise in Amazon Q VS Code Extension from Wiz Blog
- A critical vulnerability in the Amazon Q VS Code extension allowed attackers to execute code and compromise cloud environments by exploiting the automatic loading of malicious MCP servers from workspace files.
✍️ Uncovering Hidden Attack Paths in Cloud Environments Using Runtime Signals from Wiz Blog
- Wiz has integrated runtime signals into its Security Graph to uncover hidden attack paths in cloud environments, providing security teams with a more comprehensive view of risk.
✍️ How AI Is Rewriting the SecOps Playbook from Wiz Blog
- The article explains how AI is transforming Security Operations (SecOps) to counter rapidly evolving cyber threats, emphasizing the need for speed and automation in defense.
✍️ AI Threat Readiness Pillar 4: Detect and contain threats in real-time from Wiz Blog
- This article is a guide on operationalizing AI-powered threat detection and response in real-time to defend against AI-driven attackers.
Platform Issues
✅ RESOLVED: Some customers in asia-southeast1 region may be experiencing delay in ingesting specific 3rd party data sources from Google Security Products Status
- Google investigated an incident in the asia-southeast1 region that delayed ingestion of specific third-party data sources into Google SecOps for some customers.
✅ RESOLVED: Some Google SecOps SIEM customers in the asia-southeast1 region may experience intermittent elevated latency and timeout errors in Search queries from Google Security Products Status
- Google SecOps SIEM customers in the asia-southeast1 region saw intermittent elevated latency and timeout errors in Search queries while the engineering team investigated.
✅ RESOLVED: Google SecOps customers may experience higher latency and failures with dashboard and search queries for some data sources in asia-southeast1 region from Google Security Products Status
- Google SecOps customers in the asia-southeast1 region saw higher latency and failures with dashboard and search queries for some data sources.
✅ RESOLVED: Google SecOps SIEM (Chronicle) customers in the asia-southeast1 region may experience search latencies, slower dashboard performance, and elevated error rates from Google Security Products Status
- Google SecOps SIEM (Chronicle) customers in the asia-southeast1 region saw search latencies, slower dashboard performance, and elevated error rates while the incident was investigated.
✅ RESOLVED: Google SecOps SIEM (Chronicle) Europe multi-region customers are experiencing intermittent elevated latency and timeout errors in Search and Dashboard from Google Security Products Status
- Google SecOps SIEM (Chronicle) Europe multi-region customers saw intermittent elevated latency and timeout errors in Search and Dashboard.
✅ RESOLVED: Google SecOps SIEM (Chronicle) US multi-region customers are experiencing intermittent elevated latency and timeout errors in Search from Google Security Products Status
- Google SecOps SIEM (Chronicle) US multi-region customers saw intermittent elevated latency and timeout errors in Search; the incident began on 2026-06-23 05:00 US/Pacific.
✅ RESOLVED: Some Google SecOps customers in Europe Multi-region may experience delays with data ingestion from Google Security Products Status
- Google SecOps customers in the Europe multi-region experienced data ingestion delays while Google’s engineering team investigated.
✅ RESOLVED: Google SecOps customers may have experienced issues creating new feeds from Google Security Products Status
- Google SecOps customers could not reliably create new cloud storage bucket feeds between 09:30 and 11:34 PDT on June 22, 2026, due to request throttling; the incident has since been resolved.