
The Google Security Operations Feature Roundup: Advancing AI, Analytics, and Data Infrastructure

  • February 3, 2026

lkirkman
Staff

Google Security Operations (SecOps) continues to push the boundaries of innovation, focusing on deep integration and intelligent automation. Our recently released features are designed to reduce noise, accelerate investigations, and ensure your security operations remain resilient and scalable.

 

Agentic SOC

 

Emerging Threat Center: (Public Preview)

  • The Emerging Threat Center in SecOps helps customers immediately determine whether their environment is affected by new critical intelligence published by Google Threat Intelligence (GTI), answering “Are we impacted?” and “Are we prepared?” and turning the starting point of threat-hunting workflows into a proactive, curated journey. As new campaigns are published, Gemini processes the reports, determines your existing detection coverage, and suggests new rules to add to Curated Detections. Learn more | Blog
Image: The Emerging Threat Center

OneMCP: (Public Preview)

  • SecOps OneMCP standardizes how AI agents (like Gemini CLI and Orcas) interact with SecOps SIEM and SOAR data using the Model Context Protocol (MCP). It allows agents to perform actions like listing cases, retrieving UDM events, and managing detection rules through a unified interface. Learn more

Gemini Alert Triage and Investigation Agent: (Public Preview)

  • This purpose-built AI agent, natively embedded in Google Security Operations, acts as a force multiplier for analysts. The Alert Triage and Investigation agent helps security practitioners identify threats quickly and effectively by performing initial triage and a deep first-party investigation, saving valuable time and recommending responses and next steps. Learn more

Image: Sample investigation performed by the Triage Agent 

Image: Sample Search

 

SecOps Labs: (GA for Enterprise and Enterprise+ Customers)

  • This dedicated sandbox lets customers configure and run Google SecOps Gemini and other intelligence experiments without disrupting their existing production systems, while still benefiting from the experiments' output. Learn more


 

Intel-Led Proactive Security Outcomes

 

Visibility is the foundation of effective defense. We've introduced new ways to visualize your coverage and refine your detection logic.

 

MITRE ATT&CK Visualization: (GA)

  • View a snapshot of your YARA-L detection coverage mapped directly against MITRE tactics and techniques. Learn more
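The visualization can only map a rule that carries its ATT&CK tactic and technique in its meta section, so the first check worth running on your own rule set is which rules are untagged and which tactics have nothing mapped to them. The script below is an added example, not Google SecOps code or the product's own mapping logic: it parses YARA-L rule text, reads the tactic and technique out of each rule's meta section, and builds a tactic-by-technique coverage map plus a list of untagged rules and uncovered tactics. The meta field names mitre_attack_tactic, mitre_attack_technique and mitre_attack_url follow the convention used in Google's public community rules and are an assumption here; the three sample rules are constructed for the demo.

```python
"""Build an ATT&CK coverage map from YARA-L rule text.

Added example, not Google SecOps code. Assumption: each rule declares its
mapping in meta: using the field names seen in Google's public community
rules (mitre_attack_tactic / mitre_attack_technique / mitre_attack_url).
"""
import re
from collections import defaultdict

# Constructed sample rules for the demo; not real SecOps content.
SAMPLE_RULES = r'''
rule powershell_encoded_command {
  meta:
    author = "example"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "Command and Scripting Interpreter: PowerShell"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1059/001/"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?\s`)
  condition:
    $e
}

rule new_scheduled_task {
  meta:
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "Scheduled Task/Job: Scheduled Task"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1053/005/"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path = /schtasks\.exe$/ nocase
  condition:
    $e
}

rule untagged_rule {
  meta:
    author = "example"
  events:
    $e.metadata.event_type = "USER_LOGIN"
  condition:
    $e
}
'''

# A subset of ATT&CK Enterprise tactics used for the gap check.
TACTICS = ["Initial Access", "Execution", "Persistence", "Privilege Escalation",
           "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
           "Collection", "Command and Control", "Exfiltration", "Impact"]

RULE_RE = re.compile(r"rule\s+(\w+)\s*\{(.*?)\n\}", re.S)
META_RE = re.compile(r"meta:(.*?)\n\s*(?:events|match|outcome|condition):", re.S)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)
TECH_ID_RE = re.compile(r"\bT\d{4}(?:[./]\d{3})?\b")   # T1059, T1059.001 or T1059/001


def parse_rules(text):
    """Return {rule_name: {meta_key: value}} for every rule in the text."""
    rules = {}
    for name, body in RULE_RE.findall(text):
        m = META_RE.search(body)
        rules[name] = dict(KV_RE.findall(m.group(1))) if m else {}
    return rules


def technique_id(meta):
    """Find a technique ID in any meta value (the ATT&CK URL is the most reliable source)."""
    for value in meta.values():
        m = TECH_ID_RE.search(value)
        if m:
            return m.group(0).replace("/", ".")
    return None


def coverage(text):
    """Map tactic -> technique ID -> sorted rule names; untagged rules are returned separately."""
    matrix = defaultdict(lambda: defaultdict(list))
    untagged = []
    for name, meta in parse_rules(text).items():
        tactic = meta.get("mitre_attack_tactic")
        tech = technique_id(meta)
        if not tactic or not tech:
            untagged.append(name)
            continue
        matrix[tactic][tech].append(name)
    return ({t: {k: sorted(v) for k, v in techs.items()} for t, techs in matrix.items()},
            sorted(untagged))


def uncovered_tactics(matrix):
    """Tactics with no rule mapped to them at all."""
    return [t for t in TACTICS if t not in matrix]


if __name__ == "__main__":
    matrix, untagged = coverage(SAMPLE_RULES)
    for tactic in TACTICS:
        for tech, rules in sorted(matrix.get(tactic, {}).items()):
            print(f"{tactic:<22} {tech:<10} {', '.join(rules)}")
    print("untagged rules:", untagged)
    print("uncovered tactics:", uncovered_tactics(matrix))
```

Run it against an export of your own rules and treat the untagged list as a backlog: a rule with no tactic and technique in its meta is invisible to any coverage view, however good its detection logic is.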

 

Suppression Window Updates: (GA)

  • Manage alert fatigue with reliable deduplication tools that control how often a rule fires during specific windows. Learn more
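To make the window semantics concrete, here is an added example (not Google SecOps code, and not the product's own configuration) implementing a fixed suppression window in Python: the first detection for a given rule and key fires, later detections for the same pair inside the window are folded into it, and the first detection after the window expires fires again and opens a new window. The detections, the one-hour window and keying on hostname are constructed assumptions.

```python
"""Fixed suppression window for alert deduplication.

Added example, not Google SecOps code. Assumptions: a detection is identified
by (rule, key) where key is the entity the rule matched on (hostname here);
the window is anchored at the first fired alert, not sliding per detection.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    ts: int       # epoch seconds
    rule: str     # rule name
    key: str      # deduplication key, e.g. principal hostname


# Constructed detections for the demo (not real telemetry).
SAMPLE = [
    Detection(0,    "brute_force_login", "host-a"),
    Detection(600,  "brute_force_login", "host-a"),   # inside the window
    Detection(3000, "brute_force_login", "host-a"),   # still inside
    Detection(3700, "brute_force_login", "host-a"),   # window expired
    Detection(100,  "brute_force_login", "host-b"),   # different key
    Detection(200,  "new_admin_user",    "host-a"),   # different rule
]


def apply_suppression(detections, window_seconds):
    """Split detections into (fired, suppressed).

    The first detection for a (rule, key) fires and opens a window of
    window_seconds; later detections for the same pair inside that window are
    suppressed; the first one after it fires and opens a new window.
    Detections are processed in timestamp order so out-of-order input is safe.
    """
    window_start = {}
    fired, suppressed = [], []
    for d in sorted(detections, key=lambda d: d.ts):
        pair = (d.rule, d.key)
        start = window_start.get(pair)
        if start is not None and d.ts - start < window_seconds:
            suppressed.append(d)
        else:
            window_start[pair] = d.ts
            fired.append(d)
    return fired, suppressed


def suppressed_counts(suppressed):
    """How many detections each fired alert absorbed, per (rule, key)."""
    return dict(Counter((d.rule, d.key) for d in suppressed))


if __name__ == "__main__":
    fired, suppressed = apply_suppression(SAMPLE, window_seconds=3600)
    for d in fired:
        print(f"FIRE t={d.ts:<5} {d.rule} {d.key}")
    print("suppressed:", suppressed_counts(suppressed))
```

The choice of key is the part that deserves thought: keying on the rule alone would have hidden the host-b activity behind the host-a alert, while keying on too many fields (rule, host, user, source IP) makes the window almost never apply. Keeping the suppressed count alongside the fired alert preserves the signal that a host was hit repeatedly without paging on every event.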




 

Data Management and Enterprise Readiness

 

Efficient data management is the backbone of a high-performing SOC. Our latest updates focus on simplifying how you ingest, process, and monitor security telemetry.

 

Auto Extraction (GA)

  • This feature empowers users to instantly use structured log data (JSON and XML) in UDM search, detection rules, and native dashboards without waiting for a prebuilt parser. Since its initial preview, Auto Extraction has been used in over 1,300 SecOps tenants to accelerate data onboarding and detection engineering. Learn more
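To show what "using structured log data without a parser" looks like in practice, here is an added example (not the product's implementation) that flattens JSON and XML log bodies into dotted field names and searches across them, while leaving unstructured text alone since that still needs a parser. The key naming scheme (dots for nesting, [n] for repeated XML siblings, @name for attributes) and the three sample logs are constructed assumptions; the field names Google SecOps itself produces differ.

```python
"""Flatten JSON/XML log bodies into searchable dotted fields.

Added example, not the product's implementation. Assumptions: key naming
(dots for nesting, [n] for repeated XML siblings, @attr for attributes) and
the sample logs are constructed; Google SecOps' own field names differ.
"""
import json
import xml.etree.ElementTree as ET

# Constructed sample logs (not real telemetry).
SAMPLE_LOGS = [
    '{"event": {"action": "login", "outcome": "failure"}, "user": {"name": "alice"}, '
    '"src": {"ip": "203.0.113.7"}, "tags": ["mfa", "vpn"]}',
    '<Event><System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
    '<EventID>4624</EventID></System><EventData>'
    '<Data Name="TargetUserName">alice</Data><Data Name="LogonType">10</Data>'
    '</EventData></Event>',
    "Jan 12 10:00:00 host-a sshd[1234]: Accepted publickey for alice from 203.0.113.7",
]


def flatten_json(obj, prefix=""):
    """Recursively turn nested dicts/lists into {"a.b.0": value}."""
    out = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(flatten_json(v, f"{prefix}{k}."))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            out.update(flatten_json(v, f"{prefix}{i}."))
    else:
        out[prefix.rstrip(".")] = obj
    return out


def flatten_xml(elem, path=None):
    """Turn an element tree into {"Event.System.EventID": "4624", "...Provider@Name": ...}.

    Repeated sibling tags get an index so that two <Data> elements do not collide.
    """
    path = elem.tag if path is None else path
    out = {}
    for name, val in elem.attrib.items():
        out[f"{path}@{name}"] = val
    text = (elem.text or "").strip()
    if text:
        out[path] = text
    tags = [c.tag for c in elem]
    seen = {}
    for child in elem:
        n = seen.get(child.tag, 0)
        seen[child.tag] = n + 1
        label = f"{path}.{child.tag}" + (f"[{n}]" if tags.count(child.tag) > 1 else "")
        out.update(flatten_xml(child, label))
    return out


def extract(raw):
    """Auto-extract fields from one raw log; malformed or unstructured input yields {}."""
    s = raw.strip()
    try:
        if s.startswith(("{", "[")):
            return flatten_json(json.loads(s))
        if s.startswith("<"):
            return flatten_xml(ET.fromstring(s))
    except (ValueError, ET.ParseError):
        return {}
    return {}   # plain text: no structure to extract, a parser is still needed


def search(logs, field, value):
    """Return raw logs whose extracted field equals value (string comparison)."""
    hits = []
    for raw in logs:
        fields = extract(raw)
        if field in fields and str(fields[field]) == value:
            hits.append(raw)
    return hits


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(extract(raw) or "(no structured fields)")
    print(search(SAMPLE_LOGS, "Event.EventData.Data[0]", "alice"))
```

The syslog line is the caveat: auto-extraction covers the JSON and XML events, but free-text logs still need a parser before their fields are searchable, and field names extracted this way are only as stable as the producer's schema.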

Direct Ingestion for Google Cloud Model Armor Logs (GA)

  • Ingest Google Cloud Model Armor logs directly into Google SecOps using a new export filter with the direct ingestion method. Learn more

Share SOAR Logs to Cloud Logging (GA)

  • This BYOP (Bring Your Own Project) capability enhances visibility and proactive issue response by providing a native flow for sharing SOAR logs directly into your Google Cloud Logging project. Learn more

CMEK for SecOps EU Multi-Region (GA)

  • For organizations with strict compliance requirements, Customer-Managed Encryption Keys (CMEK) are now supported for Google SecOps in the EU multi-region. By managing your own encryption keys, your organization demonstrates due diligence, builds trust, and maintains regulatory compliance with greater confidence. Learn more

Enrichment Provenance: (Public Preview)

  • Gain better transparency into your UDM events with details on the source of enriched data and the ability to block specific out-of-the-box enrichments. Learn more

Enhanced Data Export API: (Public Preview)

  • Now supports high-volume exports to external Google Cloud Storage buckets, helping you meet SOX, HIPAA, and GDPR requirements. Learn more

 

 

 

Best-in-class Analyst Experiences

 

The Google SecOps search experience has been refined to provide analysts with better data management, improved performance, and more flexible viewing options.

 

Results Centric View: (GA)

  • New display options allow for more results by collapsing the editor pane to utilize full screen space. You can also toggle the histogram and aggregations panels to create your optimal default view.

Pagination in Search: (GA)

  • Search now paginates results to improve handling of large data sets on browsers with limited cache. This also prevents browser Out-Of-Memory (OOM) errors, increasing UI stability. Learn more

Raw Logs in CSV Export: (GA)

  • Users can now include Raw Logs in UDM Search CSV exports. This facilitates the correlation of UDM events with original logs during offline forensic and compliance analysis.  Learn more

Column Set Sharing: (GA)

  • Search now allows you to share your column sets with other users so that your team can view a common set of columns with a single click.  Learn more

 

Data Export Documentation Revamp: (GA) 

  • We've completely overhauled our YARA-L and Data Export documentation to make it more intuitive, user-journey focused, and easier to navigate. Learn more

YARA-L Documentation Enhancements: (GA)

  • Two new YARA-L guides have been released for customers who are getting started with YARA-L or translating existing searches from SPL (Splunk's Search Processing Language). Check them out here:
    • Get Started with YARA-L: The "Zero to Hero" Guide here
    • The SPL to YARA-L Translation Guide here

Advanced Querying: (Public Preview)

  • Use Inner Joins and Multistage queries within Search and Dashboards to correlate data across events, Entity Graph, or data-tables, and filter out noise using a "data funnel" approach. Learn more


 

Content Hub & Response Integration Enhancements

 

Streamline SOC workflows with an expanded content library and improved data accessibility.

 

Recent Content Updates: We’ve expanded our content with over 100 new and updated items across rules, response integrations, dashboards, and content packs. Learn more

  • Google SecOps SIEM: New features include UDM query generation via prompts, support for raw log data in UDM events and Curated Rules, and the ability to manage Watchlist entries. 
  • Google Threat Intelligence: Enhanced enrichment in the integration, updated filtering support for the DTM and ASM connectors, the ability to submit URLs privately, and new functionality to fetch Association data.
  • Palo Alto XDR: Enhanced connector capabilities with additional filtering options, added a synchronization job and released new actions to execute XQL queries and scan endpoints.
  • Image Utilities: A new integration featuring content rasterization and Optical Character Recognition (OCR) capabilities.

 

Integration Rollback: This feature gives any tenant a self-service way to roll back a response integration to the previously installed version. Learn more