Stay organized with collectionsSave and categorize content based on your preferences.
Self-service deprovisioning for Google SecOps
Supported in:
Google secops
This document explains how to use the self-service deprovisioning feature in Google Security Operations to delete a Google SecOps tenant and all related data. This feature provides a scalable and compliant process for handling deletion requests efficiently.
With deprovisioning, you can remove user access to Google SecOps and delete the tenant, including all associated data and resources. You manage the deletion process directly without relying on external support.
Use the Data Governor role to deprovision and restore
To initiate deprovisioning or restore a tenant, you must use an administrator user with theData Governorrole.
Billing implications of deleting your instance
Before initiating the deprovisioning process, it's important to understand the billing implications, as follows:
Deleting a Google SecOps instance does not cancel your billing.
If you have an active contract, you're still responsible for the full contract value, even after you delete the instance.
Billing continues until the contract term ends, regardless of the tenant's status.
Deprovisioning phases
Self-service deletion occurs in two phases:
Soft delete phase (12-day grace period)
Hard delete phase (permanent deletion within 62 days)
Soft delete phase
Only the Data Governor can access the Google SecOpsProfilepage, where they can:
View the remaining days in the soft delete phase.
ClickRestoreto cancel the deletion and restore the tenant.
The Data Governor initiates a 12-day grace period for soft deletion before data is permanently deleted. During this phase, the following restrictions and actions apply:
The system disables UI and API access and data ingestion is halted; no new data will be ingested into the Google SecOps tenant after the deletion request is initiated.
All roles can access the profile page.
The Data Governor can see the 12-day remaining soft-delete phase and use theRestorebutton, which reverts the soft delete and restores the tenant.
Most product functions are deactivated for all the users.
Hard delete phase
After the 12-day soft delete phase has ended, the data deletion process starts, systematically removing data and resources associated with the Google SecOps tenant. This process can potentially take up to two days.
Once the process begins, the following irreversible actions occur:
All customer data, including backup snapshots, are permanently deleted within 62 days of the initial request.
All UI access is permanently deactivated.
Deprovision a Google SecOps tenant
To deprovision a Google SecOps tenant, do the following:
Go to Google SecOpsSettings>Profile.
ClickDisable & Delete. A notification window displays several warning messages:
Access to Google SecOps will stop immediately; by proceeding with disabling and deleting this instance, the following occurs:
Only Admin users with the Data Governor role can restore the instance within 12 days. All other users will immediately lose access to Google SecOps and its data.
Data collection will stop within a few hours.
The instance can continue to be charged for a period of time, depending on your billing agreement.
All data, including cases, alerts, detection rules, settings, and logs will be permanently deleted after 12 days and can't be recovered.
EnterDeletein the confirmation field.
ClickDisable & Delete. The messageGoogle SecOps has been disabled. All data will be deleted starting [date]appears, where the date is 12 days once you clickDisable & Delete. The user can't navigate within the platform. A timer displays the start and progress of the 12-day soft delete phase.
Restore a deleted tenant
You can restore your tenant within 12 days after initiating deletion. The system reverts your tenant to its original state with previously existing data. TheRestorebutton appears after you clickDisable & Delete. ClickRestoreto restore the Google SecOps tenant/platform.
Limitations
The deprovision feature only provides self-service capabilities handled byCustomer Support. It doesn't unify or automate the deprovision process across all Google SecOps systems.
After restoring a tenant, all data feeds remain inactive. You must manually re-activate the data feeds that you need.
The system deprovisions the SIEM and any associated SOAR instances; however, associated VirusTotal and Mandiant instances required manual deprovisioning, tracked by a bug ticket.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-07 UTC."],[[["\u003cp\u003eGoogle Security Operations offers a self-service deprovisioning feature that allows users to delete a tenant and all its associated data directly.\u003c/p\u003e\n"],["\u003cp\u003eOnly users with the Data Governor role can initiate the deprovisioning or restore process of a Google SecOps tenant.\u003c/p\u003e\n"],["\u003cp\u003eDeleting a Google SecOps instance does not cancel billing, and users are responsible for the full contract value until the contract term ends, even after deletion.\u003c/p\u003e\n"],["\u003cp\u003eThe deprovisioning process has two phases: a 12-day soft delete period, during which data can be restored, followed by a hard delete phase where data is permanently deleted within 62 days of the initial request.\u003c/p\u003e\n"],["\u003cp\u003eWhile the system deprovisions SIEM and associated SOAR instances, manual deprovisioning is required for associated VirusTotal and Mandiant instances, and the customer is responsible for deleting any projects and related data not included in this process.\u003c/p\u003e\n"]]],[],null,["Self-service deprovisioning for Google SecOps \nSupported in: \nGoogle secops\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\n\u003cbr /\u003e\n\n| **Note:** This feature is not available to all customers in all regions.\n\n\u003cbr /\u003e\n\nThis document explains how to use the self-service deprovisioning feature in Google Security Operations to delete a Google SecOps tenant and all related data. This feature provides a scalable and compliant process for handling deletion requests efficiently.\n\nWith deprovisioning, you can remove user access to Google SecOps and delete the tenant, including all associated data and resources. You manage the deletion process directly without relying on external support.\n| **Note:** When deprovisioning partner-managed instances, tenants with full access to Google SecOps linked Google Cloud projects should ideally delete their own instances. However, we strongly recommend they consult with their partner before proceeding.\n\nUse the Data Governor role to deprovision and restore\n\nTo initiate deprovisioning or restore a tenant, you must use an administrator user with the **Data Governor** role.\n\nBilling implications of deleting your instance\n\nBefore initiating the deprovisioning process, it's important to understand the billing implications, as follows:\n\n- Deleting a Google SecOps instance does not cancel your billing.\n- If you have an active contract, you're still responsible for the full contract value, even after you delete the instance.\n- Billing continues until the contract term ends, regardless of the tenant's status.\n\nDeprovisioning phases\n\nSelf-service deletion occurs in two phases:\n\n- Soft delete phase (12-day grace period)\n- Hard delete phase (permanent deletion within 62 days)\n\nSoft delete phase **Note:** Permanent data deletion doesn't start during this phase.\n\nOnly the Data Governor can access the Google SecOps **Profile** page, where they can:\n\n- View the remaining days in the soft delete phase.\n- Click [**Restore**](#restore-a-deleted-tenant) to cancel the deletion and restore the tenant.\n\nThe Data Governor initiates a 12-day grace period for soft deletion before data is permanently deleted. During this phase, the following restrictions and actions apply:\n\n- The system disables UI and API access and data ingestion is halted; no new data will be ingested into the Google SecOps tenant after the deletion request is initiated.\n- All roles can access the profile page.\n- The Data Governor can see the 12-day remaining soft-delete phase and use the **Restore** button, which reverts the soft delete and restores the tenant.\n- Most product functions are deactivated for all the users.\n\nHard delete phase **Note:** Projects where customers directly manage their own resources and roles aren't deleted. Customers are solely responsible for deleting these projects and any associated data.\n\nAfter the 12-day soft delete phase has ended, the data deletion process starts, systematically removing data and resources associated with the Google SecOps tenant. This process can potentially take up to two days.\n\nOnce the process begins, the following irreversible actions occur:\n\n- All customer data, including backup snapshots, are permanently deleted within 62 days of the initial request.\n- All UI access is permanently deactivated.\n\nDeprovision a Google SecOps tenant\n\nTo deprovision a Google SecOps tenant, do the following:\n\n1. Go to Google SecOps **Settings \\\u003e Profile**.\n2. Click **Disable \\& Delete**. A notification window displays several warning messages:\n\n `Access to Google SecOps will stop immediately; by proceeding with disabling and deleting this instance, the following occurs:\n `\n - `Only Admin users with the Data Governor role can restore the instance within 12 days. All other users will immediately lose access to Google SecOps and its data.`\n - `Data collection will stop within a few hours.`\n - `The instance can continue to be charged for a period of time, depending on your billing agreement.`\n - `All data, including cases, alerts, detection rules, settings, and logs will be permanently deleted after 12 days and can't be recovered.`\n\n \u003cbr /\u003e\n\n3. Enter **Delete** in the confirmation field.\n\n4. Click **Disable \\& Delete** . The message `Google SecOps has been disabled. All data will be deleted starting [date]` appears, where the date is 12 days once you click **Disable \\& Delete**. The user can't navigate within the platform. A timer displays the start and progress of the 12-day soft delete phase.\n\nRestore a deleted tenant\n\nYou can restore your tenant within 12 days after initiating deletion. The system reverts your tenant to its original state with previously existing data. The **Restore** button appears after you click **Disable \\& Delete** . Click **Restore** to restore the Google SecOps tenant/platform.\n\nLimitations\n\n- The deprovision feature only provides self-service capabilities handled by [Customer Support](https://console.cloud.google.com/support). It doesn't unify or automate the deprovision process across all Google SecOps systems.\n- After restoring a tenant, all data feeds remain inactive. You must manually re-activate the data feeds that you need.\n- The system deprovisions the SIEM and any associated SOAR instances; however, associated VirusTotal and Mandiant instances required manual deprovisioning, tracked by a bug ticket.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
