Console
    Contact Us Start free

    Feature deprecations

    The Google Cloud Platform Terms of Service (section "Discontinuation of Services") defines the deprecation policy that applies to Google Security Operations. The deprecation policy only applies to the services, features, or products listed therein.

    After a service, feature, or product is officially deprecated, it continues to be available for at least the period of time defined in the Terms of Service. After this period of time, the service is scheduled for shutdown.

    The following table lists feature deprecations and their related shutdown schedules for Google Security Operations.

    Feature
    Deprecated date
    Shutdown date
    Details
    NETSKOPE_ALERT log type
    October 15, 2025
    November 30, 2025
    As of October 15, 2025, the Netskope Alerts v1 connector (for the NETSKOPE_ALERT log type) has been deprecated and will be removed on November 30, 2025. If you have existing feeds configured using the NETSKOPE_ALERT log type, you can create a new feed with the NETSKOPE_ALERT_V2 log type as described in this guide .
    ListAvailableLogTypes API
    September 09, 2025
    October 09, 2025
    As of October 09, 2025, the ListAvailableLogTypes API is deprecated. To get a list of all log types, you can now use the logTypes.list API.
    Forwarder component
    Apr 1, 2026
    Apr 1, 2027
    The forwarder component is being phased out of the Google SecOps platform and will reach end-of-life (EOL) in January 2027. This impact will change all any data collection pipelines that currently use the forwarder.

    Action required: If you're currently using the forwarder component, you must migrate your data collection workflows to an alternative mechanism before April 1, 2027. You'll need to use another data pipeline management application for log ingestion.

    We recommend that you migrate to the Bindplane OpenTelemetry (OTel) collector , which provides a scalable, open-standard solution for log and metric ingestion.

    The following are key dates to note:
    • Apr 1, 2026: New Google SecOps customers cannot use the forwarder component.
    • Jan 1, 2027: The forwarder is officially EOL. No further patches, including security patches, will be released.
    • Apr 1, 2027: Data is no longer allowed to be ingested from the forwarder component.
    Reference lists
    June 2026
    September 2026
    The reference list functionality is being retired from the Google SecOps platform.

    All existing reference lists will be transparently migrated to data tables. During this migration period, you can continue to use your existing reference lists until they're migrated.

    In September 2026, the legacy reference list functionality will be fully retired from the platform. At that time, all data will be accessible through the data table interface.
    Python 3.7
    February 1, 2025
    June 1, 2025
    Support for Python 3.7 is being decommissioned from the Google SecOps platform and Marketplace. Users will no longer be able to use integrations that run Python 3.7 in the Google SecOps platform after June 1, 2025. For more details, see Upgrade the Python Versions .
    BigQuery data lake
    December 31, 2024
    April 30, 2025
    The shutdown of managed BigQuery resources and API keys associated with the chronicle-tla Google Cloud project has been extended to April 30, 2025.

    This change doesn't affect Google Security Operations Enterprise Plus customers.

    SOAR infrastructure migration to Google Cloud
    June, 2025
    December 31, 2025
  • Starting June 2025, the SOAR infrastructure is migrating to Google Cloud, including authentication migration to Workforce Identity Federation and Cloud Identity.
  • For more details, see SOAR migration overview - stage 1 .
    • SOAR API and permission groups
    6 months from migration period (June-September 2025)
    June 30, 2026
  • Starting November 17, 2025, SOAR permission groups are migrating to Cloud IAM. SOAR APIs will be hosted as part of the Google API service . They can be accessed as part of Stage 2 of the SOAR Migration.
  • Stage 2 Early Access begins November 17, 2025. General Access is available for all customers from January 1, 2026. You can initiate Stage 2 at any time, after you complete Stage 1, with a completion deadline of June 30, 2026.
  • For more details, see SOAR migration overview - stage 2 .
    • UDM alert metadata fields
    July 22, 2024
    June 22, 2025
    The Google SecOps alert metadata fields for UDM idm.is_significant and idm.is_alert have been deprecated. Use YARA-L detection rule alerts for alert metadata.
    Incident Manager
    July 22, 2024
    July 22, 2025
    The Incident Manager in Google Security Operations will be fully decommissioned in July 22, 2025. We will provide support and maintenance until July 22, 2025 but no new features will be released.
    BigQuery data lake
    December 31, 2024
    March 31, 2025
    On December 31, 2024, the managed BigQuery data lake for export won't be accessible to Google SecOps customers except for customers in the Enterprise Plus Tier. Enterprise Plus Tier customers will retain access until a replacement is available. Other customers can use their own BigQuery instance to export telemetry data, a feature currently in preview. For more information, see Configure a data export to BigQuery in a self-managed Google Cloud project . The managed BigQuery resources and API keys associated with the chronicle-tla Google Cloud project will be fully decommissioned by March 31, 202e5.
    Python 2.7
    July 14, 2024
    October 13, 2024
    Support for Python 2.7 is being decommissioned from the Google SecOps platform and Marketplace. Users will no longer be able to use integrations that run Python 2.7 in the Google SecOps platform after October 13, 2024. For more details, see Upgrade the Python Versions .
    Symantec Event Export API feed
    July 11, 2024
    October 01, 2024
    The third-party API feed Symantec Event Export has been discontinued due to the deprecation of Symantec Event Export API . To ingest data, use a Cloud Storage bucket. For more information, see Add a feed and Adding a Data Bucket event stream type .
    Ingestion alerting method
    April 18, 2024
    September 01, 2024
    The ingestion alerting system using Google Security Operations has been deprecated. This system will no longer be updated, and no alerts will be sent from this system after September 01, 2024. Use the Cloud Monitoring integration which provides more flexibility in alert logic, alert workflow, and integration with third-party ticketing systems.
    Google SecOps ingestion_stats table in BigQuery
    April 18, 2024
    May 15, 2024
    The ingestion_stats table in BigQuery has been deprecated and will no longer be updated after May 15, 2024. Existing data is retained until May 15, 2025. Use the Google SecOps ingestion_metrics table in BigQuery, which provides more accurate ingestion metrics. Additionally, real-time alerting on ingestion metrics is also available in Google Security Operations Cloud Monitoring integration .
    Google Security Operations CBN alerts
    July 22, 2024
    July 22, 2025
    The Enterprise Insightspage and the CBN alerts will no longer be available after July 2025. Use the Alerts and IOCspage to view the alerts. We recommend that you migrate the existing CBN alerts to the YARA-L detection engine . Google Security Operations's YARA-L detection engine is the preferred option for detection alerts because it offers enhanced transparency in detection logic and robust tuning capabilities. For more information see Overview of the YARA-L 2.0 language .
    labels fields for UDM nouns
    November 29, 2023
    November 29, 2024
    On or after November 29, 2023, the following Google Security Operations labels fields for UDM nouns are deprecated: about.labels , intermediary.labels , observer.labels , principal.labels , src.labels , security_result.about.labels , and target.labels . For existing parsers, in addition to these UDM fields, the logs fields are also mapped to key/value additional.fields UDM fields. For new parsers, the key/value settings in additional.fields UDM fields are used instead of the deprecated labels UDM fields. We recommend that you update the existing rules to use the key/value settings in the additional.fields UDM fields instead of the deprecated labels UDM fields.
    Google Security Operations forwarder executable for Windows
    April 04, 2023
    March 31, 2024
    On or after March 31, 2024, existing Google Security Operations forwarder executable for Windows will be removed. For information about Google Security Operations forwarder for Windows on Docker, see Google Security Operations forwarder for Windows on Docker .
    Chronicle BigQuery udm_events table
    July 01, 2023
    August 01, 2023
    On or after July 1, 2023, the existing udm_events table in Chronicle-managed BigQuery projects will be fully replaced with a new table named events . This new table is currently available for all Customers . Chronicle will handle all changes in-product for this new table. Customers issuing queries against the udm_events table through Cloud Console, API, or directly connecting to BQ should fully migrate queries to the new table by July 1 to avoid interruption. When migrating SQL queries to use the new Event table, also replace the _PARTITIONTIME field with the new hour_time_bucket field.
    MICROSOFT_SECURITY_CENTER_ALERT log type
    May 03, 2022
    May 03, 2022
    As of May 03, 2022, the MICROSOFT_SECURITY_CENTER_ALERT log type has been removed. Logs previously fetched by the MICROSOFT_SECURITY_CENTER_ALERT feed are now a part of the MICROSOFT_GRAPH_ALERT feed. If you have a feed configured using the MICROSOFT_SECURITY_CENTER_ALERT log type, you can create a new feed using the MICROSOFT_GRAPH_ALERT log type. For more information about the MICROSOFT_GRAPH_ALERT log type, see Microsoft Graph Security API Alerts .
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: