Migrate to Google Cloud
This document applies to both Google Security Operations unified customers and SOAR standalone users migrating to Google Cloud.This migration enables deeper integration with other Google services, including Google Cloud, IAM monitoring for access control, Cloud Monitoring, and Cloud Audit Log.
Start the first migration stage
You'll receive an email and an in-app notification (starting mid-July 2025) with your expected migration date and containing a link to a Google form.
Perform the required migration steps
If you're a Google SecOps customer, the first stage of the migration process will occur without any need for action on your part.
However, if you're a SOAR standalone customer, you'll need to complete the following steps to migrate your deployment:
Bind SOAR with a new Google Cloud project
- To bind SOAR with your Google Cloud project, you need to create a new Google Cloud project. For more information, see Configure a Google Cloud for Google SecOps.
- In your new Google Cloud Project, enable Chronicle API.
- Fill in the Google form using the Project ID and your email address
- Follow the link in the invitation email to the Get Google Security Operation page and enter your project details.
- Set up the authentication method for your project:
- Workforce Identity Federation: (recommended if you're using external identity providers). If you're using an external IDP, create an IDP group mapping. in your existing SOAR settings. Post migration, the platform will authenticate users based on this mapping.
- Cloud Identity: (recommended if you have internal users):
Upcoming changes to SOAR access and authentication
- SOAR URL updates:
- The existing SOAR-only platform URL remains active through June 2026.
- When you access the SOAR web application, you will be automatically redirected to the new URL.
- APIs and Remote Agents
- The API and remote agents will continue to function using the old domain.
- Authentication migration
- SOAR is migrating the authentication flow to the Google Cloud authentication services and shifting to IDP based authentication in SOAR.
Expected downtime for initial migration
The expected downtime is as follows:
- Up to 2 hours for SOAR standalone customers
- Up to 1.5 hours for Google SecOps customers
During the first stage of migration, system services—including ingestion and playbooks—will be temporarily unavailable. Users will also be unable to sign in. The data will be ingested and processed once the system is back online. No data loss is expected.
What to expect during the first migration stage
- Communication and Support: We will notify you at the beginning of the migration window and once the process is complete.
- Migration Validation: The migration process includes a full backup and restore of the tenant environment, copying all secrets, and updating system metadata. A series of comprehensive end-to-end tests are performed to verify functionality. Infrastructure and application validations are monitored in real time using system metrics and alerting tools.
Start second stage migration
The second stage applies to all customers and will take place between September 2025 and June 2026. This phase includes the following key steps:
Migrate permission groups
Use the UI script in your Google Cloud console to migrate existing permission groups to IAM custom roles.
The script also assigns custom roles to users (for Cloud Identity customers) or to IDP groups (for Workforce Identity Federation customers).
(Optional) Set up permissions using IAM
You need to set up permissions in the IAM console using the following predefined SOAR roles. You also have the option of creating custom roles:
- SOAR Viewer
- SOAR Analyst
- SOAR Engineer
- SOAR Admin
For full details on how to set up permissions, see Configure feature access
Set the default landing page for Google SecOps
Each user can set the landing page from the User Preferences menu, accessible from their avatar.
Restricted actions
The restricted actions has moved from the Permissions page to the IDP Group Mapping page.
License type
The license type is now determined by the user's assigned permissions in IAM.
Remote agents
The existing remote agents continue to work during the transition period.
During the transition period, you need to do the following:
- Create a Service Account instead of an API key for the remote agent.
- Perform a major version upgrade of the remote agent.
Collect SOAR logs
All SOAR logs are now available for you in the Google Cloud. For more information, see Collect SOAR logs.
Use SOAR APIs on Google Cloud
The SOAR API is transitioning to the Chronicle API. Update your scripts and integrations to use the new API endpoints. Going forward, you must use a Service Account for authentication instead of an API key.
The existing API and API keys will continue to work until June, 2026. After this, they will no longer be available for use.
Need more help? Get answers from Community members and Google SecOps professionals.