Migrate to Google Cloud

This document is for customers using either Google Security Operations unified or the SOAR standalone platform who are migrating to Google Cloud. The migration integrates the product more closely with other Google services, including Google Cloud services, IAM monitoring, Cloud Monitoring, and Cloud Audit Logs.

Before you begin

  • To migrate to Google Cloud, you need to create a new Google Cloud project or link to an existing project. For information on how to create a new project, see Configure a Google Cloud project for Google SecOps.
  • If you are creating a new Google Cloud project, choose which of the following providers you are migrating to:
    • Workforce Identity Federation. This is recommended if you are using SAML.
    • Cloud Identity. This is recommended if you have internal users.

Migrate Permission Groups

You can either run a script to migrate all existing SOAR permission groups to custom IAM roles, or provide the service account to your Google SecOps representative, who can migrate the SOAR permission groups for you. For guidance on creating a service account, see Create service accounts.

Set up permissions using IAM

You need to set up permissions in the IAM console using the following predefined SOAR roles (you also have the option of creating custom roles):

  • SOAR Viewer
  • SOAR Analyst
  • SOAR Engineer
  • SOAR Admin

For full details on how to set up permissions, see Configure feature access.

Map users in the Google SecOps platform

You now need to map the users to the SOAR side of the Google SecOps platform. If you are using Workforce Identity Federation, you only need to map IdP groups to SOC roles and environments. If you are using Cloud Identity, you only need to map user emails to SOC roles and environments.

Set landing page for Google SecOps

Each user can set the landing page from the User Preferences menu, accessible from their avatar.

Remote Agents

The existing remote agents continue to work during the transition period.

During the transition period, you need to do the following:

  • Create a Service Account instead of an API key for the remote agent.
  • Perform a major version upgrade of the remote agent.

Collect SOAR logs

All SOAR logs are now available to you in Google Cloud. For more information, see Collect SOAR logs.

Use SOAR APIs on Google Cloud

If you continue to use the SOAR static IPs, you need to allowlist the chronicle.googleapis.com domain. The static IPs continue to work during the transition (6 months after migration).

The API endpoints are being moved to the same location as the Chronicle APIs. For more information, see Chronicle APIs. You need to create a Service Account instead of an API key for the new Chronicle SOAR APIs. These Chronicle SOAR APIs are available as a preview version.

The existing APIs and API keys continue to work during the 6-month transition period after the migration. After this, they will no longer be available for use.

Post Migration

After the migration procedure has been completed, you have 6 months to do the following:

  • Migrate the API (including changing from API keys to a Service Account)
  • Update commercial and custom integrations
  • Update remote agents
  • Change to the new URL given to you for the Google SecOps platform
