SOAR migration overview


This document describes the process and timelines to migrate SOAR infrastructure to Google Cloud. The migration aims to modernize the infrastructure and enhance its integration with Google Cloud services, benefiting both Google Security Operations unified customers and standalone SOAR users transitioning to Google Cloud.

This migration is necessary to provide critical infrastructure upgrades including enhanced reliability, improved security, greater compliance, and more granular access control. It also enables access to Agentic AI capabilities through Model Context Protocol (MCP) integration and best-in-class services including IAM for access control, Cloud Monitoring, and Cloud Audit Logs.

The migration is carried out in two stages: Stage 1 and Stage 2.

Stage 1 includes the following migrations:

  • Migration of your Google-owned SOAR Project to Google Cloud infrastructure. This is carried out by Google.
  • Migration of SOAR Authentication to Google Cloud (only applicable for SOAR standalone customers).

Stage 2 includes the following migrations:

  • Migration of SOAR Permission Groups and Permissions to Google Cloud IAM.
  • Migration of SOAR APIs to the new unified Chronicle API, requiring updates to existing scripts and integrations.
  • Migration of remote agents.
  • Migration of SOAR Audit Logs.

Migration stage 1 for Google SecOps unified customers

You will receive an in-product notification containing your Stage 1 migration date. The notification includes a Google form for you to confirm the migration date and time slot. Stage 1 includes the following migration:

  • Migrate Google-owned SOAR Project to Google Cloud

The migration includes a 90-minute downtime during which the Google SecOps platform is not accessible. During this downtime, your SIEM services will continue to operate in the background, while SOAR services will be temporarily paused. Following the downtime, the platform will be accessible, and SOAR services will resume processing any alerts generated or ingested during the downtime.

Once the migration is complete, we will send you an email.

Migration stage 1 for SOAR standalone customers

You will get an in-product notification message when we are ready to initiate Stage 1 for you. Make sure to do the following:

  1. Set up a Google Cloud project. You can also use a Google Cloud project that may have been set up to access Chronicle Support but does not have a Google Security Operations instance yet.
  2. Enable the Chronicle API.
  3. Set up Google Cloud Authentication to access SOAR. Refer to Set up Google Cloud Authentication to access SOAR.
  4. Provide the Google Cloud project ID in the Google form in the in-product notification and confirm the migration date and time slot before you submit the form.
  5. Accept the invitation email to the "Get Google Security Operations" page and complete the setup. Make sure your region information is accurate.

You will experience a downtime in SOAR services for 2 hours during the migration. We will send an email after completion, along with a new URL to access the SOAR platform. The old URL will work until June 30, 2026, by redirecting you to the new URL.

Set up Google Cloud authentication to access SOAR

Depending on what type of identity you want to set up and use, you need to set up one of the following options. You may need the help of your Google Cloud administrator to perform these instructions.

Option 1: Configure Cloud Identity Authentication in Google Cloud (Google Managed accounts)

This option lets you create and manage user accounts directly within Cloud Identity, with each user having a Google-managed username and password. Complete the following steps:

  1. Set up Cloud Identity in Google Cloud. You can skip this step if you already have Cloud Identity set up.
  2. Make sure all the SOAR users are configured in the Cloud Identity Admin console.
  3. Grant the onboarding SME all the following predefined roles in Google Cloud IAM:
    • Chronicle API Admin
    • Chronicle Service Admin
    • Chronicle SOAR Admin
    • Project IAM Admin
    • Service Usage Admin
  4. Grant all your existing users in SOAR one of the following predefined roles in IAM:
    • Chronicle API Admin
    • Chronicle API Editor
    • Chronicle API Viewer
    • Chronicle API Limited Viewer
  5. Complete the authentication setup in SOAR by mapping each user (including administrators) to an email user group.
    1. Go to Settings > SOAR Settings > Advanced > Group Mapping.
    2. Map the Chronicle SOAR Admin as Administrator in All Environments.
    3. For all other users, map the following:
      • Group Names: The name you assign to an email group, such as T1 analysts.
      • Group Members: The collection of user emails that make up that group.
      • Map them to environments and SOC Roles.

Option 2: Configure Workforce Identity Federation Authentication in Google Cloud

This option lets you use Workforce Identity Federation for single sign-on using third-party identity providers (IdPs) such as Microsoft Azure Active Directory, Okta, Ping Identity, and AD FS.

  1. Set up Workforce Identity Federation in Google Cloud. You can skip this step if it was already set up.
  2. Make sure all the existing users in SOAR are part of the workforce pool groups set up in the Workforce Identity Federation. You can either work with your Google Cloud administrator or request that they grant you the necessary permissions for you to complete this.
  3. Grant the onboarding SME all the following predefined roles in IAM. Make sure to follow the role assignment format for Workforce Identities.
    • Chronicle API Admin
    • Chronicle Service Admin
    • Chronicle SOAR Admin
    • Project IAM Admin
    • Service Usage Admin
  4. Grant all your existing users in SOAR one of the following roles in IAM:
    • Chronicle API Admin
    • Chronicle API Editor
    • Chronicle API Viewer
    • Chronicle API Limited Viewer
  5. Complete the authentication setup in SOAR by mapping each user (including administrators) to an IdP group.
    1. Go to Settings > SOAR Settings > Advanced > IdP Group Mapping.
    2. Map the Chronicle SOAR Admin as Administrator in All Environments.
    3. For all other users, map the following:
      • IdP group: The name you assign to an email group, such as T1 analysts.
      • Permission groups, Environments and SOC Roles.
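
A pre-migration check for step 4 of both options, as an added example that is not part of the original documentation: it takes a project IAM policy (the structure returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`) and reports which SOAR principals hold none, or more than one, of the four Chronicle API roles. The role IDs are assumed to match the display names above and should be confirmed in the IAM console; the policy, email addresses, pool name and group name are constructed sample values.

```python
# Role IDs assumed to correspond to the four Chronicle API display names
# listed in step 4; confirm them in the IAM console before relying on this.
CHRONICLE_API_ROLES = {
    "roles/chronicle.admin": "Chronicle API Admin",
    "roles/chronicle.editor": "Chronicle API Editor",
    "roles/chronicle.viewer": "Chronicle API Viewer",
    "roles/chronicle.limitedViewer": "Chronicle API Limited Viewer",
}

def audit_soar_access(policy, principals):
    """Compare IAM bindings against the principals that must reach SOAR.

    principals are full IAM member strings: "user:..." for Cloud Identity,
    "principalSet://..." for Workforce Identity Federation groups.
    Matching is exact, so pass them exactly as they appear in the policy.
    """
    held = {p: set() for p in principals}
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in CHRONICLE_API_ROLES:
            continue  # other roles do not satisfy step 4
        for member in binding.get("members", []):
            if member in held:
                held[member].add(role)
    return {
        "missing": sorted(p for p, r in held.items() if not r),
        "multiple": sorted(p for p, r in held.items() if len(r) > 1),
        "admin": sorted(p for p, r in held.items() if "roles/chronicle.admin" in r),
    }

# Constructed sample data (not from a real project).
T1_GROUP = ("principalSet://iam.googleapis.com/locations/global/"
            "workforcePools/example-pool/group/t1-analysts")
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/chronicle.admin", "members": ["user:alice@example.com"]},
    {"role": "roles/chronicle.viewer", "members": ["user:alice@example.com", T1_GROUP]},
    {"role": "roles/chronicle.editor", "members": ["user:bob@example.com"]},
    {"role": "roles/resourcemanager.projectIamAdmin", "members": ["user:carol@example.com"]},
]}
SAMPLE_PRINCIPALS = ["user:alice@example.com", "user:bob@example.com",
                     "user:carol@example.com", T1_GROUP]

if __name__ == "__main__":
    for finding, who in audit_soar_access(SAMPLE_POLICY, SAMPLE_PRINCIPALS).items():
        print(f"{finding}: {who}")
```

Principals under `missing` would have no Chronicle API access after the switch; `multiple` and `admin` are worth reviewing against least privilege before the permission groups are migrated in Stage 2.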

Migration Stage 2 for all customers

Stage 2 will be available from November 1st, 2025 and must be completed by June 30, 2026. You can execute Stage 2 migration procedures after the completion of Stage 1. These procedures are for both Google SecOps SOAR standalone customers and Google SecOps customers.

Migrate SOAR permission groups to Google Cloud IAM

Migrate the SOAR permission groups and permissions to IAM through a single click of the migration script (to be launched before Nov 1). The script creates new custom roles for each permission group and assigns them to users for Cloud Identity customers or IdP groups for Workforce Identity Federation customers.

For more information about how to set up permissions, see Configure feature access. The new predefined SOAR roles are:

  • Chronicle SOAR Admin
  • Chronicle SOAR Engineer
  • Chronicle SOAR Analyst
  • Chronicle SOAR Viewer
  • Chronicle SOAR Service Agent

After the migration of the permissions, the following happens:

  • SOAR Settings > Organization > Permissions page is still available until June 30, 2026 (for backwards compatibility with Appkeys). Don't make any changes to this page. The permissions are all managed through IAM.
  • The Permission Group column on mapping pages is removed.
  • The restricted actions section in the Permissions page will move to the IdP Group Mapping page (or Email group page).

Migrate SOAR APIs to Chronicle API

The SOAR API is being replaced with the Chronicle API.

You must update your scripts and integrations to replace the SOAR API endpoints with the corresponding Chronicle API endpoints. The legacy SOAR API and API Keys will be available until June 30, 2026, after which they will no longer function. For more information, refer to Migrate endpoints to Chronicle API.

Migrate Remote Agents

You can migrate the Remote Agents to Google Cloud by doing the following:

  1. Create a Service Account instead of an API key for the remote agent.
  2. Perform a major version upgrade of the remote agent.

Existing Remote Agents will be available until June 30, 2026, after which they will no longer function. For detailed instructions, see Migrate Remote Agents to Google Cloud.

Migrate SOAR Audit Logs

SOAR logs will become available in Google Cloud once you complete the permissions migration to IAM. Any calls made to the legacy SOAR API until June 30, 2026 will remain accessible in the SOAR Audit logs. For Google SecOps customers, see Collect Google SecOps SOAR logs. For SOAR standalone customers, see Collect SOAR logs.

Further changes post migration:

  • License type: The license type is now determined by the user's assigned permissions in IAM.
  • Landing page: The landing page will move from the Permissions page to the User Preferences menu, accessible from your avatar.
