Google SecOps customers are experiencing delays in the accuracy of “first seen” and “last seen” timestamps within the Entity Context Graph (ECG), a critical component for threat detection and investigation. The issue, which began on January 15, 2026, impacts customers across multiple global regions, including locations in Asia, Europe, North America, and South America, according to a Google Security Products Status Dashboard update posted Friday.
The problem specifically affects entities identified by “Domain,” “file hash,” and “IP address.” Google reports that timestamps for entities first observed before January 15th remain accurate. The company states that mitigation efforts are ongoing, with resolution achieved in asia-northeast1, asia-south1, europe-west3, europe-west6, northamerica-northeast2, and southamerica-east1 as of Friday afternoon, Pacific Time.
The Entity Context Graph stores contextual data about assets, users, groups, resources, and Indicators of Compromise (IOCs), providing a crucial layer of enrichment for security investigations, according to Google Cloud documentation. This data is used to enhance UDM event data and is searchable within the Google SecOps platform. The ECG likewise incorporates derived data, such as prevalence metrics and Google Threat Intelligence.
The current issue impacts the reliability of threat detection rules that rely on accurate “first seen” or “last seen” timestamps. Customers may locate that rules are not matching recent malicious activity as expected. Similarly, search results displaying these timestamps may be outdated. Google has not provided a workaround at this time.
Google initially reported the issue on February 11, 2026, and has provided updates every twelve to twenty-four hours, outlining the ongoing mitigation function. The company anticipates completing mitigation by February 20, 2026, and has promised to provide further details by Tuesday, February 17, 2026. The company has apologized for the disruption.
According to Google documentation, the SecOps platform performs a five-day lookback when creating entity context data to account for late-arriving information, effectively creating a time-to-live for the data if an end time is not specified. The current incident suggests a disruption to this process for the affected entity types.
