Saved searches are a workflow optimization tool in Google Security Operations (SecOps). They let security operations teams store and share multi-line queries and retrieve them instantly, without having to recall precise syntax and field mappings. Beyond convenience, they drive consistency during investigations and can serve as a curated library for threat hunting exercises.

[Image: Reviewing saved searches in Google SecOps in Search Manager]

Many Google SecOps customers manage their security content as code via the REST API using Content Manager or Terraform. By managing content as code, your Git repository becomes the single source of truth, ensuring that changes are tracked, tested, reviewed, and approved before they're deployed to Google SecOps. We recently expanded Content Manager to support saved searches. In this post, we'll look at how to programmatically retrieve, version control, and update your saved searches via the Google SecOps REST API.

[Image: Reviewing the help output for Content Manager]

Executing the "get" command shown below retrieves all of my saved searches from Google SecOps and writes them to the "saved_search_config.yaml" file.

(venv) $ python -m content_manager saved-searches get
01-Dec-25 10:49:45 MST | INFO | <module> | Content Manager started
01-Dec-25 10:49:45 MST | INFO | get_saved_searches | Attempting to pull latest version of all saved searches from Google SecOps and update the local config file
01-Dec-25 10:49:45 MST | INFO | get_remote_saved_searches | Attempting to retrieve all saved searches from Google SecOps
01-Dec-25 10:49:46 MST | INFO | get_remote_saved_searches | Retrieved 3 saved searches
01-Dec-25 10:49:46 MST | INFO | get_remote_saved_searches | Retrieved a total of 3 saved searches
01-Dec-25 10:49:46 MST | INFO | dump_saved_search_config | Writing saved search config to /Users/x/Documents/projects/detection-rules/tools/content_manager/saved_search_config.yaml

In the generated YAML file, we get a structured entry for each saved search. Each entry contains information such as the UDM query, description, created and updated timestamps, and the resource name identifying where the object lives in Google Cloud.

[Image: Reviewing the saved_search_config.yaml file]

Executing the "update" command does the following:

1. Loads the saved searches stored in the "saved_search_config.yaml" file.
2. Fetches all of the saved searches from Google SecOps.
3. Compares the saved searches in the config file with what's in Google SecOps.
4. Creates and updates saved searches based on the comparison.
5. Retrieves the latest version of the saved searches from Google SecOps and updates the config file. This step ensures that metadata such as the Google Cloud resource name and the created and updated timestamps in the config file are in sync with Google SecOps.

Let's look at how to create a new saved search in the config file. In this example, I'm adding a new saved search named "User Sign-ins By Status". I've included a description and query for the saved search and specified that it should be shared with all users in my Google SecOps tenant. The supported values for the "query_type" field are listed in our documentation.

[Image: Creating a new saved search in the config file]

Executing Content Manager's "saved-searches update" command created the saved search successfully.

(venv) $ python -m content_manager saved-searches update
01-Dec-25 11:16:26 MST | INFO | <module> | Content Manager started
01-Dec-25 11:16:26 MST | INFO | update_saved_searches | Attempting to update saved searches in Google SecOps based on the local config file
01-Dec-25 11:16:27 MST | INFO | update_remote_saved_searches | Attempting to update saved searches in Google SecOps based on local config file /Users/x/Documents/projects/detection-rules/tools/content_manager/saved_search_config.yaml
01-Dec-25 11:16:27 MST | INFO | load_saved_search_config | Loading saved search config from /Users/x/Documents/projects/detection-rules/tools/content_manager/saved_search_config.yaml
01-Dec-25 11:16:27 MST | INFO | load_saved_search_config | Loaded 4 saved search config entries from file /Users/x/Documents/projects/detection-rules/tools/content_manager/saved_search_config.yaml
01-Dec-25 11:16:27 MST | INFO | update_remote_saved_searches | Attempting to retrieve latest version of all saved searches from Google SecOps
01-Dec-25 11:16:27 MST | INFO | get_remote_saved_searches | Attempting to retrieve all saved searches from Google SecOps
01-Dec-25 11:16:27 MST | INFO | get_remote_saved_searches | Retrieved 3 saved searches
01-Dec-25 11:16:27 MST | INFO | get_remote_saved_searches | Retrieved a total of 3 saved searches
01-Dec-25 11:16:27 MST | INFO | update_remote_saved_searches | Checking if any saved search updates are required
01-Dec-25 11:16:28 MST | INFO | update_remote_saved_searches | Created new saved search User Sign-ins By Status
01-Dec-25 11:16:28 MST | INFO | update | Logging summary of saved search changes...
01-Dec-25 11:16:28 MST | INFO | update | Saved searches created: 1
01-Dec-25 11:16:28 MST | INFO | update | created saved search ('User Sign-ins By Status', 'projects/chronicle-xxxxxx/locations/us/instances/{UUIDv4}/users/me/searchQueries/{UUIDv4}')
01-Dec-25 11:16:28 MST | INFO | update | Saved searches updated: 0
01-Dec-25 11:16:28 MST | INFO | get_remote_saved_searches | Attempting to retrieve all saved searches from Google SecOps
01-Dec-25 11:16:28 MST | INFO | get_remote_saved_searches | Retrieved 4 saved searches
01-Dec-25 11:16:28 MST | INFO | get_remote_saved_searches | Retrieved a total of 4 saved searches
01-Dec-25 11:16:28 MST | INFO | dump_saved_search_config | Writing saved search config to /Users/x/Documents/projects/detection-rules/tools/content_manager/saved_search_config.yaml

Reviewing the config file, we can see the Google Cloud resource name for the new saved search along with its metadata.

[Image: Reviewing the new saved search object in the config file]

Finally, I can review the saved search in Google SecOps by opening the Search Manager.

[Image: Reviewing the saved search in Search Manager]

Like many Google SecOps customers, I've implemented Detection-as-Code in my own tenant using Content Manager and GitHub Actions workflows. To create a new saved search via my CI/CD pipeline, I create a new branch and pull request in GitHub to stage my proposed changes.

[Image: Creating a new saved search via GitHub]

Once my unit tests pass, I can merge my changes into the "main" branch of the GitHub repository. My GitHub Actions workflow then updates my saved searches in Google SecOps based on the configuration file in the repository. The GitHub Actions console output below shows that one saved search was created.

[Image: Reviewing the GitHub Actions workflow log]

[Image: Viewing the new saved search in Google SecOps]

That's it for this post, where we looked at how to manage saved searches via the Google SecOps REST API. Content Manager is a utility that makes it easy for security teams to manage content such as rules, rule exclusions, data tables, and saved searches in an automated fashion.
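The five-step reconciliation loop that the "update" command performs (load the config, fetch the tenant's saved searches, compare, create or update, refresh metadata) is easiest to reason about as a small program, so here is one as an added example. It is not Content Manager's code and it does not call the real Google SecOps REST API: FakeSecOpsApi is an in-memory stand-in whose behaviour is assumed, the config keys (name, description, query, query_type, share_with_all_users, resource_name, create_time, update_time), the instance prefix and the "UDM_QUERY" value for query_type are assumptions for illustration, and the three existing searches and the fourth new one are constructed sample data. Beyond what the post shows, the example matches entries by resource name rather than display name, refuses to push a config with duplicate names or empty queries, and reports an entry whose resource name no longer exists in the tenant as orphaned instead of silently recreating it.

```python
"""Reconcile a Git-managed saved-search config with a Google SecOps tenant.

Added example: a stand-alone re-implementation of the compare/create/update/
refresh loop. Not Content Manager's code; FakeSecOpsApi, the config keys,
the resource-name layout and the query_type value are all assumed.
"""
import copy
import uuid
from datetime import datetime, timezone

# Assumed instance prefix, shaped like the resource names in the post's log output.
INSTANCE = "projects/chronicle-xxxxxx/locations/us/instances/00000000-0000-4000-8000-000000000000"

# Fields a human edits in Git and that are therefore diffed against the tenant.
# resource_name, create_time and update_time are owned by the tenant and never diffed.
CONTENT_FIELDS = ("description", "query", "query_type", "share_with_all_users")


class FakeSecOpsApi:
    """In-memory stand-in for the saved-search endpoints (assumed, not the real API)."""

    def __init__(self, initial):
        self._store = {}
        for entry in initial:
            self.create(entry)

    @staticmethod
    def _now():
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    def list(self):
        return [copy.deepcopy(o) for o in self._store.values()]

    def create(self, entry):
        obj = {k: entry.get(k) for k in ("name",) + CONTENT_FIELDS}
        obj["resource_name"] = f"{INSTANCE}/users/me/searchQueries/{uuid.uuid4()}"
        obj["create_time"] = obj["update_time"] = self._now()
        self._store[obj["resource_name"]] = obj
        return copy.deepcopy(obj)

    def patch(self, resource_name, entry):
        obj = self._store[resource_name]
        obj.update({k: entry.get(k) for k in ("name",) + CONTENT_FIELDS})
        obj["update_time"] = self._now()
        return copy.deepcopy(obj)


def validate_config(local):
    """Return the problems a PR check should fail on before anything is pushed."""
    problems = []
    names = [e.get("name") for e in local]
    for name in sorted({n for n in names if names.count(n) > 1}):
        problems.append(f"duplicate saved search name: {name!r}")
    for e in local:
        if not (e.get("query") or "").strip():
            problems.append(f"empty query in saved search {e.get('name')!r}")
    return problems


def plan_changes(local, remote):
    """Match local entries to tenant objects by resource_name and bucket them.

    No resource_name means the entry is new. A resource_name the tenant no longer
    knows is reported as 'orphaned' rather than silently recreated, so a deletion
    made outside Git is surfaced for review instead of papered over.
    """
    remote_by_rn = {r["resource_name"]: r for r in remote}
    plan = {"create": [], "update": [], "unchanged": [], "orphaned": []}
    for entry in local:
        rn = entry.get("resource_name")
        if not rn:
            plan["create"].append(entry)
        elif rn not in remote_by_rn:
            plan["orphaned"].append(entry)
        elif any(entry.get(k) != remote_by_rn[rn].get(k) for k in CONTENT_FIELDS):
            plan["update"].append(entry)
        else:
            plan["unchanged"].append(entry)
    return plan


def sync(local, api):
    """Steps 1-5 of the update command: validate, fetch, compare, push, refresh."""
    problems = validate_config(local)
    if problems:
        raise ValueError("; ".join(problems))
    plan = plan_changes(local, api.list())
    for entry in plan["create"]:
        api.create(entry)
    for entry in plan["update"]:
        api.patch(entry["resource_name"], entry)
    summary = {"created": len(plan["create"]), "updated": len(plan["update"]),
               "orphaned": [e["name"] for e in plan["orphaned"]]}
    # Step 5: pull everything back so the config carries the tenant's metadata.
    return summary, sorted(api.list(), key=lambda e: e["name"])


# Constructed sample data: three searches already in the tenant, plus the post's new one.
# "UDM_QUERY" is a placeholder; use a value from the documented query_type list.
EXISTING = [
    {"name": "Failed Logins by User", "description": "Blocked USER_LOGIN events by user",
     "query": 'metadata.event_type = "USER_LOGIN" AND security_result.action = "BLOCK"',
     "query_type": "UDM_QUERY", "share_with_all_users": False},
    {"name": "Outbound DNS to New Domains", "description": "NETWORK_DNS to rarely seen domains",
     "query": 'metadata.event_type = "NETWORK_DNS"', "query_type": "UDM_QUERY", "share_with_all_users": True},
    {"name": "Privilege Changes", "description": "USER_CHANGE_PERMISSIONS events",
     "query": 'metadata.event_type = "USER_CHANGE_PERMISSIONS"', "query_type": "UDM_QUERY",
     "share_with_all_users": True},
]
NEW_SEARCH = {"name": "User Sign-ins By Status", "description": "Sign-in events by security_result.action",
              "query": 'metadata.event_type = "USER_LOGIN"', "query_type": "UDM_QUERY",
              "share_with_all_users": True}


def demo():
    """Replay the post's run: 3 in the tenant, a 4th committed to Git, plus one edited description."""
    api = FakeSecOpsApi(EXISTING)
    local = api.list()                        # what `saved-searches get` would have written
    local[0]["description"] += " (reviewed)"  # an edit made in a pull request
    local.append(NEW_SEARCH)                  # the new entry, no resource_name yet
    return sync(local, api)


if __name__ == "__main__":
    summary, config = demo()
    print(summary)
    for e in config:
        print(e["name"], "->", e["resource_name"])
```

The design choice worth copying is the identity rule: the resource name written back by step 5 is what ties a Git entry to a tenant object, so renaming a search in the config is an update, not a create, and two entries can never silently collide on a display name. Treat the "orphaned" bucket as a review signal in CI rather than auto-recreating, since a deletion made by hand in Search Manager is exactly the kind of drift a content-as-code workflow exists to catch.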
Please leave a comment below if you’d like to see support added for other content types.
In this Security Operations webinar series, we'll show you how to unlock the full potential of your security data by mastering ingestion and parsing in Google SecOps. Tom Ruff, a Technology Solutions Consultant at Google Cloud Security, demonstrates best practices for onboarding security data and shows how to reliably collect, transport, and parse logs from a wide variety of on-premises and cloud sources so that your data is valuable from the moment it arrives.

In this session, we cover:

- Best practices for collecting logs from diverse sources such as security devices (firewalls, EDRs), cloud services (AWS, Google Cloud), and operating systems.
- Choosing the right transport method (Bindplane, SecOps Forwarder, Cribl) and why buffering is critical for reliable data delivery.
- Why sending logs in their original format (JSON, syslog, CEF) maximizes out-of-the-box parsing success.
- Tips for building effective custom parsers, including using AI to generate Grok patterns when needed.
- A look ahead at upcoming AI-powered features for automatic parsing.

See the attached slide deck to follow along and for some helpful links. Just watching this video for the first time? Post your questions below. Didn't get your questions answered during the livestream? Ask them here and we'll get them answered. Enjoy and happy learning!
In this episode, we get a unique look at the history of Windows through the eyes of one of its leading experts, Pavel Yosifovich. We delve into his fascinating origin story, including the "fluke" that led him to become the author of the legendary Windows Internals series, and why he describes himself as a developer who "hates security."

The conversation explores the most significant foundational changes in Windows kernel design, specifically the architectural shift toward Virtualization-Based Security (VBS) and the long-term strategy behind the "Secure Kernel." We discuss the ever-evolving landscape of EDRs, the reality of kernel-level threats, and the impact AI and memory-safe languages like Rust will have on future development. This episode offers valuable insights for reverse engineers and developers interested in the big-picture trends that have shaped, and will continue to shape, the world of operating system design.

Get the latest from FLARE's community efforts: email flare-external@google.com to join our mailing list for important announcements. Your information will not be shared and is used only for this purpose.
© 2025 Google. All rights reserved.