**A read-only report for what your rules are actually doing**
As detection engineers we all hit the same wall: you can list your rules, but the list doesn't tell you which of them are actually working. Whether a rule is live / alerting, and how much it fires, lives in two other places — the deployment record and the detections endpoint — and nothing joins them back to the rule for you.
Following up on the export script I shared earlier, here's the companion: a small, read-only script that joins the three sources and gives you, per rule:
- - live / alerting / archived state
- - detections for the **current version** (so the average reflects the config running now, not an old one)
- - first / last fired, average per day
- - **who last changed it, and when**
- - a one-word verdict: **SILENT** (test it) / **STALE** / **TUNE** / **REDESIGN** / **OK**
Two honest limits worth flagging: the detections endpoint caps at ~1000 per rule (rules that hit it are marked `CAPPED`), and it's per-rule and rate-limited, so it's slow on large tenants — test on a subset with `--max-rules` first.
Requirements: a service account with rule/detection read access, and `pip install secops openpyxl`.
Repo: https://github.com/gromerosec/google-secops-rule-export
Full write-up: [Medium — A Basic Rule-Behavior Audit]https://medium.com/@gromerosec/google-secops-field-notes-a-simple-way-to-export-your-rules-d61f0aa7f79d?sharedUserId=gromerosec
Hope it helps someone triage their rule set. Cheers.

