Skip to main content

Google SecOps Field Notes: A Basic Rule-Behavior Audit

  • July 11, 2026
  • 0 replies
  • 4 views

GromeroSec
Forum|alt.badge.img+5

**A read-only report for what your rules are actually doing**

As detection engineers we all hit the same wall: you can list your rules, but the list doesn't tell you which of them are actually working. Whether a rule is live / alerting, and how much it fires, lives in two other places — the deployment record and the detections endpoint — and nothing joins them back to the rule for you.

Following up on the export script I shared earlier, here's the companion: a small, read-only script that joins the three sources and gives you, per rule:

  • - live / alerting / archived state
  • - detections for the **current version** (so the average reflects the config running now, not an old one)
  • - first / last fired, average per day
  • - **who last changed it, and when**
  • - a one-word verdict: **SILENT** (test it) / **STALE** / **TUNE** / **REDESIGN** / **OK**

Two honest limits worth flagging: the detections endpoint caps at ~1000 per rule (rules that hit it are marked `CAPPED`), and it's per-rule and rate-limited, so it's slow on large tenants — test on a subset with `--max-rules` first.

Requirements: a service account with rule/detection read access, and `pip install secops openpyxl`.

Repo: https://github.com/gromerosec/google-secops-rule-export
Full write-up: [Medium — A Basic Rule-Behavior Audit]https://medium.com/@gromerosec/google-secops-field-notes-a-simple-way-to-export-your-rules-d61f0aa7f79d?sharedUserId=gromerosec

Hope it helps someone triage their rule set. Cheers.