Overview of composite detections

This document introduces composite detections and how they can enhance threat detection workflows by correlating outputs from multiple rules.

Composite detections use composite rules, which consume the outputs (detections) of other rules, in whole or in part, optionally combined with events, metrics, or entity risk signals. These rules detect complex, multistage threats that individual rules can miss.

Composite detections can help analyze events through defined rule interactions and triggers. This improves accuracy, reduces false positives, and provides a comprehensive view of security threats by correlating data from different sources and attack stages.

The following concepts define the building blocks of composite rules and help clarify how they function within detection workflows:

Composite rules: use detections or alerts as input, along with optional events, metrics, or entity risk. These rules must always have a match section and can reference meta fields, match labels, and outcome variables from input rules.

Detection-only rules: composite rules that use only detections or alerts as inputs.

Input source for composite rules

Composite rules use collections as their input type; a collection stores the outputs of previously run rules.

Limitations

When designing and implementing composite detections, consider the following limitations:

  • Composite rules—Google Security Operations supports a maximum depth of 10 for composite rules. Depth is the number of rules from a base rule to the final composite rule.

  • Detection-only rules—Have a maximum match window of 14 days. However, the following apply:

    • If the rule uses ingested events, entity graph data, or reference lists, the match window is limited to 48 hours.
    • Detection-only rules are subject to a daily detection limit of 10,000 detections per rule.
  • Outcome variables—Each rule is limited to a maximum of 20 outcome variables. Additionally, each repeated outcome variable is limited to 25 values.

  • Event samples—Only 10 event samples are stored per event variable in a rule (for example, 10 for $e1 and 10 for $e2).

For more information on detection limits, see Detection limits.

How composite detections work

When single-event or multi-event rules meet predefined conditions, they generate detections. These detections can optionally include outcome variables, which capture specific data or event states.

Composite rules use these detections from other rules as part of their inputs. The evaluation can be based on the following factors of the rules that initially generate the detections:

  • Content defined in the meta section of the rule
  • State or data attribute set by the rules in outcome variables
  • Fields from the original detection

Based on this evaluation, composite rules can trigger alerts and record new state information. This helps correlate multiple factors from different detections to identify complex threats.

See composite rules syntax and examples for more information.

Best practices

We recommend the following practices for building composite rules.

Optimize for latency

For minimal latency in detection pipelines, start a rule sequence with a single-event rule, followed by composite rules. Single-event rules have higher execution speed and frequency than multi-event rules, which helps reduce the overall latency for composite rules.

Use outcome variables, meta labels, and match variables

We recommend using outcome variables, meta labels, and match variables to join detections in composite rules. These methods offer the following advantages over using event samples or references from input detections:

  • Improved reliability—Provide more deterministic and reliable results, especially when detections involve many contributing events.

  • Structured data extraction—Enable you to extract specific fields and data points from the events to help create a structured system for organizing event data.

  • Flexible correlation—Meta labels let you categorize rules, and consequently the detections they generate, so that detections can be joined more flexibly. For example, if several rules share the meta label tactic: exfiltration, a composite rule can target any detection whose tactic label has the value exfiltration.
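The label-based join described above, and the outcome-variable correlation described under "How composite detections work", as an added example in YARA-L 2.0 that is not part of this page or of Google SecOps' shipped rules. The detection field paths (rule_labels, outcomes, rule_name, detection_time), the label values credential_access and exfiltration, and the hostname outcome variable exported by the input rules are assumptions to verify against the composite rules syntax reference:

```yara-l
rule composite_credential_access_then_exfiltration {
  meta:
    // Constructed metadata for an added example; not a shipped rule.
    author = "example"
    description = "Joins a credential-access detection with a later exfiltration detection on the same host"
    severity = "High"
    tactic = "multi_stage"

  events:
    // Assumed field paths for detection inputs (collections).
    // Input 1: any detection whose source rule carries the meta label tactic = "credential_access".
    $d1.detection.detection.rule_labels["tactic"] = "credential_access"
    // Join key: the outcome variable "hostname" that the input rules are assumed to export.
    $d1.detection.detection.outcomes["hostname"] = $hostname

    // Input 2: any detection labeled tactic = "exfiltration" on the same host.
    $d2.detection.detection.rule_labels["tactic"] = "exfiltration"
    $d2.detection.detection.outcomes["hostname"] = $hostname

    // Stage ordering: exfiltration must be detected after credential access (assumed timestamp path).
    $d1.detection.detection_time.seconds < $d2.detection.detection_time.seconds

  match:
    // Detection-only rule: a 7-day window stays within the 14-day limit noted above.
    $hostname over 7d

  outcome:
    // Each rule allows at most 20 outcome variables; repeated values are capped at 25.
    $credential_access_rules = array_distinct($d1.detection.detection.rule_name)
    $exfiltration_rules = array_distinct($d2.detection.detection.rule_name)

  condition:
    $d1 and $d2
}
```

Because the rule reads only detections (no ingested events, entity graph data, or reference lists), the 48-hour window restriction does not apply.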

What's next

For information on how to build composite detection rules, see composite detection rules.
