Detection limits
Google Security Operations has the following limitations with regard to detections:
Each rule version has a limit of 10,000 detections per day. This limit resets at midnight UTC.
For example, if a rule version has produced 9,900 detections by 3 PM UTC on January 1, all with a detection time on January 1, it can generate only 100 more detections with a detection time on January 1. On January 2, the rule version can again generate up to 10,000 detections for that day.
Updating the rule creates a new rule version whose limit starts fresh, so the rule can again generate 10,000 detections on that same day.
Continuing the example: if the rule is updated at 4 PM UTC on January 1, the new rule version can generate 10,000 detections with a detection time on January 1 until the end of that day, and on January 2 it can again generate 10,000 detections for that day.
Running a retrohunt after updating a reference list neither resets the existing detection limit nor raises it; retrohunt detections count against the same per-version daily limit. If that limit has already been reached, the retrohunt generates no new detections.
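The counting rules above (one counter per rule version per UTC day, keyed on detection time; a rule edit yields a new version with a fresh counter; a retrohunt shares the counter) are easy to get wrong when sizing noisy rules. The following model replays a set of detection records against the cap so you can see which ones are dropped and how much headroom each version has left. It is an added example, not Google SecOps code: the record fields (rule_version_id, detection_time, source) and the scaled-down cap used in the sample are assumptions for the illustration, and the sample records are constructed.

```python
"""Model of the per-rule-version daily detection cap (added example, not SecOps code).

Assumptions: each detection record is a dict with rule_version_id, detection_time
(ISO-8601) and source ('live' or 'retrohunt'); the field names are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timezone

DAILY_CAP = 10_000  # detections per rule version per UTC day, as documented


def utc_day(detection_time: str) -> str:
    """Return the UTC calendar date (YYYY-MM-DD) a detection counts against.

    The limit is keyed on the detection's detection time in UTC, so a timestamp
    carrying a non-UTC offset must be converted before the day is taken.
    """
    ts = datetime.fromisoformat(detection_time)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)  # assumption: naive timestamps are UTC
    return ts.astimezone(timezone.utc).date().isoformat()


def apply_cap(events, cap=DAILY_CAP):
    """Replay detection records in order; return (accepted, dropped).

    A rule edit produces a new rule_version_id and therefore a new counter.
    A retrohunt record uses the same counter as live detections: it neither
    resets nor extends the limit, so once the cap is hit it is dropped too.
    """
    used = defaultdict(int)
    accepted, dropped = [], []
    for ev in events:
        key = (ev["rule_version_id"], utc_day(ev["detection_time"]))
        if used[key] < cap:
            used[key] += 1
            accepted.append(ev)
        else:
            dropped.append(ev)
    return accepted, dropped


def quota_report(events, cap=DAILY_CAP):
    """Per (rule_version_id, UTC day): detections counted and remaining headroom."""
    accepted, _ = apply_cap(events, cap)
    counts = defaultdict(int)
    for ev in accepted:
        counts[(ev["rule_version_id"], utc_day(ev["detection_time"]))] += 1
    return {k: {"used": v, "remaining": cap - v} for k, v in counts.items()}


def _make(version, time, n, source="live"):
    return [{"rule_version_id": version, "detection_time": time, "source": source}
            for _ in range(n)]


# Constructed sample mirroring the page's scenario, scaled to cap=100 for readability.
SAMPLE = (
    _make("rule_v1", "2024-01-01T15:00:00+00:00", 99)                # 99 by 3 PM UTC
    + _make("rule_v1", "2024-01-01T16:30:00+00:00", 5)               # 1 accepted, 4 dropped
    + _make("rule_v1", "2024-01-01T18:00:00+00:00", 3, "retrohunt")  # cap reached: all dropped
    + _make("rule_v1", "2024-01-01T20:00:00-05:00", 2)               # 01:00 UTC Jan 2: new day
    + _make("rule_v2", "2024-01-01T16:00:00+00:00", 100)             # edited rule: fresh counter
    + _make("rule_v2", "2024-01-01T23:00:00+00:00", 1, "retrohunt")  # v2 cap reached: dropped
)

if __name__ == "__main__":
    acc, drp = apply_cap(SAMPLE, cap=100)
    print(f"accepted={len(acc)} dropped={len(drp)}")
    for key, q in sorted(quota_report(SAMPLE, cap=100).items()):
        print(key, q)
```

Two details matter in practice: the day boundary is taken from the detection time converted to UTC, not from the local time at which you look at the rule, and an edit counts as a reset only because it produces a new rule version; the old version's exhausted counter stays exhausted.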
Retrohunts limitations:
- Maximum of 10 concurrent retrohunt jobs per user.
- Each job can include up to 300 YARA-L rules.
- The combined text size of all rules must not exceed 1 MB.