Overview of composite detections
This document introduces composite detections and how they can enhance threat detection workflows by correlating outputs from multiple rules.
Composite detections use composite rules, which consume outputs (detections) from other rules (in whole or in part)—combined with events, metrics, or entity risk signals. These rules detect complex, multistage threats that individual rules can miss.
Composite detections can help analyze events through defined rule interactions and triggers. This improves accuracy, reduces false positives, and provides a comprehensive view of security threats by correlating data from different sources and attack stages.
The following concepts define the building blocks of composite rules and help clarify how they function within detection workflows:
Composite rules: use detections or alerts as input, along with optional events,
metrics, or entity risk. These rules must always have a match section and can
reference meta fields, match labels, and outcome variables from input rules.
Detection: the result of a rule. Can also be referred to as an alert.
Detection-only rules: composite rules that use only detections or alerts as inputs. These rules don't contribute to entity's risk score. Any risk score that is set for a detection-only rule applies only to the detections it generates.
Benefits of composite detection
Composite detections have the following benefits:
Unmask multi-stage attacks: Cyberattacks are often multifaceted and interconnected. Composite detection reveals the broader attack narrative by linking seemingly isolated incidents. For example, composite detections can identify the full sequence of an attack, such as an initial breach, followed by privilege escalation and data exfiltration.
Tame alert fatigue: Composite rules consolidate and filter noisy alerts, enabling a more focused response. This approach helps prioritize high-impact incidents and reduce overall alert fatigue.
Enhance detection accuracy: Combine insights from Unified Data Model (UDM) events, rule detections, entity context, User and Entity Behavior Analytics (UEBA) findings, and data tables to build more accurate detection logic.
Streamline complex logic: Break down complex detection scenarios into manageable, interconnected, and reusable rules to simplify development and maintenance.
Input source for composite rules
Composite rules ingest data from collections as the input type, which store outputs of previously run rules.
Limitations
When designing and implementing composite detections, consider the following limitations:
Composite rules—Google Security Operations supports a maximum depth of 10 for composite rules. Depth is the number of rules from a base rule to the final composite rule.
Detection-only rules—Have a maximum match window of 14 days. However, the following apply:
- If the rule uses ingested events, entity graph data, or reference lists, the match window is limited to 48 hours.
- Detection-only rules are subject to a daily detection limit of 10,000 detections per rule.
Outcome variables—Each rule is limited to a maximum of 20 outcome variables. Additionally, each repeated outcome variable is limited to 25 values.
Event samples—Only 10 event samples are stored per event variable in a rule (for example, 10 for
$e1and 10 for$e2).
For more information on detection limits, see Detection limits.
How composite detections work
When single-event or multi-event rules meet predefined conditions, they generate detections. These detections can optionally include outcome variables, which capture specific data or event states.
Composite rules use these detections from other rules as part of their inputs. The evaluation can be based on the following factors of the rules that initially generate the detections:
- Content defined in the
metasection of the rule - State or data attribute set by the rules in outcome variables
- Fields from the original detection
Based on this evaluation, composite rules can trigger alerts and record new state information. This helps correlate multiple factors from different detections to identify complex threats.
See composite rules syntax and examples for more information.
Best practices
We recommend the following practices for building composite rules.
Optimize for latency
For minimal latency in detection pipelines, start a rule sequence with a single-event rule, followed by composite rules. Single-event rules have higher execution speed and frequency than multi-event rules, which helps reduce the overall latency for composite rules.
Use outcome variables, meta labels, and match variables
We recommend using outcome variables, meta labels, and match variables to join
detections in composite rules. These methods offer the following advantages over
using event samples or references from input detections:
Improved reliability—Provide more deterministic and reliable results, especially when detections involve many contributing events.
Structured data extraction—Enable you to extract specific fields and data points from the events to help create a structured system for organizing event data.
Flexible correlation—
metalabels let you categorize rules, and consequently, the detections generated from them, for more flexible joining of detections. For example, if several rules share the samemetalabeltactic: exfiltration, you can have a composite rule that targets any detection where thetacticlabel has the valueexfiltration.
Test or run a retrohunt
When you test or retrohunt a composite rule, the system runs only the specific rule you select, using existing detections. To run the entire composite, you need to manually start a retrohunt from the first rule in the sequence, wait for it to finish, and then continue with the next rule.
Update rules
When you update a rule that is used in one or more composite rules, the system automatically creates a new version of the rule. Composite rules automatically use the new version. We recommend testing the updated rules to verify their intended behavior.
What's next
For information on how to build composite detection rules, see composite detection rules.
Need more help? Get answers from Community members and Google SecOps professionals.