Service limits
This page provides details on the limits that apply to Google Security Operations. You can request API limit increases by contacting Cloud Customer Care.
API limits
The following APIs enforce limits on the volume of requests you can make against the Google Security Operations platform. Limits are measured in queries per second (QPS) or queries per hour (QPH).
API name | API method | Limit |
---|---|---|
Search API | List Alerts | 1 QPS |
Search API | ListEvents | 1 QPS |
Search API | ListIocs | 1 QPS |
Search API | ListIocDetails | 1 QPS |
Search API | ListAssets | 5 QPS |
Search API | ListAssetAliases | 1 QPS |
Search API | ListUserAliases | 1 QPS |
Search API | udmSearch | 360 QPH |
Search API | GetLog | 60 QPS |
Search API | GetEvent | 60 QPS |
Feed management | Create Feed | 1 QPS |
Feed management | Get Feed | 1 QPS |
Feed management | List Feeds | 1 QPS |
Feed management | Update Feed | 1 QPS |
Feed management | Delete Feed | 1 QPS |
Forwarder management | Create Forwarder | 1 QPS |
Forwarder management | Get Forwarder | 1 QPS |
Forwarder management | List Forwarders | 1 QPS |
Forwarder management | Update Forwarder | 1 QPS |
Forwarder management | Delete Forwarder | 1 QPS |
Collector management | Create Collector | 1 QPS |
Collector management | Get Collector | 1 QPS |
Collector management | List Collectors | 1 QPS |
Collector management | Update Collector | 1 QPS |
Collector management | Delete Collector | 1 QPS |
BigQuery Access | Update BigQuery Access | 4 QPS |
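As an added example (not Google's code and not part of this page), the following client-side sliding-window throttle keeps a script's calls within the per-method limits in the table above, so that a bulk export or enrichment job does not trip the QPS or QPH caps. The `LIMITS` dictionary copies the table; the method names are only dictionary keys chosen to mirror it, the throttle never calls the API itself, and the `SlidingWindowThrottle` class and its method names are assumptions of this example.

```python
"""Client-side throttle for the per-method API limits listed above.

Added example, not Google's code. LIMITS copies the table on this page as
(max_calls, window_seconds); the limiter is a generic sliding window.
"""
from collections import deque
import time

LIMITS = {
    "ListAlerts": (1, 1),
    "ListEvents": (1, 1),
    "ListIocs": (1, 1),
    "ListIocDetails": (1, 1),
    "ListAssets": (5, 1),
    "ListAssetAliases": (1, 1),
    "ListUserAliases": (1, 1),
    "udmSearch": (360, 3600),  # 360 QPH: 360 calls per 3600-second window
    "GetLog": (60, 1),
    "GetEvent": (60, 1),
    "UpdateBigQueryAccess": (4, 1),
}
# Every feed, forwarder and collector management method is 1 QPS.
for _singular, _plural in (("Feed", "Feeds"), ("Forwarder", "Forwarders"),
                           ("Collector", "Collectors")):
    for _verb in ("Create", "Get", "Update", "Delete"):
        LIMITS[f"{_verb}{_singular}"] = (1, 1)
    LIMITS[f"List{_plural}"] = (1, 1)


class SlidingWindowThrottle:
    """Tracks call timestamps per method and refuses calls beyond the window."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self._calls = {method: deque() for method in limits}

    def _prune(self, method, now):
        # Drop timestamps that have aged out of the method's window.
        _, window = self.limits[method]
        calls = self._calls[method]
        while calls and now - calls[0] >= window:
            calls.popleft()

    def try_acquire(self, method, now=None):
        """Record a call if it fits inside the window; return True on success."""
        if method not in self.limits:
            raise KeyError(f"no published limit for {method}")
        now = time.monotonic() if now is None else now
        self._prune(method, now)
        max_calls, _ = self.limits[method]
        if len(self._calls[method]) >= max_calls:
            return False
        self._calls[method].append(now)
        return True

    def seconds_until_allowed(self, method, now=None):
        """How long the caller should sleep before try_acquire can succeed."""
        now = time.monotonic() if now is None else now
        self._prune(method, now)
        max_calls, window = self.limits[method]
        calls = self._calls[method]
        if len(calls) < max_calls:
            return 0.0
        return calls[0] + window - now


if __name__ == "__main__":
    throttle = SlidingWindowThrottle()
    # Pace a loop of GetLog calls at the published 60 QPS.
    for _ in range(5):
        wait = throttle.seconds_until_allowed("GetLog")
        if wait > 0:
            time.sleep(wait)
        throttle.try_acquire("GetLog")
    print("paced 5 GetLog calls within the 60 QPS window")
```

The `now` parameter exists so the limiter can be exercised with synthetic timestamps; in a real client you would leave it unset and wrap each API call with `seconds_until_allowed` followed by `try_acquire`.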
Data table limits
- Maximum number of data tables for a Google SecOps account: 1,000.
- Only the `CSV` file type is supported for uploads.
- The limits on the number of `in` statements when referencing a reference list in a query also apply to `in` statements in a data table.
- Maximum number of `in` statements in a query: 10.
- Maximum number of `in` statements in a query for `String` and `Number` data type columns: 7.
- Maximum number of `in` statements with regular expression operators: 4.
- Maximum number of `in` statements with CIDR operators: 2.
- Maximum columns per data table: 1,000.
- Maximum rows per data table: 10 million.
- Maximum aggregate data volume across data tables in an account: 1 TB.
- Maximum number of data table rows displayed in the web page in text and table editor view: 10,000 rows.
- Maximum number of rows when uploading a file to a new data table in the web page: 10,000 rows.
- Maximum file upload size for data table creation from the API: 1 GB.
- Placeholders aren't allowed in the setup section.
- Unmapped columns of a data table with data type set to `string` can only be joined with string fields of a UDM event or UDM entity.
- Use only unmapped columns in a data table with a data type set to `cidr` or `regex` for CIDR or regular expression matching.
- Data table lookups: regular expression wildcards aren't supported, and search terms are limited to 100 characters.
Joins
Fetching all event samples for detections isn't supported when using data table joins with events.
Unlike entities and UDM, data tables don't support placeholders. This means you can't:

- Apply one set of filters to a data table and join it with a UDM entity.
- Apply a different set of filters to the same data table while joining it with another UDM placeholder.

For example, consider a data table named `dt` with three columns, `my_hostname`, `org`, and `my_email`, and the following rule:

```
events:
  $e1.principal.hostname = %dt.my_hostname
  %dt.org = "hr"
  $e2.principal.email = %dt.my_email
  %dt.org != "hr"
```

All filters on a data table are applied first, and then the filtered rows from the data table are joined with UDM. In this case, the contradictory filters (`%dt.org = "hr"` and `%dt.org != "hr"`) on the `dt` table result in an empty data table, which is then joined with both `e1` and `e2`.
Use data tables with rules
The following limitations apply to data tables when used with rules.
Run frequency
Real-time run frequency isn't supported for rules with data tables.
Output to data tables
- `any` and `all` modifiers aren't supported for repeated field columns in data tables.
- Array indexing isn't supported for repeated field columns in data tables.
- You can only export outcome variables to a data table. You can't export event paths or data table columns directly.
- Column lists must include the primary key columns of the data table.
- You can have a maximum of 20 outcomes.
- If a data table doesn't exist, a new table is created with the default `string` data type for all columns, following the order specified.
- Only one rule can write to a data table at a time. If a rule tries to write to a data table that another rule is already writing to, rule compilation fails.
- There's no guarantee that a producer rule adds rows to a data table before a consumer rule for that data table starts.
- A single rule has a limit on the number of outcome rows: a maximum of 10,000 rows applies over the result and persisted data and to data tables.
- If a row with the same primary key already exists in the data table, its non-primary key columns are replaced with the new values.
Entity enrichment from data tables
- You can apply only one enrichment operation (either `override`, `append`, or `exclude`) to a single entity graph variable.
- Each enrichment operation can use only one data table.
- You can define a maximum of two enrichment operations of any type in the `setup` section of a YARA-L rule.

In the following example, an `override` operation is applied to the entity graph variable `$g1` and an `append` operation is applied to the entity graph variable `$g2`.

```
setup:
  graph_override($g1.graph.entity.user.userid = %table1.myids)
  graph_append [$g2, %table1]
```

In the preceding example, the same data table (`table1`) is used to enrich different entity graphs. You can also use different data tables to enrich the different entity graphs, as follows:

```
setup:
  graph_override($g1.graph.entity.user.userid = %table1.myids)
  graph_append [$g2, %table2]
```
Use data tables with Search
The following limitations apply to data tables when used with Search.
- You can't run search queries on data tables using the Chronicle API. Queries are only supported through the web interface.
- A single query execution can output a maximum of 1 million rows or 1 GB to a data table, whichever limit comes first.
- Search output to a data table skips event rows if they exceed 5 MB.
- Entity enrichment is not supported with Search.
- Data tables are not supported for customer-managed encryption keys (CMEK) users.
- Writes are limited to 6 per minute per customer.
- API support is not available for Search-related data table operations.
- Statistics queries aren't supported with data table joins.
- Data tables and data table joins are only supported with UDM events, and not with entities.

  Supported:

  ```
  %datatable1.column1 = %datatable2.column1
  ```

  Not supported:

  ```
  graph.entity.hostname = %sample.test
  ```

- You can't include a `match` variable in the `export` section of a statistics query. For example, the following is not supported:

  ```
  match:
    principal.hostname
  export:
    %sample.write_row(
      row: principal.hostname
    )
  ```
Reference list limits
A reference list is a generic list of values which can be used to analyze your data. For more information, see Reference lists.
String lists
String lists have the following limits:
- Maximum list size: 6MB
- Maximum length of any single list content line: 5000 characters
Regular expression lists
Regular expression lists have the following size limits:
- Maximum list size: 0.1MB
- Maximum number of lines: 100
- Maximum length of each content line: 5000 characters
CIDR lists
CIDR lists have the following size limits:
- Maximum list size: 0.1MB
- Maximum number of lines: 150
- Maximum length of each content line: 5000 characters
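As an added example (not Google's code and not part of this page), the following pre-upload check applies the string, regular expression and CIDR list limits above to a list's content before it is submitted, and additionally confirms that each regex entry compiles and each CIDR entry parses. The size caps and line limits are the page's; reading "MB" as 10^6 bytes, ignoring blank lines, and accepting CIDR entries with host bits set (`strict=False`) are assumptions of this example, as are the function names.

```python
"""Pre-upload validation of reference lists against the limits listed above.

Added example, not Google's code. LIST_LIMITS copies the page's caps; the
byte interpretation of "MB", blank-line handling and the CIDR parsing rule
are assumptions of this example.
"""
import ipaddress
import re

MB = 1_000_000  # assumption: the page's "MB" read as 10^6 bytes
MAX_LINE_CHARS = 5000  # applies to every list type on the page

# (max bytes, max lines or None for unlimited) per list type, from the page.
LIST_LIMITS = {
    "string": (6 * MB, None),
    "regex": (int(0.1 * MB), 100),
    "cidr": (int(0.1 * MB), 150),
}


def _check_entry(kind, line):
    """Return an error message for one content line, or None if it is fine."""
    if len(line) > MAX_LINE_CHARS:
        return f"line exceeds {MAX_LINE_CHARS} characters"
    if kind == "regex":
        try:
            re.compile(line)
        except re.error as exc:
            return f"invalid regular expression: {exc}"
    elif kind == "cidr":
        try:
            # strict=False accepts both single addresses and ranges with host bits set.
            ipaddress.ip_network(line, strict=False)
        except ValueError as exc:
            return f"invalid CIDR: {exc}"
    return None


def validate_reference_list(kind, content):
    """Return a list of (line_number, message) problems; an empty list means OK.

    Line number 0 marks a whole-list problem (total size or line count).
    """
    if kind not in LIST_LIMITS:
        raise ValueError(f"unknown list type {kind!r}")
    max_bytes, max_lines = LIST_LIMITS[kind]
    problems = []
    size = len(content.encode("utf-8"))
    if size > max_bytes:
        problems.append((0, f"list is {size} bytes, limit is {max_bytes}"))
    # Assumption: blank lines carry no entry and are not counted.
    lines = [line for line in content.splitlines() if line.strip()]
    if max_lines is not None and len(lines) > max_lines:
        problems.append((0, f"{len(lines)} lines, limit is {max_lines}"))
    for number, line in enumerate(lines, start=1):
        error = _check_entry(kind, line)
        if error:
            problems.append((number, error))
    return problems


# Constructed sample lists; the third CIDR and second regex are deliberately bad.
SAMPLE_CIDR = "10.0.0.0/8\n192.168.1.0/24\n203.0.113.300/24\n"
SAMPLE_REGEX = ".*\\.example\\.test$\n(unclosed\n"

if __name__ == "__main__":
    for kind, content in (("cidr", SAMPLE_CIDR), ("regex", SAMPLE_REGEX)):
        for number, message in validate_reference_list(kind, content):
            print(f"{kind} list, line {number}: {message}")
```

Running the check in a CI step before a list is pushed catches an oversized or malformed list locally rather than at upload time, and the line numbers in the report point straight at the offending entry.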
Ingestion rate
When the data ingestion rate for a tenant reaches a certain threshold, Google Security Operations dynamically adjusts the ingestion rate to ensure availability for new data feeds. The ingestion volume and the tenant's usage history determine the threshold. For information on the volume of data that a single customer can ingest into Google SecOps, see Burst limits.
Dashboard search limit
In search, the quota is per user per hour but for dashboards it is per Google SecOps instance. For more information about dashboards, see Dashboards.