Detection limits

Chronicle has the following limitations with regard to detections:

  • Each rule version has a limit of 10,000 detections per day. This limit resets at midnight UTC.

    For example, if a rule version produced 9900 detections by 3PM UTC on January 1 and all of these detections have a detection time on January 1, it will only generate 100 more detections that have a detection time on January 1. On January 2, the rule version can generate 10,000 new detections for that day.

  • If the rule version is updated, the limit is reset and the rule can again generate 10,000 detections in that same day.

    For example, if a rule version produced 9900 detections by 3PM UTC on January 1 and all of these detections have a detection time on January 1, it will only generate 100 more detections that have a detection time on January 1. If the rule version is updated at 4PM on January 1, the updated rule version can generate 10,000 detections that have a detection time on January 1 until the end of that day. On January 2, the rule version can generate 10,000 new detections for that day.

  • Running a retrohunt after changing the reference list doesn't reset the existing detection limits and will not generate new detections if the rule version has already reached the limit.
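The three rules above are easier to reason about as a small accounting model. The following is an added example, not Chronicle's own code: it keeps one counter per (rule id, rule version, UTC date of the detection time), so that a new UTC day or a new rule version starts a fresh counter while a retrohunt under the same version draws from the same one. The year, the rule id and the size of the retrohunt are constructed for the example; the limit of 10,000 per rule version per day is the one stated on this page.

```python
from collections import defaultdict
from datetime import datetime, timezone

DAILY_LIMIT = 10_000  # detections per rule version per UTC day, as stated on the page


def utc_day(detection_time: datetime) -> str:
    """UTC date that a detection time falls on (the limit resets at midnight UTC).

    Naive timestamps are rejected rather than silently treated as local time,
    because a wrong bucket is exactly the mistake this model is meant to avoid.
    """
    if detection_time.tzinfo is None:
        raise ValueError("detection_time must be timezone-aware")
    return detection_time.astimezone(timezone.utc).date().isoformat()


class DetectionQuota:
    """Model of the per-rule-version daily detection limit described above."""

    def __init__(self, limit: int = DAILY_LIMIT):
        self.limit = limit
        # (rule_id, version, utc_date) -> number of detections admitted so far
        self._counts = defaultdict(int)

    def _key(self, rule_id: str, version: int, detection_time: datetime):
        return (rule_id, version, utc_day(detection_time))

    def remaining(self, rule_id: str, version: int, detection_time: datetime) -> int:
        """Detections this rule version may still produce for that UTC day."""
        return max(0, self.limit - self._counts[self._key(rule_id, version, detection_time)])

    def admit(self, rule_id: str, version: int, detection_time: datetime) -> bool:
        """Record the detection and return True, or return False (no detection
        generated) if the rule version already hit its limit for that UTC day."""
        key = self._key(rule_id, version, detection_time)
        if self._counts[key] >= self.limit:
            return False
        self._counts[key] += 1
        return True


def walk_through_example(limit: int = DAILY_LIMIT) -> dict:
    """Replay the scenario from the page. Year, rule id and retrohunt size are constructed."""
    quota = DetectionQuota(limit)
    rule = "example_rule"  # constructed identifier
    jan1_3pm = datetime(2024, 1, 1, 15, 0, tzinfo=timezone.utc)
    jan1_4pm = datetime(2024, 1, 1, 16, 0, tzinfo=timezone.utc)
    jan2 = datetime(2024, 1, 2, 9, 0, tzinfo=timezone.utc)

    # Version 1 produces all but 100 of its allowance by 3PM UTC on January 1.
    produced = sum(quota.admit(rule, 1, jan1_3pm) for _ in range(limit - 100))
    left_after_3pm = quota.remaining(rule, 1, jan1_3pm)

    # A retrohunt after a reference list change runs under the same version, so
    # it can only use the remaining 100; the rest are simply not generated.
    retrohunt_admitted = sum(quota.admit(rule, 1, jan1_3pm) for _ in range(500))
    left_after_retrohunt = quota.remaining(rule, 1, jan1_3pm)

    # Updating the rule at 4PM yields version 2 with a fresh counter for the same
    # day; a new UTC day gives version 1 a fresh counter as well.
    return {
        "produced_v1_jan1": produced,
        "left_v1_jan1_after_3pm": left_after_3pm,
        "retrohunt_admitted": retrohunt_admitted,
        "left_v1_jan1_after_retrohunt": left_after_retrohunt,
        "left_v2_jan1_after_update": quota.remaining(rule, 2, jan1_4pm),
        "left_v1_jan2": quota.remaining(rule, 1, jan2),
    }


if __name__ == "__main__":
    for name, value in walk_through_example().items():
        print(f"{name}: {value}")
```

The model deliberately buckets on the detection time rather than on the moment the detection was produced, which is the distinction the page's examples draw; when auditing rule noise, the practical check is `remaining()` for the current version and UTC day, since a rule that sits at zero will silently produce nothing until midnight UTC or until it is updated.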