Chronicle Rules Capacity

Overview

Chronicle Rules (also called curated detections) are rule sets created by Google Cloud Threat Intelligence (GCTI) that are used by Chronicle customers. The Chronicle Rules capacity limits how many rule sets can be enabled at any given time in a Chronicle account.

Each rule set has a capacity value assigned to it. When any rules (Precise rules, Broad rules, or both) are enabled for a rule set, the rule set's full capacity is met and counted toward the Chronicle Rules capacity. Additional rule sets can't be enabled when an account has reached its Chronicle Rules capacity. The default Chronicle Rules capacity for a Chronicle account is 150.

Chronicle Rules capacity is not a simple count of enabled rule sets; it is consumed by the weight assigned to each rule set. The weight of a rule set is based on its complexity: more complex rule sets have a higher weight. The weight is also affected by the number of events that the rule set processes: rule sets that process more events have a higher weight.

The sum of the weights of all enabled rule sets must not exceed 150. You cannot enable a rule set if doing so would cause the sum of the enabled rule sets' weights to exceed 150. To view the weight of each rule set in the console, go to Detection > Rules & Detections.

If you exceed the capacity for curated rules, you can continue to run the existing rules, but you cannot create new rules. If you want a higher capacity, contact your Chronicle account team.

View capacity details

The Rule Sets tab on the Curated Detections page displays a Capacity column and a Curated Detections Capacity button (top-right).

The capacity value for a rule set represents the full capacity of the rule set. The rule set's full capacity is met if the rule set is enabled. A rule set is considered enabled when its Precise rules, Broad rules, or both, are enabled; there is no partial charge for enabling only one rule type. When a rule set's capacity is met, the capacity is counted toward the Chronicle rules capacity for the Chronicle account. For example, if rule set A's capacity of 8 is met, and rule set B's capacity of 7 is met, then 15 is counted toward the total Chronicle rules capacity. If the Chronicle rules capacity is 150, then the used capacity is 15/150. To view the Chronicle rules capacity for the account, click the Curated Detections Capacity status button. When the Chronicle rules capacity is met, additional rule sets can't be enabled.

Check capacity before enabling all rule sets

You can enable all rules across all rule sets. However, this action requires that your account's curated detections capacity is large enough to hold every rule set at once. Before you do this, check the capacity of each rule set and confirm that their combined capacity when enabled won't exceed the total available Chronicle rules capacity; see View capacity details above for where to find these values.

To enable all rule sets:

  1. Click the Quick Actions pull-down menu.

  2. Select Set up recommended rule settings.

  3. Click Enable all rules across all rule sets.

  4. Confirm your capacity usage by clicking the Chronicle Rules Capacity button (top-right).
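The capacity accounting described above (full weight charged as soon as Precise or Broad rules are on, no rule set enabled past the account limit) and the pre-check before enabling all rule sets can be modelled in a few lines. The following Python is an added example written for this page, not Chronicle's own code or API; the rule set names, capacity values and the 150 account limit used as sample data are constructed to mirror the example in the text (rule set A = 8, rule set B = 7) and do not come from a real account.

```python
from dataclasses import dataclass

# Default account-wide limit stated on the page.
DEFAULT_CAPACITY = 150


@dataclass
class RuleSet:
    """One curated rule set and the enablement state of its two rule types."""
    name: str
    capacity: int                 # weight assigned by GCTI, shown in the Capacity column
    precise_enabled: bool = False
    broad_enabled: bool = False

    @property
    def enabled(self) -> bool:
        # A rule set is "enabled" when ANY of its rules are on. It then counts
        # its full capacity value; enabling only one rule type is not cheaper.
        return self.precise_enabled or self.broad_enabled


def used_capacity(rule_sets: list[RuleSet]) -> int:
    """Sum of the full weights of every enabled rule set."""
    return sum(rs.capacity for rs in rule_sets if rs.enabled)


def can_enable(rule_sets: list[RuleSet], target: RuleSet,
               total_capacity: int = DEFAULT_CAPACITY) -> bool:
    """True if turning on rules in `target` keeps the account within capacity."""
    if target.enabled:
        # Already charged; enabling the other rule type adds nothing.
        return True
    return used_capacity(rule_sets) + target.capacity <= total_capacity


def enable(rule_sets: list[RuleSet], target: RuleSet, *, precise: bool = True,
           broad: bool = False, total_capacity: int = DEFAULT_CAPACITY) -> int:
    """Enable the requested rule types, refusing if the account limit would be exceeded.

    Returns the used capacity after the change.
    """
    if not can_enable(rule_sets, target, total_capacity):
        raise ValueError(
            f"cannot enable {target.name}: {used_capacity(rule_sets)} + "
            f"{target.capacity} would exceed {total_capacity}"
        )
    target.precise_enabled = target.precise_enabled or precise
    target.broad_enabled = target.broad_enabled or broad
    return used_capacity(rule_sets)


def plan_enable_all(rule_sets: list[RuleSet],
                    total_capacity: int = DEFAULT_CAPACITY) -> dict:
    """Pre-flight check for 'Enable all rules across all rule sets'.

    Every rule set would be charged its full weight, so the requirement is
    simply the sum of all capacities, whether or not a set is on today.
    """
    required = sum(rs.capacity for rs in rule_sets)
    return {
        "required": required,
        "available": total_capacity,
        "fits": required <= total_capacity,
        "shortfall": max(0, required - total_capacity),
    }


# Constructed sample inventory (hypothetical names and weights, not real rule sets).
SAMPLE_RULE_SETS = [
    RuleSet("Rule set A", 8, precise_enabled=True),           # 8 counted
    RuleSet("Rule set B", 7, broad_enabled=True),             # 7 counted -> 15/150
    RuleSet("Rule set C", 5),                                 # disabled
    RuleSet("Rule set D", 140),                               # disabled, very heavy
]

if __name__ == "__main__":
    sets = [RuleSet(rs.name, rs.capacity, rs.precise_enabled, rs.broad_enabled)
            for rs in SAMPLE_RULE_SETS]
    print(f"used: {used_capacity(sets)}/{DEFAULT_CAPACITY}")
    print("can enable C:", can_enable(sets, sets[2]))
    print("can enable D:", can_enable(sets, sets[3]))
    print("enable-all plan:", plan_enable_all(sets))
```

Run it as a script to see the 15/150 figure from the page, that a 5-weight set still fits while a 140-weight set does not, and that "enable all" would need 160 and falls 10 short; `plan_enable_all` is the check to run before step 3 of the procedure above.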