Why Rule Count Is a Misleading KPI for SIEM

A CISO from a Fortune 2000 firm recently asked me about how many rules the New-Scale Security Operations Platform has. The question wasn’t surprising, but it felt outdated, like asking when I last defragged my PC. We’ve been reducing our rule count because we built more effective ways to detect threats, not because we detect less.

For years, rule count was a common measure of SIEM performance, with more rules supposedly meaning better coverage.  In reality, this approach often led to duplication, alert fatigue, and wasted effort. The industry is now moving from static signatures to heuristics and machine-learned detection. This same shift is happening in the SIEM, where behavioral analytics, adaptive risk scoring, and automated threat timelines are replacing an overreliance on rules.

Rules Still Matter, but Their Role Has Evolved

While rules are still important, their function has changed. This evolution drove us to build New-Scale Analytics with an updated user and entity behavioral analytics (UEBA) detection engine that includes Exabeam Nova, our embedded agentic AI system. The engine uses machine learning to detect threats, score risk, and adapt to the environment it protects.

Instead of maximizing volume, it prioritizes precision. A smaller number of rules now covers broader scenarios, delivering high-fidelity detections with less noise. For example, where a previous system might require separate rules for each cloud provider, New-Scale Analytics can model behavior across all cloud environments with a single rule, simplifying detection and expanding coverage.

From 1,100 Rules to Smarter Detection

To illustrate the change:

• Our previous system relied on more than 1,100 anomaly detection rules.
• New-Scale Analytics achieves comparable MITRE ATT&CK^® coverage with just 342 anomaly rules.
• It uses 395 fact-based rules, down from 681.

The difference is machine learning. New-Scale Analytics evaluates how rules perform in your environment, scoring events based on patterns and context. It builds behavioral baselines at the entity level, not just usernames or fields, so it can distinguish normal activity from high-risk anomalies. That reduces false positives and gives analysts clearer, more actionable insight.

Less Tuning, More Responding

This shift reduces the operational load on security teams. With fewer rules to maintain, analysts spend less time tuning and more time on investigation and response. Automated threat timelines, adaptive risk scoring, and behavioral baselines focus attention on the highest-priority events, not a deluge of low-value alerts. The result is more efficiency, faster response, and sustained detection coverage.

How to Tell if Your SIEM Is Doing Its Job

If rule count isn’t the right KPI, what is? More meaningful metrics include ATT&CK coverage, analyst investigation time, alert fidelity, and how quickly a team can detect and respond to threats. These are the outcomes that define an effective SIEM today.

The way we think about detection has evolved, and so should the way we measure it. New-Scale Analytics was built for this reality. It’s not about how many rules exist. It’s about how effectively they help you stay ahead of threats. So, the next time you hear a vendor boasting about the size of their rule set, ask them whether those rules actually improve detection, reduce noise, and speed up response.

See the Difference for Yourself

New-Scale Analytics is the insider threat detection engine within New-Scale Fusion, and it can also run on top of your existing SIEM to raise detection quality. Customers have reduced alerts by up to 60%, investigation time by 80%, and incident response time by 50%. These gains translate directly to stronger security operations. Request a demo to see how New-Scale Analytics can augment your current SIEM or whether New-Scale Fusion is the right fit for your organization.

Move Beyond Static Rules

Ready to see how modern threat detection moves beyond simplistic rule counts? Download our white paper, “Breaking the Rules: When Static Detection Logic Reaches Its Limits, What’s Next?” to learn how behavioral analytics can help you detect complex threats and focus on the incidents that pose real risk.