Skip to main content

Hi,

I’m trying to create a Chronicle rule that identifies when the total number of error responses (400 or 500) across my environment is significantly higher than the number of successful responses (200) within a one-week period.

Specifically, I want to trigger a detection if the total number of 400/500 responses during the week is at least twice the number of 200 responses — not necessarily from the same IP address.

Is it possible to implement this kind of comparison between two response code groups in a single Chronicle rule, and how would you implement this?

Also, is it necessarily possible to write Chronicle rules that check over a one-week time window, or are rules limited to 24-hour periods?

Thank you!

 

 

Hi ​@Roni11,

 

The match statement for rules were recently changed, an increase from a maximum of 2 days, to 14 days[1]. Although, this is not reflected in the official documentation related to match statements [2].

 

[1] - https://cloud.google.com/chronicle/docs/secops/release-notes#September_03_2025

[2] - Match section syntax  |  Google Security Operations  |  Google Cloud Documentation

 

Kind Regards,

Ayman

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.