Hi,
I’m trying to create a detection rule in Chronicle that identifies cases where too many requests are sent to an external load balancer — specifically, more than 10,000 requests from the same IP within one day, where the response status is 400 or 500.
This is the rule I wrote:
rule too_many_requests_to_external_lb {
  meta:
    severity = "HIGH"
    platform = "Chronicle"

  events:
    // Network connection events that carry a source IP.
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.principal.ip = $ip
    // Only client (400) or server (500) error responses.
    ($e.network.http.response_code = 400 or $e.network.http.response_code = 500)

  match:
    // Group matching events by source IP within a 24-hour window.
    $ip over 24h

  outcome:
    $http_method = array_distinct($e.network.http.method)
    $rule_name = array_distinct($e.security_result.rule_name)
    $remote_ip = array($ip)

  condition:
    // Fire when a window holds at least 10,000 matching events.
    #e >= 10000
}
According to my Cloud Logging data, I know exactly when such an event occurred, so I used those timestamps to run Rule Test.
I expected to get a detection with around 10,000 events, but instead I always get 1 detection with only 10 events.
I would like to understand why the detection shows only 10 events — is Chronicle only displaying a sample of events, or is the rule logic not aggregating them correctly?
Any clarification on how to handle this threshold and grouping behavior would be appreciated.
Thank you!
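Added example, not part of the post above and not Chronicle's own code: a small offline model of the rule's events / match / condition sections, run over constructed UDM-shaped records, so the expected per-IP count in a 24h window can be computed independently before comparing it with what Rule Test reports. The field names are flattened stand-ins for the UDM paths in the rule, the sliding 24h window is an assumption that approximates rather than reproduces Detection Engine's match-window semantics, and every event in it is constructed.

```python
# Added example, not code from the post: an offline model of the rule's
# events / match / condition sections run over constructed records.
# Field names are flattened stand-ins for the UDM paths used in the rule
# (principal.ip, network.http.response_code, ...). The sliding 24h window
# is an assumption: it approximates, but need not equal, Detection Engine's
# match-window semantics. All event data below are constructed.
from collections import defaultdict
from typing import Dict, List, Tuple

WINDOW_SECONDS = 24 * 60 * 60   # match: $ip over 24h
THRESHOLD = 10_000              # condition: #e >= 10000


def matches_events_section(e: dict) -> bool:
    """Mirror of the rule's events: section (event type, IP present, 400/500)."""
    return (
        e.get("event_type") == "NETWORK_CONNECTION"
        and e.get("principal_ip") is not None
        and e.get("response_code") in (400, 500)
    )


def group_matching_by_ip(events: List[dict]) -> Dict[str, List[dict]]:
    """Apply the events: filter, then bucket the survivors by $ip (principal.ip)."""
    groups: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        if matches_events_section(e):
            groups[e["principal_ip"]].append(e)
    return groups


def busiest_window(timestamps: List[int]) -> Tuple[int, int, int]:
    """Return (count, start, end) for the half-open 24h window [start, start+24h)
    holding the most timestamps. Two-pointer sweep over the sorted list."""
    ts = sorted(timestamps)
    best = (0, 0, 0)
    left = 0
    for right, t in enumerate(ts):
        while t - ts[left] >= WINDOW_SECONDS:
            left += 1
        count = right - left + 1
        if count > best[0]:
            best = (count, ts[left], t)
    return best


def evaluate_rule(events: List[dict]) -> List[dict]:
    """Emit one detection per $ip whose busiest 24h window meets the threshold,
    with the outcome: arrays computed over the events inside that window."""
    detections = []
    for ip, evs in group_matching_by_ip(events).items():
        count, start, end = busiest_window([e["timestamp"] for e in evs])
        if count < THRESHOLD:
            continue
        in_window = [e for e in evs if start <= e["timestamp"] <= end]
        detections.append({
            "remote_ip": [ip],                                          # array($ip)
            "event_count": count,                                       # #e
            "window": (start, end),
            "http_method": sorted({e["method"] for e in in_window}),    # array_distinct
            "rule_name": sorted({e["rule_name"] for e in in_window}),   # array_distinct
        })
    return detections


def build_sample_events() -> List[dict]:
    """Constructed data: one noisy client, one steady client whose errors are
    spread over ~47h, and one quiet client."""
    base = 1_700_000_000  # arbitrary epoch seconds (constructed)
    events: List[dict] = []

    def add(ip, offset, code, method="GET", etype="NETWORK_CONNECTION"):
        events.append({
            "event_type": etype, "principal_ip": ip, "timestamp": base + offset,
            "response_code": code, "method": method, "rule_name": "lb-error-response",
        })

    # 203.0.113.7: 12,000 errors within ~6h -> must fire.
    for i in range(12_000):
        add("203.0.113.7", (i * 18) // 10, 400 if i % 3 else 500,
            "POST" if i % 5 == 0 else "GET")
    # 198.51.100.5: 10,000 errors, one every 17s over ~47h -> 10,000 in total,
    # but no single 24h window reaches the threshold.
    for i in range(10_000):
        add("198.51.100.5", i * 17, 500)
    # 192.0.2.10: 50 requests, mostly 200 -> only a handful survive the filter.
    for i in range(50):
        add("192.0.2.10", i * 60, 400 if i % 10 == 0 else 200)
    # A non-network event from the noisy client: dropped by the event_type test.
    add("203.0.113.7", 5, 500, etype="USER_LOGIN")
    return events


if __name__ == "__main__":
    for d in evaluate_rule(build_sample_events()):
        print(d)
```

Running it prints a single detection for 203.0.113.7 with an event_count of 12,000, while 198.51.100.5 never fires even though it also produced 10,000 error responses, because its busiest 24h window holds only about half of them. That is the distinction to keep in mind when picking Rule Test timestamps: the count that matters is the one inside the match window, not the total for the day in Cloud Logging.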