Solved

Detection rule shows only 10 events instead of 10,000

  • October 23, 2025
  • 3 replies
  • 45 views

Roni11

Hi,

I’m trying to create a detection rule in Chronicle that identifies cases where too many requests are sent to an external load balancer — specifically, more than 10,000 requests from the same IP within one day, where the response status is 400 or 500.

This is the rule I wrote:

rule too_many_requests_to_external_lb {
  meta:
    severity = "HIGH"
    platform = "Chronicle"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.principal.ip = $ip
    $e.network.http.response_code = 400 OR $e.network.http.response_code = 500

  match:
    // the match window needs a time unit; 24h covers one day
    $ip over 24h

  outcome:
    $http_method = array_distinct($e.network.http.method)
    $rule_name = array_distinct($e.security_result.rule_name)
    $remote_ip = array($ip)

  condition:
    #e >= 10000
}

According to my Cloud Logging data, I know exactly when such an event occurred, so I used those timestamps to run Rule Test.

I expected to get a detection with around 10,000 events, but instead I always get 1 detection with only 10 events.

I would like to understand why the detection shows only 10 events — is Chronicle only displaying a sample of events, or is the rule logic not aggregating them correctly?

Any clarification on how to handle this threshold and grouping behavior would be appreciated.

Thank you!

 

Best answer by AymanC

3 replies

AymanC
  • Bronze 5
  • Answer
  • October 23, 2025

Hi @Roni11

This is due to sampling: it will not show all 10,000 events, just a sample. To view all of the events, refer to [1].

[1] - https://docs.cloud.google.com/chronicle/docs/detection/downloading-events

Kind Regards,

Ayman


Roni11
  • Author
  • October 23, 2025

Hi,
Thank you for the clarification regarding sampling!
I just want to confirm — is the rule I wrote correct and properly configured to meet the requirement of detecting more than 10,000 requests from the same IP in one day with 400 or 500 response codes?


AymanC
  • Bronze 5
  • October 23, 2025

Hi @Roni11

Yeah, your rule will work. Other factors to consider: if you have event duplication, it might be worth (if the underlying log source has a unique identifier) utilising the outcome section to do a ‘count_distinct’ on that UDM field, then conditioning on this. For example, let’s say my log source stores a unique identifier in metadata.product_log_id:

outcome:
  $EventCount = count_distinct($e.metadata.product_log_id)

condition:
  $e and $EventCount >= 10000

Kind Regards,

Ayman
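The grouping and counting the thread's rule depends on, modelled offline as an added Python example (not Chronicle code and not either poster's): it applies the events-section filter, buckets each IP's events into 24h windows the way `match: $ip over 24h` does, and compares the plain event count (`#e`) with a `count_distinct` on `metadata.product_log_id` as suggested in the last reply, so the effect of duplicated records on the threshold is visible. The records and IP addresses are constructed sample data, the threshold is scaled from 10,000 down to 5 so the sample stays small, and the fixed-window bucketing anchored at each IP's first matching event is an assumption for illustration, not Chronicle's actual windowing algorithm.

```python
"""
Offline model of the rule discussed in this thread.

Added illustration, not Chronicle or YARA-L code: it re-implements the rule's
logic in Python so the grouping and counting can be checked on sample data.
Assumptions: UDM records are plain dicts, the 24h match window is emulated as
fixed windows anchored at each IP's first matching event (Chronicle's own
windowing may differ), and the threshold is scaled from 10,000 down to 5.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=24)   # match: $ip over 24h
ERROR_CODES = {400, 500}       # response_code = 400 OR response_code = 500
BASE = datetime(2025, 10, 23, 0, 0, tzinfo=timezone.utc)  # constructed anchor time


def make_event(ip, minutes, code, log_id, event_type="NETWORK_CONNECTION"):
    """Build a constructed UDM-like record (not real log data)."""
    return {
        "ts": BASE + timedelta(minutes=minutes),
        "metadata": {"event_type": event_type, "product_log_id": log_id},
        "principal": {"ip": ip},
        "network": {"http": {"response_code": code}},
    }


# Constructed sample: RFC 5737 documentation addresses, not real clients.
SAMPLE_EVENTS = (
    # IP A: three genuine 500s, each ingested twice (same product_log_id).
    [make_event("203.0.113.7", 10 * i, 500, f"A-{i}") for i in range(3)]
    + [make_event("203.0.113.7", 10 * i, 500, f"A-{i}") for i in range(3)]
    # Records for IP A that the events: section must drop (2xx, non-HTTP type).
    + [make_event("203.0.113.7", 5, 200, "A-ok"),
       make_event("203.0.113.7", 6, 500, "A-dns", event_type="NETWORK_DNS")]
    # IP B: seven distinct 400s inside 24h, then one more 25h after the first.
    + [make_event("198.51.100.9", 60 * i, 400, f"B-{i}") for i in range(7)]
    + [make_event("198.51.100.9", 25 * 60, 400, "B-late")]
)


def matches_events_section(event):
    """Predicates from the rule's events: section."""
    return (
        event["metadata"]["event_type"] == "NETWORK_CONNECTION"
        and event["network"]["http"]["response_code"] in ERROR_CODES
    )


def group_by_ip_window(events, window=WINDOW):
    """
    Emulate `match: $ip over 24h`: matching events are keyed by
    (principal.ip, window_start). A new window opens for an IP when an event
    arrives `window` or more after the current window's start.
    """
    windows = defaultdict(list)
    open_start = {}
    for event in sorted(events, key=lambda e: e["ts"]):
        if not matches_events_section(event):
            continue
        ip = event["principal"]["ip"]
        start = open_start.get(ip)
        if start is None or event["ts"] - start >= window:
            start = event["ts"]
            open_start[ip] = start
        windows[(ip, start)].append(event)
    return windows


def evaluate(events, threshold, dedupe=False):
    """
    Return {(ip, window_start): count} for every group that fires.
    dedupe=False -> condition: #e >= threshold
    dedupe=True  -> outcome: $EventCount = count_distinct($e.metadata.product_log_id)
                    condition: $e and $EventCount >= threshold
    """
    detections = {}
    for key, group in group_by_ip_window(events).items():
        if dedupe:
            count = len({e["metadata"]["product_log_id"] for e in group})
        else:
            count = len(group)
        if count >= threshold:
            detections[key] = count
    return detections


if __name__ == "__main__":
    for dedupe in (False, True):
        label = "count_distinct(product_log_id)" if dedupe else "#e"
        for (ip, start), count in sorted(evaluate(SAMPLE_EVENTS, 5, dedupe).items()):
            print(f"{label:32} {ip:14} window from {start:%Y-%m-%d %H:%M} -> {count}")
```

Run as a script, it shows the duplicated IP crossing the threshold under `#e` but not under `count_distinct`, and the late event for the second IP landing in its own window with a count of 1. The same shape of check is useful before uploading a rule: feed it a handful of records exported from the log source and confirm the count per IP and window is what the condition expects.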