I'm working with composite detections in Google Security Operations (Chronicle SIEM) and running into an issue.
I'm trying to implement a level 2 composite rule that consumes detections from a producer rule (login_with_location_producer) which extracts user email and login country from USER_LOGIN events.
✅ Producer Rule (Works fine and persists detections):

    rule login_with_location_producer {
      meta:
        author = "Google SecOps Gemini"
        description = "Produces detections with user email and login country from Google Workspace login events."
      events:
        $e.metadata.event_type = "USER_LOGIN"
        $e.target.user.email_addresses[0] = $user_email
        $e.principal.ip_geo_artifact[0].location.country_or_region = $login_country
      outcome:
        $target_user = $user_email
        $country = $login_country
      condition:
        $e
    }
❌ Composite Rule (Fails to parse with "detection source is not supported"):

    rule rapid_country_change_composite {
      meta:
        author = "Google SecOps Gemini"
        description = "Detects rapid login location change for a user within 1 hour."
        severity = "High"
      events:
        $d1.detection.detection.rule_name = "login_with_location_producer"
        $user1 = $d1.detection.detection.outcomes["target_user"]
        $country1 = $d1.detection.detection.outcomes["country"]
        $d2.detection.detection.rule_name = "login_with_location_producer"
        $user2 = $d2.detection.detection.outcomes["target_user"]
        $country2 = $d2.detection.detection.outcomes["country"]
      match:
        $user1 = $user2 over 1h
      condition:
        $d1 and $d2 and $country1 != $country2
    }
❓ My Questions:
What exactly causes this "detection source is not supported" error?
Is there a known issue with using detection.detection.* fields in composite rules?
Any best practices for chaining composite rules like this that I may have missed?
Appreciate any guidance or examples from others who’ve worked with multi-stage composite detections in Chronicle.
Thanks!
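For comparison, here is the same "two logins from different countries within one hour" detection written as a single multi-event YARA-L rule that correlates the raw USER_LOGIN events directly, with no producer/consumer chain. This is an added example, not code from the original post; the rule name and field paths are taken from the producer rule above, and the ordering check on event_timestamp (to avoid reporting each pair twice) is an assumption about what the author would want.

```yaral
rule rapid_country_change_single_stage {
  meta:
    author = "added example, not from the original post"
    description = "Two USER_LOGIN events for the same user from different countries within 1 hour."
    severity = "High"

  events:
    // First login: bind the user and its source country.
    $e1.metadata.event_type = "USER_LOGIN"
    $e1.target.user.email_addresses[0] = $user
    $e1.principal.ip_geo_artifact[0].location.country_or_region = $country1

    // Second login for the same $user (shared placeholder joins the events).
    $e2.metadata.event_type = "USER_LOGIN"
    $e2.target.user.email_addresses[0] = $user
    $e2.principal.ip_geo_artifact[0].location.country_or_region = $country2

    // Countries must differ; require $e1 to precede $e2 so each pair fires once (assumed ordering).
    $e1.principal.ip_geo_artifact[0].location.country_or_region != $e2.principal.ip_geo_artifact[0].location.country_or_region
    $e1.metadata.event_timestamp.seconds < $e2.metadata.event_timestamp.seconds

  match:
    // Group by user over a one-hour window, mirroring the composite rule's intent.
    $user over 1h

  outcome:
    $first_country = array_distinct($country1)
    $second_country = array_distinct($country2)

  condition:
    $e1 and $e2
}
```

This form sidesteps the composite-rule parsing question entirely, at the cost of re-evaluating the raw events rather than reusing the producer's persisted detections; it is useful as a baseline to confirm the underlying logic while the multi-stage version is being debugged.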