Hi Tukaram.
I hope you are doning well!
There is an option called <different_dstip /> to cover that case, but it's not possible to control 20 different ip into range of 50 request. Maybe you can do something like:
<rule id="822027" level="13" frequency="20" timeframe="300" ignore="10">
<if_matched_sid>222000</if_matched_sid>
<same_source_ip />
<different_dstip />
<description>Network scanning activity Detected</description>
</rule>
Above rule will trigger when, it find 20 commands (frequency="20") with same source ip (<same_source_ip />) with a different destination ip (<different_dstip />), in a range of 5 minutes (timeframe="300"), and after trigger it will ignore next 10 seconds commands (ignore="10") to avoid false possitive cases.
It will depends on rule 222000, looks like another custom rule, so I can't confirm that will works. If rule 222000 have some frequency depdency, new rule 822027 frecuency will depends on it.
It's recommended to review the custom rules id
The <id> of custom rules will be in the range from 100000 to 120000.
Link to <different_dstip />
Let me know how it goes.
Regards.
Christian.