I am trying to make a rule for 100 similar logon failures and trigger an email and SNMP trap. I have several rules set up and they all work well. This is one thing I cannot figure out, probably because I don't fully understand the "1 event within 5 minutes" part of the correlation. I always had it at 1 per 30 seconds and it has worked well.
Also, I have multiple customers logging to a single appliance and I hope I don't have to make one rule for each customer.