You will probably want to use Advanced Correlations. Assuming that your rule is something like this, click the highlighted gear button:
Then you can create a correlation like this:
That means that all five events (in my example) have to come from the same DetectionIP to trigger the rule.
I hope that helps!
To clarify - using DetectionIP will match for the machine where the logs are being generated.
- If you're monitoring domain controllers, you will see logons constantly from many different users and this rule may fire false positives.
- If you're monitoring servers and systems directly, this rule will work as described.
You may be able to accomplish what you want for both the DC and local login case using DestinationMachine instead.
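To make the DetectionIP vs. DestinationMachine point concrete, here is an added Python example (not from the original thread or the product) that groups constructed logon events by one field and fires once five land in the same group within a window; it assumes a DC emits logons whose DestinationMachine is the target host, so grouping on DetectionIP fires on the DC while grouping on DestinationMachine does not.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, det_ip, dest, user):
    # Field names assumed to mirror the SIEM's DetectionIP (host that emitted
    # the log) and DestinationMachine (host the logon was aimed at).
    return {"ts": ts, "DetectionIP": det_ip, "DestinationMachine": dest, "User": user}


# Constructed sample events (not real logs).
EVENTS = [
    # Workstation case: one host reports five logons against itself.
    _ev(f"2024-01-01T10:00:0{i}", "10.0.0.21", "WS-21", "alice") for i in range(5)
] + [
    # Domain controller case: the DC (10.0.0.5) reports logons for five
    # different users, each aimed at a different machine.
    _ev(f"2024-01-01T10:05:0{i}", "10.0.0.5", f"WS-3{i}", user)
    for i, user in enumerate(["bob", "carol", "dave", "erin", "frank"])
]


def correlate(events, group_by, threshold=5, window=timedelta(minutes=5)):
    """Return the group keys that accumulate `threshold` events inside a
    sliding `window`, mimicking an Advanced Correlation grouped on one field."""
    buckets = defaultdict(list)
    fired = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = ev[group_by]
        ts = datetime.fromisoformat(ev["ts"])
        q = buckets[key]
        q.append(ts)
        # Discard events that have aged out of the correlation window.
        while q and ts - q[0] > window:
            q.pop(0)
        if len(q) >= threshold:
            fired.add(key)
    return fired


if __name__ == "__main__":
    # Grouping on DetectionIP fires for the DC too (the false positive the
    # thread warns about); grouping on DestinationMachine only fires for WS-21.
    print("by DetectionIP:", sorted(correlate(EVENTS, "DetectionIP")))
    print("by DestinationMachine:", sorted(correlate(EVENTS, "DestinationMachine")))
```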
Really helpful, thanks very much. I was going to ask this question also but someone beat me to it! Thanks.