First of all, if you think 10 unique events in 60 seconds will fire too many rules, you should consider increasing that event count to be greater than 10 for a true representation of abnormal activity.
To answer your question for your rule definition, each unique source machine that matches the correlation criteria should result in a correlation rule being fired. So, if your second 'bad actor' (I am assuming you mean source machine here) is a different IP than the first 'bad actor', it should result in another rule being fired. However, it should not trigger any action for 15 minutes for the same source IP even though you may see 10 events in a rolling time frame of 60 seconds.
From the admin guide:
1. Open the Set Advanced Thresholds form.
2. Select the Re-Infer (TOT) check box if you want to define a second threshold. Then use the adjacent fields to type or select the threshold's time interval and unit of
The Re-Infer (TOT) option defines the period in which an alert must remain above the threshold before the system issues a new notification and/or active response.
For example, suppose an alert has exceeded the threshold, and the alert's Re-Infer (TOT) period is 1 Hour. If the alert stays above the threshold for more than 1 hour, the system will issue an additional notification or active response at the end of 1 hour.
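The behaviour described in this reply (a per-source rolling window of 60 seconds, a firing at 10 events, and a 15-minute Re-Infer period per source IP) can be modelled in a few lines. This is an added illustration, not the product's own engine or code from the thread; the timestamps and IPs are constructed, each event is assumed to already be unique, and the Re-Infer handling (no repeat notification for a source until the period has elapsed and it is still above threshold) is my reading of the guide text quoted above.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60          # rolling window from the thread
EVENT_THRESHOLD = 10         # fire when a source reaches this many events in the window
REINFER_SECONDS = 15 * 60    # per-source suppression period (assumed model of Re-Infer / TOT)


def evaluate(events, window=WINDOW_SECONDS, threshold=EVENT_THRESHOLD, reinfer=REINFER_SECONDS):
    """events: iterable of (timestamp_seconds, source_ip).

    Returns the list of (timestamp, source_ip) notifications that would be issued.
    One notification per source when it first reaches `threshold` events inside `window`;
    the same source is not notified again until `reinfer` seconds have passed and it is
    still above threshold at that moment.
    """
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    last_fired = {}               # per-source time of the last notification
    firings = []
    for ts, src in sorted(events):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            last = last_fired.get(src)
            if last is None or ts - last >= reinfer:
                firings.append((ts, src))
                last_fired[src] = ts
    return firings


def sample_events():
    """Constructed sample traffic, not real log data: (timestamp_seconds, source_ip)."""
    ev = []
    ev += [(t, "10.0.0.5") for t in range(0, 50)]          # scanner A: 50 hits in 50 s
    ev += [(t, "10.0.0.9") for t in range(100, 110)]       # scanner B: exactly 10 hits in 10 s
    ev += [(t, "10.0.0.7") for t in range(0, 300, 100)]    # quiet host: 3 hits in 5 min
    ev += [(t, "10.0.0.5") for t in range(1000, 1010)]     # scanner A again, ~16.5 min later
    return ev


if __name__ == "__main__":
    for ts, src in evaluate(sample_events()):
        print(f"t={ts:>5}s  notify on {src}")
```

Scanner A is notified once at t=9 despite 40 more hits in the same minute, scanner B is a separate source and gets its own notification, and A's second burst is notified again only because it arrives after the 15-minute Re-Infer period.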
Adjusting the threshold is part of the discovery process. Each client has a different level of exposed threat space. After letting it run for 12 hours I did up the threshold for one common application port but not the others. The good thing about the scans is that they are only taking less than a minute, so the rule only fires once during that time.
i.e., the scan actually hit 500 addresses in 45 seconds and only one alert email is sent.
So with Re-Infer, it treats each firing of the rule as its own instance? Exactly what I was hoping.
Thank you for the reply.