So, here's the unfortunate deal... we haven't exposed a way to do a threshold of one, which is what you need.
You CAN do this:
2 in 10 seconds (alert when you see two of the same event in 10 seconds)
Advanced Threshold (little gears on the correlation time that become active when you add a threshold):
SAME <whatever> (interface, source, etc.; you can add more than one field)
Re-Infer: 1 hour
Your Response Window will need to be 1 hour also so it can remember data for that long.
Correlation Time on the entire rule applies to EVERYTHING in the correlations box. You can also add a threshold for each grouping in the correlations box if you want to get more fancy.
Then, the "Advanced Threshold" box basically modifies your threshold by defining how to "count" your threshold (they need to come from the same IP, the same user, etc) and tells the threshold how often to check for "over threshold" again (your "wait an hour before telling me the **** is still hitting the fan" thing).
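As an added example (not the product's code and not from either poster), here is a small Python model of the counting the reply above describes: N events inside a sliding correlation window, counted per "SAME" field group, with a Re-Infer hold-down before the same group can alert again. The event record layout, the field name `src_ip`, the class and function names, and the sample events are all my own assumptions, constructed for illustration; the model also accepts `threshold=1`, which is the case the thread says the product interface does not expose.

```python
from collections import defaultdict, deque


class ThresholdCorrelator:
    """Count events per group key inside a sliding window and alert when the
    count reaches `threshold`; after an alert for a key, stay quiet for
    `reinfer` seconds (the "Re-Infer" behaviour) before alerting again.
    Hypothetical model, not the product's engine."""

    def __init__(self, threshold, window, group_by, reinfer):
        self.threshold = threshold          # e.g. 2 ("2 in 10 seconds")
        self.window = window                # correlation time in seconds, e.g. 10
        self.group_by = tuple(group_by)     # the SAME <field> list, e.g. ("src_ip",)
        self.reinfer = reinfer              # seconds before the same key may re-alert
        self.buckets = defaultdict(deque)   # key -> event timestamps inside the window
        self.last_alert = {}                # key -> timestamp of the last alert
        self.alerts = []                    # (timestamp, key, count) for each alert

    def feed(self, event):
        """Process one event; return 'below', 'alert' or 'suppressed'."""
        ts = event["ts"]
        key = tuple(event[f] for f in self.group_by)
        bucket = self.buckets[key]
        bucket.append(ts)
        # Forget timestamps that fell out of the correlation window.
        while bucket and ts - bucket[0] > self.window:
            bucket.popleft()
        if len(bucket) < self.threshold:
            return "below"
        last = self.last_alert.get(key)
        if last is not None and ts - last < self.reinfer:
            return "suppressed"     # over threshold, but inside the Re-Infer hold-down
        self.last_alert[key] = ts
        self.alerts.append((ts, key, len(bucket)))
        return "alert"

    def prune(self, now):
        """Drop state no longer needed. The last-alert timestamp must be kept
        for `reinfer` seconds, which is why the reply says the Response Window
        has to be at least as long as the Re-Infer time."""
        for key, last in list(self.last_alert.items()):
            if now - last >= self.reinfer:
                del self.last_alert[key]
        for key in [k for k, b in self.buckets.items() if not b]:
            del self.buckets[key]


# Constructed sample events: seconds offset, grouping field, message.
SAMPLE_EVENTS = [
    {"ts": 0,    "src_ip": "10.0.0.5", "msg": "auth failure"},
    {"ts": 4,    "src_ip": "10.0.0.5", "msg": "auth failure"},  # second hit within 10 s
    {"ts": 7,    "src_ip": "10.0.0.5", "msg": "auth failure"},  # still over threshold
    {"ts": 30,   "src_ip": "10.0.0.5", "msg": "auth failure"},  # window has emptied
    {"ts": 100,  "src_ip": "10.0.0.9", "msg": "auth failure"},
    {"ts": 115,  "src_ip": "10.0.0.9", "msg": "auth failure"},  # 15 s apart: never 2 in 10
    {"ts": 3605, "src_ip": "10.0.0.5", "msg": "auth failure"},
    {"ts": 3609, "src_ip": "10.0.0.5", "msg": "auth failure"},  # 2 in 10 s, hold-down expired
]


def run(events, threshold=2, window=10, group_by=("src_ip",), reinfer=3600):
    """Feed the events through one rule and return (per-event verdicts, alerts)."""
    corr = ThresholdCorrelator(threshold, window, group_by, reinfer)
    verdicts = [corr.feed(e) for e in events]
    return verdicts, corr.alerts


if __name__ == "__main__":
    verdicts, alerts = run(SAMPLE_EVENTS)
    for ev, v in zip(SAMPLE_EVENTS, verdicts):
        print(f"t={ev['ts']:>5} {ev['src_ip']:<9} {v}")
    print("alerts:", alerts)
```

With the defaults this fires once at t=4 for 10.0.0.5, suppresses the third hit at t=7, ignores 10.0.0.9 because its two events are 15 seconds apart, and fires a second time at t=3609 once the hour has passed. Running the same events with `threshold=1` shows the behaviour the thread is after: every group alerts on its first event and then stays quiet for the Re-Infer interval.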
This is an old thread, but I'm wondering why a way to do a threshold of one isn't available. I'm not finding any info so far that explains it. Is it a technical issue/performance issue prevention thing, or just an interface limitation that the Re-Infer (TOT) option is in the advanced correlation window?
Seems to me that feature would be very useful...