I have selected Windows event logs coming from our DCs and among them I am ingesting failed login ID 4625. I created a stream that extracts these events and sends an email callback. The condition I have applied is to trigger an alert if 5 of these messages are caught in the stream within 1 minute. I have a backlog of 5 messages set and am extracting the relevant fields to add to the alert. This works fine, with the exception that it does not reflect when a single user had 5 failed login attempts. For example, if 5 individual users each had 1 failed login attempt, the alert would be triggered.
Is there a way that I can be more specific and only fire when a single user is detected with 5 failed login attempts?
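The difference between the two conditions described in the post (a plain count of 4625 events in the stream versus a count per user) is easiest to see by running both over the same events. The following is an added example, not the poster's configuration and not Graylog's own code: it models each event as a tuple of timestamp, event ID, TargetUserName and source address (constructed sample data, not real log output) and implements the per-user threshold with a sliding one-minute window, alongside the naive "any 5 failures in a minute" count for comparison. The field names and the window/threshold values are assumptions chosen to match the post.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)   # the post's 1-minute window
THRESHOLD = 5                   # the post's 5-message threshold

# Constructed sample events: (timestamp, event_id, target_user_name, source_ip).
# First burst: five different users, one failure each (should NOT alert per user).
# Second burst: one user with five failures inside a minute (should alert).
# Third burst: one user with five failures spread over two minutes (should NOT alert).
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", 4625, "alice", "10.0.0.5"),
    ("2024-01-01T10:00:10", 4625, "bob", "10.0.0.6"),
    ("2024-01-01T10:00:15", 4624, "carol", "10.0.0.7"),  # successful logon, ignored
    ("2024-01-01T10:00:20", 4625, "carol", "10.0.0.7"),
    ("2024-01-01T10:00:30", 4625, "dave", "10.0.0.8"),
    ("2024-01-01T10:00:40", 4625, "erin", "10.0.0.9"),
    ("2024-01-01T10:01:00", 4625, "alice", "10.0.0.5"),
    ("2024-01-01T10:01:05", 4625, "alice", "10.0.0.5"),
    ("2024-01-01T10:01:10", 4625, "alice", "10.0.0.5"),
    ("2024-01-01T10:01:15", 4625, "alice", "10.0.0.5"),
    ("2024-01-01T10:01:20", 4625, "alice", "10.0.0.5"),
    ("2024-01-01T10:05:00", 4625, "bob", "10.0.0.6"),
    ("2024-01-01T10:05:30", 4625, "bob", "10.0.0.6"),
    ("2024-01-01T10:06:00", 4625, "bob", "10.0.0.6"),
    ("2024-01-01T10:06:30", 4625, "bob", "10.0.0.6"),
    ("2024-01-01T10:07:00", 4625, "bob", "10.0.0.6"),
]


def _slide(window_events, now, window):
    """Drop timestamps that have fallen out of the sliding window."""
    while window_events and now - window_events[0] > window:
        window_events.popleft()


def naive_count_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """The condition the post currently has: any `threshold` 4625 events
    within `window`, regardless of which account they belong to.
    Returns a list of (alert_time, count)."""
    recent = deque()
    alerts = []
    for ts_str, event_id, _user, _src in sorted(events):
        if event_id != 4625:
            continue
        ts = datetime.fromisoformat(ts_str)
        recent.append(ts)
        _slide(recent, ts, window)
        if len(recent) >= threshold:
            alerts.append((ts_str, len(recent)))
            recent.clear()  # one alert per burst, then start counting again
    return alerts


def per_user_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """The condition the post is asking for: `threshold` 4625 events for the
    SAME TargetUserName within `window`. Returns (user, alert_time, count)."""
    recent_by_user = defaultdict(deque)
    alerts = []
    for ts_str, event_id, user, _src in sorted(events):
        if event_id != 4625:
            continue
        ts = datetime.fromisoformat(ts_str)
        recent = recent_by_user[user]
        recent.append(ts)
        _slide(recent, ts, window)
        if len(recent) >= threshold:
            alerts.append((user, ts_str, len(recent)))
            recent.clear()
    return alerts


if __name__ == "__main__":
    print("naive   :", naive_count_alerts(SAMPLE_EVENTS))
    print("per user:", per_user_alerts(SAMPLE_EVENTS))
```

Run as-is, the naive count fires twice (once on the five-different-users burst, once on alice), while the per-user condition fires only for alice; bob's five failures spread across two minutes never have five inside any one-minute window and so trip neither. In practice the grouping key is whatever field the extractor populates for the account name, and the same structure works if you group by source address instead.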