i have a use case in which we need to correlate multiple failed login attempts (10 in 10) with IPS event grouped by destination IP ( both events should have same destination IP). may be we can put them in sequence ... but not sure how i can acheive this .
Match Component Filter #1: Signature ID (In) <list of failed login Signatures> (or Normalized ID (in) Authentication > Login + Event Subtype (in) Failure)
Match Component Filter #2: Device ID (In) <select your IPS Data Source/Sensor> (and/or use Signature ID / Normalized ID for specific IPS events)
The above should only trigger if there are 10 Failed Login Events with IPS Events within a 10 Minute window, and the Group By setting will make sure those events only meet the criteria if the Failed Login and IPS events share the same Destination IP. Hopefully this works as desired and helps.