In your correlation rule, you would do the following:
Group by: session ID
In the rule body you'd have a single AND gate. You'll set the time property here to determine the window you'll watch to look for 2 different IPs. I'd suggest a short window as possible to be efficient with memory: perhaps 10 minutes?
Inside the AND gate, you'll want a single filter block, configured to capture IIS events (use Device Type, or perhaps specific Device IDs, if you prefer). At the bottom of the filter block, you'll configure it to look for multiple distinct source IPs, like so:
At the end, your rule should look something like this:
I haven't tested this, but it should get you pretty close.
Thanks for your reply. I haven't had a chance to implement this yet but I hope to do so early next week. I'll get back to you after I have do so.