Use the "AND" gate around your filter. Edit the AND gate to set the threshold to 5 and the time to 5 minutes.
In the correlation rule, under "Group by" select "Source User"
This should do the trick.
Perfect, we are really close. The problem is that it is triggering 8 events for different source users.
Any idea what the problem can be? I am guessing that aggregation for such messages must probably be disabled, but why can it not count to 5?
Aggregation should not be the issue, as aggregation numbers are added up to the total event count threshold.
Make sure that you group by "Source User" in the correlation rule. If you don't do this, the correlation engine will not group each unique source user, and the correlation will trigger when 5 or more failed logins happen (regardless of the number of unique source users). By grouping on source user, a correlation event will only trigger if a specific source user fails to log in 5 or more times within the time window specified.
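To make the difference concrete, here is an added example (written for this thread, not code from the product or from any poster) of the same threshold/time-window/group-by logic as a small sliding-window correlator run over constructed failed-login log lines. The log format, the field names `user`, `src` and `count`, and the sample timestamps are all assumptions; `count` stands in for the aggregated event count the reply above mentions, so an aggregated line contributes its whole count to the total. Running it without `group_by` fires once as soon as any 5 failures land within 5 minutes; running it with `group_by="user"` fires only for the one user who actually reaches 5, and the stray failure 7 minutes later does not count because the earlier ones have expired from the window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): 8 failed logins from 4 users
# inside 5 minutes, one aggregated line (count=2), one success, and one
# late failure outside the window.
SAMPLE_LOG = """\
2024-01-01T10:00:05 FAILED_LOGIN user=alice src=10.0.0.5
2024-01-01T10:00:20 FAILED_LOGIN user=bob src=10.0.0.6
2024-01-01T10:00:41 FAILED_LOGIN user=alice src=10.0.0.5
2024-01-01T10:01:02 FAILED_LOGIN user=carol src=10.0.0.7
2024-01-01T10:01:30 FAILED_LOGIN user=alice src=10.0.0.5
2024-01-01T10:02:11 FAILED_LOGIN user=dave src=10.0.0.8 count=2
2024-01-01T10:02:45 FAILED_LOGIN user=alice src=10.0.0.5
2024-01-01T10:03:10 SUCCESS_LOGIN user=bob src=10.0.0.6
2024-01-01T10:03:59 FAILED_LOGIN user=alice src=10.0.0.5
2024-01-01T10:11:00 FAILED_LOGIN user=alice src=10.0.0.5
"""


def parse_log(text):
    """Parse '<iso-timestamp> <action> key=value ...' lines (assumed format)."""
    events = []
    for line in text.strip().splitlines():
        ts_str, action, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        ev = {"ts": datetime.fromisoformat(ts_str), "action": action, **fields}
        # An aggregated event carries how many raw events it stands for.
        ev["count"] = int(ev.get("count", 1))
        events.append(ev)
    return events


def correlate(events, threshold=5, window=timedelta(minutes=5), group_by=None):
    """Return (key, timestamp) for every time `threshold` failed logins fall
    within `window`. With group_by=None all users share one counter; with
    group_by="user" each source user gets its own counter."""
    windows = defaultdict(deque)  # key -> deque of (timestamp, count)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "FAILED_LOGIN":
            continue
        key = ev.get(group_by, "<missing>") if group_by else "*"
        q = windows[key]
        q.append((ev["ts"], ev["count"]))
        # Drop entries older than the window (sliding window).
        while ev["ts"] - q[0][0] > window:
            q.popleft()
        # Aggregated counts add up to the total, as the thread notes.
        if sum(c for _, c in q) >= threshold:
            alerts.append((key, ev["ts"]))
            q.clear()  # one correlation event per burst, not one per extra failure
    return alerts


def demo():
    events = parse_log(SAMPLE_LOG)
    ungrouped = correlate(events)
    grouped = correlate(events, group_by="user")
    return ungrouped, grouped


if __name__ == "__main__":
    ungrouped, grouped = demo()
    print("no group-by:", ungrouped)    # fires on the 5th failure from anyone
    print("group by user:", grouped)    # fires only for alice
```

The `q.clear()` after a hit mirrors the behaviour the original poster wanted (one correlation event per burst rather than one per failure once the threshold is crossed); without it the ungrouped run would keep firing on every further failure in the window, which is the "8 events" symptom described above.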