So I may have a solution for you, even if it isn't the most elegant solution. I have the following setup for a "3 viruses within 2 weeks" alert:
2 watchlists - both purge accounts after 14 days.
3 alarms total.
First virus alert hits, inserts into first watchlist. Then a second alarm checks to see if a user is in the first watchlist and, if it is, adds the computer name (or IP in your case) to the second watchlist. A third alarm checks the second watchlist and first watchlist. If a user is in both watchlists and triggered a virus, this alerts, creating a "3 in 2 weeks" alert.
Why don't you use a Correlation Rule?
I'm currently receiving 'virus detected' information from an endpoint protection server. I am trying to create an alarm that triggers when a virus has been detected on the same IP address 3 times in 10 minutes.
You can define this with a Correlation Rule.
Then, you should define "Field Match" alarm referring to the Signature ID of this Correlation Rule.
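As an added example (not from this thread, and not a SIEM configuration), here is the "3 detections from the same IP within 10 minutes" logic as a sliding-window correlation in Python, run over constructed sample events; the same function with a 14-day window covers the watchlist-based "3 in 2 weeks" case from the first reply. The event layout, timestamps and IP addresses are all constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample "virus detected" events: (timestamp, source IP, detection name).
SAMPLE_EVENTS = [
    ("2024-01-10 09:00:00", "10.0.0.5", "EICAR-Test-File"),
    ("2024-01-10 09:03:00", "10.0.0.5", "EICAR-Test-File"),
    ("2024-01-10 09:04:30", "10.0.0.9", "Trojan.Generic"),
    ("2024-01-10 09:08:00", "10.0.0.5", "Trojan.Generic"),  # 3rd hit for 10.0.0.5 within 10 min
    ("2024-01-10 09:20:00", "10.0.0.9", "Trojan.Generic"),
    ("2024-01-10 09:25:00", "10.0.0.9", "Trojan.Generic"),  # only 2 hits for 10.0.0.9 in any 10 min
]

def correlate(events, threshold=3, window=timedelta(minutes=10)):
    """Return a list of (ip, timestamp) alerts, one each time an IP reaches
    `threshold` detections inside a sliding `window`.

    Events are processed in timestamp order. Each IP keeps a queue of its
    recent detection times; entries older than the window are evicted before
    the new event is counted, so the threshold applies to a true sliding window
    rather than fixed 10-minute buckets."""
    recent = defaultdict(deque)
    alerts = []
    for ts_str, ip, _name in sorted(events):
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()          # drop detections that fell out of the window
        q.append(ts)
        if len(q) >= threshold:
            alerts.append((ip, ts_str))
            q.clear()            # reset so one burst fires once, not on every further hit
    return alerts

if __name__ == "__main__":
    for ip, when in correlate(SAMPLE_EVENTS):
        print(f"ALERT: {ip} reached 3 detections within 10 minutes at {when}")
```

Passing `window=timedelta(days=14)` reproduces the two-week variant; with the sample data both IPs then alert.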