In Microsoft style, I'm going to start this response with:
- Never use the "AnyAlert" group in a rule, as it will cause the LEM to chew through memory like a boss.
- Never extend the correlation time too much, as longer correlation times will cause the LEM to chew through memory like a boss.
- This example is really likely to totally destroy a LEM in production. Don't do this.
Now, how you might do this:
So, I agree with Nicole: there isn't a good way to do this, but this might be a way to do it.