I have had the same issue with various clients. It's different for every single client as they all have different audit policies. Playing with the correlation time is the only way.
This is something I used for a client in looking for an file open (ignore the last line with the HR Admin). Note the correlation time as 6 events within 2 seconds which worked for one client. Another client required 4 events within 8 seconds.
