We use two rules, one for 20+ failures within 30 seconds from a single IP, and another for 40+ failures within 60 minutes from a single IP. Here's what the first looks like:
Correlations
UserLogonFailure AND
UserLogonFailure.DestinationAccount <> UserLogonFailure.DestinationMachine
CorrelationTime
20 Events within 30 seconds
Field: UserLogonFailure.SourceMachine Modifier: SAME *
Response Window 5 minutes
* Click on the Gear/Clock icon to the right of "Events within" to access advanced settings.
In truth, the first "UserLogonFailure" probably isn't necessary, but this was one of my first rules so I was still experimenting when I wrote it.
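The correlation above, as an added example that is not from the original post or the SIEM product: a sliding-window count of logon failures keyed on SourceMachine, applying the DestinationAccount <> DestinationMachine filter and a response window that suppresses repeat alerts. The same function covers the second rule (40 failures in 60 minutes) by changing the threshold and window; the event records and timestamps are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not from the original post). Each tuple mirrors the
# fields the rule references: timestamp, SourceMachine, DestinationAccount, DestinationMachine.
BASE = datetime(2024, 1, 1, 12, 0, 0)  # assumed start time
SAMPLE_EVENTS = (
    # 25 failures in 24 seconds from one source against a user account: should alert
    [(BASE + timedelta(seconds=i), "10.0.0.5", "jsmith", "FS01") for i in range(25)]
    # 5 scattered failures from another source: below the 20-event threshold
    + [(BASE + timedelta(seconds=i * 10), "10.0.0.7", "jdoe", "FS01") for i in range(5)]
    # 22 fast failures where DestinationAccount == DestinationMachine: filtered out by the rule
    + [(BASE + timedelta(seconds=i), "10.0.0.9", "WS01", "WS01") for i in range(22)]
)


def is_candidate(event):
    """The rule's correlation filter: DestinationAccount <> DestinationMachine."""
    _, _, account, machine = event
    return account != machine


def find_bursts(events, threshold=20, window_seconds=30, response_seconds=300):
    """Sliding-window correlation with Modifier: SAME on SourceMachine.

    Emits an alert when `threshold` candidate events from one source fall within
    `window_seconds`, then suppresses that source for `response_seconds`
    (the rule's 5-minute Response Window).
    """
    window = timedelta(seconds=window_seconds)
    response = timedelta(seconds=response_seconds)
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    last_alert = {}               # source -> time of its most recent alert
    alerts = []
    for ts, source, account, machine in sorted(events, key=lambda e: e[0]):
        if not is_candidate((ts, source, account, machine)):
            continue
        if source in last_alert and ts - last_alert[source] <= response:
            continue  # inside the response window: do not re-alert
        q = recent[source]
        q.append(ts)
        while ts - q[0] > window:   # discard timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"source": source, "count": len(q), "first": q[0], "last": ts})
            last_alert[source] = ts
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in find_bursts(SAMPLE_EVENTS):
        print(f"{a['source']}: {a['count']} failures between {a['first']} and {a['last']}")
```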