You could use Rules occurence settings in new UI (advanced correlation in older Flex UI) to specify that userName/sourceAccount have to be same in the alerts AND source IP of the event should differ. Set "Set time when a rule won't trigger actions after rule was true" (Re-Infer TOT - in Flex) as well to not fire rule multiple times during few seconds.
↧