Just to backup HolyGuacamole with some pictures:
You'd want a rule that was at least this complicated:
The circled thing is what Guac is referring to. Then you can do this:
And that means the LEM has to see 5 events in 30 seconds from the same DetectionIP. You can obviously use other fields as well if you want to play with it.