We want to monitor and alarm brute force attacks on domain logins. We tried to setup a sensor to fetch Eventlogs from our DomainController with ID 4771. Unfortunately, we cannot further specify, that only a lot of events in a short time is relevant for an alarm regarding brute force. At the moment, every failed login attempt generates an alarm, this is not what we want. Does anyone have an idea how to realize such a task? Maybe another sensor can fulfill this requirements better?