The advanced correlation you have there means that the 5 events that trigger the rule have to have the SAME value in the WarningMessage field. You may want to make that something like ServiceWarning.DetectionIP so that the 5 events have to come from the SAME system to fire the rule; otherwise, 5 different systems getting the same alert would fire this rule.
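The difference between the two grouping fields, as an added example that is not part of the original reply and not the SIEM's own correlation engine: a simplified Python model of a "5 events with the same field value" rule, run over constructed events. The 600-second window, the `correlate` and `make_events` helpers, and the sample IPs and message are assumptions for illustration.

```python
from collections import defaultdict

THRESHOLD = 5         # events needed to fire, as in the rule discussed above
WINDOW_SECONDS = 600  # assumed window; the post does not state one


def correlate(events, group_field, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return the group values for which `threshold` events sharing the same
    `group_field` value fall inside a sliding `window` (in seconds)."""
    buckets = defaultdict(list)
    fired = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = ev.get(group_field)
        if key is None:
            continue  # an event missing the field cannot be correlated on it
        times = buckets[key]
        times.append(ev["ts"])
        # Drop timestamps that have slid out of the window.
        while ev["ts"] - times[0] > window:
            times.pop(0)
        if len(times) >= threshold and key not in fired:
            fired.append(key)
    return fired


def make_events(ips, message, start=0, step=30):
    """Build constructed sample events, one per entry in `ips`."""
    return [
        {"ts": start + i * step, "DetectionIP": ip, "WarningMessage": message}
        for i, ip in enumerate(ips)
    ]


# Constructed sample data: the same warning from five different systems,
# and the same warning five times from a single system.
FIVE_HOSTS = make_events([f"10.0.0.{n}" for n in range(1, 6)], "Service restart failed")
ONE_HOST = make_events(["10.0.0.9"] * 5, "Service restart failed", start=1000)

if __name__ == "__main__":
    # Grouping on WarningMessage fires even though no single host repeated.
    print("by WarningMessage:", correlate(FIVE_HOSTS, "WarningMessage"))
    # Grouping on DetectionIP stays quiet for five separate hosts...
    print("by DetectionIP (5 hosts):", correlate(FIVE_HOSTS, "DetectionIP"))
    # ...and fires only when one system produces all five events.
    print("by DetectionIP (1 host):", correlate(ONE_HOST, "DetectionIP"))
```

Grouping on `DetectionIP` alone counts any five events from one system regardless of message, so the rule's event filter still has to restrict matching to the warning of interest.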