First of all, if you think 10 unique events in 60 seconds will fire too many rules, you should consider increasing that event count to be greater than 10 for a true representation of abnormal activity
To answer your question for your rule definition, each unique source machine that matches the correlation criteria should result in a correlation rule being fired. So, if your second 'bad actor' ( I am assuming you mean source machine here) is a different IP than the first 'bad actor', it should result in another rule being fired. However, it should not trigger any action for 15 minutes for the same source IP even though you may see 10 events in a rolling time frame of 60 seconds
From the admin guide
Open the Set Advanced Thresholds form.
2. Select the Re-Infer (TOT) check box if you want to define a second threshold. Then
use the adjacent fields to type or select the threshold’s time interval and unit of
measure.
The Re-Infer (TOT) option defines the period in which an alert must remain above the
threshold before the system issues a new notification and/or active response.
For example, suppose an alert has exceeded the threshold, and the alert’s Re-Infer
(TOT) period is 1 Hour. If the alert stays above the threshold for more than 1 hour, the
system will issue an additional notification or active response at the end of 1 hour