Correlation Rules for Virus Alerts
I've made a correlation rule for this, more or less. We would use it to identify something spreading on the network. Right now it will fire if the same virus is found on 3 hosts within an hour. It would be easy to modify it to increase the number of hosts or increase the timeframe.
I have attached the rule for you.
Note that it uses cache variables to determine if it's the same virus on different hosts, not multithreading. The reason for this is that I like to see each of the messages that generate the alert. If you use multithreading it will only show you the last message to cause the alert to fire, which annoys me.
It should work, as I made a correlated alert on 3 accounts locked out within a short period using the same logic you provided.
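The logic described above (same virus on 3 distinct hosts within an hour, keeping every contributing message rather than only the last one) and the account-lockout variant from the reply, as an added Python example; this is not the attached rule, and the field names, window handling and sample events are assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def correlate(events, key_field, entity_field, window=timedelta(hours=1), threshold=3):
    """Fire once per key when events sharing that key are seen on at least
    `threshold` distinct entities inside a sliding `window` (events must be in
    timestamp order). Every contributing event is kept per key, mirroring the
    cache-variable approach, so each alert carries all of its triggering messages.
    Returns a list of (key, [contributing events])."""
    cache = defaultdict(deque)  # key -> deque of (timestamp, entity, event)
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        bucket = cache[ev[key_field]]
        bucket.append((ts, ev[entity_field], ev))
        while bucket and ts - bucket[0][0] > window:  # drop events outside the window
            bucket.popleft()
        if len({entity for _, entity, _ in bucket}) >= threshold:
            alerts.append((ev[key_field], [e for _, _, e in bucket]))
            bucket.clear()  # reset so one outbreak does not re-fire on every later hit
    return alerts


# Constructed sample antivirus detections (not real data).
AV_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "ws01", "virus": "Trojan.Generic"},
    {"ts": "2024-05-01T09:10:00", "host": "ws01", "virus": "Trojan.Generic"},  # repeat on ws01: still 1 host
    {"ts": "2024-05-01T09:20:00", "host": "ws02", "virus": "Trojan.Generic"},
    {"ts": "2024-05-01T09:30:00", "host": "ws03", "virus": "Adware.Foo"},      # different virus, separate bucket
    {"ts": "2024-05-01T10:30:00", "host": "ws04", "virus": "Trojan.Generic"},  # earlier three are now > 1h old
    {"ts": "2024-05-01T10:40:00", "host": "ws05", "virus": "Trojan.Generic"},
    {"ts": "2024-05-01T10:50:00", "host": "ws06", "virus": "Trojan.Generic"},  # 3rd host within the hour: fires
]

# Constructed lockout events: same logic, counted per distinct account instead of host.
LOCKOUT_EVENTS = [
    {"ts": "2024-05-01T11:00:00", "event": "account_locked", "account": "alice"},
    {"ts": "2024-05-01T11:02:00", "event": "account_locked", "account": "bob"},
    {"ts": "2024-05-01T11:03:00", "event": "account_locked", "account": "carol"},
]


def virus_spread_alerts(events=AV_EVENTS):
    return correlate(events, key_field="virus", entity_field="host")


def lockout_alerts(events=LOCKOUT_EVENTS):
    return correlate(events, key_field="event", entity_field="account", window=timedelta(minutes=10))
```

Raising the host count or widening the window is a matter of changing `threshold` or `window`; the per-key cache is what lets the alert list every message that contributed.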