Question on log search

Hi Pete,

What you are talking about is not possible within the product using custom alerts today. We have a project slated for 2021 dedicated to building static thresholds and alerts using groupby functions.

With that being said it is possible to have a custom python script against our query API which would deliver the alerts you desire.

The script would need to run as a cron (scheduled task) and it would essentially poll for the data last seen in the last 30 mins (for example) and alert if any sourceIP address exceeds your static threshold.

I have an example python script that you could build upon if that is something you would like to explore.

Otherwise we will have to wait until some time next year when we build this functionality into the product.

The closest thing that exists within the product today is a change detection alert. With this you could detect an increase in failed logons (an increase or decrease in any calculation or pattern match query) with respect to some other time.

So an example would be a change detection alert with a trigger of where(source_json.eventCode=4625) calculate(unique:source_json.computerName)

You could fire an alert if you observed an increase of 500% in the last 1 hour with respect to the previous hour.

See change detection alert details here: https://docs.rapid7.com/insightidr/create-and-manage-custom-alerts#change-detection-alert

The limitation with these alerts is that you cannot perform a groupby, only a calculation. Also, it is a relative comparison; you cannot have a static threshold.

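The two alerting approaches described in the reply, worked through as an added Python example (not the script the reply offers, and not Rapid7 code): a static per-sourceIP threshold over the last 30 minutes, which is what the cron-driven script would compute, and the relative change-detection check (unique computerName with eventCode 4625, this hour versus the previous hour, firing at a 500% increase). The events are a constructed sample embedded inline so the logic runs offline; a real script would replace SAMPLE_EVENTS with records fetched from the Log Search query API, which is not shown here. The field names mirror the source_json.* keys from the reply, and the fixed NOW timestamp, the UTC assumption, and the documentation-range IP addresses are all assumptions made for the example.

```python
"""Poll-and-alert logic for Windows failed logons (event 4625).

Two checks run over an in-memory list of events:
  1. static threshold: count 4625 events per sourceIP in a trailing window
  2. change detection: unique computerName with 4625, current window vs previous

Events are a constructed sample; a cron-run script would fetch them from the
query API instead. Field names mirror the source_json.* keys in the reply.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "now" so the sample is deterministic (assumption: timestamps are UTC).
NOW = datetime(2020, 11, 1, 12, 0, tzinfo=timezone.utc)
FAILED_LOGON = 4625


def _evt(minutes_ago, event_code, source_ip, computer_name):
    """Build one constructed event record relative to NOW."""
    return {
        "timestamp": NOW - timedelta(minutes=minutes_ago),
        "eventCode": event_code,
        "sourceIP": source_ip,
        "computerName": computer_name,
    }


# Constructed sample data (RFC 5737 documentation addresses, not real hosts).
SAMPLE_EVENTS = [
    _evt(2, 4625, "203.0.113.7", "WS01"),
    _evt(4, 4625, "203.0.113.7", "WS02"),
    _evt(6, 4625, "203.0.113.7", "WS04"),
    _evt(8, 4625, "203.0.113.7", "WS05"),
    _evt(10, 4625, "203.0.113.7", "WS06"),
    _evt(12, 4625, "203.0.113.7", "WS07"),
    _evt(15, 4625, "198.51.100.22", "WS01"),
    _evt(20, 4625, "198.51.100.22", "WS02"),
    _evt(25, 4624, "198.51.100.22", "WS02"),   # successful logon, ignored
    _evt(45, 4625, "203.0.113.7", "WS01"),     # outside 30 min, inside current hour
    _evt(90, 4625, "198.51.100.22", "WS03"),   # previous hour only
]


def events_in_window(events, start, end, event_code=FAILED_LOGON):
    """Events with the given code and start < timestamp <= end."""
    return [e for e in events
            if e["eventCode"] == event_code and start < e["timestamp"] <= end]


def failed_logons_by_source_ip(events, now, window_minutes=30):
    """groupby(sourceIP) count of failed logons over the trailing window."""
    window = events_in_window(events, now - timedelta(minutes=window_minutes), now)
    return Counter(e["sourceIP"] for e in window)


def sources_over_threshold(events, now, threshold, window_minutes=30):
    """Static-threshold alert: sourceIPs whose failed-logon count exceeds threshold."""
    counts = failed_logons_by_source_ip(events, now, window_minutes)
    return {ip: n for ip, n in counts.items() if n > threshold}


def unique_failing_hosts(events, start, end):
    """calculate(unique:computerName) over failed logons in one window."""
    return len({e["computerName"] for e in events_in_window(events, start, end)})


def change_detection(events, now, window_minutes=60, increase_pct=500):
    """Relative alert: percent change of the current window over the previous one.

    A previous count of zero has no defined percentage; it is reported as
    infinity when the current window has activity, so the alert still fires.
    """
    w = timedelta(minutes=window_minutes)
    current = unique_failing_hosts(events, now - w, now)
    previous = unique_failing_hosts(events, now - 2 * w, now - w)
    if previous == 0:
        pct = float("inf") if current > 0 else 0.0
    else:
        pct = (current - previous) / previous * 100.0
    return {"current": current, "previous": previous,
            "pct_change": pct, "fired": pct >= increase_pct}


if __name__ == "__main__":
    # What a single cron invocation would evaluate and alert on.
    print("static threshold (>5 in 30 min):",
          sources_over_threshold(SAMPLE_EVENTS, NOW, 5))
    print("change detection (500% hour over hour):",
          change_detection(SAMPLE_EVENTS, NOW))
```

Run from cron every 30 minutes, each invocation evaluates only the trailing window, so the static check is independent of earlier runs; the change-detection check needs two windows of data in the same query so the comparison baseline is fetched alongside the current hour.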