Threshold and Timeframe in custom detection rule

Hello everyone,
I am creating a custom detection rule that generates an alert when a user logs in with invalid credentials more than 5 times within 30 min. I have login_time (Datetime).
For this I have written the logic and am using the following:
Group by: user_name
Set Threshold: This rule will detect only once on match 6.
Timeframe: 30 min.

But the logs we are receiving are not real-time; all of yesterday's logs are ingested into Rapid7 in a batch.
The timeframe this rule should consider is the login_time of that user. But it seems it is taking the ingestion time, and as the logs are coming in batches, the ingestion time for all the logs is almost the same, and hence it may be generating false alerts.

Is there any way to use login_time to set the threshold, or any other way to fulfill this requirement? Because even if I fetch only the time from login_time, it will not give me that rolling effect for 30 min, as it should start counting the 30 min from when the user first logged in with invalid credentials.

@vvivek.halpatrao how are these logs being transmitted that they are delayed so significantly?

What you are describing is not currently possible

I don't know that much about ingestion, as it is handled by another team. I think the files are not getting delayed; it is done knowingly.
But can you please confirm whether the Timeframe in the threshold takes ingestion time or not? And is there any way to achieve the above requirement?
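
The event-time counting asked about in this thread, sketched in Python outside the product as an added example (it is not Rapid7 functionality and not code from any poster). It uses a per-user sliding 30-minute window over `login_time` and fires once on the 6th failure. The `result` and `ingest_time` field names and all sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
THRESHOLD = 6  # "more than 5 times" means fire on match 6

def detect(events, time_field="login_time"):
    """Return [(user_name, window_start, trigger_time)] for each user whose
    failed logins reach THRESHOLD within WINDOW, measured on time_field."""
    recent = defaultdict(deque)   # user_name -> timestamps still inside the window
    alerts = []
    # Batch files are not guaranteed to be chronological, so order by the chosen clock.
    for ev in sorted(events, key=lambda e: e[time_field]):
        if ev["result"] != "FAILED":
            continue
        ts = ev[time_field]
        q = recent[ev["user_name"]]
        q.append(ts)
        while ts - q[0] > WINDOW:  # slide: drop failures older than 30 min
            q.popleft()
        if len(q) >= THRESHOLD:
            alerts.append((ev["user_name"], q[0], ts))
            q.clear()              # detect only once; a new alert needs 6 fresh failures
    return alerts

def build_sample():
    """Constructed data: one day's failures, all ingested in one batch the next day."""
    day, batch = datetime(2024, 1, 1), datetime(2024, 1, 2, 1, 0, 0)
    events = []
    for i in range(6):
        # alice: 6 failures spread 3 hours apart (should NOT alert)
        events.append({"user_name": "alice", "result": "FAILED",
                       "login_time": day + timedelta(hours=3 * i),
                       "ingest_time": batch + timedelta(seconds=i)})
        # bob: 6 failures in 10 minutes starting 09:00 (should alert)
        events.append({"user_name": "bob", "result": "FAILED",
                       "login_time": day + timedelta(hours=9, minutes=2 * i),
                       "ingest_time": batch + timedelta(seconds=10 + i)})
    return events

SAMPLE = build_sample()

if __name__ == "__main__":
    print("by login_time :", [a[0] for a in detect(SAMPLE, "login_time")])
    print("by ingest_time:", [a[0] for a in detect(SAMPLE, "ingest_time")])
```

Counting on `ingest_time` flags both users because the whole batch lands within seconds, while counting on `login_time` flags only the user with six failures inside 30 minutes.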