The idea of the alert is as follows: I receive logs from a Windows AD, and I would like to create an alert that fires when there is a brute force of login attempts on the same user, and the alert would have to contain this information. I'm not sure how to create this type of alert, whether by frequency or cardinality, because the alert should show the number of login attempts made and the user, and in the logs that are being ingested into Elastic it doesn't show the number of attempts, so this calculation would have to be done by ElastAlert. So my doubt is: how could I create this kind of alert in ElastAlert?
Replies: 1 comment
I suggest using a metric aggregation rule combined with a `query_key` set to the username field. Cardinality isn't a good fit since you are not looking for a count of unique users logging in, but rather a summation (a.k.a. metric) of the aggregated logins per user. A Frequency rule, with a similar `query_key`, will also work, provided you don't need to sum a `number_of_attempts` field, and instead only need the count of log lines per user.
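To make the reply concrete, here is an added example of the two rule shapes it describes; it is not from the original discussion or from the ElastAlert project's own files. It assumes ElastAlert 2 rule syntax, Winlogbeat/ECS-shaped documents in a `winlogbeat-*` index (`event.code` 4625 for a failed logon, `winlog.event_data.TargetUserName` for the targeted account) and a tolerance of 10 failures in 5 minutes; change these to match your index and environment. The `metric_<key>_<type>` match field name, `top_count_keys` and the `debug` alerter follow ElastAlert's documented conventions as I know them; `value_count` stands in for the `sum` the reply mentions because the questioner's logs carry no per-event attempt count.

```yaml
# Added example, not from the original discussion. Field names and
# thresholds are assumptions; adjust to your own index mapping.

# --- File 1: rules/ad_failed_logons_frequency.yaml ---
# Frequency rule: fires when a single account accumulates num_events
# failed logons inside timeframe. ElastAlert counts the matching log
# lines per query_key value itself, so no per-event count field is needed.
name: AD brute force - failed logons per user (frequency)
type: frequency
index: winlogbeat-*
filter:
  - term:
      event.code: "4625"          # Windows "An account failed to log on"
query_key: winlog.event_data.TargetUserName
num_events: 10
timeframe:
  minutes: 5
# Appends the targeted account and its event count to the alert body.
top_count_keys:
  - winlog.event_data.TargetUserName
top_count_number: 1
alert_text: "Possible brute force against account {0} (see top counts below)"
alert_text_args:
  - winlog.event_data.TargetUserName
alert:
  - debug                          # swap for email/slack/etc. in production
---
# --- File 2: rules/ad_failed_logons_metric.yaml ---
# Metric aggregation rule: Elasticsearch aggregates per user within each
# buffer_time window and ElastAlert compares the result to max_threshold.
# With a real number_of_attempts field you would use metric_agg_type: sum
# on that field instead of value_count on the username.
name: AD brute force - failed logons per user (metric aggregation)
type: metric_aggregation
index: winlogbeat-*
filter:
  - term:
      event.code: "4625"
query_key: winlog.event_data.TargetUserName
metric_agg_key: winlog.event_data.TargetUserName
metric_agg_type: value_count
max_threshold: 10
buffer_time:
  minutes: 5
# The aggregated value lands in the match as metric_<agg_key>_<agg_type>,
# which is what lets the alert text carry the attempt count the question asks for.
alert_text: "Account {0} had {1} failed logons in the last 5 minutes"
alert_text_args:
  - winlog.event_data.TargetUserName
  - metric_winlog.event_data.TargetUserName_value_count
alert:
  - debug
```

Each rule belongs in its own file under your rules folder; the `---` separator only marks the boundary here. Run with `elastalert-test-rule` against the index first to confirm the field names resolve and that the alert body shows both the account and the count before wiring up a real alerter.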