Any help figuring out how to design a query for this would be helpful.
Something like this:
index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" AND other stuff here
| streamstats time_window=?? count dc(dest) AS dc BY host
| where count>?? AND dc>??
Install the Splunk Security Essentials app and check out the Brute Force Access Attempt Detected use cases.
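Added example, not part of the thread and not Splunk's implementation: a Python model of the per-host sliding-window logic in the streamstats search above, run over constructed events. The 60-second window and the thresholds (more than 5 events, more than 3 distinct destinations) are assumed values standing in for the `??` placeholders, and the host and destination names are made up.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def sample_events():
    """Constructed (time, host, dest) events; not taken from the thread."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    events = []
    for i in range(6):
        # hostA: many attempts, many destinations, all within 25 seconds
        events.append((t0 + timedelta(seconds=5 * i), "hostA", f"srv{i % 4 + 1}"))
        # hostB: many attempts, but always the same destination
        events.append((t0 + timedelta(seconds=5 * i + 1), "hostB", "srv1"))
        # hostC: many destinations, but spread over ten minutes
        events.append((t0 + timedelta(minutes=2 * i), "hostC", f"srv{i + 1}"))
    return events


def detect(events, window_s, min_count, min_dc):
    """Model of: streamstats time_window=W count dc(dest) AS dc BY host
                 | where count>min_count AND dc>min_dc
    Returns {host: time of the first event at which both thresholds were exceeded}.
    """
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # host -> (time, dest) pairs still inside the window
    alerts = {}
    for ts, host, dest in sorted(events):  # process in time order
        q = recent[host]
        q.append((ts, dest))
        # Drop this host's events that have aged out of the window.
        while q[0][0] <= ts - window:
            q.popleft()
        count = len(q)                # running count inside the window
        dc = len({d for _, d in q})   # running distinct destinations
        if count > min_count and dc > min_dc and host not in alerts:
            alerts[host] = ts
    return alerts


if __name__ == "__main__":
    for host, ts in detect(sample_events(), 60, 5, 3).items():
        print(f"{ts.isoformat()} {host} exceeded both thresholds")
```

Only hostA trips the 60-second rule. Widening the window to 900 seconds also catches the slower hostC, which is the trade-off to weigh when choosing the window and thresholds.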