Converting sigma correlation rules to ElastAlert #11886
Replies: 2 comments
Hi, cheers.
Thank you @Mav1814
Dear Community,
I'm trying to convert a playbook with Sigma correlation fields to ElastAlert but am getting errors.
Are correlation rules supported in playbooks?
title: Failed NTLM Logins with Different Accounts from Single Source System
id: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538
related:
    - id: e98374a6-e2d9-4076-9b5c-11bdb2569995
      type: derived
status: unsupported
description: Detects suspicious failed logins with different user accounts from a single source system
author: Florian Roth (Nextron Systems)
date: 2017/01/10
modified: 2023/02/24   # <<<<<<<<<<<<<<<<
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1078
logsource:
    product: windows
    service: security
detection:
    selection2:
        EventID: 4776
        TargetUserName: ''
        Workstation: ''
    timeframe: 24h
    condition: selection2 | count(TargetUserName) by Workstation > 3   # <<<<<<<<<<<
falsepositives:
    - Terminal servers
    - Jump servers
    - Other multiuser systems like Citrix server farms
    - Workstations with frequently changing users
level: medium
An unsupported feature is required for this Sigma rule (/tmp/tmppommjj27): Aggregation count is not implemented for this backend
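As an added illustration of what the backend refuses to generate (this is not code from the thread, nor from the sigma or elastalert projects), the following Python replays the rule's aggregation over constructed Security 4776 events and builds the ElastAlert `cardinality` rule a practitioner would write by hand for the same condition. Sigma's `count(field)` aggregation counts distinct values, so the ElastAlert counterpart is a cardinality check, not a `frequency` rule. Assumptions: `timeframe: 24h` is read as a sliding window, the selection is taken as "EventID 4776 with both fields populated", and the index pattern and `winlog.event_data.*` field names follow a Winlogbeat-style mapping that you would adapt to your own.

```python
"""Added example: replay the Sigma aggregation
    selection2 | count(TargetUserName) by Workstation > 3   (timeframe: 24h)
over constructed Windows Security 4776 events, and build the ElastAlert
'cardinality' rule a practitioner would hand-write for it."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 3                    # the "> 3" in the Sigma condition
TIMEFRAME = timedelta(hours=24)  # Sigma "timeframe: 24h", read as a sliding window (assumption)


def selection2(event):
    """Sigma 'selection2': EventID 4776 with both aggregated fields populated.
    (Assumption: the rule is meant to match any non-empty value in those fields.)"""
    return bool(event.get("EventID") == 4776
                and event.get("TargetUserName")
                and event.get("Workstation"))


def failed_logons_single_source(events, threshold=THRESHOLD, timeframe=TIMEFRAME):
    """Return {Workstation: peak distinct TargetUserName count} for every source
    that exceeded `threshold` distinct accounts inside one `timeframe` window.
    Sigma's count(field) counts distinct values, so this is a cardinality,
    not a plain event count."""
    by_ws = defaultdict(list)
    for ev in events:
        if selection2(ev):
            by_ws[ev["Workstation"]].append((ev["ts"], ev["TargetUserName"]))

    hits = {}
    for ws, rows in by_ws.items():
        rows.sort()                 # oldest first
        window = deque()            # (ts, user) pairs inside the current window
        live = defaultdict(int)     # user -> occurrences inside the window
        for ts, user in rows:
            window.append((ts, user))
            live[user] += 1
            # evict events older than `timeframe` relative to the newest one
            while ts - window[0][0] > timeframe:
                _old_ts, old_user = window.popleft()
                live[old_user] -= 1
                if live[old_user] == 0:
                    del live[old_user]
            if len(live) > threshold:
                hits[ws] = max(hits.get(ws, 0), len(live))
    return hits


def elastalert_rule(index="winlogbeat-*"):
    """ElastAlert rule for the same logic. The 'cardinality' rule type alerts
    when the number of distinct `cardinality_field` values seen per `query_key`
    within `timeframe` exceeds `max_cardinality`. The index pattern and the
    winlog.event_data.* field names are assumptions; adapt them to your mapping."""
    return {
        "name": "Failed NTLM Logins with Different Accounts from Single Source System",
        "type": "cardinality",
        "index": index,
        "filter": [{"term": {"winlog.event_id": 4776}}],
        "query_key": "winlog.event_data.Workstation",
        "cardinality_field": "winlog.event_data.TargetUserName",
        "max_cardinality": THRESHOLD,
        "timeframe": {"hours": 24},
        "alert": ["debug"],
    }


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": _t("2024-01-10T08:00:00"), "EventID": 4776, "Workstation": "WS-ATTACK", "TargetUserName": "alice"},
    {"ts": _t("2024-01-10T08:05:00"), "EventID": 4776, "Workstation": "WS-ATTACK", "TargetUserName": "bob"},
    {"ts": _t("2024-01-10T08:10:00"), "EventID": 4776, "Workstation": "WS-ATTACK", "TargetUserName": "carol"},
    {"ts": _t("2024-01-10T08:15:00"), "EventID": 4776, "Workstation": "WS-ATTACK", "TargetUserName": "alice"},  # repeat, not distinct
    {"ts": _t("2024-01-10T08:20:00"), "EventID": 4776, "Workstation": "WS-ATTACK", "TargetUserName": "dave"},   # 4th distinct -> > 3
    {"ts": _t("2024-01-10T09:00:00"), "EventID": 4776, "Workstation": "WS-SLOW", "TargetUserName": "u1"},
    {"ts": _t("2024-01-10T20:00:00"), "EventID": 4776, "Workstation": "WS-SLOW", "TargetUserName": "u2"},
    {"ts": _t("2024-01-11T07:00:00"), "EventID": 4776, "Workstation": "WS-SLOW", "TargetUserName": "u3"},
    {"ts": _t("2024-01-11T12:00:00"), "EventID": 4776, "Workstation": "WS-SLOW", "TargetUserName": "u4"},  # u1 is now >24h old: only 3 distinct
    {"ts": _t("2024-01-10T08:00:00"), "EventID": 4624, "Workstation": "WS-ATTACK", "TargetUserName": "eve"},  # wrong EventID, ignored
]

if __name__ == "__main__":
    print(failed_logons_single_source(SAMPLE_EVENTS))   # {'WS-ATTACK': 4}
    print(elastalert_rule())
```

WS-SLOW shows the part that matters when you translate by hand: four accounts failed from it, but never four inside one 24h window, so a rule keyed on a fixed daily bucket and a rule keyed on a sliding window can disagree on the same data. Whichever reading you pick, keep the ElastAlert `timeframe` and the threshold in the same place you keep the Sigma source so they do not drift apart.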