So, here's the unfortunate deal.... we haven't exposed a way to do a threshold of one, which is what you need.
You CAN do this:
2 in 10 seconds (alert when you see two of the same event in 10 seconds)
Advanced Threshold (little gears on the correlation time that become active when you add a threshold):
SAME <whatever> (interface, source, etc, you can add more than one field)
Re-Infer: 1 hour
Your Response Window will need to be 1 hour also so it can remember data for that long.
Correlation Time on the entire rule applies to EVERYTHING in the correlations box. You can also add a threshold for each grouping in the correlations box if you want to get more fancy.
Then, the "Advanced Threshold" box basically modifies your threshold by defining how to "count" your threshold (they need to come from the same IP, the same user, etc) and tells the threshold how often to check for "over threshold" again (your "wait an hour before telling me the **** is still hitting the fan" thing).