How do I apply/use the "distinct" parameter in ESA rule format if I need to have an alert created for a particular source connection IP only, as per a threshold time? I tried using the unique parameter but it didn't suffice for my requirement.
It sounds like you want to group/thread specific alert criteria by a variable, in this case source IP addresses within a certain window of time.
Perhaps using 'GROUP BY' will meet your requirement, rather than the "unique" or "distinct" parameters.
The syntax below is an example of creating an alert for failed logon criteria and grouping the alert by source IP address, specifically where the count of failed logon events is greater than 5 in a window of 5 minutes. The count parameter here is optional, but it may come in handy for alerts grouped by source IP address.
SELECT * FROM
Event(user_dst IS NOT NULL AND ip_src IS NOT NULL AND event_cat_name = 'User.Activity.Failed Logins').win:time(5 min)
GROUP BY ip_src
HAVING COUNT(*) > 5
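To see what the grouped rule does, here is an added Python emulation (not ESA/Esper code and not from this thread) of its filter, the 5-minute sliding window kept per ip_src, and the count threshold, run over a constructed sample stream; the event dictionaries, field values and timestamps are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

CATEGORY = "User.Activity.Failed Logins"

def failed_logins_by_source(events, window=timedelta(minutes=5), threshold=5):
    """Emulate the EPL rule: filter failed-login events, keep a sliding
    time window per ip_src, and emit an alert tuple (ip_src, time, count)
    whenever a source's count inside the window exceeds the threshold.
    `events` must arrive in time order, as they would from the stream."""
    per_source = defaultdict(deque)  # ip_src -> timestamps still in the window
    alerts = []
    for ev in events:
        # Filter from the rule: both keys present and the category matches
        if ev.get("user_dst") is None or ev.get("ip_src") is None:
            continue
        if ev.get("event_cat_name") != CATEGORY:
            continue
        ts, src = ev["time"], ev["ip_src"]
        q = per_source[src]
        # win:time(5 min): drop events that have aged out of the window
        while q and ts - q[0] >= window:
            q.popleft()
        q.append(ts)
        # GROUP BY ip_src ... HAVING COUNT(*) > threshold
        if len(q) > threshold:
            alerts.append((src, ts, len(q)))
    return alerts

def sample_events():
    """Constructed sample stream (not real data): one source fails 6 times
    within 2.5 minutes, another fails 6 times spread over 10 minutes, plus
    two events the filter should ignore."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    def ev(ip, secs, user="alice", cat=CATEGORY):
        return {"user_dst": user, "ip_src": ip, "event_cat_name": cat,
                "time": t0 + timedelta(seconds=secs)}
    events = [ev("203.0.113.10", 30 * i) for i in range(6)]    # burst
    events += [ev("198.51.100.7", 120 * i) for i in range(6)]  # slow trickle
    events.append(ev("203.0.113.10", 10, cat="User.Activity.Successful Logins"))
    events.append(ev("203.0.113.10", 20, user=None))
    return sorted(events, key=lambda e: e["time"])

if __name__ == "__main__":
    for src, ts, n in failed_logins_by_source(sample_events()):
        print(f"ALERT {src} at {ts:%H:%M:%S}: {n} failed logins in window")
```

Only the bursting source trips the rule; the slow source never has more than three failures inside any 5-minute window, which is the difference between grouping by ip_src and simply counting distinct addresses.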