Hi Poukim0m. Thanks for reaching out.
I think that what you are looking for is an EQL sequence, rather than a threshold query. By using a sequence, you can use the `by` join keyword to look for matching documents. An example would look something like the following:
sequence by source.ip, user.name, destination.ip, customer.name with maxspan=5s
[ process where ... ] with runs = 10
Thanks,
Ruben
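To make the semantics of the suggested query concrete, here is an added example (not part of the original thread and not Elastic's EQL engine) that models what `sequence by source.ip, user.name, destination.ip, customer.name with maxspan=5s [ process where ... ] with runs=10` would match, run over constructed sample events. It assumes the sequence step is "any process event" since the original condition is elided, that events missing a join field are skipped, and that events are consumed once they contribute to a match; the event documents are constructed for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Join fields from the reply's `sequence by ...` clause.
JOIN_FIELDS = ("source.ip", "user.name", "destination.ip", "customer.name")

# Assumed stand-in for the elided `[ process where ... ]` condition.
def is_process_event(ev):
    return ev.get("event.category") == "process"


def find_runs(events, join_fields=JOIN_FIELDS, step=is_process_event,
              maxspan=timedelta(seconds=5), runs=10):
    """Simplified model of `sequence by <join_fields> with maxspan [step] with runs=N`.

    Per join key, keep the step events seen so far and prune any that fall more
    than `maxspan` before the newest one. When `runs` events remain in that
    window, report one match and clear the buffer (assumption: events are not
    reused for a second match).
    """
    pending = defaultdict(deque)
    matches = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not step(ev):
            continue  # not a step event, so it never enters a sequence
        key = tuple(ev.get(f) for f in join_fields)
        if any(v is None for v in key):
            continue  # assumption: events missing a join field are skipped
        window = pending[key]
        window.append(ev)
        while window and ev["@timestamp"] - window[0]["@timestamp"] > maxspan:
            window.popleft()
        if len(window) == runs:
            matches.append({
                "join_key": dict(zip(join_fields, key)),
                "first": window[0]["@timestamp"],
                "last": ev["@timestamp"],
                "events": list(window),
            })
            window.clear()
    return matches


# ---- constructed sample data (not from the original thread) ----
BASE = datetime(2024, 1, 1, 12, 0, 0)

def _ev(seconds, src, user, dst, customer, category="process"):
    return {
        "@timestamp": BASE + timedelta(seconds=seconds),
        "event.category": category,
        "source.ip": src, "user.name": user,
        "destination.ip": dst, "customer.name": customer,
    }

EVENTS = []
# Key A: ten process events in 4.5 seconds -> fits maxspan=5s, runs=10.
for i in range(10):
    EVENTS.append(_ev(0.5 * i, "10.0.0.5", "alice", "10.0.0.9", "acme"))
# Key A noise: a network event and an event with no user.name, both ignored.
EVENTS.append(_ev(2.0, "10.0.0.5", "alice", "10.0.0.9", "acme", category="network"))
EVENTS.append(_ev(2.0, "10.0.0.5", None, "10.0.0.9", "acme"))
# Key B: ten process events two seconds apart -> never ten within 5 seconds.
for i in range(10):
    EVENTS.append(_ev(2 * i, "10.0.0.6", "bob", "10.0.0.9", "acme"))


if __name__ == "__main__":
    for m in find_runs(EVENTS):
        print(m["join_key"], m["first"].time(), "->", m["last"].time())
```

Lowering `runs` (for example to 3) shows how the window resets after each match: the same data then yields several shorter matches per key instead of one long one.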