Watcher alert when specific event logged against unique IP

Hi,

I am new to Elasticsearch and want to configure alerts when there are more than X failed login attempts from a unique IP (i.e. the alert should not be triggered when the total failed login attempts are more than X).

One way to achieve this is to create a separate watcher alert for each device, but then there would be extra load on Elastic as there would be multiple scheduled searches.

I've created a visualization to show my requirement to have an alert if login attempts on a device exceed X times. Can someone please guide me on how to create a watcher to meet this requirement?

The search query for the above output is:

{
  "aggs": {
    "2": {
      "terms": {
        "field": "host.keyword",
        "order": {
          "_count": "desc"
        },
        "size": 5
      }
    }
  },
  "size": 0,
  "_source": {
    "excludes": []
  },
  "stored_fields": [
    "*"
  ],
  "script_fields": {},
  "docvalue_fields": [
    {
      "field": "@timestamp",
      "format": "date_time"
    }
  ],
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "should": [
              {
                "match": {
                  "tags": "device_login_fail"
                }
              }
            ],
            "minimum_should_match": 1
          }
        },
        {
          "range": {
            "@timestamp": {
              "format": "strict_date_optional_time",
              "gte": "2019-11-21T09:02:22.168Z",
              "lte": "2019-11-25T09:02:22.168Z"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}
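One way to express this as a single watch rather than one per device, as an added example that is not part of the original post: the terms aggregation from the query above is kept, but `min_doc_count` makes Elasticsearch return only the hosts whose failed-login count exceeds the threshold, so the condition only has to check whether any bucket came back. The threshold (X = 5, so `min_doc_count` is 6), the `logs-*` index pattern, the 5-minute window and the `size` of 100 distinct hosts are assumptions; the body would be sent as `PUT _watcher/watch/failed_logins_per_host`.

```json
{
  "trigger": { "schedule": { "interval": "5m" } },
  "input": {
    "search": {
      "request": {
        "indices": [ "logs-*" ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "match": { "tags": "device_login_fail" } },
                { "range": { "@timestamp": {
                    "gte": "{{ctx.trigger.scheduled_time}}||-5m",
                    "lte": "{{ctx.trigger.scheduled_time}}" } } }
              ]
            }
          },
          "aggs": {
            "by_host": {
              "terms": {
                "field": "host.keyword",
                "size": 100,
                "min_doc_count": 6
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "return ctx.payload.aggregations.by_host.buckets.size() > 0"
    }
  },
  "actions": {
    "log_offenders": {
      "logging": {
        "text": "Hosts with more than 5 failed logins in the last 5 minutes: {{#ctx.payload.aggregations.by_host.buckets}}{{key}}={{doc_count}} {{/ctx.payload.aggregations.by_host.buckets}}"
      }
    }
  }
}
```

Because the filtering happens inside the aggregation, a host with 100 failures and a hundred hosts with one failure each are distinguished by Elasticsearch itself, and the watch runs one scheduled search regardless of how many devices exist; swap the `logging` action for `email` or `webhook` as needed.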
