I have created the following query as per my database, but it is indicating only all events during that span. It does not generate an alert after a successful login.
index=* (EventCode=4624 OR EventCode=4625)
| bin _time span=5m as minute
| stats list(Keywords) as Attempts, count(eval(match(Keywords,"Audit Failure"))) as Failed,
count(eval(match(Keywords,"Audit Success"))) as Success by minute Account_Name
| where mvcount(Attempts)>=10 AND Success=1 AND Failed>=2
| eval minute=strftime(minute,"%H:%M")
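The condition the query above is aiming at (several 4625 failures followed by a 4624 success for the same account within five minutes), as an added Python example that is not part of the original post. It uses a sliding per-account window instead of the query's fixed 5-minute bins; the function name, the `min_failed` threshold and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624  # Windows logon failure / logon success event codes

def failures_then_success(events, window=timedelta(minutes=5), min_failed=2):
    """Return (account, success_time, failed_count) for every successful logon
    preceded by at least min_failed failures for that account inside window.
    events: iterable of (timestamp, account, event_code)."""
    recent_failures = defaultdict(deque)  # account -> timestamps of recent failures
    alerts = []
    for ts, account, code in sorted(events):
        q = recent_failures[account]
        # Drop failures that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if code == FAILED:
            q.append(ts)
        elif code == SUCCESS:
            if len(q) >= min_failed:
                alerts.append((account, ts, len(q)))
            q.clear()  # a success ends the failure streak for this account
    return alerts

def at(hms):
    """Helper for the constructed sample: time of day on a fixed date."""
    return datetime.strptime("2024-01-01 " + hms, "%Y-%m-%d %H:%M:%S")

# Constructed sample events (not taken from the original post).
SAMPLE = [
    (at("10:03:10"), "alice", FAILED),
    (at("10:04:40"), "alice", FAILED),
    (at("10:04:55"), "alice", FAILED),
    (at("10:05:20"), "alice", SUCCESS),  # streak spans the 10:00 and 10:05 bins
    (at("10:06:00"), "bob", FAILED),
    (at("10:20:00"), "bob", SUCCESS),    # failure older than the window: no alert
    (at("10:30:00"), "carol", SUCCESS),  # success without failures: no alert
]

if __name__ == "__main__":
    for account, ts, n in failures_then_success(SAMPLE):
        print(f"{ts:%H:%M:%S} {account}: success after {n} failed logons")
```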