I found your post looking for the same thing you were. I used your transaction-based search to help out. I required Sub_Status=0xc0000064 as a requirement to the failed logon attempt because it means the attempt was from an unknown user. You could probably further increase the probability of detecting a password by incorporating your regex against the baduser field. I know this is almost 4 years old, but here is what I came up with:

index=whatever sourcetype="wineventlog:security" EventCode=4624 OR (EventCode=4625 Sub_Status=0xc0000064)
| transaction host startswith="EventCode=4624" endswith="EventCode=4625" maxspan=180s
| eval baduser=mvindex(Account_Name,1), gooduser=mvindex(Account_Name,-1)
| reverse
| table _time, host, baduser, gooduser, Account_Name, duration

Note - this search ran extremely slow for me. I decided a couple years ago I want to be able to search all logon activity very quickly, so I created a summary index with that data in it. When searching that index, my results are returned very quickly. Alternatively you can probably do an accelerated data model. Hopefully this helps somebody, even if you're no longer after the answer.
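The correlation the posted search expresses, written out as an added Python example (not the poster's code and not a Splunk artifact) so the logic can be tested offline: on one host, a 4625 whose Sub_Status is 0xc0000064 (the account name does not exist) followed within 180 seconds by a 4624 is reported with the failed name as baduser and the successful name as gooduser. The sample events are constructed, a single "account" field stands in for the target Account_Name value, and the `looks_like_password` heuristic is a hypothetical stand-in for the regex the comment refers to, since that regex is not shown here.

```python
from datetime import datetime, timedelta
import re

UNKNOWN_USER = "0xc0000064"        # STATUS_NO_SUCH_USER: the account name does not exist
MAX_SPAN = timedelta(seconds=180)  # same window as maxspan=180s in the posted search

# Constructed sample events (not real log data). "account" stands in for the
# target Account_Name value of the Windows Security event.
SAMPLE_EVENTS = [
    {"time": "2024-03-01 08:00:05", "host": "WS01", "code": 4625, "account": "Winter2024!", "sub_status": "0xc0000064"},
    {"time": "2024-03-01 08:00:40", "host": "WS01", "code": 4624, "account": "jdoe", "sub_status": None},
    # known user, wrong password: not an unknown-user failure, so not a candidate
    {"time": "2024-03-01 09:15:00", "host": "WS02", "code": 4625, "account": "asmith", "sub_status": "0xc000006a"},
    {"time": "2024-03-01 09:15:20", "host": "WS02", "code": 4624, "account": "asmith", "sub_status": None},
    # unknown user, but the success comes 600 s later, outside the window
    {"time": "2024-03-01 10:00:00", "host": "WS03", "code": 4625, "account": "ghost", "sub_status": "0xc0000064"},
    {"time": "2024-03-01 10:10:00", "host": "WS03", "code": 4624, "account": "bob", "sub_status": None},
]

# Hypothetical heuristic standing in for the regex mentioned in the comment:
# mixed case plus a digit or symbol in something that should be a plain user name.
PASSWORD_LIKE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*[\d!@#$%^&*()_+\-=\[\]{};:'\",.<>/?]).{8,}$")


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def looks_like_password(name):
    """Hypothetical check on the failed account name; tune to local naming rules."""
    return bool(PASSWORD_LIKE.match(name))


def correlate(events, max_span=MAX_SPAN):
    """Pair each unknown-user 4625 with the next 4624 on the same host inside max_span.

    Returns one dict per pair: time of the failure, host, baduser, gooduser,
    duration in seconds, and whether baduser passes the password-like heuristic.
    """
    by_host = {}
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        by_host.setdefault(ev["host"], []).append(ev)

    hits = []
    for host, evs in by_host.items():
        pending = None  # most recent unmatched unknown-user failure on this host
        for ev in evs:
            if ev["code"] == 4625 and ev["sub_status"] == UNKNOWN_USER:
                pending = ev
            elif ev["code"] == 4624 and pending is not None:
                delta = parse_time(ev["time"]) - parse_time(pending["time"])
                if delta <= max_span:
                    hits.append({
                        "time": pending["time"],
                        "host": host,
                        "baduser": pending["account"],
                        "gooduser": ev["account"],
                        "duration": int(delta.total_seconds()),
                        "password_like": looks_like_password(pending["account"]),
                    })
                pending = None  # a success closes the window either way
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints the single WS01 pair; WS02 is dropped because the failure was a wrong password for a known account, and WS03 because the success fell outside the 180-second window.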