The question is how do I combine these searches? For each bad Acount_Name in the second search, I would like to find the next successful logon in a 60 second period. My end goal is a table containing 2 fields: failed login Account_Name and next successful login Account_Name. The input is the standard Windows security event log. For example:
I found your post looking for the same thing you were. I used your transaction based search to help out. I required Sub_Status=0xc0000064 as a requirement to the failed logon attempt because it means the attempt was from an unknown user. You could probably further increase the probability of detecting a password by incorporating your regex against the baduser field. I know this is almost 4 years old, but here is what I came up with:
Note - this search ran extremely slow for me. I decided a couple years ago I want to be able to search all logon activity very quickly, so I created a summary index with that data in it. When searching that index, my results are returned very quickly. Alternatively you can probably do an accelerated data model.
Hopefully this helps somebody, even if you're no longer after the answer.