I use this search:
index=_audit | dedup action | table action
and get these results:
Remote token requested
Notice a lack of "login attempt"
Check _internal for http numbers related to access. 401 unauthorized, access denied, etc.
Combine that with _access and you'll come up with successful and unsuccessful logon attempts.
Also if you're interated with LDAP you can verify based on what you find happening in LDAP/AD logs.
Are you integrated with LDAP? If so check your active directory security logs. For successful/ unsuccessful attempts.
Another method might be checking the web access logs in _internal index.