You could do something like this

index = auth0 (data.type IN ("fu", "fp", "s")) 
| bucket span=5m _time 
| stats dc(eval(if('data.type'="s", null(), 'data.user_name'))) AS unique_failed_accounts 
        dc(eval(if('data.type'="s", 'data.user_name', null()))) AS unique_successful_accounts 
        values(eval(if('data.type'="s", null(), 'data.user_name'))) as tried_accounts 
        values(eval(if('data.type'="s", 'data.user_name', null()))) as successful_accounts 
        values(data.client_name) as clientName 
        values(eval(if('data.type'="s", null(), 'data.type'))) as failure_reason 
        latest(eval(if('data.type'="s", 'data.user_name', null()))) as last_successful_account
        max(eval(if('data.type'="s", _time, null()))) as last_successful_time
        max(eval(if('data.type'="s", null(), _time))) as last_failed_time
        by data.ip 
| where unique_failed_accounts > 10

Then you can see the latest failed time, successful time and failed and successful accounts and make any decisions needed.

What you're essentially after is the eval() test inside the stats to test what to collect. Make sure you wrap the field names in single quotes in that test, as it's an eval statement and the field names contain . characters.