To narrow down to a possible password in the username field, you need to add the Sub_Status field for a value of "0xc0000064":
index=wineventlog EventCode=4625 Sub_Status="0xc0000064"
This will return failed logon attempts where "Username does not exist."
The problem you have is that you will have a username that doesn't exist (likely a typo of the user's name, but sometimes it is a password) and then you will have a valid username. Therefore, your transaction cannot be by the Account_Name field. If your target is a workstation, you can probably remove Account_Name from the transaction. Things will be more difficult if you're working with an RDP server or something else with lots of logons from different users.
Explore your data with the addition of the Sub_Status - I think that will get you closer to where you want to be.
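The correlation described in the answer above, as an added Python example that is not part of the original post: events are grouped by source host instead of Account_Name, and an unknown-username failure (Sub_Status 0xc0000064) is paired with the next logon event for an existing account from the same host. The sample events, the `time` and `host` field names, the 60-second window and the use of EventCode 4624 for the follow-up logon are assumptions made for the illustration.

```python
from datetime import datetime

NO_SUCH_USER = "0xc0000064"  # Sub_Status from the post: username does not exist

# Constructed sample events, not real logs. "time" and "host" are assumed field names.
EVENTS = [
    {"time": "2024-05-01T08:00:05", "host": "WS-017", "EventCode": 4625,
     "Sub_Status": "0xc0000064", "Account_Name": "Summer2024!x"},
    {"time": "2024-05-01T08:00:21", "host": "WS-017", "EventCode": 4624,
     "Sub_Status": "", "Account_Name": "jdoe"},
    {"time": "2024-05-01T09:14:00", "host": "WS-022", "EventCode": 4625,
     "Sub_Status": "0xc0000064", "Account_Name": "asmiht"},
    {"time": "2024-05-01T11:30:00", "host": "WS-022", "EventCode": 4624,
     "Sub_Status": "", "Account_Name": "asmith"},
    {"time": "2024-05-01T10:00:00", "host": "WS-030", "EventCode": 4625,
     "Sub_Status": "0xc000006a", "Account_Name": "bking"},
    {"time": "2024-05-01T10:00:09", "host": "WS-030", "EventCode": 4624,
     "Sub_Status": "", "Account_Name": "bking"},
]

def find_candidates(events, window_s=60):
    """Pair each unknown-username 4625 with the next logon event for an
    existing account from the same host, keyed on host, not Account_Name."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(ev["host"], []).append(ev)
    hits = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if ev["EventCode"] != 4625 or ev["Sub_Status"].lower() != NO_SUCH_USER:
                continue
            start = datetime.fromisoformat(ev["time"])
            for nxt in evs[i + 1:]:
                gap = (datetime.fromisoformat(nxt["time"]) - start).total_seconds()
                if gap > window_s:
                    break
                if nxt["Sub_Status"].lower() != NO_SUCH_USER:
                    # Report only the length of the unknown name so a possible
                    # password is not copied into the hunt output.
                    hits.append({"host": host, "time": ev["time"],
                                 "unknown_name_len": len(ev["Account_Name"]),
                                 "followed_by": nxt["Account_Name"]})
                    break
    return hits

if __name__ == "__main__":
    for hit in find_candidates(EVENTS):
        print(hit)
```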