Like this (maybe put some of the last | search stuff into the WHERE clause of tstats😞

| tstats summariesonly=true  count(eval('action'=="failure")) AS failure count(eval('action'=="success")) AS success
FROM datamodel=Authentication
WHERE index=*
BY _time span=10m "Authentication.src_user"
| search success>0 AND failure>=10 AND (Authentication.src_user!="NULL SID" AND NOT Authentication.src_user="-" AND NOT Authentication.src_user="unknown")

The OOTB Brute Force Behavior correlation rule with ES already does this. Why are you trying to create a custom one?

Why not try with a subsearch, looking for failed logins. You can use a stats count by IP, computername or username and have where clause > 10.

You give that field and the time to the search for looking to successful logins. To control when it is done, you need to play with earliest and latetst time values of the searches.

I am not sure of where you are getiting your data... But maybe you could modify this snippet..

index=wineventlog sourcetype=WinEventLog:Security (EventCode="4624" OR EventCode="4625") user!="*$" 
| eval count_failure = if(action=="failure", 1, 0), count_success = if(action=="success", 1, 0)
| eval time_failure = if(action=="failure", _time, "-"), time_success = if(action=="success", _time, "-")
| stats min(time_failure) as first_fail, sum(count_failure) as count_failure, min(time_success) as first_success by user
| eval time_difference = first_success - first_fail
| where count_failure > 0
| search time_difference>400
| eval first_fail=strftime(first_fail,"%Y-%m-%d | %H:%M:%S"), first_success=strftime(first_success,"%Y-%m-%d | %H:%M:%S")