Create a condition in EQL/ES|QL query for alert

Hi,

Can we create a condition using an EQL or ES|QL query to raise an alert?

Such as:

If a login fails more than twice and is then followed by a success, will it raise an alert?

{
  "query": """
    sequence by user.name with maxspan=10m
      [authentication where event.outcome == "failure"]
      [authentication where event.outcome == "failure"]
      [authentication where event.outcome == "success"]
      [authentication where event.category == "logoff"]
  """
}

Can we do something like [authentication where event.outcome == "failure"] > 2?

Or to raise an IoC that is truly detected, without any prevention action following it?

sequence by source.ip
  [
    any where
      event.category in ("network", "malware") and
      event.action == "Detect" and
      (IOC)
  ]
  not followed by
  [
    any where
      event.category in ("network", "malware") and
      event.action == "Prevent" and
      (IOC)
  ]
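
An added example, not part of the original post: the two conditions asked about, written with EQL's `with runs` statement and its `![ ... ]` missing-event syntax. It assumes a stack version that supports both. The 5m maxspan and the `destination.ip` value are constructed stand-ins (the latter for the post's `(IOC)` condition), and the two queries are run separately.

```eql
// Query 1: more than two failed logins, then a success, per user in 10 minutes.
// "with runs=3" is the same as writing the failure item three times in a row.
sequence by user.name with maxspan=10m
  [authentication where event.outcome == "failure"] with runs=3
  [authentication where event.outcome == "success"]

// Query 2: a detection that is not followed by a prevention for the same source.
// ![ ... ] marks an event that must NOT occur. When the missing event is the
// last item of the sequence, maxspan is required: the sequence matches once
// that window passes without a matching "Prevent" event.
// maxspan=5m is an assumed window; destination.ip == "203.0.113.10" is a
// constructed placeholder for the (IOC) condition.
sequence by source.ip with maxspan=5m
  [any where
     event.category in ("network", "malware") and
     event.action == "Detect" and
     destination.ip == "203.0.113.10"]
  ![any where
     event.category in ("network", "malware") and
     event.action == "Prevent" and
     destination.ip == "203.0.113.10"]
```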