Here you are:
{
"_id": "W1234_b2b77b91-c0f7-4ee2-9970-3aa41112bc59-2018-01-16T14:06:36.040Z",
"watch_record": {
"watch_id": "W1234",
"node": "uy-aQe2PT12NAjCj-B7QKQ",
"state": "executed",
"status": {
"state": {
"active": true,
"timestamp": "2018-01-16T14:04:36.002Z"
},
"last_checked": "2018-01-16T14:06:36.040Z",
"last_met_condition": "2018-01-16T14:06:36.040Z",
"actions": {
"email_admin": {
"ack": {
"timestamp": "2018-01-16T14:05:36.403Z",
"state": "ackable"
},
"last_execution": {
"timestamp": "2018-01-16T14:06:36.040Z",
"successful": true
},
"last_successful_execution": {
"timestamp": "2018-01-16T14:06:36.040Z",
"successful": true
}
}
},
"execution_state": "executed",
"version": 23129
},
"trigger_event": {
"type": "manual",
"triggered_time": "2018-01-16T14:06:36.040Z",
"manual": {
"schedule": {
"scheduled_time": "2018-01-16T14:06:36.040Z"
}
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"*"
],
"types": [],
"body": {
"size": 0,
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"gte": "now-5m",
"lte": "now"
}
}
},
{
"term": {
"EventID": "4625"
}
}
]
}
},
"aggs": {
"User": {
"terms": {
"field": "TargetUserName.keyword"
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.aggregations.User.buckets.0.doc_count": {
"gte": 3
}
}
},
"metadata": {
"name": "Failed User Logons",
"xpack": {
"type": "json"
}
},
"result": {
"execution_time": "2018-01-16T14:06:36.040Z",
"execution_duration": 2347,
"input": {
"type": "search",
"status": "success",
"payload": {
"_shards": {
"total": 122,
"failed": 0,
"successful": 122,
"skipped": 0
},
"hits": {
"hits": [],
"total": 38,
"max_score": 0
},
"took": 12,
"timed_out": false,
"aggregations": {
"User": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"doc_count": 38,
"key": "MyNameGoesHere"
}
]
}
}
},
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"*"
],
"types": [],
"body": {
"size": 0,
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"gte": "now-5m",
"lte": "now"
}
}
},
{
"term": {
"EventID": "4625"
}
}
]
}
},
"aggs": {
"User": {
"terms": {
"field": "TargetUserName.keyword"
}
}
}
}
}
}
},
"condition": {
"type": "compare",
"status": "success",
"met": true,
"compare": {
"resolved_values": {
"ctx.payload.aggregations.User.buckets.0.doc_count": 38
}
}
},
"actions": [
{
"id": "email_admin",
"type": "email",
"status": "success",
"email": {
"account": "outlook_account",
"message": {
"id": "W1234_b2b77b91-c0f7-4ee2-9970-3aa41112bc59-2018-01-16T14:06:36.040Z",
"sent_date": "2018-01-16T14:06:36.054Z",
"to": [
"yournamegoeshere@myawesomecompany.com"
],
"subject": "Warning: Multiple Failed Logons",
"body": {
"text": "The user: failed to logon: 38 times."
}
}
}
}
]
},
"messages": []
}
}
Also please note: I changed the email body template from `The user: {{ctx.payload.TargetUserName}} failed to logon` to `The user: {{ctx.payload.TargetUserName.keyword}} failed to logon`, but neither renders a name — the sent body in the record above still reads "The user:  failed to logon: 38 times." Looking at `result.input.payload`, there is no top-level `TargetUserName` field for the template to read: the search runs with `"size": 0`, so `hits.hits` is empty and the user name only appears as the terms-aggregation bucket key (`aggregations.User.buckets[0].key` = "MyNameGoesHere"). The template presumably needs `{{ctx.payload.aggregations.User.buckets.0.key}}`, i.e. the same path the condition already uses for `doc_count`. Note that both the condition and that template only ever look at bucket 0 (the top user by count), so other accounts with three or more failures in the same five-minute window would not be reported.
If you need any more info, please do not hesitate to ask.
Cheers,
G