Question about searching winlog events

Hello!
I'm using latest winlogbeat with ECS and its shipping security events in Elasticsearch. I've created a local user on Windows machine without password and get error, that password does not compline with local policies.
In windows event viewer I see three events:

  1. event_id = 4720 - user created.
  2. event_id = 4729 - user was removed from a security-enabled global group.
  3. event_id = 4726 - user deleted.

If i create user correctly I have only one event with id 4720 and its fine.
How can I filter out "wrong created" users using elasticsearch query?