Successful authentication after 3 failures

I'm new in ELK

I want to create an alert if a windows user makes a successful login after he make 3 failed authentication

that's mean after 3 failed (4625 event id ) and 1 success (4624 event id ) he make alert

I use winlogbeat to collect log from windows machine