Forum Discussion
sequence_detect step conditions dependent on previous step?
For those who don't actually want to read through the above query to figure out exactly what it does, it's looking for a sequence of the following security events for the same user, within a 30 second period:
- a 4769 event (Kerberos service ticket request)
- a 4624 (logon) event with an impersonation type of Delegation
- another 4769 event
It then formats the sequence information together with the complete 4769 and 4624 events for output.
The hope/expectation would be that this would indicate a user coming from some workstation IP address (the IP in the first 4769 event), requesting access to a particular servicename, on some particular server Computer/IP which has delegation rights (the Computer name in the 4624 event), and that Computer/IP then immediately using those delegation rights to request a service ticket for itself on behalf of that user (the IP of the 2nd 4769 event should be the IP assigned to the Computer listed in the 4624 event).
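The three-step, same-user, 30-second sequence described above, as an added example (not the original query or the forum poster's code) written in plain Python so the matching logic can be checked against sample data. The event dictionaries, field names and the sample events are constructed here and are assumptions, not the exact field names of the poster's log source.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original post). Field names are an
# assumption that mirrors the Windows security event attributes discussed:
# 4769 carries the requesting IP and service name, 4624 carries the logging-on
# computer and the impersonation level.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:00", "event_id": 4769, "user": "alice",
     "ip": "10.0.0.5", "service": "cifs/FILESRV"},
    {"time": "2024-01-01T10:00:03", "event_id": 4624, "user": "alice",
     "computer": "FILESRV", "impersonation": "Delegation"},
    {"time": "2024-01-01T10:00:04", "event_id": 4769, "user": "alice",
     "ip": "10.0.0.20", "service": "cifs/FILESRV"},
    # bob: same shape, but the 4624 is not a Delegation logon, so no match
    {"time": "2024-01-01T10:05:00", "event_id": 4769, "user": "bob",
     "ip": "10.0.0.7", "service": "ldap/DC1"},
    {"time": "2024-01-01T10:06:00", "event_id": 4624, "user": "bob",
     "computer": "DC1", "impersonation": "Impersonation"},
    {"time": "2024-01-01T10:06:01", "event_id": 4769, "user": "bob",
     "ip": "10.0.0.9", "service": "ldap/DC1"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _next(evs, start, t0, window, pred):
    """Index of the first event after position start that satisfies pred and
    still falls within window of t0 (the sequence's first event), else None."""
    for k in range(start + 1, len(evs)):
        if _ts(evs[k]) - t0 > window:
            return None
        if pred(evs[k]):
            return k
    return None


def find_delegation_sequences(events, window_seconds=30):
    """Return one record per (4769 -> 4624 Delegation -> 4769) sequence for the
    same user with all three events inside window_seconds, ordered by time."""
    window = timedelta(seconds=window_seconds)
    by_user = {}
    for e in sorted(events, key=_ts):
        by_user.setdefault(e["user"], []).append(e)
    hits = []
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            if first["event_id"] != 4769:
                continue
            t0 = _ts(first)
            j = _next(evs, i, t0, window, lambda e: e["event_id"] == 4624
                      and e.get("impersonation") == "Delegation")
            if j is None:
                continue
            k = _next(evs, j, t0, window, lambda e: e["event_id"] == 4769)
            if k is None:
                continue
            # The sequence summary plus the complete 4769 and 4624 events
            hits.append({"user": user, "workstation_ip": first["ip"],
                         "delegating_computer": evs[j]["computer"],
                         "delegated_request_ip": evs[k]["ip"],
                         "events": (first, evs[j], evs[k])})
    return hits
```

Each hit records the first 4769's IP, the 4624's Computer and the second 4769's IP side by side, which is the comparison the post says should hold when the delegating server requests the ticket on the user's behalf.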