I would like to trigger the task only if the login attempt is against a disabled account. This includes the Result Code 0x12. How can I add this to the trigger? Any help would be much appreciated. Thanks.
Here is the event.

Here is the event details XML View:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4768</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2022-04-19T16:40:04.842900000Z" />
<EventRecordID>562602120</EventRecordID>
<Correlation />
<Execution ProcessID="528" ThreadID="106016" />
<Channel>Security</Channel>
<Computer>XXXXXXXXXX</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">XXXXXXXX</Data>
<Data Name="TargetDomainName">XXXXXXX</Data>
<Data Name="TargetSid">S-1-0-0</Data>
<Data Name="ServiceName">krbtgt/mie</Data>
<Data Name="ServiceSid">S-1-0-0</Data>
<Data Name="TicketOptions">0x40810010</Data>
<Data Name="Status">0x12</Data>
<Data Name="TicketEncryptionType">0xffffffff</Data>
<Data Name="PreAuthType">-</Data>
<Data Name="IpAddress">::ffff:192.168.240.79</Data>
<Data Name="IpPort">50126</Data>
<Data Name="CertIssuerName" />
<Data Name="CertSerialNumber" />
<Data Name="CertThumbprint" />
</EventData>
</Event>
Here is a task trigger that includes everything but the result code:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[band(Keywords,4503599627370496) and (EventID=4768)]]</Select>
</Query>
</QueryList>
Not sure where to put the Result Code 0x12
<Data Name="Status">0x12</Data>