I'm new to ArcSight and I'm trying to get a list of a specific user's login times. In Logger, I'm searching on ((categoryBehavior = "/Authentication/Verify" AND destinationUserName = jdoe)) and deviceEventClassId = "Microsoft-Windows-Security-Auditing:4624".
Unfortunately I'm getting hundreds of events per hour and I don't see another field I can sort on to identify the interactive "type 2" 4624 events.
How can I isolate these down to just the actual user logins?
Thanks in advance for any help!