How to find actual Windows User logins among the noise?

I'm new to ArcSight and I'm trying to get a list of a specific user's login times. In Logger I'm searching on ((categoryBehavior = "/Authentication/Verify" AND destinationUserName = jdoe)) and deviceEventClassId = "Microsoft-Windows-Security-Auditing:4624".

Unfortunately I'm getting hundreds of events per hour and I don't see another field I can sort on to identify the interactive "type 2" 4624 events.

How can I isolate these down to just the actual user logins?

Thanks in advance for any help!

jm

  • Hello JM

    Which type of connector and architecture are you using to get your Windows events?

    Getting 4624 type 2/10/5 etc. can be accomplished in several ways.

    I recommend implementing event log forwarding using a GPO and installing a native connector to get the Forwarded Events log on the subscriber server.

    Best regards

    David
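The field that separates a real user sign-in from the noise is the LogonType value inside the 4624 event. The following is an added example, not code from the thread or from ArcSight: it assumes the events are available in the Windows event XML shape the Security-Auditing provider writes (for instance exported from the Forwarded Events log), and the sample events, user names and times are constructed.

```python
# Added example: keep only the 4624 events whose LogonType means a person signed in.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# LogonType values Microsoft documents for event 4624.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}
# Console, RDP and cached-credential logons: a user at a keyboard, not a share or service.
USER_LOGON_TYPES = {2, 10, 11}

def parse_4624(xml_text):
    """Return (SystemTime, TargetUserName, LogonType) for a 4624 event, else None."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None or system.findtext("e:EventID", namespaces=NS) != "4624":
        return None
    when = system.find("e:TimeCreated", NS).get("SystemTime")
    data = {d.get("Name"): d.text for d in root.iterfind("e:EventData/e:Data", NS)}
    return when, data.get("TargetUserName"), int(data.get("LogonType", -1))

def user_logins(xml_events, user):
    """Logon times for `user`, dropping network/service/batch noise by LogonType."""
    hits = []
    for xml_text in xml_events:
        rec = parse_4624(xml_text)
        if rec and rec[1] == user and rec[2] in USER_LOGON_TYPES:
            hits.append((rec[0], LOGON_TYPES[rec[2]]))
    return hits

def _event(event_id, user, logon_type, when):
    """Build a minimal constructed event in the Windows event XML shape."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">{logon_type}</Data></EventData></Event>')

# Constructed sample: one console logon, one RDP logon, and the usual noise around them.
SAMPLE_EVENTS = [
    _event(4624, "jdoe", 2, "2024-03-04T08:01:02Z"),    # console logon
    _event(4624, "jdoe", 3, "2024-03-04T08:01:09Z"),    # network (file share)
    _event(4624, "jdoe", 5, "2024-03-04T08:03:00Z"),    # service logon
    _event(4624, "jdoe", 10, "2024-03-04T09:15:44Z"),   # RDP logon
    _event(4624, "asmith", 2, "2024-03-04T09:20:00Z"),  # another user
    _event(4625, "jdoe", 2, "2024-03-04T09:30:00Z"),    # failed logon, not 4624
]

if __name__ == "__main__":
    for when, kind in user_logins(SAMPLE_EVENTS, "jdoe"):
        print(when, kind)
```

The same LogonType filter applies in Logger once you know which field the connector maps it to; the type 3 and type 5 events are the bulk of the hundreds per hour.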
