How to find actual Windows User logins among the noise?

I'm new to ArcSight and I'm trying to get a list of a specific user's login times. In logger I'm searching on ((categoryBehavior = "/Authentication/Verify" AND destinationUserName = jdoe)) and deviceEventClassId = "Microsoft-Windows-Security-Auditing:4624". 

Unfortunately I'm getting hundreds of events per hour and I don't see another field I can sort on to identify the interactive "type 2"  4624 events.

How can I isolate these down to just the actual user logins?

Thanks in advance for any help!


Parents Reply Children
No Data