How to find actual Windows User logins among the noise?
I'm new to ArcSight and I'm trying to get a list of a specific user's login times. In Logger I'm searching on ((categoryBehavior = "/Authentication/Verify" AND destinationUserName = jdoe)) and deviceEventClassId = "Microsoft-Windows-Security-Auditing:4624".
Unfortunately I'm getting hundreds of events per hour and I don't see another field I can sort on to identify the interactive "type 2" 4624 events.
How can I isolate these down to just the actual user logins?
Thanks in advance for any help!
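The field that separates a person sitting at a console or RDP session from share access and service starts is the 4624 event's LogonType (2 Interactive, 10 RemoteInteractive, 11 CachedInteractive versus 3 Network, 5 Service and so on). Where that value lands in ArcSight fields depends on the connector's mapping, so the example below, which is added here and is not from the original thread, filters on the raw Windows field in the event XML that the Security log (and forwarded-event subscriptions) produce. The events, hostnames and timestamps are constructed sample data.

```python
"""Reduce Windows 4624 logon events to interactive logons by LogonType.

Added example, not from the original thread. Parses constructed Security-log
records in the standard event XML schema and keeps only logon types that
mean a person logged on at a console or over RDP.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespace used by every Windows event XML record
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# LogonType values from the 4624 event definition. Type 3 (network, e.g. SMB
# share access) and type 5 (service start) are the usual sources of noise.
LOGON_TYPE_NAMES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}
INTERACTIVE_LOGON_TYPES = {2, 10, 11}


def make_event(event_id, when, computer, user, logon_type, ip="-"):
    """Build a constructed Security-log record (sample data only)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{when}"/><Computer>{computer}</Computer></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">{logon_type}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


# Constructed sample: one user's day with share-access noise, a service logon
# and a logoff (4634 also carries LogonType, so the EventID check matters).
SAMPLE_EVENTS = [
    make_event(4624, "2024-01-15T08:02:11.1234567Z", "WS01.example.local", "jdoe", 2),
    make_event(4624, "2024-01-15T08:02:15.0000000Z", "FS01.example.local", "jdoe", 3, "10.0.0.21"),
    make_event(4624, "2024-01-15T08:03:40.0000000Z", "FS01.example.local", "jdoe", 3, "10.0.0.21"),
    make_event(4624, "2024-01-15T08:05:00.0000000Z", "SRV02.example.local", "svc_backup", 5),
    make_event(4624, "2024-01-15T12:30:05.0000000Z", "TS01.example.local", "jdoe", 10, "10.0.0.21"),
    make_event(4634, "2024-01-15T12:45:00.0000000Z", "WS01.example.local", "jdoe", 2),
    make_event(4624, "2024-01-15T18:10:59.0000000Z", "WS01.example.local", "jdoe", 11),
]


def parse_time(system_time):
    """Windows writes 7 fractional digits (100 ns); Python accepts at most 6."""
    head, _, frac = system_time.rstrip("Z").partition(".")
    return datetime.fromisoformat(head + "." + frac[:6].ljust(6, "0")).replace(tzinfo=timezone.utc)


def parse_logon(xml_text):
    """Return a dict for a 4624 record, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    logon_type = int(data.get("LogonType", 0))
    return {
        "time": parse_time(root.find("e:System/e:TimeCreated", NS).get("SystemTime")),
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "user": data.get("TargetUserName"),
        "domain": data.get("TargetDomainName"),
        "logon_type": logon_type,
        "logon_type_name": LOGON_TYPE_NAMES.get(logon_type, f"Unknown({logon_type})"),
        "source_ip": data.get("IpAddress"),
    }


def interactive_logons(xml_records, user=None):
    """Keep 4624 records whose LogonType is interactive, optionally for one user."""
    hits = []
    for record in xml_records:
        event = parse_logon(record)
        if event is None or event["logon_type"] not in INTERACTIVE_LOGON_TYPES:
            continue
        if user is not None and event["user"].lower() != user.lower():
            continue
        hits.append(event)
    return sorted(hits, key=lambda e: e["time"])


if __name__ == "__main__":
    for ev in interactive_logons(SAMPLE_EVENTS, user="jdoe"):
        print(f'{ev["time"]:%Y-%m-%d %H:%M:%S} {ev["user"]:<10} type {ev["logon_type"]:>2} '
              f'({ev["logon_type_name"]}) on {ev["computer"]} from {ev["source_ip"]}')
```

Run as-is it prints jdoe's three real logons (console at 08:02, RDP at 12:30, cached at 18:10) and drops the two share-access events, the service logon and the logoff. The same idea in a Logger search is a second condition on whatever field your connector maps LogonType into; if that field is not visible in the event detail, the reply below about how the events are collected is the place to start.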
Which type of connector and architecture are you using to get your windows events?
Getting 4624 type 2/10/5 etc. can be accomplished in several ways.
I recommend implementing event log forwarding using a GPO and installing a native connector to get the Forwarded Events log on the subscriber server.