Anyone had luck tracking user logons using events for authentication tickets?

The "Windows Security Operations Center" app can return Kerberos successful logons using exclusively event ID 4768. This does capture the 4768 event generated whenever someone logs on in the morning (i.e. an interactive logon), but it also reports other 4768 events generated by Windows subsystems. All the extra 4768 events create noise and make it impossible to determine what is a user logon and what is a background process.

I've taken a 4768 event I know to come from a user logon, but its text nearly matches random 4768 events word for word. There is no unique code/text inside a 4768 user-logon event that I can use to filter out the noise. I also tried matching the 4624 events that are created at the same time as the user-logon 4768 event, but it's hit or miss unless there is a query string that can do this.

Thanks.
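The 4768-to-4624 matching the question describes, as an added example that is not part of the original post: it keeps only the 4768 TGT requests that are followed within a short window by a 4624 for the same account whose Logon Type is interactive (2) or RemoteInteractive (10), which is the extra filter that makes the time-based match less hit or miss. The events are constructed samples, and the field names (`user`, `logon_type`, `host`) are assumed stand-ins for the Windows TargetUserName, Logon Type and computer fields.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original post): a domain controller's
# 4768 TGT requests and the 4624 logon events recorded around the same time.
# Logon Type 2 = interactive (console), 10 = RemoteInteractive (RDP),
# 3 = network, 5 = service; only 2 and 10 are treated as user logons here.
EVENTS = [
    {"ts": "2024-03-01T08:01:10", "id": 4768, "user": "alice", "host": "DC1"},
    {"ts": "2024-03-01T08:01:12", "id": 4624, "user": "alice", "logon_type": 2, "host": "WS-ALICE"},
    {"ts": "2024-03-01T08:05:00", "id": 4768, "user": "svc_backup", "host": "DC1"},
    {"ts": "2024-03-01T08:05:01", "id": 4624, "user": "svc_backup", "logon_type": 5, "host": "FS1"},
    # A 4768 with no 4624 following it: a background ticket request, not a user logon.
    {"ts": "2024-03-01T08:30:00", "id": 4768, "user": "bob", "host": "DC1"},
    {"ts": "2024-03-01T09:00:00", "id": 4768, "user": "carol", "host": "DC1"},
    {"ts": "2024-03-01T09:00:03", "id": 4624, "user": "carol", "logon_type": 10, "host": "TS1"},
]

USER_LOGON_TYPES = {2, 10}


def parse(ts):
    return datetime.fromisoformat(ts)


def correlate_user_logons(events, window_seconds=60):
    """Return the 4768 events that are followed, within window_seconds, by a
    4624 for the same account whose Logon Type is interactive or RDP."""
    logons = [e for e in events if e["id"] == 4624 and e["logon_type"] in USER_LOGON_TYPES]
    window = timedelta(seconds=window_seconds)
    matched = []
    for tgt in (e for e in events if e["id"] == 4768):
        t0 = parse(tgt["ts"])
        for lg in logons:
            delta = parse(lg["ts"]) - t0
            # Same account (case-insensitive) and the 4624 lands at or after the 4768.
            if lg["user"].lower() == tgt["user"].lower() and timedelta(0) <= delta <= window:
                matched.append({**tgt, "logon_host": lg["host"], "logon_type": lg["logon_type"]})
                break
    return matched


if __name__ == "__main__":
    for m in correlate_user_logons(EVENTS):
        print(f'{m["ts"]} {m["user"]} logged on at {m["logon_host"]} (type {m["logon_type"]})')
```

The same logic maps onto a Splunk search that joins the two event IDs on the account field within a time window and then filters on Logon Type; the service account and the orphan 4768 drop out.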