Depends on how homogeneous your network and your user base are. Check for these and see what you find.
(EventID=528 OR EventID=540 OR EventID=552 OR EventID=4624 OR EventID=4648)
Whether the individual workstations are going to forward their logs of type 7 events, whether you have technical users that will be using runas and generating type 9s, logging on through VPN and generating type 10s, not to mention whether there is any KVM/IP going on and generating pseudo-Type 2s, and so on, is highly organization-specific.
Oh, and that's for Windows; Unix logons have a whole different set of criteria. As a place to start, look for stuff like this -
((pam_vas:* AND "<succeeded") OR "Accepted" OR "Auth_methods_completed")
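An added example, not part of the original answer: a Python tally of which logon types turn up among lines matching the two searches above, run over constructed sample lines. The key=value layout and the `LogonType` field name are assumptions; the event IDs and Unix markers are the ones in the answer.

```python
import re
from collections import Counter
# Event IDs from the Windows search above.
WINDOWS_LOGON_IDS = {528, 540, 552, 4624, 4648}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}
# Unix markers from the second search; matched here as case-sensitive substrings.
UNIX_MARKERS = ("Accepted", "Auth_methods_completed")
# Assumed key=value layout; LogonType is a hypothetical field name.
EVENT_ID_RE = re.compile(r"\bEventID=(\d+)\b")
LOGON_TYPE_RE = re.compile(r"\bLogonType=(\d+)\b")

def classify(line):
    """Label a line matched by either search, or return None."""
    event = EVENT_ID_RE.search(line)
    if event:
        if int(event.group(1)) not in WINDOWS_LOGON_IDS:
            return None
        ltype = LOGON_TYPE_RE.search(line)
        if ltype is None:  # e.g. 4648 records carry no logon type
            return f"windows:{event.group(1)}:no-logon-type"
        n = int(ltype.group(1))
        return f"windows:type{n}:{LOGON_TYPES.get(n, 'Unknown')}"
    if "pam_vas:" in line and "<succeeded" in line:
        return "unix:pam_vas"
    for marker in UNIX_MARKERS:
        if marker in line:
            return f"unix:{marker}"
    return None

def tally(lines):
    return Counter(label for label in map(classify, lines) if label)

# Constructed sample lines, not taken from any real system.
SAMPLE = [
    "EventID=4624 LogonType=2 User=alice Host=WS01",
    "EventID=4624 LogonType=7 User=alice Host=WS01",
    "EventID=4624 LogonType=10 User=bob Host=TS01",
    "EventID=528 LogonType=9 User=carol Host=WS02",
    "EventID=4648 User=carol Host=WS02",
    "EventID=4634 LogonType=2 User=alice Host=WS01",
    "sshd[2211]: Accepted publickey for dave from 192.0.2.10 port 50022 ssh2",
    "sshd[2212]: Failed password for eve from 192.0.2.11 port 50023 ssh2",
    "sshd[2213]: pam_vas: Authentication <succeeded> for <Active Directory> user: <frank>",
]

if __name__ == "__main__":
    print(sorted(tally(SAMPLE).items()))
```

Run against an export of your own events, the per-label counts show which logon types your environment actually produces before you decide which ones to keep or filter.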