this is a great login search that I use. Got most of it from the MalwareArchaeology.com
sourcetype="WinEventLog:Security" EventCode=4624 NOT (host=“DC1" OR host=“DC2" OR host=“DC…”) NOT (Account_Name="*$" OR Account_Name="ANONYMOUS LOGON") NOT (Account_Name="Service_Account") NOT [ inputlookup Trusted_Logon_Whitelist.csv | fields Account_Name Account_Domain Logon_Type ] | eval Account_Domain=(mvindex(Account_Domain,1)) | eval Account_Name=if(Account_Name="-",(mvindex(Account_Name,1)), Account_Name) | eval Account_Name=if(Account_Name="*$",(mvindex(Account_Name,1)), Account_Name) | eval Time=strftime(_time,"%Y/%m/%d %T") | stats count values(Account_Domain) AS Domain, values(host) AS Host, dc(host) AS Host_Count, values(Logon_Type) AS Logon_Type, values(Workstation_Name) AS From_WS_Name, values(Source_Network_Address) AS Source_IP, values(Process_Name) AS Process_Name by Account_Name | sort - Host_Count | where Host_Count > 2 | head 10 | fields - Host Source_IP
Not exacly what your looking for but might help you develop what your looking for.
... View more