Do you have the Agent on the user's laptop?
If you search for logons based only on data from a domain controller, then you're going to see events all day. Windows is constantly asking the domain to confirm rights for all sorts of things (permission to run apps, connect to Exchange, map shares, access files, etc.) and Windows and LEM call all those things "Logons."
There is a special event that shows when meat touched a system, though: the Interactive Logon.
So, if I search for my own account in nDepth for the last couple hours, I get this:
If I search for Interactive Logons, though, I get a lot fewer events. These events don't get sent to the domain controllers; they only get logged on the destination systems, so you'd need an agent on the systems in question.
These definitively report when a user entered their password to log into a system, as opposed to all the AD authentication traffic noise.
Naming my domain so Windows service accounts don't trigger and vendor service accounts named as "does not contain" so I won't get alerts for those either.
I will probably have to adjust the correlation time a little bit but I have high hopes for this time around.
Will keep you updated.
Additional note: I do not have the agents on any workstations, just servers, so this is all DC reporting and I did set up a special email that contains the info I deemed necessary.
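The two filters discussed in this thread (keep only interactive logons, then drop service accounts with a "does not contain" condition) can be sketched outside LEM as follows. This is an added example, not code from the thread or from LEM. It assumes raw Windows Security event 4624 records, where LogonType 2 is an interactive logon; the `svc_` naming convention and all sample events are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Windows logon types: 2 = Interactive, 3 = Network, 5 = Service.
INTERACTIVE_TYPES = {2}

def make_event(user, logon_type, computer):
    # Builds a constructed, minimal 4624 record in the Windows event XML layout.
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>4624</EventID><Computer>{computer}</Computer></System>"
        f'<EventData><Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data></EventData></Event>'
    )

# Constructed sample: mostly network "logons" as seen by a DC, plus two interactive ones.
SAMPLE_EVENTS = [
    make_event("jsmith", 3, "DC01"),
    make_event("jsmith", 3, "DC01"),
    make_event("SRV01$", 3, "DC01"),
    make_event("svc_backup", 5, "SRV01"),
    make_event("jsmith", 2, "SRV01"),
    make_event("svc_vendor", 2, "SRV02"),
]

def parse_logon(xml_text):
    """Return (user, logon_type, computer) for a 4624 event, else None."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    if not data.get("LogonType", "").isdecimal():
        return None  # malformed record: no usable logon type
    return (data.get("TargetUserName", ""), int(data["LogonType"]),
            root.findtext("e:System/e:Computer", namespaces=NS))

def interactive_logons(events, exclude_substrings=("svc_",)):
    """Keep interactive logons; drop machine accounts and excluded name patterns."""
    hits = []
    for xml_text in events:
        parsed = parse_logon(xml_text)
        if parsed is None or parsed[1] not in INTERACTIVE_TYPES:
            continue
        user, _, computer = parsed
        # Machine accounts end in "$"; exclude_substrings is the "does not contain" list.
        if user.endswith("$") or any(s in user.lower() for s in exclude_substrings):
            continue
        hits.append((user, computer))
    return hits
```

With the sample above, six logon events reduce to a single interactive logon by `jsmith` on `SRV01`, which only appears because that record comes from the destination system rather than the domain controller.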