I have been making an effort to get our LEM/SEM logs in order so we can start shaping and alerting on the information it is giving us. One problem I have run into is that we are getting a huge number of UserLogon and UserLogoff events under both "Local Account Authentication/Changes" and "User Logons" under "Authentication". I will see 3 or 4 copies of the same log hit SEM for the same user on the same remote server, with the only difference ever being a slight change in the DestinationLogonID. I will attach a redacted example of a logon and a logoff to this thread as an example.
How do you all deal with the constant logon/logoff events while still staying PCI or HIPAA compliant?
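As an added illustration (not part of the post above and not a SolarWinds SEM feature), the script below shows the collapse logic that the question is really asking for: treat events as "the same" when every field except the per-session logon ID matches, fold the copies that arrive within a short window into one event with a suppressed count, and keep the raw events untouched for retention. Windows assigns a separate logon ID to each logon session, so a user hitting one file server can legitimately produce several UserLogon/UserLogoff pairs that differ only in that field. The sample lines, the key=value layout, the field names and the 60-second window are all constructed for this example; the rule that interactive (type 2) and RDP (type 10) logons are never collapsed is an assumption about what you would still want to alert on.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified key=value form, modelled loosely on
# the UserLogon/UserLogoff fields named in the post. This is NOT real SEM output.
SAMPLE_EVENTS = """\
2024-03-01T09:00:01Z EventType=UserLogon SourceAccount=jdoe DestinationMachine=FS01 DestinationLogonID=0x1A2B3C LogonType=3
2024-03-01T09:00:01Z EventType=UserLogon SourceAccount=jdoe DestinationMachine=FS01 DestinationLogonID=0x1A2B40 LogonType=3
2024-03-01T09:00:02Z EventType=UserLogon SourceAccount=jdoe DestinationMachine=FS01 DestinationLogonID=0x1A2B44 LogonType=3
2024-03-01T09:00:03Z EventType=UserLogoff SourceAccount=jdoe DestinationMachine=FS01 DestinationLogonID=0x1A2B3C LogonType=3
2024-03-01T09:00:03Z EventType=UserLogoff SourceAccount=jdoe DestinationMachine=FS01 DestinationLogonID=0x1A2B40 LogonType=3
2024-03-01T09:05:00Z EventType=UserLogon SourceAccount=jdoe DestinationMachine=FS01 DestinationLogonID=0x1A2C00 LogonType=3
2024-03-01T09:00:05Z EventType=UserLogon SourceAccount=asmith DestinationMachine=FS01 DestinationLogonID=0x1A2B50 LogonType=10
"""

# Fields that make two events "the same" for alerting purposes. DestinationLogonID
# is deliberately excluded: it changes per Windows logon session, which is exactly
# why the near-identical copies in the post look distinct.
KEY_FIELDS = ("EventType", "SourceAccount", "DestinationMachine", "LogonType")

# Assumption for this example: interactive (2) and RemoteInteractive/RDP (10)
# logons are never collapsed, since those are the ones you alert on.
NEVER_COLLAPSE = {"2", "10"}


def parse_event(line):
    """Parse one constructed 'timestamp k=v k=v ...' line into a dict."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["timestamp"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def collapse_events(text, window_seconds=60):
    """Return (raw, collapsed).

    raw keeps every event exactly as received (this is what you retain for
    PCI/HIPAA-style log retention). collapsed keeps one event per key within
    each window and records how many copies it stands for and which logon IDs.
    """
    raw = [parse_event(l) for l in text.splitlines() if l.strip()]
    raw.sort(key=lambda e: e["timestamp"])  # stable sort keeps arrival order on ties
    window = timedelta(seconds=window_seconds)
    last_emitted = {}  # key -> the collapsed event currently "open" for that key
    collapsed = []
    for ev in raw:
        key = tuple(ev[f] for f in KEY_FIELDS)
        prev = last_emitted.get(key)
        if (ev["LogonType"] not in NEVER_COLLAPSE
                and prev is not None
                and ev["timestamp"] - prev["timestamp"] <= window):
            # Same user/server/type within the window: fold into the open event.
            prev["suppressed"] += 1
            prev["logon_ids"].append(ev["DestinationLogonID"])
            continue
        out = dict(ev, suppressed=0, logon_ids=[ev["DestinationLogonID"]])
        collapsed.append(out)
        last_emitted[key] = out
    return raw, collapsed


def describe(collapsed):
    """One line per collapsed event, e.g. for a console or a summary view."""
    return [
        "{ts} {type} {user}@{host} logon_type={lt} copies={n} ids={ids}".format(
            ts=e["timestamp"].isoformat(), type=e["EventType"],
            user=e["SourceAccount"], host=e["DestinationMachine"],
            lt=e["LogonType"], n=e["suppressed"] + 1, ids=",".join(e["logon_ids"]))
        for e in collapsed
    ]


if __name__ == "__main__":
    raw, collapsed = collapse_events(SAMPLE_EVENTS)
    print("raw events retained: %d, collapsed for alerting: %d" % (len(raw), len(collapsed)))
    for line in describe(collapsed):
        print(line)
```

The split between `raw` and `collapsed` is the point: collapsing happens in the view or alert path, not in what gets stored, so the retention side still has every event with its own logon ID while the analyst only sees one line per user, server, logon type and window. Tightening or loosening `window_seconds`, and deciding which logon types are exempt from collapsing, is where the real tuning happens.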