User Activity Report - any options?

We are using Managed Threat Ultimate (for now…), so whatever within this suite would be just fine. I did try something with InsightConnect but that went sideways real fast. I am trying to produce an executive report of a user’s physical login activity - workstation unlocks, logging in to workstations, etc. I believe I am narrowing in on the correct query (massive pain…) but at the end of it all I am afraid it’s just not going to be “actionable” by the intended recipient. A standard:

workstation1… 4:32PM EST 2/21/2025
workstation1… 7:28PM EST 2/21/2025
workstation2… 3:43AM EST 2/22/2025
workstation1… 8:54AM EST 2/22/2025

is what I am after. I want it to be accurate and normalized for time zone (if possible). Spoke with my CA and we’re kind of working on a query too but I am starting to lose faith that IDR is capable of producing what I need. Any tips, pointers? Really do not want to look at third-party toolsets. Seems like a report like this should be really very simple to produce with all the data sources pouring information into the IDR platform. Thanks!

I just did something similar and I think I have the data you are after. I wasn’t concerned with date specifics though. But hopefully this helps for your data needs.

Go to your logsearch in IDR. Go to Asset Authentication → Endpoint Agents. For a query run: where("destination_account" = "" and ("source_json.insertionStrings.8" = "2" or "source_json.insertionStrings.8" = "7"))

A string type 2 indicates a full interactive login at the console while a type 7 is a screen unlock. At the end of the day, these are all part of Windows EventID 4624 if you need to dig further on the other logon type codes.
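
An added example, not part of either post: one way to turn the events that query returns into the per-user listing asked for above, normalized to a single time zone. The field names `timestamp` and `destination_asset`, the account names, and all sample records are assumptions or constructed values; adjust them to match your own export.

```python
from datetime import datetime, timedelta, timezone

LOGON_TYPES = {"2": "console logon", "7": "unlock"}  # the two 4624 types in the query
EST = timezone(timedelta(hours=-5), "EST")  # fixed offset; pass a ZoneInfo to follow DST

def _event(ts, host, user, logon_type):
    """Build one constructed record shaped like an exported log entry."""
    strings = [""] * 8 + [logon_type]  # insertionStrings[8] is the logon type
    return {"timestamp": ts, "destination_asset": host,
            "destination_account": user, "source_json": {"insertionStrings": strings}}

SAMPLE = [  # constructed data, timestamps in UTC
    _event("2025-02-21T21:32:10Z", "workstation1", "jdoe", "2"),
    _event("2025-02-21T21:32:11Z", "workstation1", "jdoe", "2"),  # duplicate 4624
    _event("2025-02-22T00:28:00Z", "workstation1", "jdoe", "7"),
    _event("2025-02-22T08:43:00Z", "workstation2", "jdoe", "3"),  # network logon
    _event("2025-02-22T08:43:30Z", "workstation2", "jdoe", "2"),
    _event("2025-02-22T13:54:00Z", "workstation1", "asmith", "2"),  # other user
]

def activity_report(events, account, tz=EST, dedupe=timedelta(seconds=5)):
    """Return report lines for one account, oldest first, in the given time zone."""
    rows = []
    for ev in events:
        kind = LOGON_TYPES.get(ev["source_json"]["insertionStrings"][8])
        if kind is None or ev["destination_account"].lower() != account.lower():
            continue
        when = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        rows.append((when, ev["destination_asset"], kind))
    rows.sort()
    lines, last_seen = [], {}
    for when, host, kind in rows:
        prev = last_seen.get((host, kind))
        last_seen[(host, kind)] = when
        if prev is not None and when - prev <= dedupe:
            continue  # Windows can log more than one 4624 for a single logon
        local = when.astimezone(tz)
        stamp = (f"{local.hour % 12 or 12}:{local.minute:02d}"
                 f"{'AM' if local.hour < 12 else 'PM'} {local.tzname()} "
                 f"{local.month}/{local.day}/{local.year}")
        lines.append(f"{host}  {stamp}  {kind}")
    return lines

if __name__ == "__main__":
    print("\n".join(activity_report(SAMPLE, "jdoe")))
```

The fixed EST offset keeps the output identical on any machine; for a recipient who expects daylight saving time to be honored, pass `zoneinfo.ZoneInfo("America/New_York")` as `tz` instead.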