1) You have to establish a logon policy according to company work time, also approved by HR. Everyone has to know that a restrictive logon policy is in place and that it can't be bypassed.
2) Apply the policy to your AD.
3) Log Windows Security Events from Domain Controllers into the Netwitness infrastructure.
4) Create one simple rule looking for event ID 4625 with status/sub-status code 0xC000006F (https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625). Depending on your Authentication Policy restrictions, event ID 4820 can also be useful.
5) Aggregate alerts by logon username and trigger one incident.
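
Steps 4 and 5 expressed as detection logic in Python, as an added example that is not part of the original post and is not Netwitness rule syntax. The field names (EventID, TimeCreated, TargetUserName, Status, SubStatus, IpAddress) are assumptions about how the events look after parsing, and the sample events are constructed.

```python
LOGON_HOURS = 0xC000006F  # status/sub-status code named in step 4

# Constructed sample events; field names are assumed parser output.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2024-03-02T23:10:00Z", "TargetUserName": "alice",
     "Status": "0xC000006E", "SubStatus": "0xC000006F", "IpAddress": "10.0.0.5"},
    {"EventID": 4625, "TimeCreated": "2024-03-02T23:12:00Z", "TargetUserName": "Alice@corp.example",
     "Status": "0xc000006f", "SubStatus": "0x0", "IpAddress": "10.0.0.6"},
    {"EventID": 4625, "TimeCreated": "2024-03-02T23:15:00Z", "TargetUserName": "bob",
     "Status": "0xC000006D", "SubStatus": "0xC000006A", "IpAddress": "10.0.0.7"},
    {"EventID": 4624, "TimeCreated": "2024-03-03T09:00:00Z", "TargetUserName": "carol"},
    {"EventID": 4820, "TimeCreated": "2024-03-02T23:30:00Z", "TargetUserName": "dave"},
]

def _code(value):
    """Parse a hex status string; None when missing or malformed."""
    try:
        return int(str(value), 16)
    except ValueError:
        return None

def _user(event):
    """Normalise so 'alice', 'CORP\\alice' and 'Alice@corp.example' aggregate together."""
    name = (event.get("TargetUserName") or "").strip().lower()
    return name.split("\\")[-1].split("@")[0]

def is_violation(event, include_4820=False):
    """Step 4: 4625 with the logon-hours code in Status or SubStatus; 4820 optional."""
    if event.get("EventID") == 4625:
        return LOGON_HOURS in (_code(event.get("Status")), _code(event.get("SubStatus")))
    return include_4820 and event.get("EventID") == 4820

def build_incidents(events, include_4820=False):
    """Step 5: one incident per logon username."""
    incidents = {}
    for ev in events:
        user = _user(ev)
        if not user or not is_violation(ev, include_4820):
            continue
        ts = ev["TimeCreated"]  # ISO 8601 UTC strings sort chronologically
        inc = incidents.setdefault(user, {"count": 0, "first": ts, "last": ts, "sources": set()})
        inc["count"] += 1
        inc["first"], inc["last"] = min(inc["first"], ts), max(inc["last"], ts)
        if ev.get("IpAddress"):
            inc["sources"].add(ev["IpAddress"])
    return incidents

if __name__ == "__main__":
    for user, inc in build_incidents(SAMPLE_EVENTS).items():
        print(user, inc["count"], inc["first"], inc["last"], sorted(inc["sources"]))
```

Checking both Status and SubStatus matters because the logon-hours code can arrive in either field, and normalising the username keeps one user from being split across several incidents.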