I am attempting to do something similar with After Hour logins.
Current setup is:
Naming my domain so Windows service accounts don't trigger, and vendor service accounts named as "does not contain" so I won't get alerts for those either.
I will probably have to adjust the correlation time a little bit but I have high hopes for this time around.
Will keep you updated.