OK, great! So we just got Splunk running. Now what?
I've gone out and told it to grab AD data, so I thought, hey, how do I find failed logon attempts on the network? Even better, can I set a trigger to alert me when someone fails X times and the account gets locked out?
Any takers for a rookie question?
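One way to do both in a single SPL search, added here as an example rather than a reply from the thread. It assumes the Windows Security log is collected with the Splunk Add-on for Windows into an index named wineventlog, using that add-on's field names (EventCode, user, Account_Name, src, Caller_Computer_Name); event ID 4625 is a failed logon and 4740 is an account lockout, and the threshold of 5 is a placeholder for your domain's lockout policy.

```spl
index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR EventCode=4740)
| eval account=coalesce(user, Account_Name)
| stats count(eval(EventCode=4625)) AS failed_logons,
        count(eval(EventCode=4740)) AS lockouts,
        values(src) AS failure_sources,
        values(Caller_Computer_Name) AS lockout_source,
        min(_time) AS first_seen,
        max(_time) AS last_seen
        BY account
| where failed_logons >= 5 OR lockouts > 0
| convert ctime(first_seen) ctime(last_seen)
| sort - failed_logons
```

To get the trigger you describe, run the search over the last 15 minutes, use Save As > Alert with a schedule (for example every 5 minutes), and set the trigger condition to number of results greater than 0. Each row then tells you which account tripped the threshold or was locked out and from which host the failures came.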