@David
Here's the update based on the customer's feedback that @hrottenberg_splunk mentioned:
Sec Essentials use cases:
New Logon Type for User
Disabled Update Service
Monitor Unsuccessful Windows Updates
New RunAs Host
Successful Login of Account for Former Employee
In Splunk demo env, most cases bring up events with identical source and sourcetype names, which is odd.