I went to a Splunk event in Denver a couple years ago. This story has stuck around in my mind for a while.
A guy from JeffCo Public Schools (where I grew up, btw) presented. They had a small budget, decided to spend that budget sending their authentication and authorization logs into splunk. Through their dashboards they noticed one teacher's credentials being used from the wrong school.
They correctly deduced and later confirmed that a student at one school had obtained the credentials (probably from a sticky note on the keyboard) and shared them with students at the other school who went on to fiddle with grades, or similar mischief.
Several audience members immediately asked if they could hire the students in question. The speaker indicated they'd thought of that too. They did find ways to direct the students to constructive application of their skills and mischief.
I've been occasionally thinking about benefits of instrumenting security logs with analytics ever since.