@Amos1
Point 1: "...Target (department store) malware turned itself on at 9 AM and off at 5 PM..." Yeah, so the more dangerous stuff is stealthy--but I wouldn't assume that the stupid stuff can't do damage as well.
Point 2: "...monitoring for failed logins is far less valuable than monitoring for successful logins..." I prefer to know the ratio between the two. And, while the really ancient stuff may be less relevant today, especially with the ability to automatically lock out accounts (which I was shocked to find not everybody does), modems and batch files were once used in the days before MS Windows to dial into phone systems and simply step through PINs by an increment of one. And yes, what you wanted to do is figure out if any of those guesses worked. So, if it ever skipped a number, that was the one you needed to check for breach.
Back in those old days, we actually read each and every log event. That would be crazy today. For defense in depth, it's wise to get your statistics to reveal those hidden patterns for all the possibilities--both stupid and stealthy--being fully aware that a stupid attack may be used as cover for a stealthy one.
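
The two checks described in the comment above, the failed-to-successful login ratio and the skipped number in an increment-by-one sweep, as an added Python example that is not part of the original comment. The log layout, the source names and the thresholds are assumptions, and the events are constructed.

```python
from collections import defaultdict

# Constructed sample log (not real data): (source, outcome, PIN tried).
# Assumption: the legacy system records the attempted PIN on failures only.
EVENTS = [
    ("line-7", "fail", 4140), ("line-7", "fail", 4141), ("line-7", "fail", 4142),
    ("line-7", "ok", None),
    ("line-7", "fail", 4144), ("line-7", "fail", 4145),
    ("line-2", "fail", 9001), ("line-2", "ok", None),
    ("line-3", "ok", None), ("line-3", "ok", None),
]

def ratios(events):
    """Per source: (failures, successes, failures per success)."""
    counts = defaultdict(lambda: [0, 0])
    for src, outcome, _ in events:
        counts[src][0 if outcome == "fail" else 1] += 1
    return {s: (f, ok, f / ok if ok else float("inf"))
            for s, (f, ok) in counts.items()}

def skipped_guesses(events, min_run=3, min_density=0.75):
    """Values missing from a dense increment-by-one run of failed guesses."""
    tried = defaultdict(set)
    for src, outcome, pin in events:
        if outcome == "fail" and pin is not None:
            tried[src].add(pin)
    gaps = {}
    for src, pins in tried.items():
        span = max(pins) - min(pins) + 1
        if len(pins) < min_run or len(pins) / span < min_density:
            continue  # too few or too scattered to call it a sweep
        missing = sorted(set(range(min(pins), max(pins) + 1)) - pins)
        if missing:
            gaps[src] = missing  # the guesses that did NOT fail
    return gaps

def review_queue(events, min_ratio=3.0):
    """Sources whose successful logins deserve a closer look."""
    gaps = skipped_guesses(events)
    return sorted(s for s, (f, ok, r) in ratios(events).items()
                  if ok and (r >= min_ratio or s in gaps))

if __name__ == "__main__":
    print(ratios(EVENTS))
    print(skipped_guesses(EVENTS))
    print(review_queue(EVENTS))
```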