I recall doing something like this a while back. It is certainly possible, but is highly dependent on the log sources to get the information. Grabbing firewall logs and parsing through those is relatively straight forward. Antivirus logs as well. Windows logs will certainly provide a wealth of insight but if organizations only focus on server logs, then thats the only visibility they would have. Kerberos logs from Active Directory are nice, but sometimes, you need the logs from endpoints too.
Ultimately, I feel much of this is achievable. Netwitness would just need the data fed into it. Once the data sources are there, it's a matter of going through and understanding the data for the organization.
