If it were a problem-du-jour type thing, we could probably seed it with something new we discovered this week, like "hey, this week we heard the Target breach was because someone had infiltrated their POS network and was copying data off - how would you have detected this?" And maybe we'd get some rule examples or source data out of that, or just spirited discussion about why that really sucks and how hard it would be to detect.
I think that would be an awesome start! I think it would really help make the connection between theory and reality and provide a good discussion forum to help people get more value out of LEM.
Part of the uphill battle historically in the security world tends to be confidentiality, where people don't really want to talk about how they have solved problems, though they might be interested in talking about how they WOULD solve a problem.
Yeah, this isn't surprising. With that being said, I think you are absolutely correct in that folks don't need to admit to anything specific that has happened to them while still being able to talk about real world examples of how they have used the tool to identify and/or protect against threats or solve operational problems.
I have found that it only takes a few real-world examples that touch people at a personal level to have them look at the capabilities and say "I need that!" Many SIEM products can be very complicated and unapproachable by a large percentage of the technical community, which is also why I think studies have shown many SIEM deployments fail. I think LEM could easily be positioned in such a way as to pull away from the rest of the pack as a very approachable solution if it could just make that connection between theory and reality.