A robust network-security monitoring application should include an alerting service. When an event that requires attention occurs, this service will send a notice by e-mail, page, instant messaging or other urgent method to a security expert.
The administrator may configure this service for pre-determined events or baselining may be used. When baselining is used, a threshold value is configured. When the value exceeds the threshold for a particular kind of event, an alert is issued.
For example, a number of failed attempts to log into an administrative account on a server may indicate that an attacker is trying to gain control of the server. The network team decides that up to ten tries is reasonable for someone who has just temporarily forgotten the password, so they set a threshold of ten failed attempts for this kind of event. At the eleventh attempt, an alert is sent so that an expert can investigate for other symptoms that would indicate an attack.