This chapter considers some of the tradeoffs, capabilities, and issues facing intrusion-detection system users and builders. This is a bit more theoretical than some parts of the book, but I use real-world examples to try to keep the material useful and pragmatic. We invest some time talking about events of interest (EOI). This is an important concept because an analyst gets better results from an intrusion-detection system if she understands what she is searching for and tunes the IDS to find it, as opposed to letting the IDS tell the analyst what to look for. We also discuss severity. All incidents are not created ...