Organizations often deploy intrusion detection systems on their networks to detect malicious activities or violations of policy. Monitoring systems generate streams of event data that represent a variety of events occurring on the network or on hosts coupled to the network. For example, the events can correspond to network connections, programs executed on hosts, files downloaded to hosts, bandwidth usage, processor usage, and other events. Intrusion detection systems examine these events using rule-based analysis to determine whether they correspond to intrusion profiles. When malicious activities or policy violations are detected, automated remedial actions can be performed and/or security administrators can be notified.