Invention Grant
- Patent Title: Dynamic gathering of attack symptoms
- Application No.: US16821375
- Application Date: 2020-03-17
- Publication No.: US11425156B2
- Publication Date: 2022-08-23
- Inventor: Oded Sofer, Zamir Paltiel
- Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
- Applicant Address: US NY Armonk
- Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
- Current Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
- Current Assignee Address: US NY Armonk
- Agent: Dmitry Paskalov
- Main IPC: H04L29/06
- IPC: H04L29/06 ; H04L9/40 ; G06F16/24

Abstract:
Techniques for detecting network intrusions are disclosed. An example intrusion detection system includes a storage device to store audit data generated by a network traffic analyzer in accordance with an audit policy that determines an auditing level. The system also includes a processor to receive a case defined by a case definition, wherein the case definition comprises a plurality of symptoms and each symptom is defined by a separate symptom definition. The processor performs queries of the audit data in accordance with each of the symptoms to generate captured symptom data. The symptoms are scored based on the captured symptom data to generate symptom scores, and the symptom scores are summed to generate a case score. If the case score exceeds an alert threshold specified by the case definition, the processor issues an alert.
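As an added illustration (not the patent's own code), the case/symptom scoring the abstract describes, in Python: each symptom definition is a predicate run as a query over audit records, the captured data is scored with a per-symptom cap, and the summed case score is compared with the case's alert threshold. The audit record fields, the three symptoms, their weights and the threshold are assumed, constructed values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

AuditRecord = Dict[str, object]

@dataclass
class SymptomDefinition:
    name: str
    query: Callable[[AuditRecord], bool]  # predicate run over each audit record
    weight: float                          # score contributed per matching record
    max_score: float                       # cap so one noisy symptom cannot dominate the case

@dataclass
class CaseDefinition:
    name: str
    symptoms: List[SymptomDefinition]
    alert_threshold: float                 # case score must exceed this to raise an alert

def capture_symptom(audit: List[AuditRecord], sym: SymptomDefinition) -> List[AuditRecord]:
    """Query the audit data for one symptom; the matches are the captured symptom data."""
    return [rec for rec in audit if sym.query(rec)]

def score_symptom(captured: List[AuditRecord], sym: SymptomDefinition) -> float:
    return min(len(captured) * sym.weight, sym.max_score)

def evaluate_case(audit: List[AuditRecord], case: CaseDefinition) -> dict:
    """Score every symptom, sum into a case score and compare with the case threshold."""
    scores = {s.name: score_symptom(capture_symptom(audit, s), s) for s in case.symptoms}
    case_score = sum(scores.values())
    return {"case": case.name, "symptom_scores": scores,
            "case_score": case_score, "alert": case_score > case.alert_threshold}

def off_hours(rec: AuditRecord) -> bool:
    hour = int(str(rec["ts"])[11:13])      # hour field of an ISO-8601 timestamp
    return hour < 6 or hour >= 22

# Constructed sample audit records (hypothetical database-activity audit trail).
AUDIT = [
    {"ts": "2020-03-17T02:10:00", "user": "svc_report", "verb": "LOGIN", "status": "FAIL", "obj": "", "rows": 0},
    {"ts": "2020-03-17T02:10:20", "user": "svc_report", "verb": "LOGIN", "status": "FAIL", "obj": "", "rows": 0},
    {"ts": "2020-03-17T02:10:41", "user": "svc_report", "verb": "LOGIN", "status": "FAIL", "obj": "", "rows": 0},
    {"ts": "2020-03-17T02:11:05", "user": "svc_report", "verb": "LOGIN", "status": "OK", "obj": "", "rows": 0},
    {"ts": "2020-03-17T02:14:30", "user": "svc_report", "verb": "SELECT", "status": "OK", "obj": "CUSTOMER_PII", "rows": 250000},
    {"ts": "2020-03-17T09:02:00", "user": "analyst1", "verb": "SELECT", "status": "OK", "obj": "ORDERS", "rows": 40},
]
# Assumed case definition: three symptoms, each with its own query, weight and cap.
EXFIL_CASE = CaseDefinition("suspected-data-theft", [
    SymptomDefinition("failed_logins", lambda r: r["verb"] == "LOGIN" and r["status"] == "FAIL", 1.0, 2.0),
    SymptomDefinition("pii_off_hours", lambda r: r["obj"] == "CUSTOMER_PII" and off_hours(r), 4.0, 4.0),
    SymptomDefinition("bulk_read", lambda r: int(r["rows"]) >= 100000, 5.0, 5.0),
], alert_threshold=10.0)
```

Running `evaluate_case(AUDIT, EXFIL_CASE)` scores the three failed logins at the 2.0 cap, adds 4.0 and 5.0 for the other two symptoms, and raises an alert at a case score of 11.0; the lone analyst record on its own scores 0.0 and stays silent.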
Public/Granted literature
- US20210297436A1 DYNAMIC GATHERING OF ATTACK SYMPTOMS Public/Granted day: 2021-09-23