Threat data contained in Indicators of Compromise (IOC) can be applied against the data stored in StealthWatch to look for markers of a historical breach. This entry outlines the steps in performing this analysis.
The difficulty in controlling user behavior makes spear phishing a "no-brainer" for attackers. Network surveillance can detect the attack at different parts of the kill chain.
NetFlow, when effectively stored, makes a great basis for analyzing indicators of compromise (IOC) like those provided in Mandiant's APT1 report.