needless to say, when something is happening in real time where you need to isolate a user/unknown with statistical information to pinpoint the cause, what do you use? since a lot of things could be considered "evidence" during an IH (incident handling), how or what have you used to triangulate the root cause?

example: p2p abuse
router log
firewall log
web log
network monitor tool

w0rm3y