One of the key points of NSM (Network Security Monitoring) is the use of flows to track/analyse the network activity in order to response to an incident or perform forensics.
I found the two following posts thanks to Richard Bejtlich. They describe how to use the flow data that we can extract from our routers to track and response to an incident.
The first post explains how to track anomalous activity in our systems thanks to the network activity recorded in the flows. In this case, the attacker planted an IRC backdoor.
The second post explains how to detect the attack vector by filtering the 'known good' traffic.