• I am looking forward to the rest of this series. You write well, so large paragraphs are not a problem at all - but if you'd like to put some icing on the cake, include some code samples or some pictures of the kind of report/analysis you use to make sense of the audit data.

    Here's an anecdote about baselines: I had an app that was gathering branch office data dump files over our WAN. For the sake of logging, I figured it made sense to capture transfer time and file size, and was reporting bytes per second so it was readable at a glance. Overnight processing ran without incident for months and I stopped watching the logs. When the file transfers failed to complete by morning, I was immediately able to see that throughput had dropped to less than 10% of normal. Thinking through possible causes, we discovered the network was saturated overnight but returned to normal before anyone arrived at work each morning. We discovered 2 machines in our branch locations had become zombies in a botnet and were busy in DDoS attacks all night long. The clever zombie master might never have been noticed if not for using the baseline delta as a detector that something was going on.
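The baseline-delta check described in the comment above, written out as an added example (not the commenter's code): a small Python script that reads a constructed transfer log in an assumed `<date> <branch> <bytes> <seconds>` format, computes nightly bytes-per-second, and flags any night that falls below 10% of the median of the previous five nights. The log lines, the branch names and the 10% threshold are all constructed for illustration.

```python
"""Baseline-delta detector for nightly file-transfer throughput.

Added example, not code from the comment above. The log format is an
assumption constructed for illustration: one line per completed transfer,
"<date> <branch> <bytes> <seconds>", the kind of bytes-per-second record the
comment describes keeping.
"""
from collections import defaultdict
from statistics import median

# Constructed sample log: five ordinary nights, then two nights where every
# transfer takes roughly ten times longer than usual (what a saturated WAN
# looks like from the transfer job's point of view).
SAMPLE_LOG = """\
2023-03-01 branch-a 52428800 42
2023-03-01 branch-b 31457280 26
2023-03-02 branch-a 52428800 40
2023-03-02 branch-b 31457280 27
2023-03-03 branch-a 52428800 44
2023-03-03 branch-b 31457280 25
2023-03-04 branch-a 52428800 41
2023-03-04 branch-b 31457280 26
2023-03-05 branch-a 52428800 43
2023-03-05 branch-b 31457280 28
2023-03-06 branch-a 52428800 520
2023-03-06 branch-b 31457280 310
2023-03-07 branch-a 52428800 600
2023-03-07 branch-b 31457280 350
"""


def parse_log(text):
    """Parse log lines into (date, branch, bytes, seconds) tuples.

    Malformed lines and zero-duration transfers are skipped rather than
    allowed to poison the baseline.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        date, branch, nbytes, secs = parts
        try:
            nbytes, secs = int(nbytes), float(secs)
        except ValueError:
            continue
        if secs <= 0:
            continue
        records.append((date, branch, nbytes, secs))
    return records


def nightly_throughput(records):
    """Aggregate throughput (bytes/sec) per night: total bytes / total seconds."""
    totals = defaultdict(lambda: [0, 0.0])
    for date, _branch, nbytes, secs in records:
        totals[date][0] += nbytes
        totals[date][1] += secs
    return {d: b / s for d, (b, s) in sorted(totals.items())}


def detect_drops(nightly, window=5, threshold=0.10):
    """Flag nights whose throughput falls below `threshold` times the baseline.

    The baseline is the median of the previous `window` nights, so a single
    bad night does not drag the baseline down and mask the next one.
    """
    dates = list(nightly)
    alerts = []
    for i in range(window, len(dates)):
        baseline = median([nightly[d] for d in dates[i - window:i]])
        current = nightly[dates[i]]
        ratio = current / baseline
        if ratio < threshold:
            alerts.append({"date": dates[i], "throughput": current,
                           "baseline": baseline, "ratio": ratio})
    return alerts


if __name__ == "__main__":
    for alert in detect_drops(nightly_throughput(parse_log(SAMPLE_LOG))):
        print(f"{alert['date']}: {alert['throughput']:.0f} B/s is "
              f"{alert['ratio']:.1%} of baseline {alert['baseline']:.0f} B/s")
```

Using a rolling median rather than a fixed first-week average is the detail that matters here: once the saturated nights start, an average would absorb them and the second night would look "normal" relative to the first; the median keeps the baseline anchored to the healthy nights until a majority of the window has changed, which is exactly the kind of slow-to-notice drift the anecdote is about.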