Thanks for all your posts so far, it was really excited reading them all. When I finished my project and this article I started thinking of many other ways I could use SQL server to automate the analysis. It's amazing how can SQL be such an extensible solution - you can literally stretch it with no limits. Due to the time limit on the project I didn't implement Reporting Service or any other nice and universal way to analyze data; but in a real environment and with real requirements things can get even more exciting.

Grade for the project was 92% . Having IDS logs as the only artifact of the break in was pretty harsh challenge. Imagine millions of records and every record indicates malicious activity. The real problem was that 90% of those are false positives and the rest 10% needs to be nicely aggregated before it starts making sense. The last stage was to reconstruct steps of an attacker.