As part of your monitoring system you probably have an Intrusion Prevention System (IPS). An IPS has an Intrusion Detection System (IDS), which monitors and records activity. An IPS additionally helps to prevent attacks by blocking them.
An IDS can watch or ‘inspect’ all activity that passes it across your networks and use things you tell it (eg. a duck with a bomb strapped under its wing looks like this) to alert you to things that shouldn’t be happening on the network or device.
An issue is that an IDS can create a lot of alerts and many may be false positives. The expensive part is the analysis of these alerts. An IDS also needs to be updated with new known threats and any changes to the network or devices.