The amount of processing that it's worthwhile to perform really depends on the amount of data you have. If it's a dragnet attack, then a high degree of automation is worthwhile, but if it's a targeted attack, then human processing is much more likely.
About 7 years ago, after some suspicious symptoms, I discovered there was an outgoing connection to an IRC channel from my machine. I ran a network sniffer and discovered that every keystroke and mouse click was being sent, along with the name of the object that handled the click.
If the person or people who wrote the malware hadn't decided to change my email password, it could've been a long time before I noticed I was compromised. I never found the attack vector. In retrospect, it may have been my ex.