From network logs, like Ayn said, it captures anything you can export to it. It's up to the admin to filter those logs for relevant information.
For example, with out ASAs, I'm able to see who logs into the VPN the most, which IPs generate the most URL requests, which IP addresses have the most outbound traffic (in number of requests, not bandwidth), and so forth.
If you want to find network abusers (such as people who download excessive amounts of data), you'll want to combine Splunk with a tool that'll monitor bandwidth and activity.
... View more