Currently, cyber attackers have an asymmetrical advantage over defenders. This unfavorable and vulnerable position calls for robust and efficient intrusion detection mechanisms. While current detection workflows involve human defenders and rely on their analytical capabilities, we argue that in order to improve detection and protect networks against sophisticated attacks, there is a need for a non-linear and interactive analyst-in-the-loop approach. This approach posits that cyber defenders should have the means to interact with and exert influence on each and every component of the detection process. Furthermore, we posit that the role of the analyst is to lead and supervise automated detection processes, resolve ambiguity, and provide contextual, mission-relevant information, rather than to handle large amounts of information and weed out false alerts. Situating the defender as the controller of the detection process instead of a handler of alerts allows the defender to direct analytical capabilities to the tasks where their contribution has the maximal impact. Efficient allocation of the defender's analytical capabilities improves detection accuracy and speed. This study depicts an analyst-in-the-loop detection framework and describes the types of interactions required between evidence collection, the inference engine, and the analyst. It demonstrates the use of queries and operations to improve detection and establishes the foundations for more detailed operational definitions of the interactions.