Depending on the provider, it may be as minimal as "when they get abuse complaints" or they may have proactive detection. Larger providers are more likely to have proactive measures. These can range from sort of incidental things like alerting on significant increases in size of the connection tracking table at a router or firewall, often caused by opening a very large number of connections on different ports as in port scanning... but could go up to a network intrusion detection system.