Finding the winners or the best alerts
Any time an alert proves successful a meaningful percentage of the time (even 30% is exciting), it feels like a win. Those are the alert types that have always made me personally excited to triage, and you want to find a way to keep that feeling and extend it to other detections. In my opinion, there are a few different categories of winning alerts. The first is an alert that is almost always actionable, whether it only shows a poor security practice, a violation of your acceptable use policy, or something more serious that could start an incident investigation. The second is an alert that is technically a true positive, but where only limited action can be taken. The third is the surprise true positive, which leaves your team scrambling to triage and assemble contextual information.
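Before you can call a detection a winner you have to measure it. The following is an added example, not code from the original post: it takes a set of closed triage records (constructed sample data with hypothetical rule names), computes each rule's true-positive and actionable rates, and ranks the rules that clear the 30% bar. It also refuses to rank a rule that has not fired enough times, because two true positives out of three firings says very little about how the rule will behave over a quarter.

```python
from collections import defaultdict

# Triage outcomes recorded when an analyst closes an alert.
# The first three are true positives that required action; "tp_no_action"
# is a true positive with nothing useful to do; "fp" is a false positive.
ACTIONABLE = {"incident", "policy_violation", "poor_practice"}
TRUE_POSITIVE = ACTIONABLE | {"tp_no_action"}


def _records(rule, outcomes):
    """Build one triage record per outcome for the given rule name."""
    return [{"rule": rule, "outcome": o} for o in outcomes]


# Constructed sample data; the rule names are hypothetical, not real detections.
TRIAGE_RECORDS = (
    _records("domain-admin-group-change",
             ["policy_violation"] * 6 + ["incident"] * 2 + ["poor_practice"] + ["fp"])
    + _records("rdp-from-new-source", ["tp_no_action"] * 4 + ["incident"] + ["fp"] * 5)
    + _records("impossible-travel-login", ["incident"] * 2 + ["tp_no_action"] + ["fp"] * 7)
    + _records("dns-txt-long-query", ["incident"] * 2 + ["fp"])
    + _records("office-app-spawns-shell", ["tp_no_action"] + ["fp"] * 9)
)


def summarize(records, min_volume=5):
    """Per-rule counts and rates. A rule with fewer than min_volume closed
    alerts is marked enough_data=False so a lucky streak is not mistaken
    for a reliable detection."""
    counts = defaultdict(lambda: {"total": 0, "tp": 0, "actionable": 0})
    for rec in records:
        c = counts[rec["rule"]]
        c["total"] += 1
        if rec["outcome"] in TRUE_POSITIVE:
            c["tp"] += 1
        if rec["outcome"] in ACTIONABLE:
            c["actionable"] += 1

    summary = {}
    for rule, c in counts.items():
        summary[rule] = {
            "total": c["total"],
            "tp_rate": c["tp"] / c["total"],
            "actionable_rate": c["actionable"] / c["total"],
            "enough_data": c["total"] >= min_volume,
        }
    return summary


def winners(summary, threshold=0.30):
    """Rules with enough volume whose true-positive rate meets the threshold,
    best first."""
    qualified = [r for r, s in summary.items()
                 if s["enough_data"] and s["tp_rate"] >= threshold]
    return sorted(qualified, key=lambda r: summary[r]["tp_rate"], reverse=True)


if __name__ == "__main__":
    stats = summarize(TRIAGE_RECORDS)
    print(f"{'rule':28} {'n':>3} {'tp%':>5} {'act%':>5}  note")
    for rule in sorted(stats, key=lambda r: stats[r]["tp_rate"], reverse=True):
        s = stats[rule]
        note = "" if s["enough_data"] else "too few alerts to judge"
        print(f"{rule:28} {s['total']:>3} {s['tp_rate']:>5.0%} "
              f"{s['actionable_rate']:>5.0%}  {note}")
    print("winners:", winners(stats))
```

The split between tp_rate and actionable_rate is what separates the first two categories above: a rule such as the constructed rdp-from-new-source is a true positive half the time yet almost never leads anywhere, which is worth knowing before you invest more tuning effort in it.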
The first categorization can be all different alerts, but...