Most companies that use event log monitoring to keep an eye on their networks end up doing too much monitoring. The average enterprise generates literally millions to billions of events and collects them in a centralized repository. Most companies would be far better off defining a handful or two of events that clearly indicate malicious behavior. The best strategy is to let each endpoint device generate as many events as it likes — but forward and alert on only a dozen nasty ones. The Verizon Data Breach Report has told readers that most data breaches could have been caught by monitoring tools.
Source: https://www.csoonline.com/article/2687073/create-your-own-dirty-dozen-threat-list.html
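As an added illustration of the "forward and alert on only a dozen" strategy (example code written for this page, not from the CSO Online article or any product), the filter below keeps a short allowlist of high-signal Windows Security event IDs, drops everything else, and collapses exact repeats so a lockout storm produces one alert rather than hundreds. The IDs are standard Windows Security log IDs; which ones make up the list is an assumption, and the event stream is constructed.

```python
"""Forward-and-alert filter for a small allowlist of high-signal events.

Added example for this page; not the article's code. Event IDs are real
Windows Security log IDs, but the choice of list is an assumption, and the
SAMPLE_EVENTS stream below is constructed for the demonstration.
"""

# The short list of events that almost never occur on a healthy host and
# nearly always deserve a human look. Kept deliberately small (assumed set).
DIRTY_DOZEN = {
    1102: "Security audit log cleared",
    4719: "System audit policy changed",
    4720: "User account created",
    4732: "Member added to security-enabled local group",
    4740: "User account locked out",
    4698: "Scheduled task created",
}


def select_alerts(events):
    """Return only allowlisted events, tagged with a reason.

    `events` is an iterable of dicts with at least 'host', 'event_id' and
    'msg'. Exact repeats of (host, event_id, msg) are collapsed to one alert
    so a burst (e.g. repeated lockouts) does not flood the console.
    """
    seen = set()
    alerts = []
    for ev in events:
        eid = ev.get("event_id")
        if eid not in DIRTY_DOZEN:
            continue  # noise: never forwarded, stays in the endpoint's local log
        key = (ev["host"], eid, ev.get("msg"))
        if key in seen:
            continue  # identical repeat already alerted on
        seen.add(key)
        alerts.append({**ev, "reason": DIRTY_DOZEN[eid]})
    return alerts


def reduction_ratio(events):
    """Return (events_seen, alerts_forwarded) to show the volume cut."""
    events = list(events)
    return len(events), len(select_alerts(events))


# Constructed sample: mostly routine logons, process starts and firewall
# allows, with a handful of genuinely interesting events mixed in.
SAMPLE_EVENTS = (
    [{"host": "ws01", "event_id": 4624, "msg": "logon success"} for _ in range(50)]
    + [{"host": "ws01", "event_id": 4688, "msg": "process created"} for _ in range(30)]
    + [{"host": "srv02", "event_id": 1102, "msg": "audit log cleared"}]
    + [{"host": "srv02", "event_id": 4720, "msg": "user created: svc_tmp"}]
    + [{"host": "srv02", "event_id": 4720, "msg": "user created: svc_tmp2"}]
    + [{"host": "ws01", "event_id": 4740, "msg": "lockout: jdoe"} for _ in range(5)]
    + [{"host": "ws01", "event_id": 5156, "msg": "firewall allow"} for _ in range(20)]
)

if __name__ == "__main__":
    total, kept = reduction_ratio(SAMPLE_EVENTS)
    print(f"{total} events seen, {kept} forwarded as alerts")
    for a in select_alerts(SAMPLE_EVENTS):
        print(f"{a['host']}: {a['event_id']} {a['reason']} ({a['msg']})")
```

The point of the design is that the noisy events are still generated and retained locally for forensics; only the allowlisted ones cross the wire, which keeps the central console readable and the alert list short enough that each entry actually gets looked at.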

