Most corporate victims fail to detect their own compromised computer systems. Most often the malicious activity is first noticed by outsiders, but even then the discovery may occur many months, if not years, after the original compromise. The central problem is that most alerting systems are 99.999 percent full of events that indicate nothing malicious whatsoever — it’s a self-induced denial-of-service attack. We get information overload from everywhere: firewalls, IDSes, antimalware consoles, antispam, system logs and system logs.
Source: https://www.csoonline.com/article/2611531/detect-the-undetectable-start-with-event-logs.html

