Question 5 of 10
You inherit a detection rule that generates over 200 alerts per day, and the team estimates that 95 percent are false positives. How do you approach tuning this rule?
Sample answer preview
A rule generating 200 alerts per day with a 95 percent false positive rate is a serious problem because it contributes to alert fatigue, wastes analyst time, and may cause real threats to be overlooked.
Tags: false positives, alert fatigue, rule tuning, allowlisting, threshold adjustment, field refinement
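The tuning approaches the tags name (allowlisting, threshold adjustment, field refinement) are easier to reason about with a worked example. The script below is added here and is not part of the original question or its sample answer. It assumes a hypothetical rule that fires on PowerShell with an encoded or long command line, and it uses a constructed day of alert records, each carrying the analyst's disposition. It ranks the noisiest field combinations, allowlists only those that have never produced a true positive, refines the rule's fields, and then checks that no confirmed true positive was suppressed by the changes.

```python
"""Added example (not from the original page): measure a noisy detection
rule's false-positive rate, find the sources of noise, and test candidate
tuning steps against analyst dispositions before deploying them."""
from collections import Counter


def _mk(host, user, parent, cmd_len, encoded, tp, n=1):
    """Build n identical alert records (constructed sample data)."""
    return [dict(host=host, user=user, parent=parent, cmd_len=cmd_len,
                 encoded=encoded, tp=tp) for _ in range(n)]


# Constructed sample: one day of alerts from a hypothetical rule
# "PowerShell with encoded or long command line". The 'tp' field holds the
# analyst disposition (True = confirmed malicious).
ALERTS = (
    _mk("build-01", "svc_ci", "jenkins.exe", 1400, True, False, 22)    # CI jobs
    + _mk("sccm-01", "svc_sccm", "ccmexec.exe", 300, True, False, 10)  # config-management agent
    + _mk("ws-042", "rlee", "explorer.exe", 60, False, False, 4)       # admin one-liners
    + _mk("ws-055", "mkim", "explorer.exe", 80, False, False, 2)
    + _mk("ws-104", "jdoe", "winword.exe", 2100, True, True, 1)        # macro-spawned, confirmed
    + _mk("ws-077", "asmith", "outlook.exe", 1700, True, True, 1)      # confirmed phishing payload
)


def fp_rate(alerts):
    """Fraction of alerts dispositioned as false positives (0.0 if no alerts)."""
    if not alerts:
        return 0.0
    return sum(1 for a in alerts if not a["tp"]) / len(alerts)


def noisiest(alerts, fields, top=3):
    """Rank combinations of the given fields by false-positive count.
    Returns (value_tuple, fp_count, tp_count) so it is visible whether a
    candidate has ever produced a true positive."""
    fps, tps = Counter(), Counter()
    for a in alerts:
        key = tuple(a[f] for f in fields)
        (tps if a["tp"] else fps)[key] += 1
    ranked = sorted(fps, key=lambda k: -fps[k])[:top]
    return [(k, fps[k], tps.get(k, 0)) for k in ranked]


def allowlist_candidates(alerts, fields, min_fp=5):
    """Only combinations with at least min_fp false positives and zero true
    positives are safe to allowlist; anything that has ever been real stays."""
    return {k for k, fp, tp in noisiest(alerts, fields, top=len(alerts))
            if fp >= min_fp and tp == 0}


def apply_allowlist(alerts, fields, allowed):
    """Drop alerts whose field combination is on the allowlist."""
    return [a for a in alerts if tuple(a[f] for f in fields) not in allowed]


def refine(alerts, min_cmd_len=500):
    """Field refinement plus a threshold: keep only encoded command lines
    that are at least min_cmd_len characters long."""
    return [a for a in alerts if a["encoded"] and a["cmd_len"] >= min_cmd_len]


def tune(alerts):
    """Run the tuning pipeline and report volumes at each stage, checking
    that no confirmed true positive was suppressed along the way."""
    fields = ("host", "user", "parent")  # narrow key, never the parent alone
    allowed = allowlist_candidates(alerts, fields)
    after_allow = apply_allowlist(alerts, fields, allowed)
    final = refine(after_allow)
    tp_before = sum(a["tp"] for a in alerts)
    tp_after = sum(a["tp"] for a in final)
    return {
        "before": len(alerts),
        "before_fp_rate": round(fp_rate(alerts), 2),
        "allowlisted": sorted(allowed),
        "after_allowlist": len(after_allow),
        "after_refinement": len(final),
        "after_fp_rate": round(fp_rate(final), 2),
        "true_positives_lost": tp_before - tp_after,
    }


if __name__ == "__main__":
    for key, value in tune(ALERTS).items():
        print(f"{key}: {value}")
```

Two design choices matter in practice: the allowlist key is a host/user/parent triple rather than the parent process alone, so a benign process name cannot silence the rule everywhere, and a combination is only allowlisted if it has never produced a true positive. The `true_positives_lost` figure is the regression check to run against historical dispositions before any tuning change is promoted.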