Even with a well-tuned system, it is at times difficult to spot the bad guys quickly among all the alerts. This is especially true in SOC-type environments, where one may have many sensors across many clients or environments, all generating large numbers of alerts.
Types of interesting attacks
The Worm / Trojan
Triggers 2 to 5 Alerts and typically hits multiple hosts.
The Security Scanner (legitimate, hacker, or just some guy)
Triggers many alerts, from one to many hosts.
The Stealth Hacker
Few to numerous alerts against few or numerous hosts.
The alerts are spread over a long period of time and are typically hidden among the many other alerts.
How to find them?
An effective technique is to use the Historical Alert Viewer and do some sorting by alert type and source, e.g.:
Sort by "Alert Type"
Select All, then CTRL + Left Click to exclude the IM, P2P, Worm, or any other alert type with a high trigger count that would probably not be part of a real attack. Also, do not include any Low or Informational alerts if you have them.
On the remaining selected list, Right Click and drill down by "Source IP".
Sort by "Attack Number" from Highest to Lowest.
This typically yields a list of around 20 IPs, each in the range of 20 to 200 alerts.
Drill down into each one of these and / or sort by "Alert Type" again. If a host triggered multiple alert types and fits one of the profiles above, you have probably found a suspicious host that is up to no good.
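The same triage can be scripted over exported alert records. The following is an added example, not part of the original note and not code from any vendor console: it drops the noisy alert types and Low / Informational severities, groups what remains by source IP, keeps sources in the 20 to 200 alert band that fired more than one alert type, and tags each with a rough worm / scanner / stealth profile. The alert records, the list of noisy signatures, and the profile thresholds (one hour, one day, five alert types) are constructed assumptions for illustration.

```python
"""Source-IP alert triage mirroring the Historical Alert Viewer sorting steps.
Added example; sample data and thresholds are assumptions, not real signatures."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed noisy signatures (the IM / P2P / Worm style alerts the note excludes)
NOISY_TYPES = {"IM Login", "P2P Traffic", "Worm Probe"}
IGNORED_SEVERITIES = {"Low", "Informational"}
MIN_ALERTS, MAX_ALERTS = 20, 200  # the 20 to 200 alert band from the note


@dataclass(frozen=True)
class Alert:
    ts: datetime
    src_ip: str
    dst_ip: str
    alert_type: str
    severity: str


def filter_alerts(alerts):
    """Step 1: drop noisy alert types and Low / Informational severities."""
    return [a for a in alerts
            if a.alert_type not in NOISY_TYPES and a.severity not in IGNORED_SEVERITIES]


def group_by_source(alerts):
    """Step 2: drill down by Source IP."""
    groups = defaultdict(list)
    for a in alerts:
        groups[a.src_ip].append(a)
    return groups


def profile(src_alerts):
    """Heuristic match against the note's three profiles (thresholds are assumed)."""
    types = {a.alert_type for a in src_alerts}
    hosts = {a.dst_ip for a in src_alerts}
    span = max(a.ts for a in src_alerts) - min(a.ts for a in src_alerts)
    if span >= timedelta(days=1):
        return "stealth"        # activity spread over a long period
    if len(types) > 5:
        return "scanner"        # many different alerts in a short burst
    if 2 <= len(types) <= 5 and len(hosts) > 1:
        return "worm"           # a handful of alerts against multiple hosts
    return "unclassified"


def rank_sources(alerts):
    """Steps 3 and 4: sort sources by alert count, keep the band, require >1 alert type.
    Returns (src_ip, alert_count, distinct_alert_types, profile) tuples, highest count first."""
    results = []
    for src, src_alerts in group_by_source(filter_alerts(alerts)).items():
        count = len(src_alerts)
        types = {a.alert_type for a in src_alerts}
        if MIN_ALERTS <= count <= MAX_ALERTS and len(types) > 1:
            results.append((src, count, len(types), profile(src_alerts)))
    return sorted(results, key=lambda r: r[1], reverse=True)


def build_sample_alerts():
    """Constructed sample data (assumption) shaped like the profiles in the note."""
    base = datetime(2024, 1, 1, 9, 0)
    alerts = []
    # Worm-like: 3 signatures against 10 hosts within 10 minutes, buried in P2P noise
    for i in range(30):
        alerts.append(Alert(base + timedelta(seconds=20 * i), "10.0.0.5", f"10.0.1.{i % 10}",
                            ["SMB Exploit", "RPC Overflow", "Shell Bind"][i % 3], "High"))
    for i in range(50):
        alerts.append(Alert(base + timedelta(seconds=i), "10.0.0.5", "10.0.1.1", "P2P Traffic", "Medium"))
    # Scanner-like: 12 signatures against 2 hosts in a few minutes
    for i in range(120):
        alerts.append(Alert(base + timedelta(seconds=2 * i), "10.0.0.9", f"10.0.1.{i % 2}",
                            f"Probe Sig {i % 12}", "Medium"))
    # Stealth-like: 2 signatures against 3 hosts, one alert every 14 hours for two weeks
    for i in range(24):
        alerts.append(Alert(base + timedelta(hours=14 * i), "10.0.0.20", f"10.0.1.{i % 3}",
                            ["Web Dir Traversal", "SQL Probe"][i % 2], "Medium"))
    # Noise-only host: IM chatter plus Low severity hits, drops out entirely after filtering
    for i in range(40):
        alerts.append(Alert(base + timedelta(seconds=i), "10.0.0.33", "10.0.1.1", "IM Login", "Medium"))
    for i in range(5):
        alerts.append(Alert(base + timedelta(seconds=i), "10.0.0.33", "10.0.1.1", "ICMP Echo", "Low"))
    # Single signature, below the 20-alert band
    for i in range(10):
        alerts.append(Alert(base + timedelta(seconds=i), "10.0.0.40", "10.0.1.2", "SQL Probe", "Medium"))
    return alerts


if __name__ == "__main__":
    for src, count, n_types, label in rank_sources(build_sample_alerts()):
        print(f"{src:<12} alerts={count:<4} types={n_types:<3} profile={label}")
```

Run as a script it lists the three suspicious sources in count order (scanner, worm, stealth); the host whose 80 raw alerts were mostly P2P noise is ranked on its 30 real alerts, and the two hosts with only noise or a single low-volume signature never appear, which is the effect of the exclusion step in the note.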
MFR: Please add this type of sorting logic to the ISM so that it automatically shows any hosts that trigger multiple alerts over time and raises a High severity alert for them.