Even with a well-tuned system, it is at times difficult to spot the bad guys quickly among all the alerts. This is especially true in SOC-type environments, where one may have many sensors across many clients or environments, each generating many alerts.
Types of interesting attacks
How to find them?
An effective technique is to use the Historical Alert Viewer and sort by alert type and by source, e.g.:
Sorting by source will typically yield a list of around 20 IPs that each fall in the range of 20 to 200 alerts. The range matters: a source with thousands of alerts is usually a noisy but legitimate host (a scanner or monitoring system), while a source with only a handful gives too little to judge.
Drill down into each of these and/or sort by "Alert Type" again. If a host has triggered multiple alert types and fits one of the above profiles, you have probably found a suspicious host that is up to no good.
MFR: Please add this sorting logic to the ISM so that it automatically shows any host that triggers multiple alerts over time and raises a High severity alert.
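As an added illustration (this is example code written for this page, not code from the Historical Alert Viewer or the ISM), the following Python script applies the manual sorting steps above to a constructed set of alert records and also implements the automated check the MFR asks for: group alerts by source, keep only sources in the 20 to 200 alert band, and raise a High severity finding for any source that has triggered more than one alert type. The record layout (timestamp, source IP, alert type), the sample alerts, and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _burst(ip, alert_type, count, start_minute):
    """Build `count` alerts of one type from one source, one per minute (constructed data)."""
    base = datetime(2024, 1, 15, 8, 0, 0)
    return [(base + timedelta(minutes=start_minute + i), ip, alert_type)
            for i in range(count)]


# Constructed sample alerts for the example, not real sensor output.
# Each record is (timestamp, source_ip, alert_type), roughly one row of an alert export.
SAMPLE_ALERTS = (
    _burst("10.0.0.5", "ICMP Ping Sweep", 500, 0)             # noisy monitoring box: one type, huge volume
    + _burst("192.168.1.23", "TCP Port Scan", 25, 10)         # recon ...
    + _burst("192.168.1.23", "SSH Brute Force", 12, 40)       # ... then credential guessing ...
    + _burst("192.168.1.23", "SMB Exploit Attempt", 3, 55)    # ... then an exploit attempt
    + _burst("10.0.0.17", "HTTP Directory Traversal", 30, 5)  # in band, but a single alert type
    + _burst("10.0.0.9", "DNS Zone Transfer", 2, 90)          # too few alerts to judge
)


def summarize_by_source(alerts):
    """Group alerts by source IP: total count, distinct alert types, first and last seen."""
    summary = defaultdict(lambda: {"count": 0, "types": set(), "first": None, "last": None})
    for ts, ip, alert_type in alerts:
        s = summary[ip]
        s["count"] += 1
        s["types"].add(alert_type)
        if s["first"] is None or ts < s["first"]:
            s["first"] = ts
        if s["last"] is None or ts > s["last"]:
            s["last"] = ts
    return dict(summary)


def candidate_sources(alerts, low=20, high=200):
    """The 'sort by source' step: sources whose alert count is in [low, high], busiest first."""
    summary = summarize_by_source(alerts)
    in_band = [ip for ip, s in summary.items() if low <= s["count"] <= high]
    return sorted(in_band, key=lambda ip: summary[ip]["count"], reverse=True)


def flag_suspicious(alerts, low=20, high=200, min_types=2):
    """The drill-down step, automated as the MFR requests: an in-band source that has
    triggered several distinct alert types over time becomes a High severity finding."""
    summary = summarize_by_source(alerts)
    findings = []
    for ip in candidate_sources(alerts, low, high):
        s = summary[ip]
        if len(s["types"]) >= min_types:
            findings.append({
                "source": ip,
                "severity": "High",
                "alert_count": s["count"],
                "alert_types": sorted(s["types"]),
                "span_minutes": int((s["last"] - s["first"]).total_seconds() // 60),
            })
    return findings


if __name__ == "__main__":
    print("Sources in the 20-200 alert band:", candidate_sources(SAMPLE_ALERTS))
    for finding in flag_suspicious(SAMPLE_ALERTS):
        print(finding)
```

On the constructed data the 500-alert monitoring host is dropped by the upper bound, the 2-alert host by the lower bound, and of the two in-band sources only 192.168.1.23 is flagged, because it progressed through three different alert types (scan, brute force, exploit attempt) within about 47 minutes. The band and the minimum number of alert types are tuning knobs; adjust them per environment, since the 20 to 200 figure in the text is a typical value rather than a fixed rule.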