Our analysts are empowered to safelist any field and value they deem not worthy of investigation. It’s a great tool to manage #alert_fatigue, but also very easy to fuck up. We have audit scripts for the worst of cases, but so many discussions brought to the team revolve around noise rather than the impact of the detection. Wrong viewpoint in the big picture, but very relevant in this case.