Saved February 14, 2026
This article explains how to implement risk-based alerting (RBA) in Microsoft Sentinel to cut false positives in security monitoring. It covers creating low-fidelity analytics rules, assigning each a risk score, and aggregating the resulting signals per entity so that only a cumulative score above a threshold opens an incident. Practical implementation steps and a sample rule for detecting execution of AdFind are also provided.
Organizations are increasingly moving toward custom alerting in log-based threat detection, allowing them to tailor detections to their own environment. The traditional approach of one rule, one alert often produces overwhelming numbers of false positives that bog down security teams. A common example is net.exe used for group enumeration (net group, net localgroup): it is usually routine administration, but the same command is a staple of attacker discovery. The challenge is distinguishing the benign from the harmful without paging an analyst every time it runs.
Haylee Mills at Splunk popularized the concept of risk-based alerting (RBA), which alerts only when an entity's accumulated risk score surpasses a threshold. This minimizes noise and directs analyst attention to the entities that matter. Key terms are telemetry (raw log data), signals (a match on a behavior of interest, each carrying a risk score and attributed to an entity), and alerts (the result of aggregating an entity's signals and finding the total above the risk threshold). With RBA, analysts can record potentially concerning behavior such as net.exe enumeration as a signal, yet only receive an alert when the surrounding context (other signals on the same user or host) suggests it is worth investigating.
For practical implementation in Microsoft Sentinel, the article outlines a specific process. Analysts first create low-fidelity analytics rules that give visibility into behaviors of interest without, on their own, opening incidents for triage. Each rule is assigned a risk score, and a separate aggregation step sums the scores of all signals attributed to the same entity; when the total exceeds a defined threshold, an incident is created for review. The article stresses mapping observables accurately (the account, host, or other entity each signal is about), because the aggregation keys on those entities and a mis-mapped signal never adds up with the others. It provides an ARM template for one such low-fidelity rule, which fires on execution of AdFind, an Active Directory query tool used legitimately by administrators and for discovery by attackers. This structured approach aims to refine detection coverage while reducing alert fatigue for security teams.
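The two KQL queries below sketch the process above for two separate scheduled analytics rules in Sentinel. They are an added illustration written for this page, not the article's ARM template or its query. Assumptions: the signal rule reads DeviceProcessEvents from the Defender for Endpoint connector; the rule surfaces its score and target entity as custom details named RiskScore and RiskObject (which Sentinel stores inside SecurityAlert.ExtendedProperties under "Custom Details"); the aggregation rule's own alert is named "Risk threshold exceeded"; and the score, threshold, per-rule cap and time windows are placeholder values to tune.

```kql
// ---- Rule 1: low-fidelity signal rule (scheduled, incident creation OFF) ----
// Assumed source table: DeviceProcessEvents (Defender for Endpoint connector).
// Matching on the PE original file name as well as FileName catches a renamed
// copy of AdFind (e.g. "af.exe"), a common evasion.
DeviceProcessEvents
| where TimeGenerated > ago(1h)
| where FileName =~ "adfind.exe"
    or ProcessVersionInfoOriginalFileName =~ "adfind.exe"
// RiskScore is an assumed weight: AdFind alone should not open an incident.
// RiskObject is the entity the score accrues to (normalized so joins match).
| extend RiskScore = 30,
         RiskObject = tolower(AccountName),
         RuleName = "AdFind execution"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine,
          RiskScore, RiskObject, RuleName

// ---- Rule 2: aggregation rule (scheduled hourly, 24h lookback, incident creation ON) ----
let threshold  = 100;   // assumed: cumulative score that opens an incident
let perRuleCap = 60;    // assumed: stops one noisy rule from reaching the threshold by itself
SecurityAlert
| where TimeGenerated > ago(24h)
| where ProviderName == "ASI Scheduled Alerts"          // alerts from scheduled analytics rules
| where AlertName != "Risk threshold exceeded"           // never feed this rule's own output back in
// Custom details arrive as a JSON string nested in ExtendedProperties; each
// detail is an array of string values, hence the [0] and the string-to-int cast.
| extend CustomDetails = parse_json(tostring(parse_json(ExtendedProperties)["Custom Details"]))
| extend RiskScore  = toint(tostring(CustomDetails.RiskScore[0])),
         RiskObject = tolower(tostring(CustomDetails.RiskObject[0]))
| where isnotempty(RiskObject) and isnotnull(RiskScore)
// Stage 1: score per (entity, rule), capped so repeats of one signal are bounded.
| summarize RuleRisk = sum(RiskScore), Hits = count() by RiskObject, AlertName
| extend RuleRisk = min_of(RuleRisk, perRuleCap)
// Stage 2: total per entity; require at least two distinct signals so a single
// high-scoring rule still needs corroboration before an incident is opened.
| summarize TotalRisk = sum(RuleRisk),
            DistinctSignals = count(),
            Signals = make_set(AlertName, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
    by RiskObject
| where TotalRisk >= threshold and DistinctSignals >= 2
```

Rule 1 needs, in its Sentinel settings, an entity mapping (Account from AccountName, Host from DeviceName), custom details RiskScore and RiskObject mapped to the columns of the same name, and "Create incidents from alerts triggered by this analytics rule" switched off; otherwise it is just another noisy alert. Rule 2 keeps incident creation on and should group incidents by RiskObject so that an entity that stays above the threshold across several runs lands in one incident rather than one per hour. The per-rule cap and the two-distinct-signals requirement are the checks that keep a single repetitive behavior, the net.exe case from the opening paragraph, from paging anyone on its own.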