How do you balance the need for aggressive threat detection with the risk of creating too many false positives for the SOC team?