How do you differentiate between a false positive and a legitimate threat when reviewing security alerts?