Do you disable alarms that have a lot of false positives or do you condition your soc team to just ignore them because they can still be potential IOCs?

I'm a soc analyst and I've been tasked with reporting on the alerts our soc team is receiving.

Our infosec team has an app called varonis which has all these monitoring rules in place.

I'm doing a 90 day audit of the alerts that come from this app. We've gotten ~2000 alerts in 90 days and not a single one seems to have been a real attack unless we just suck and are currently pwned.

One specific monitoring rule is …

alarms alerts analyst app called cybersecurity false positives infosec iocs lot monitoring reporting soc soc analyst team varonis