Around the information security community, you'll often hear people talk about "implementing best practices". Best practices provide helpful guidance at a high level, but I'd argue they can't be "implemented" as such. Implementing something means wrestling with the realities, nuances, and imperfections of a real enterprise network. That pain is felt particularly acutely when developing reliable and actionable jumping-off points for analysis. As I'm sure you're aware, the number of false positives caused by blindly implementing "best practices" is enormous, enough to stifle any incident response workflow. What I've found over the course of my career is that the best and most reliable jumping-off points come from sweat equity: an iterative cycle of intuition, data-driven refinement, and automation. No manual, white paper, or vendor can sell you the secret sauce.
So how does one get there? By using analysis of real data to navigate the difficult path from conception to implementation. Know your network.
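To make the cycle concrete, here is an added example (not code from the original post) of one refinement pass over a "best practice" detection. The starting rule is the kind of thing a guide hands you: alert on any process launched from a user-writable profile directory. The refinement uses the environment's own baseline, counting how many distinct hosts ran each program, and suppresses anything fleet-wide, on the assumption that software present on many hosts is sanctioned. The log format, host and user names, paths, the "Acme" updater, the one simulated suspicious event, and the three-host threshold are all constructed for illustration; nothing here comes from a real network.

```python
import re
from collections import defaultdict

# Constructed process-start events: (host, user, image_path, parent_image).
# Every host, user, path and vendor name below is invented for this example.
EVENTS = [
    ("ws01", "alice", r"C:\Users\alice\AppData\Local\Acme\Update.exe", r"C:\Windows\explorer.exe"),
    ("ws02", "bob",   r"C:\Users\bob\AppData\Local\Acme\Update.exe",   r"C:\Windows\explorer.exe"),
    ("ws03", "carol", r"C:\Users\carol\AppData\Local\Acme\Update.exe", r"C:\Windows\explorer.exe"),
    ("ws04", "dave",  r"C:\Users\dave\AppData\Local\Acme\Update.exe",  r"C:\Windows\explorer.exe"),
    ("ws01", "alice", r"C:\Users\alice\AppData\Local\Temp\zip1A2B\setup.exe", r"C:\Program Files\Zipper\zipper.exe"),
    ("ws02", "bob",   r"C:\Program Files\Acme\acme.exe", r"C:\Windows\explorer.exe"),
    # Simulated suspicious event: a double-extension binary spawned by a mail client.
    ("ws05", "eve",   r"C:\Users\eve\AppData\Local\Temp\invoice.pdf.exe", r"C:\Program Files\Mail\mail.exe"),
]

# Matches the per-user prefix of a profile path, e.g. C:\Users\alice\
USER_DIR = re.compile(r"^C:\\Users\\[^\\]+\\", re.IGNORECASE)


def normalize(path):
    """Collapse the username segment so the same program on different
    hosts stacks to one key: C:\\Users\\alice\\x.exe -> C:\\Users\\*\\x.exe."""
    return USER_DIR.sub(r"C:\\Users\\*\\", path)


def naive_rule(events):
    """The 'best practice' as written: alert on any image under a user profile."""
    return [e for e in events if USER_DIR.match(e[2])]


def host_prevalence(events):
    """Baseline statistic: number of distinct hosts that ran each normalized image."""
    hosts = defaultdict(set)
    for host, _user, image, _parent in events:
        hosts[normalize(image)].add(host)
    return {image: len(h) for image, h in hosts.items()}


def refined_rule(events, baseline, min_hosts=3):
    """Same trigger, but suppress images the baseline shows on >= min_hosts hosts.
    The threshold is an assumption to be tuned against your own data."""
    prevalence = host_prevalence(baseline)
    return [e for e in naive_rule(events)
            if prevalence.get(normalize(e[2]), 0) < min_hosts]


def explain(hits, baseline):
    """Annotate surviving hits with baseline prevalence and parent process,
    the two fields an analyst would look at to decide the next refinement."""
    prevalence = host_prevalence(baseline)
    return [(normalize(img), prevalence.get(normalize(img), 0), parent)
            for _host, _user, img, parent in hits]


if __name__ == "__main__":
    print("naive hits:  ", len(naive_rule(EVENTS)))
    hits = refined_rule(EVENTS, EVENTS)
    print("refined hits:", len(hits))
    for row in explain(hits, EVENTS):
        print("  ", row)
```

Run against its own constructed baseline, the naive rule fires six times; after one prevalence pass it fires twice, on `setup.exe` extracted by an archive tool and on the simulated `invoice.pdf.exe`. The first survivor is the next false positive to chase (parent process and a volatile temp subdirectory are the obvious handles), which is exactly the point: each pass is driven by what the data shows, and the rule is never "done" after reading the guide.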