I often speak about how streamlining the CIRC/SOC workflow and producing high-reliability, high-fidelity, low-noise alerts is a key element of an organization's success in this arena. The question I often get asked after this is, "Where do the alerts come from?"
Well, that is a very good question. The answer is that it can vary. One thing that is certain, though, is that the process that leads to the alerts -- content development -- is extremely important. It is important to assess your organization's risk and exposure, and then determine what you would like to look for (conceptually) in order to monitor and address that risk. Once you have defined what you want to look for, a careful study of the data needs to be performed in order to guide the organization toward alerting that identifies activity of concern with low noise.
It is an art rather than a science, but allowing the data, the risk/exposure, and the operational requirements to guide the content development process will produce better results than any other approach I've seen.