Old stuff, always good to keep in mind
I'm happy to see the security community realizing the importance of detection and monitoring. I've been reading a lot of good stuff recently, but since there's a lot of "re-discovering" happening, it's important to know the results of past research to avoid falling into the same mistakes. That's why it's so important for anyone thinking about security monitoring to consider the "base-rate fallacy". This paper written by Axelsson dates back to 1999, but the basic idea is still valid and must always be considered when designing a detection system.
I won't write about it here; you can read it directly in Axelsson's paper. The basic lesson is not to spend too much time on being able to find every possible attack; the most important thing is to reduce false positives as much as possible. Otherwise, you'll end up with a huge team looking for needles in mountains of hay.
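To make the lesson concrete, here is a small calculator added as an illustration (it is not from this post or from Axelsson's paper). It applies Bayes' theorem to a detector's hit rate and false alarm rate; the event volume, base rate and the two detector profiles are constructed numbers chosen only to show the effect.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Detector:
    tpr: float  # P(alarm | intrusion): detection rate
    fpr: float  # P(alarm | no intrusion): false alarm rate

def bayesian_detection_rate(d: Detector, base_rate: float) -> float:
    """P(intrusion | alarm): the share of alarms that are real."""
    hits = d.tpr * base_rate
    noise = d.fpr * (1.0 - base_rate)
    return hits / (hits + noise) if hits + noise > 0 else 0.0

def daily_workload(d: Detector, base_rate: float, events_per_day: int):
    """Expected (true alarms, false alarms) an analyst team sees per day."""
    malicious = events_per_day * base_rate
    benign = events_per_day - malicious
    return d.tpr * malicious, d.fpr * benign

def max_fpr_for_precision(tpr: float, base_rate: float, target: float) -> float:
    """Largest false alarm rate that still gives P(intrusion | alarm) >= target."""
    if not 0.0 < target <= 1.0:
        raise ValueError("target must be in (0, 1]")
    # Solve tpr*B / (tpr*B + fpr*(1-B)) >= target for fpr.
    return tpr * base_rate * (1.0 - target) / (target * (1.0 - base_rate))

# Constructed scenario: 1,000,000 audited events/day, 1 in 100,000 malicious.
EVENTS_PER_DAY = 1_000_000
BASE_RATE = 1e-5
CATCH_ALL = Detector(tpr=1.0, fpr=1e-2)   # finds everything, 1% false alarms
LOW_NOISE = Detector(tpr=0.7, fpr=1e-5)   # misses 30%, very few false alarms

if __name__ == "__main__":
    for name, det in (("catch-all", CATCH_ALL), ("low-noise", LOW_NOISE)):
        true_a, false_a = daily_workload(det, BASE_RATE, EVENTS_PER_DAY)
        precision = bayesian_detection_rate(det, BASE_RATE)
        print(f"{name}: {true_a:.0f} true / {false_a:.0f} false alarms per day, "
              f"P(intrusion|alarm) = {precision:.4f}")
    needed = max_fpr_for_precision(1.0, BASE_RATE, 0.5)
    print(f"false alarm rate needed for 50% real alarms: {needed:.2e}")
```

With these constructed inputs, the detector that catches every attack buries its 10 real alarms under roughly 10,000 false ones per day, while the one that misses 30% of attacks produces alarms that are real about 41% of the time.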