I am on the incident response team in my place. Well, we were a small startup (bigger now), so we were responsible for everything.

Oh, agreed. I work for a company which gets nation-state-level attention, so a lot of our security guys are shit hot. But we're spread across the world, which means there's always going to be rogue systems, unpatched and forgotten about, knocking around the place.

I'm responsible for the AV on approx 120k systems, but thankfully I'm not on the incident management side of cyber security (means I don't get woken at 2am over an incident). It's more my job to worry about a duff IPS engine update bluescreening systems than it is to worry about what the software is actually detecting.
I remember going to the 2019 All-Ireland final and getting paged while I was in the Ilac Center, about to head to Croke Park. Thankfully someone covered for me, but talk about poxy timing.

Incidentally, that alert was triggered by an ssh attack from a 'known rogue actor', and was interpreted by our system as an attempted data exfiltration attack. Basically, an 'ssh' to a Linux system caused a reverse DNS lookup of the source of the ssh attempt. A DNS lookup of a 'known rogue actor' triggers the highest severity security alert, even though it's totally a false alarm. Still reassuring to know all the same.
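The false positive described in that post, as an added illustration (not the poster's tooling): a naive DNS-indicator match fires on the PTR query sshd makes for the attacker's address, while a rule that keys on query type treats a reverse lookup of a listed IP as inbound contact and reserves the top severity for forward lookups of listed domains. The log format, indicators and addresses below are constructed placeholders.

```python
# Constructed DNS query log: "<time> <client> <qtype> <qname>" (hypothetical format).
DNS_LOG = """\
2019-09-01T14:02:11Z 10.0.5.12 PTR 7.113.0.203.in-addr.arpa
2019-09-01T14:02:12Z 10.0.5.12 A repo.corp.example
2019-09-01T14:03:40Z 10.0.7.9 A updates.bad-actor.example
"""
# Constructed threat-intel indicators (placeholders, not real IoCs).
BAD_IPS = {"203.0.113.7"}
BAD_DOMAINS = {"bad-actor.example"}

def ptr_to_ip(qname):
    """'7.113.0.203.in-addr.arpa' -> '203.0.113.7'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not qname.endswith(suffix):
        return None
    octets = qname[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    return ".".join(reversed(octets))

def domain_listed(qname):
    return any(qname == d or qname.endswith("." + d) for d in BAD_DOMAINS)

def naive_rule(qtype, qname):
    """Indicator match regardless of query type: fires on sshd's reverse lookup."""
    if ptr_to_ip(qname) in BAD_IPS or domain_listed(qname):
        return "HIGH"
    return None

def refined_rule(qtype, qname):
    """A PTR for a listed IP means that IP contacted us (inbound); only a forward
    lookup of a listed domain suggests the host itself is reaching out (possible exfil)."""
    if qtype == "PTR" and ptr_to_ip(qname) in BAD_IPS:
        return "LOW"   # route to auth-log correlation, not the exfil playbook
    if qtype in ("A", "AAAA") and domain_listed(qname):
        return "HIGH"
    return None

def evaluate(log, rule):
    """Return (client, qtype, qname, severity) for every log line the rule fires on."""
    hits = []
    for line in log.splitlines():
        _ts, client, qtype, qname = line.split()
        sev = rule(qtype, qname)
        if sev:
            hits.append((client, qtype, qname, sev))
    return hits
```

Run `evaluate(DNS_LOG, naive_rule)` and `evaluate(DNS_LOG, refined_rule)` side by side: the PTR line drops from HIGH to LOW, the genuine forward lookup stays HIGH.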