We know that SOC/IR teams suffer from alert overload on a daily basis.  Too many cyber security tools resulting in too much data being passed to the teams.  In reviewing those alerts, these folks need to review tons of data to confirm or disprove the alert validity.  SOC and IR pros look for ways to limit the data that they have to review.

Active Defense Overview