Elastic's Threat Detection and Response team, part of the organization's Infosec team, focuses on optimizing security detections to prevent attacks on Elastic systems, including the expansive Elastic Cloud environment. A significant challenge for security operations centers (SOCs) is managing the high volume of alerts, many of which are false positives triggered by legitimate software activity. To combat this, Elastic uses cardinality threshold rules to create a high-severity alert when multiple distinct low-severity alerts occur for the same entity, thereby reducing noise and alert fatigue among analysts. This approach prioritizes alerts that are more likely to signify genuine threats, allowing analysts to focus on the most critical incidents. Elastic's prebuilt detection rules help identify suspicious activities, such as attempts to intercept encrypted network traffic, by setting low-severity rules and escalating them when certain conditions are met, such as multiple alerts on a single host. By implementing threshold rules, Elastic effectively reduces the number of alerts requiring analyst attention while maintaining visibility into potential threats.
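The escalation logic described above, as an added example rather than Elastic's own rule or code: a small Python simulation of a cardinality threshold rule that groups low-severity alerts by `host.name`, counts the number of distinct rule names seen on that host inside a sliding one-hour window, and escalates the host once that count reaches three. The alert records, rule names, window size and threshold are all constructed for illustration and are not taken from the original text or from Elastic's prebuilt rules.

```python
"""Toy cardinality threshold rule (added example; not Elastic's code).

Assumed model (constructed for this example):
  * each low-severity alert is a dict with '@timestamp', 'host.name' and 'rule.name';
  * a high-severity alert fires for a host when, within a sliding WINDOW,
    at least MIN_DISTINCT_RULES *different* low-severity rules have fired on it.
Counting distinct rules (cardinality) rather than raw alerts is what keeps one
noisy rule from escalating on its own.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)        # assumed look-back window
MIN_DISTINCT_RULES = 3             # assumed cardinality threshold

# Constructed sample alerts (rule names are illustrative, not real Elastic rules).
SAMPLE_ALERTS = [
    # host-a: three different rules within 20 minutes -> should escalate
    {"@timestamp": "2024-05-01T10:00:00Z", "host.name": "host-a", "rule.name": "Potential Network Sniffing"},
    {"@timestamp": "2024-05-01T10:05:00Z", "host.name": "host-a", "rule.name": "Unusual Child Process"},
    {"@timestamp": "2024-05-01T10:20:00Z", "host.name": "host-a", "rule.name": "Suspicious Library Load"},
    # host-b: five alerts, but all from the same rule -> cardinality 1, no escalation
    {"@timestamp": "2024-05-01T10:00:00Z", "host.name": "host-b", "rule.name": "Unusual Child Process"},
    {"@timestamp": "2024-05-01T10:01:00Z", "host.name": "host-b", "rule.name": "Unusual Child Process"},
    {"@timestamp": "2024-05-01T10:02:00Z", "host.name": "host-b", "rule.name": "Unusual Child Process"},
    {"@timestamp": "2024-05-01T10:03:00Z", "host.name": "host-b", "rule.name": "Unusual Child Process"},
    {"@timestamp": "2024-05-01T10:04:00Z", "host.name": "host-b", "rule.name": "Unusual Child Process"},
    # host-c: three different rules, but spread over five hours -> outside the window
    {"@timestamp": "2024-05-01T08:00:00Z", "host.name": "host-c", "rule.name": "Potential Network Sniffing"},
    {"@timestamp": "2024-05-01T10:30:00Z", "host.name": "host-c", "rule.name": "Unusual Child Process"},
    {"@timestamp": "2024-05-01T13:00:00Z", "host.name": "host-c", "rule.name": "Suspicious Library Load"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def escalate(alerts, window=WINDOW, min_distinct=MIN_DISTINCT_RULES):
    """Return {host: sorted distinct rule names} for every host that crosses the threshold.

    For each host the alerts are sorted by time; each alert is treated as the
    end of a window and the distinct rule names within that window are counted.
    """
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host.name"]].append((parse_ts(alert["@timestamp"]), alert["rule.name"]))

    escalated = {}
    for host, events in by_host.items():
        events.sort()
        for i, (window_end, _) in enumerate(events):
            # distinct rules whose alert falls inside [window_end - window, window_end]
            in_window = {rule for ts, rule in events[: i + 1] if window_end - ts <= window}
            if len(in_window) >= min_distinct:
                escalated[host] = sorted(in_window)
                break  # one high-severity alert per host is enough
    return escalated


if __name__ == "__main__":
    for host, rules in escalate(SAMPLE_ALERTS).items():
        print(f"HIGH severity: {host} triggered {len(rules)} distinct rules: {rules}")
```

Running the block escalates only `host-a`: `host-b` produced more raw alerts than any other host but from a single rule, and `host-c` tripped three rules too far apart in time. Widening the window (for example `escalate(SAMPLE_ALERTS, window=timedelta(hours=6))`) pulls `host-c` in as well, which is the tuning knob an analyst would adjust against observed false-positive rates.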