by potatohead00 1009 days ago
Where will this good field data come from? Using what context? A low-risk alert for one org might be seen as something else in another.
2 comments

If you look at the current major offerings like SentinelOne, they start off with a generic best-practice baseline, then slowly “learn” the normal traffic on the network to be able to better define the abnormal incidents to the IDS.
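As an added illustration of the "learn the normal, then flag the abnormal" approach the reply above describes (example code written for this thread, not SentinelOne's or any other vendor's implementation; the flow records, host names, ports and the 3-sigma threshold are all constructed for the example), here is a toy baseline that learns per-host egress volume and destination ports from a training window and then scores a new window against it:

```python
"""Toy network baseline: fit on 'normal' flows, then flag deviations.
Added example for this thread; all data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    window: int      # coarse time bucket (e.g. hour index), constructed
    host: str        # internal source host
    dst_port: int    # destination port contacted
    bytes_out: int   # bytes the host sent in this flow


# Constructed training data: seven windows of routine traffic for two hosts.
BASELINE_FLOWS = (
    [Flow(w, "ws-01", 443, 2_000 + 100 * (w % 3)) for w in range(7)]
    + [Flow(w, "ws-01", 53, 120) for w in range(7)]
    + [Flow(w, "srv-db", 5432, 50_000 + 500 * (w % 2)) for w in range(7)]
)


class Baseline:
    """Per-host baseline of (ports seen, mean/stdev of bytes per window)."""

    def __init__(self, k: float = 3.0):
        # k is the sensitivity knob: how many standard deviations above the
        # learned mean counts as abnormal. This is exactly the per-org
        # tuning point the thread is discussing (hypothetical default).
        self.k = k
        self.ports = defaultdict(set)   # host -> destination ports seen in training
        self.bytes_stats = {}           # host -> (mean, stdev) of bytes per window

    def fit(self, flows):
        per_window = defaultdict(lambda: defaultdict(int))  # host -> window -> bytes
        for f in flows:
            self.ports[f.host].add(f.dst_port)
            per_window[f.host][f.window] += f.bytes_out
        for host, windows in per_window.items():
            totals = list(windows.values())
            self.bytes_stats[host] = (mean(totals), pstdev(totals))
        return self

    def score_window(self, flows):
        """Return de-duplicated (host, reason) findings for one new window."""
        findings = []

        def add(finding):
            if finding not in findings:
                findings.append(finding)

        totals = defaultdict(int)
        for f in flows:
            totals[f.host] += f.bytes_out
            if f.host not in self.ports:
                add((f.host, "host never seen in baseline"))
            elif f.dst_port not in self.ports[f.host]:
                add((f.host, f"new destination port {f.dst_port}"))

        for host, total in totals.items():
            if host in self.bytes_stats:
                mu, sigma = self.bytes_stats[host]
                # Floor sigma at 1 byte so a perfectly flat baseline still
                # yields a usable threshold instead of flagging any change.
                limit = mu + self.k * max(sigma, 1.0)
                if total > limit:
                    add((host, f"egress {total} B exceeds baseline limit {limit:.0f} B"))
        return findings


if __name__ == "__main__":
    b = Baseline().fit(BASELINE_FLOWS)
    normal = [Flow(7, "ws-01", 443, 2_100), Flow(7, "ws-01", 53, 120)]
    odd = [Flow(8, "ws-01", 443, 9_000), Flow(8, "ws-01", 8443, 500),
           Flow(8, "ws-99", 443, 10)]
    print("normal window:", b.score_window(normal))
    print("odd window:", b.score_window(odd))
```

Two things the toy makes concrete: the baseline is only as good as the training window (a host that was already misbehaving during "learning" becomes part of normal), and the `k` threshold is an organisational choice, which is the point made upthread about the same alert meaning different things in different orgs.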
You make a good point. What occurred to me is that some more standardised method for coding threat events is needed first. But that seems tractable given existing CVE taxonomies etc.