Enterprise threat detection (ETD) typically collects and stores a large amount/large sets of log data associated with various heterogeneous computing systems (often referred to as “big data”). The collected log data from source computing systems is extracted as events into an ETD system and analyzed/evaluated using forensic-type data analysis tools to identify suspicious behavior and to allow an appropriate response. Among the central functionalities of ETD is the use of patterns to evaluate extracted events. The patterns specify what event characteristics (such as types, numbers, etc.—for example, if a certain number of failed logon events for a particular user are observed in the system) cause an alert to be raise by the ETD system. However, for the same user, the same type of observation (for example, each time a pattern's criteria is met) can result in various alerts reporting a similar issue, which can result in a large number of false positive alerts. This increases the total cost of ownership (TCO) for the ETD system, as the same effort for closing each alert is required, even if the alert is a false positive.