It would be nice to be able to differentiate alerting parameters whether it's a compromised mailbox in ITDR or a compromised server in MDR. I want to be called even a sunday for a compromised server, maybe not for a user that clicked on a phishing link.