If you were going to create a top ten alerts email from OSSEC logs, I am just wondering what folks would alert on?
What's the best way to detect fraudulent privileged account usage? I find it very challenging to pick it out from legit activity. Maybe authentication without a password to detect hash usage / mimikatz?
What are some of the other queries folks try to pick out evil from all the noise?
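One way to start such a list, as an added example that is not from the original post: a small Python filter over constructed Windows Security 4624 logon records (field names follow the Windows event, not any OSSEC decoder), scoring the two signals the question raises, an NTLM network logon by a privileged account and the logon type 9 / seclogo footprint that explicit-credential logons leave, then aggregating the hits into "top ten" counts. The privileged-account set and the sample events are assumptions.

```python
from collections import Counter

PRIVILEGED_ACCOUNTS = {"administrator", "svc_backup"}   # assumed list; adapt to your domain

# Constructed sample 4624 records (not real logs); keys mirror the Windows event fields.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "administrator", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp", "IpAddress": "10.0.0.23"},
    {"EventID": 4624, "TargetUserName": "jsmith", "LogonType": 9,
     "AuthenticationPackageName": "Negotiate", "LogonProcessName": "seclogo", "IpAddress": "::1"},
    {"EventID": 4624, "TargetUserName": "jsmith", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "LogonProcessName": "Kerberos", "IpAddress": "10.0.0.40"},
    {"EventID": 4624, "TargetUserName": "administrator", "LogonType": 2,
     "AuthenticationPackageName": "Negotiate", "LogonProcessName": "User32", "IpAddress": "-"},
]

def classify(event):
    """Return the list of alert reasons that apply to one 4624 record (empty if nothing fires)."""
    if event.get("EventID") != 4624:
        return []
    user = event.get("TargetUserName", "").lower()
    reasons = []
    # Logon type 9 with the seclogo logon process is the footprint of "explicit credential"
    # logons (runas /netonly, and the hash-replay tooling the question mentions).
    if event.get("LogonType") == 9 and event.get("LogonProcessName", "").lower() == "seclogo":
        reasons.append("type-9 seclogo logon (explicit/injected credentials)")
    # In a Kerberos domain, a privileged account authenticating over NTLM on the network is
    # worth a look: NTLM is what a replayed hash uses, Kerberos is what a normal logon uses.
    if (user in PRIVILEGED_ACCOUNTS and event.get("LogonType") == 3
            and event.get("AuthenticationPackageName", "").upper() == "NTLM"):
        reasons.append("privileged account NTLM network logon")
    # Interactive (2) and RDP (10) logons by privileged accounts are low-volume enough to list.
    if user in PRIVILEGED_ACCOUNTS and event.get("LogonType") in (2, 10):
        reasons.append("privileged account interactive logon")
    return reasons

def top_alerts(events, n=10):
    """Count hits per (user, reason), most frequent first: the body of the 'top ten' mail."""
    counts = Counter()
    for ev in events:
        for reason in classify(ev):
            counts[(ev.get("TargetUserName", "").lower(), reason)] += 1
    return counts.most_common(n)

if __name__ == "__main__":
    for (user, reason), count in top_alerts(SAMPLE_EVENTS):
        print(f"{count:3d}  {user:<15} {reason}")
```

Tune the NTLM check to your environment: hosts that legitimately cannot use Kerberos (workgroup boxes, IP-address connections) will need an allow-list before this is quiet enough for a daily mail.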