Connect all devices through a network firewall with precise configuration.
Marc Lavoie
Many of the alerts our team received could have been completely avoided if all city devices were protected behind an enterprise-grade firewall configured to allow only essential ports such as 53 (DNS), 80 (HTTP), 443 (HTTPS), and the specific ports required for Kibana and Suricata. In my experience, internet connectivity and most web applications perform reliably & often more efficiently when only the essential ports are open. With a precisely architected & configured network, I estimate that 10% to 30% of the low-value or irrelevant alerts would never have appeared. This reduction in noise would elevate the visibility of high-priority alerts in the logs, making them significantly easier to detect and act upon.
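One way to test the noise estimate above against your own sensor data, shown as an added example that is not part of the original post: it splits Suricata EVE JSON alert records into those on allowlisted ports and those a default-deny firewall in front of the sensor would have prevented. Assumptions: the function names are hypothetical, the sample records are constructed, 5601 (Kibana's default port) stands in for the deployment-specific ports, and matching on either port is an approximation that keeps reply packets of allowed flows.

```python
import json
from collections import Counter

# Allowlist from the post: DNS, HTTP, HTTPS. 5601 is Kibana's default port
# (assumption); add whatever other ports your own deployment requires.
ALLOWED_PORTS = {53, 80, 443, 5601}

# Constructed sample in Suricata EVE JSON shape (not real alerts).
SAMPLE_EVE = """\
{"event_type":"alert","proto":"TCP","src_port":51544,"dest_port":23,"alert":{"severity":3}}
{"event_type":"alert","proto":"TCP","src_port":40112,"dest_port":3389,"alert":{"severity":3}}
{"event_type":"alert","proto":"TCP","src_port":50211,"dest_port":443,"alert":{"severity":1}}
{"event_type":"alert","proto":"TCP","src_port":443,"dest_port":50233,"alert":{"severity":2}}
{"event_type":"alert","proto":"UDP","src_port":5353,"dest_port":5353,"alert":{"severity":3}}
{"event_type":"alert","proto":"ICMP","icmp_type":8,"alert":{"severity":3}}
{"event_type":"flow","proto":"TCP","src_port":50999,"dest_port":445}
{"event_type":"alert","dest_port":
{"event_type":"alert","proto":"UDP","src_port":33012,"dest_port":53,"alert":{"severity":2}}
{"event_type":"alert","proto":"TCP","src_port":41877,"dest_port":445,"alert":{"severity":2}}
"""

def triage(lines, allowed=ALLOWED_PORTS):
    """Return (kept, avoidable) lists of alert events."""
    kept, avoidable = [], []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line
        if not isinstance(ev, dict) or ev.get("event_type") != "alert":
            continue
        ports = {ev.get("src_port"), ev.get("dest_port")} - {None}
        # No ports (e.g. ICMP): a port allowlist cannot judge it, so keep it.
        # Either port allowlisted: request or reply of a permitted service.
        if not ports or ports & allowed:
            kept.append(ev)
        else:
            avoidable.append(ev)
    return kept, avoidable

def summarize(lines, allowed=ALLOWED_PORTS):
    kept, avoidable = triage(lines, allowed)
    total = len(kept) + len(avoidable)
    return {
        "total": total,
        "avoidable": len(avoidable),
        "avoidable_pct": round(100 * len(avoidable) / total, 1) if total else 0.0,
        "kept_by_severity": dict(Counter(e.get("alert", {}).get("severity") for e in kept)),
    }
```

To run it on real data, pass the lines of your sensor's `eve.json` to `summarize()` and compare `avoidable_pct` with the estimate in the post.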