A number of years ago, I was working to stand up a SOC team for an organization that was just standing up IDS/IPS and SIEM (obviously, now that you have it, you need people to interpret it...)
I had noticed that some of the brute-force SSH assaults were coming so hot and heavy that they approached saturating some of our smaller circuits and firewalls. So I noted the fact and included it as part of an argument to enable rate limiting on the firewalls (a fairly standard measure for dealing with DDoS and brute-force attackers...)
I then got called onto the carpet at end of day, a day or two later, where manglement was fretting over my "admission" that we were nearly DDoSed. I told them, no, I saw a potential problem and wanted to fix it BEFORE it rose to DDoS levels. They would not let me leave until I added nearly a page of weasel words to the already-plain statement that this was a PREVENTATIVE measure because I saw the POTENTIAL for some occasional DDoSes in the future.
The same group INSISTED that I had not detected a trojan, that the workstation in question had tested clean, etc.
Until an outside audit group found the trojan I had detected, AND the email chain of them denying what I had found.
Now, in a NORMAL world, I would have gotten a small bonus and a promotion... but what REALLY happened was that at the end of the option year, they dropped the SOC Lead position, saying it was unneeded... and so, once again, I found that no good deed goes unpunished...