I like to use a '3 strike' concept.
(lol I just realized that's what you're doing, but with a more granular approach).
So using dcount you can set a threshold of the number of DISTINCT alerts seen by WAF against a single destination.
From my past experience with WAF, when you do a vuln/app scan the WAF alerts light up like a Christmas tree, and there's never just 1 or 2 distinct alerts, it's many more.
So you set a threshold above that of your typical false positives per hour and you're off (3 strikes is my starting point, but KQL can suggest a better number for your environment).
Deception techniques are also great - e.g. honeypots, fake user accounts etc.
Updated Aug 11, 2023
Version 4.0
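The distinct-alert threshold described above, as an added KQL example that is not part of the original post. The `WafAlerts` table, its column names, the sample rows and the 95th-percentile baseline are assumptions chosen for illustration; map them to the WAF log table and fields in your own workspace.

```kql
// Constructed sample rows; table and column names are assumptions for illustration.
// Hours before 12:00 hold the usual one or two noisy rules per hour; the 12:00 hour
// holds many different rules against app1 and one rule repeated against app2.
let WafAlerts = datatable(TimeGenerated:datetime, Destination:string, RuleId:string, SourceIp:string)
[
    datetime(2023-08-10 09:05:00), "app1.example.com", "920350", "198.51.100.7",
    datetime(2023-08-10 09:40:00), "app1.example.com", "920350", "198.51.100.9",
    datetime(2023-08-10 10:12:00), "app1.example.com", "920350", "198.51.100.7",
    datetime(2023-08-10 10:30:00), "app1.example.com", "942100", "198.51.100.8",
    datetime(2023-08-10 11:20:00), "app2.example.com", "920350", "198.51.100.7",
    datetime(2023-08-10 12:01:00), "app1.example.com", "913100", "203.0.113.50",
    datetime(2023-08-10 12:01:10), "app1.example.com", "942100", "203.0.113.50",
    datetime(2023-08-10 12:01:20), "app1.example.com", "941100", "203.0.113.50",
    datetime(2023-08-10 12:02:00), "app1.example.com", "930100", "203.0.113.50",
    datetime(2023-08-10 12:02:30), "app1.example.com", "932100", "203.0.113.50",
    datetime(2023-08-10 12:10:00), "app2.example.com", "920350", "198.51.100.7",
    datetime(2023-08-10 12:11:00), "app2.example.com", "920350", "198.51.100.7",
    datetime(2023-08-10 12:12:00), "app2.example.com", "920350", "198.51.100.7"
];
let Strikes = 3;                                 // starting threshold from the post
let DetectFrom = datetime(2023-08-10 12:00:00);  // fixed for the sample; on live data use ago(1h)
// DISTINCT rules that fired per destination per hour (dcount is an estimate,
// which is accurate at cardinalities this small)
let Hourly = WafAlerts
    | summarize DistinctAlerts = dcount(RuleId), Rules = make_set(RuleId), Sources = make_set(SourceIp)
        by Destination, Hour = bin(TimeGenerated, 1h);
// Typical distinct alerts per hour for each destination, taken only from hours
// before the detection window so a scan does not raise its own baseline
let Baseline = Hourly
    | where Hour < DetectFrom
    | summarize TypicalPerHour = tolong(percentile(DistinctAlerts, 95)) by Destination;
Hourly
| where Hour >= DetectFrom
| join kind=leftouter Baseline on Destination
// Threshold sits above the typical hourly count, never below the 3-strike floor;
// destinations with no baseline yet fall back to the floor
| extend Threshold = max_of(Strikes, coalesce(TypicalPerHour, 0) + 1)
| where DistinctAlerts >= Threshold
| project Hour, Destination, DistinctAlerts, Threshold, Rules, Sources
```

Counting distinct rule IDs rather than raw events is what keeps a single noisy rule firing repeatedly against one destination from crossing the threshold.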