Getting alerts is only as good as the response to them. Without a response, they are just acting as a smoke screen for the penetrators. Those alerts should be converted into automatic actions of blocking, limiting access or quarantine of suspected devices. For blocking mechanism, the closer you do the blocking to the actual network infrastructure, like shutting down the actual Ethernet port, the more secure and affective you are.
MORE: 7 ways to avoid alert fatigue