Data-driven alert prioritization

What is claimed is: 1. A method of providing alert prioritization, the method comprising: selecting, by processing circuitry, attributes to use as alert scoring factors; for an incoming alert having particular attribute values for the selected attributes, updating, by the processing circuitry, count data to represent encounter of the incoming alert from perspectives of the selected attributes; and generating, by the processing circuitry, an overall significance score for the incoming alert based on the updated count data, the overall significance score being a measure of alert significance relative to other alerts, wherein a list of current alerts includes other alerts and overall significance scores generated for the other alerts, and wherein the method further comprises: adding the incoming alert and the overall significance score to the list of current alerts; and sorting alerts of the list of current alerts based on overall significance score to form a prioritized list of alerts to investigate. 2. A method as in claim 1 wherein generating the overall significance score for the incoming alert based on the updated count data includes: combining individual partial significance scores to form the overall significance score, each partial significance score being a measure of alert significance from a perspective of a particular selected attribute. 3. A method as in claim 2 wherein generating the overall significance score for the incoming alert based on the updated count data further includes: prior to combining the individual partial significance scores to form the overall significance score, combining internal scores to form the individual partial significance scores, each internal score being based on metrics derived from the updated count data. 4. A method as in claim 3 wherein generating the overall significance score for the incoming alert based on the updated count data further includes: prior to combining the internal scores to form the individual partial significance scores, (i) computing sets of raw measures per attribute from the updated count data and (ii) deriving the metrics from the sets of raw measures computed per attribute. 5. A method as in claim 4 wherein computing the sets of raw measures per attribute from the updated count data includes: calculating a count-in-short-days measure based on a number of encountered occurrences of a particular attribute value in the last X days, X being an integer which is less than or equal to eight. 6. A method as in claim 5 wherein computing the sets of raw measures per attribute from the updated count data further includes: calculating a count-in-long-days measure based on a number of encountered occurrences of the particular attribute value in the last 10X days. 7. A method as in claim 6 wherein computing the sets of raw measures per attribute from the updated count data further includes: dividing the count-in-long-days measure by the count-in-short-days measure to provide, as a raw measure, a count ratio for the particular attribute value. 8. A method as in claim 4 wherein computing the sets of raw measures per attribute from the updated count data includes: calculating, as a period-of-short-count measure, a minimum time period containing two occurrences of the particular attribute value among two different alerts. 9. A method as in claim 8 wherein computing the sets of raw measures per attribute from the updated count data further includes: calculating, as a period-of-long-count measure, a minimum time period containing 10 occurrences of the particular attribute value among 10 different alerts. 10. A method as in claim 9 wherein computing the sets of raw measures per attribute from the updated count data further includes: dividing the period-of-short-count measure by the period-of-long-count measure to provide, as a raw measure, a period ratio for the particular attribute value. 11. A method as in claim 4 wherein computing the sets of raw measures per attribute from the updated count data includes: calculating a count-in-short-days measure based on a number of encountered occurrences of a particular attribute value in the last X days, calculating a count-in-long-days measure based on a number of encountered occurrences of the particular attribute value in the last 10X days, dividing the count-in-long-days measure by the count-in-short-days measure to provide, as a raw measure, a count ratio for the particular attribute value, calculating, as a period-of-short-count measure, a minimum time period containing two occurrences of the particular attribute value among two different alerts, calculating, as a period-of-long-count measure, a minimum time period containing 10 occurrences of the particular attribute value among 10 different alerts, and dividing the period-of-short-count measure by the period-of-long-count measure to provide, as a raw measure, a period ratio for the particular attribute value. 12. A method as in claim 11 wherein computing the sets of raw measures per attribute from the updated count data includes: calculating a count-in-short-days measure based on a number of encountered occurrences of another attribute value in the last X days, calculating a count-in-long-days measure based on a number of encountered occurrences of the other attribute value in the last 10X days, dividing the count-in-long-days measure by the count-in-short-days measure to provide, as a raw measure, a count ratio for the other attribute value, calculating, as a period-of-short-count measure, a minimum time period containing two occurrences of the other attribute value among two different alerts, calculating, as a period-of-long-count measure, a minimum time period containing 10 occurrences of the other attribute value among 10 different alerts, and dividing the period-of-short-count measure by the period-of-long-count measure to provide, as a raw measure, a period ratio for the other attribute value. 13. A method as in claim 1 , further comprising: sorting alerts of the list of current alerts based on overall significance score to form a prioritized list of alerts to investigate. 14. A method as in claim 13 , further comprising: rendering a top portion of the prioritized list of alerts to an investigator to prioritize alert investigation. 15. A method as in claim 1 , further comprising: combining alerts of the list of current alerts based on a common attribute to form a consolidated list of alerts to investigate. 16. A method as in claim 1 , further comprising: prior to updating the count data to represent the encounter of the incoming alert from the perspectives of the selected attributes, receiving the incoming alert from an adaptive authentication engine which is constructed and arranged to perform an adaptive authentication operation to authenticate a user based on a numerical risk score which indicates a measurement of risk that the user is not authentic. 17. A method as in claim 1 , further comprising: prior to updating the count data to represent the encounter of the incoming alert from the perspectives of the selected attributes, receiving the incoming alert from a Security Information and Event Management (SIEM) system which is constructed and arranged to provide real-time security alerts from a network environment. 18. An electronic apparatus, comprising: memory; and processing circuitry coupled to the memory, the memory storing instructions which, when carried out by the processing circuitry, cause the processing circuitry to: select a