SUPR
Cyber Security with HMM
Dnr: NAISS 2023/22-841

Type: NAISS Small Compute

Principal Investigator: Yeongwoo Kim

Affiliation: Kungliga Tekniska högskolan

Start Date: 2023-08-29

End Date: 2024-09-01

Primary Classification: 20299: Other Electrical Engineering, Electronic Engineering, Information Engineering

Webpage:

Allocation

Abstract

Optimal defensive actions are required to minimize the impact of cyber attacks. To choose them, the defender must identify the attacker's progression and privileges (i.e., maintain cyber situational awareness). This is hard because legitimate users also access the network and may trigger false alerts. The defender can filter out false alerts by investigating them manually, but investigating every alert is impossible because it consumes excessive time. Hence, the defender needs to select a small subset of the most informative alerts and investigate only that subset. In this project, we will develop an algorithm that estimates the information carried by each alert and helps select the informative ones. To evaluate the algorithm, we will use Dardel to simulate the attacker with hidden Markov models (HMMs). Treating the observations emitted by the HMMs as alerts, we will collect alerts from the simulations and evaluate our algorithm by quantifying the defender's estimation error.