Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: Unusual or Suspicious Traffic


I think the alert taxonomy is the piece that is the most confusing and often the invisible part of the process; it wasn't until weeks after using the product and a call to support that I was even aware the policies were there (I admittedly am one of the people who will read the manual only as a last resort). Correct me if I am wrong, but isn't the taxonomy the Policies part?


The connectors I completely understand; those are basically templates on how to collect and normalize (parse) the logs.


I often also think that the way LEM defines an alert can be confusing at times, but I think that ultimately goes back to the taxonomy, since those seem to be the "containers" that are the alerts. When you go into the Policies they have explanations as to what they mean; however, technical folks like myself are often trying to understand exactly what it would capture.


Not sure if this helped or not; this was basically me thinking out loud about the issue.

