We have quite a few built-in directives (they come out-of-the-box with the AlienVault installation) which we cloned and modified according to our needs. A common reason for doing this is that the directives generate false positives, or that we need to exclude certain usernames or IPs from generating alerts, etc. I'm sure we're not the only users of AlienVault who clone existing directives.
When we clone a directive, the original built-in directive gets disabled, which is expected, and the cloned directive moves to the User Contributed directives section. The problem with this is that the User Contributed directives don't benefit from the regular AlienVault updates.
For example, let's say I cloned the AV Malware, Phishing activity directive and modified it under the User Contributed directive. When the original built-in AV Malware, Phishing activity directive (which is disabled) gets updated, the User Contributed one doesn't.
AlienVault confirmed this behavior (I logged a case with TAC earlier) and made me realize that we might be stuck with out-of-date User Contributed directives, which isn't good. We depend a lot on the User Contributed directives for bringing the noise down in the SOC and for having better quality alarms for our environment. Out-of-the-box directives can't fit all environments; it's crazy to think that.
So the options now are to either stop cloning directives and use the built-in ones, or continue using custom (User Contributed) directives and face the fact that they might be very out of date (meaning not having the latest SIDs, etc.).
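One practical middle ground, as an added example that is not part of the original post and not AlienVault's own tooling, is to periodically diff the (disabled but still updated) built-in directive against your clone and flag the rules and plugin SIDs the clone has fallen behind on, so the customizations can be re-applied. The script below assumes a simplified directive XML in the general shape of OSSIM/AlienVault directive files (a `directive` element with `rule` elements carrying `plugin_id` and a comma-separated `plugin_sid` list); the directive IDs, rule names, SIDs and the `!10.10.5.20` exclusion are constructed for illustration, and no real file paths are assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the built-in directive after a vendor update.
# IDs, names and SIDs are made up; the XML shape is a simplified
# approximation of OSSIM/AlienVault directive files, not a copy of one.
BUILTIN_UPDATED = """<directive id="20001" name="AV Malware, Phishing activity" priority="3">
  <rule type="detector" name="Phishing site visited" reliability="3" occurrence="1"
        from="ANY" to="ANY" plugin_id="1001" plugin_sid="2010,2011,2012,2013"/>
  <rule type="detector" name="Credential submission" reliability="5" occurrence="1"
        from="ANY" to="ANY" plugin_id="1001" plugin_sid="2020,2021"/>
</directive>"""

# Constructed sample: the User Contributed clone, made before the update.
# It excludes one noisy source IP (the "!" negation is assumed, not verified
# against a live system) and therefore lacks SID 2013 and the new rule.
CLONE = """<directive id="500001" name="AV Malware, Phishing activity (custom)" priority="3">
  <rule type="detector" name="Phishing site visited" reliability="3" occurrence="1"
        from="!10.10.5.20" to="ANY" plugin_id="1001" plugin_sid="2010,2011,2012"/>
</directive>"""


def rule_sids(directive_xml):
    """Map each rule name to the set of (plugin_id, plugin_sid) pairs it fires on.

    root.iter() walks nested <rule> elements too, so multi-level directives
    are covered; rules sharing a name have their SID sets merged.
    """
    root = ET.fromstring(directive_xml)
    rules = {}
    for rule in root.iter("rule"):
        plugin_id = rule.get("plugin_id")
        sids = {
            (plugin_id, sid.strip())
            for sid in rule.get("plugin_sid", "").split(",")
            if sid.strip()
        }
        rules.setdefault(rule.get("name"), set()).update(sids)
    return rules


def directive_drift(builtin_xml, clone_xml):
    """Report what the updated built-in directive has that the clone lacks.

    Returns a dict with:
      new_rules    - rule names present in the built-in but absent from the clone
      missing_sids - per shared rule, the (plugin_id, sid) pairs the clone lacks
    """
    builtin = rule_sids(builtin_xml)
    clone = rule_sids(clone_xml)
    missing = {}
    for name, sids in builtin.items():
        if name in clone and sids - clone[name]:
            missing[name] = sorted(sids - clone[name])
    return {
        "new_rules": sorted(set(builtin) - set(clone)),
        "missing_sids": missing,
    }


def report(drift):
    """Render the drift as a short human-readable list for the SOC reviewer."""
    lines = []
    for name in drift["new_rules"]:
        lines.append(f"NEW RULE not in clone: {name}")
    for name, pairs in drift["missing_sids"].items():
        sids = ", ".join(f"{pid}:{sid}" for pid, sid in pairs)
        lines.append(f"MISSING SIDs in clone rule '{name}': {sids}")
    return lines


if __name__ == "__main__":
    for line in report(directive_drift(BUILTIN_UPDATED, CLONE)):
        print(line)
```

Run this against the on-disk XML of each built-in/clone pair after every vendor update and the output is the to-do list for re-applying your exclusions on top of the current rule set, which keeps the clone's noise reduction without silently losing new SIDs.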