Techniques
Sample rules
Multiple Alerts in Different ATT&CK Tactics on a Single Host
- source: elastic
- techniques:
Description
This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
Detection logic
signal.rule.name:* and kibana.alert.rule.threat.tactic.id:*
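The query above only selects alerts that carry both a rule name and an ATT&CK tactic id; the "different tactics on a single host" condition is applied by the rule's aggregation, which this page does not show. The following is an added example (not Elastic's own implementation) that reproduces that logic offline over constructed alert documents, assuming the grouping field is `host.name` and that "multiple" means at least two distinct tactic ids.

```python
from collections import defaultdict

# Constructed sample alerts in the flattened field shape the KQL matches.
# Rule names and host names are hypothetical; tactic ids are real ATT&CK ids.
SAMPLE_ALERTS = [
    {"host.name": "ws-01", "signal.rule.name": "Suspicious PowerShell",
     "kibana.alert.rule.threat.tactic.id": "TA0002"},  # Execution
    {"host.name": "ws-01", "signal.rule.name": "Registry Run Key Added",
     "kibana.alert.rule.threat.tactic.id": "TA0003"},  # Persistence
    {"host.name": "ws-01", "signal.rule.name": "LSASS Memory Access",
     "kibana.alert.rule.threat.tactic.id": "TA0006"},  # Credential Access
    {"host.name": "srv-02", "signal.rule.name": "Suspicious PowerShell",
     "kibana.alert.rule.threat.tactic.id": "TA0002"},
    {"host.name": "srv-02", "signal.rule.name": "Encoded Command Line",
     "kibana.alert.rule.threat.tactic.id": "TA0002"},  # same tactic again
    {"host.name": "ws-03", "signal.rule.name": "Phishing Attachment Opened",
     "kibana.alert.rule.threat.tactic.id": "TA0001"},
    {"host.name": "ws-03", "signal.rule.name": "Legacy Rule Without Mapping"},
    {"signal.rule.name": "Orphan Alert",  # no host.name: cannot be grouped
     "kibana.alert.rule.threat.tactic.id": "TA0005"},
]


def matches_query(alert):
    """Mirror of `signal.rule.name:* and kibana.alert.rule.threat.tactic.id:*`:
    both fields must be present and non-empty."""
    return bool(alert.get("signal.rule.name")) and \
        bool(alert.get("kibana.alert.rule.threat.tactic.id"))


def tactics_per_host(alerts):
    """Group matching alerts by host and collect the distinct tactic ids seen."""
    by_host = defaultdict(set)
    for alert in alerts:
        host = alert.get("host.name")
        if not matches_query(alert) or not host:
            continue
        by_host[host].add(alert["kibana.alert.rule.threat.tactic.id"])
    return by_host


def flag_hosts(alerts, min_distinct_tactics=2):
    """Hosts with at least min_distinct_tactics distinct tactics, most first.
    The threshold of 2 is an assumption made for this example."""
    hits = [(host, sorted(tactics))
            for host, tactics in tactics_per_host(alerts).items()
            if len(tactics) >= min_distinct_tactics]
    hits.sort(key=lambda item: (-len(item[1]), item[0]))
    return hits


if __name__ == "__main__":
    for host, tactics in flag_hosts(SAMPLE_ALERTS):
        print(f"{host}: {len(tactics)} tactics -> {', '.join(tactics)}")
```

Note that `srv-02` is not flagged despite two alerts, because both map to the same tactic; the signal the rule is after is breadth across the attack lifecycle, not alert volume.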