Update multiple_alerts_elastic_defend_netsecurity_by_host.toml

Author: Samirbous

rules/cross-platform/multiple_alerts_elastic_defend_netsecurity_by_host.toml

@@ -84,6 +84,7 @@ This rule correlate any Elastic Defend alert with suspicious events from Network
 
 ### False positive analysis
 
+- IP address ranges overlap where the host.ip value from the Elastic Defend alert is unrelated to the source.ip value from the Network Security alert.
 - Alerts from routine administrative tasks may trigger multiple alerts. Review and exclude known benign activities such as scheduled software updates or system maintenance.
 - Security tools running on the host might generate alerts across different tactics. Identify and exclude alerts from trusted security applications to reduce noise.
 - Automated scripts or batch processes can mimic adversarial behavior. Analyze and whitelist these processes if they are verified as non-threatening.