To determine which D&R rule triggered a command on an endpoint, navigate to the Platform Logs (audit). If the command was triggered by a detection & response rule, the audit log will show the name of the rule that triggered it.

If the command was sent via the API, the Platform Logs (audit) will show the API key name.

You will want to search Platform Logs (audit) for "Tasking".

Did this answer your question?