Great point! Defenders should consider their process post initial indicator when creating detections. Often a single indicator is not a smoking gun and requires some follow-up. RT detections will typically be easier to follow up on than HDT, as you point out, because the activity may no longer be present.