For example, assume that an endpoint is under an active breach, and Rule Id 4290642353 detected an attempt to execute a suspicious PowerShell command.  After some time, another attempt was made to execute a different Powershell command, but this attempt was detected by a different rule (Rule Id 4290642301). Both of these detections are communicated to Symantec EDR as separate events but with the same rule ID (Rule Id 4294926711) and the description "Trusted process attempted to run suspicious command line". This scenario is true for execution attempt detections of over a 100 different types of script/commands.  This is why the Weekly Est. value can be especially high.   

Conversely, consider the same example above, but this time Rule Id 4290642353 is considered a true positive and Rule Id 4290642301 is considered a false positive.  Both of these appear as Rule Id 4294926711, since they were detected during attempted executions.  Disabling the "Trusted process attempted to run suspicious command line" rule (Rule Id 4294926711) prevents either detection from generating an incident.