Forum Discussion
FeintBE
Mar 09, 2020, Copper Contributor
Threat hunting vs Analytics rule?
Hello,
What's the main difference between threat hunting and analytics rules? They both work with queries and alerts.
Is there a difference?
Thanks
1 Reply
GaryBushey, Bronze Contributor
FeintBE, while there are many differences, I would say the main one would be that analytic rules are run on a schedule or when another event occurs (like MCAS raising an alert). Hunting queries are run manually (without getting too much into Livestream discussions).
I have also heard that hunting queries will usually require a human to interpret the results, and if they were made into analytic rules there would be a lot of false positives. For example, there is a hunting query called "Preview - TI map File entity to OfficeActivity Event" with the description "Identifies a match in OfficeActivity Event data from any FileName IOC from TI. As File name matches can create noise, this is best as hunting query."
I am sure there are other differences that I am missing. Hope this helps.
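To make the scheduling and noise point above concrete, here is an added example (not part of the original thread, and not the built-in "TI map File entity to OfficeActivity Event" query itself): the same TI-to-OfficeActivity file-name match written once as a broad hunting query and once tightened into something that could run unattended as a scheduled analytics rule. The look-back windows, the confidence threshold, the file-name length heuristic, the operation list and the `*CustomEntity` column names are assumptions chosen for illustration; the tables and columns used (`ThreatIntelligenceIndicator` with `FileName`, `Active`, `ExpirationDateTime`, `ConfidenceScore`, `ThreatType`, `IndicatorId`; `OfficeActivity` with `SourceFileName`, `Operation`, `UserId`, `ClientIP`, `OfficeObjectId`) are the standard Sentinel schema. Each query is meant to be run on its own.

```kql
// ---- 1. Hunting variant: broad on purpose, a human reads the results ----
let ioc_lookBack = 14d;   // assumed: how far back to pull indicators
let dt_lookBack  = 7d;    // assumed: how far back to search OfficeActivity
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| where Active == true and ExpirationDateTime > now()
| where isnotempty(FileName)
| summarize arg_max(TimeGenerated, *) by IndicatorId      // newest copy of each indicator
| join kind=innerunique (
    OfficeActivity
    | where TimeGenerated >= ago(dt_lookBack)
    | where isnotempty(SourceFileName)
    | project Office_TimeGenerated = TimeGenerated, UserId, Operation,
              ClientIP, OfficeObjectId, SourceFileName
  ) on $left.FileName == $right.SourceFileName
| project Office_TimeGenerated, UserId, Operation, ClientIP, OfficeObjectId,
          FileName, ConfidenceScore, ThreatType, Description
| order by Office_TimeGenerated desc

// ---- 2. Scheduled analytics rule variant: same match, tightened so it can alert unattended ----
// Assumed rule settings: run every 1 hour, look up data from the last 1 hour,
// so dt_lookBack equals the rule frequency and no event is matched twice.
let ioc_lookBack   = 14d;
let dt_lookBack    = 1h;
let min_confidence = 80;                   // assumed threshold; tune to your TI feed
let min_name_len   = 12;                   // assumed: drop short generic names (invoice.pdf style)
let risky_ops = dynamic(["FileUploaded", "FileDownloaded", "FileSyncUploadedFull", "FileCopied"]);
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| where Active == true and ExpirationDateTime > now()
| where isnotempty(FileName) and ConfidenceScore >= min_confidence
| where strlen(FileName) > min_name_len    // the noise reduction the description warns about
| summarize arg_max(TimeGenerated, *) by IndicatorId
| join kind=innerunique (
    OfficeActivity
    | where TimeGenerated >= ago(dt_lookBack)
    | where Operation in (risky_ops)       // only operations that move file content
    | where isnotempty(SourceFileName)
    | project Office_TimeGenerated = TimeGenerated, UserId, Operation,
              ClientIP, OfficeObjectId, SourceFileName
  ) on $left.FileName == $right.SourceFileName
// one row per user / source IP / indicator so the rule raises one alert per actor, not per event
| summarize EventCount = count(), FirstSeen = min(Office_TimeGenerated),
            LastSeen = max(Office_TimeGenerated), Operations = make_set(Operation)
          by UserId, ClientIP, FileName, IndicatorId, ConfidenceScore, ThreatType
// assumed entity-mapping columns in the style Sentinel used in 2020
| extend timestamp = LastSeen, AccountCustomEntity = UserId,
         IPCustomEntity = ClientIP, FileHashCustomEntity = FileName
```

The hunting query keeps every match over a week so an analyst can judge which file names are meaningful; the rule version narrows the window to the rule's own frequency, keeps only high-confidence and sufficiently specific indicators, restricts to operations that actually move file content, and collapses events per actor so one noisy user does not produce dozens of incidents. Those are exactly the kinds of constraints that turn a "human must interpret this" hunting query into something tolerable as a scheduled alert, and if the false-positive rate is still too high the right answer is to leave it as a hunting query.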