Forum Discussion
Threat hunting vs Analytics rule?
- Mar 09, 2020
FeintBE While there are many differences, I would say the main one would be that Analytic rules are run on a schedule or when another event occurs (like MCAS raising an alert). Hunting queries are run manually (without getting too much into LiveStream discussions).
I have also heard that Hunting queries will usually require a human to interpret the results and if they were made into Analytic rules there would be a lot of false positives. For example, there is a Hunting query called "Preview - TI map File entity to OfficeActivity Event" with the description "Identifies a match in OfficeActivity Event data from any FileName IOC from TI. As File name matches can create noise, this is best as hunting query".
I am sure there are other differences that I am missing. Hope this helps.
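The point in the answer above, that a file-name match against threat intelligence is fine as a hunting query an analyst reads by hand but too noisy to fire alerts on a schedule, can be shown with a small simulation. The block below is an added example written for this page; it is not FeintBE's code and not the Sentinel "TI map File entity to OfficeActivity Event" query, which is written in KQL. It models the same join in Python over constructed events and indicators (all names, users, timestamps and confidence scores are made up), matches file names case-insensitively, and contrasts the raw hunting output with an analytics-rule style variant that only alerts on high-confidence indicators not spread across many unrelated users; the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample threat-intel indicators (hypothetical values, not a real feed).
TI_FILE_INDICATORS = [
    {"FileName": "invoice.pdf", "ConfidenceScore": 40,
     "Description": "generic lure name reported in phishing campaigns"},
    {"FileName": "q1_budget_final.xlsm", "ConfidenceScore": 90,
     "Description": "macro dropper"},
]

# Constructed OfficeActivity-style file events (hypothetical users and file names).
OFFICE_ACTIVITY = [
    {"TimeGenerated": "2020-03-09T08:01:00Z", "UserId": "alice@example.com",
     "Operation": "FileUploaded", "SourceFileName": "invoice.pdf"},
    {"TimeGenerated": "2020-03-09T08:05:00Z", "UserId": "bob@example.com",
     "Operation": "FileAccessed", "SourceFileName": "invoice.pdf"},
    {"TimeGenerated": "2020-03-09T08:09:00Z", "UserId": "carol@example.com",
     "Operation": "FileDownloaded", "SourceFileName": "invoice.pdf"},
    {"TimeGenerated": "2020-03-09T08:12:00Z", "UserId": "dave@example.com",
     "Operation": "FileUploaded", "SourceFileName": "q1_budget_final.xlsm"},
    {"TimeGenerated": "2020-03-09T08:15:00Z", "UserId": "erin@example.com",
     "Operation": "FileAccessed", "SourceFileName": "notes.txt"},
    {"TimeGenerated": "2020-03-09T08:20:00Z", "UserId": "alice@example.com",
     "Operation": "FileAccessed", "SourceFileName": "Invoice.PDF"},
]


def ti_map_filename(events, indicators):
    """Hunting-query style join: return every event whose file name matches a
    TI FileName indicator (case-insensitive), enriched with the indicator fields.
    Nothing is filtered out; an analyst is expected to triage the rows by hand."""
    by_name = {ind["FileName"].lower(): ind for ind in indicators}
    hits = []
    for ev in events:
        ind = by_name.get(ev["SourceFileName"].lower())
        if ind is not None:
            hits.append({**ev,
                         "IndicatorFileName": ind["FileName"],
                         "ConfidenceScore": ind["ConfidenceScore"],
                         "TIDescription": ind["Description"]})
    return hits


def noise_profile(hits):
    """Per indicator: how many events and how many distinct users it matched.
    A common file name hitting many unrelated users is the false-positive
    pattern that makes this join unsuitable as a scheduled rule."""
    counts = defaultdict(lambda: {"events": 0, "users": set()})
    for h in hits:
        counts[h["IndicatorFileName"]]["events"] += 1
        counts[h["IndicatorFileName"]]["users"].add(h["UserId"])
    return {name: {"events": c["events"], "distinct_users": len(c["users"])}
            for name, c in counts.items()}


def scheduled_rule(events, indicators, min_confidence=80, max_distinct_users=2):
    """Analytics-rule style: the same join, but it only produces alerts for
    high-confidence indicators that are not matching many unrelated users.
    The two thresholds are assumptions chosen for this example."""
    hits = ti_map_filename(events, indicators)
    profile = noise_profile(hits)
    return [h for h in hits
            if h["ConfidenceScore"] >= min_confidence
            and profile[h["IndicatorFileName"]]["distinct_users"] <= max_distinct_users]


if __name__ == "__main__":
    hunting = ti_map_filename(OFFICE_ACTIVITY, TI_FILE_INDICATORS)
    print(f"hunting query rows: {len(hunting)}")
    for name, p in noise_profile(hunting).items():
        print(f"  {name}: {p['events']} events, {p['distinct_users']} distinct users")
    alerts = scheduled_rule(OFFICE_ACTIVITY, TI_FILE_INDICATORS)
    print(f"scheduled rule alerts: {len(alerts)}")
    for a in alerts:
        print(f"  {a['UserId']} {a['Operation']} {a['SourceFileName']} ({a['TIDescription']})")
```

On the constructed data the hunting join returns five rows, four of them for "invoice.pdf" across three different users, which is exactly the kind of output a person has to read through; the scheduled variant alerts only on the single high-confidence macro-dropper upload. The same idea applies to any other noisy TI field (common domains, shared IP ranges): keep the raw join for hunting and add confidence and spread thresholds before promoting it to a scheduled analytics rule.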