Microsoft Tech Community

Threat hunting vs Analytics rule?


Hello,

What's the main difference between Threat hunting and analytics rules? They both work with queries and alerts.

Is there a difference?

Thanks

1 Reply
best response confirmed by Rod_Trent (Microsoft)
Solution

@FeintBE While there are many differences, I would say the main one would be that Analytic rules are run on a schedule or when another event occurs (like MCAS raising an alert). Hunting queries are run manually (without getting too much into LiveStream discussions).

I have also heard that Hunting queries will usually require a human to interpret the results and if they were made into Analytic rules there would be a lot of false positives. For example, there is a Hunting query called "Preview - TI map File entity to OfficeActivity Event" with the description "Identifies a match in OfficeActivity Event data from any FileName IOC from TI. As File name matches can create noise, this is best as hunting query".

I am sure there are other differences that I am missing. Hope this helps.

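An added illustration of the point made in the reply (written for this page; it is not the thread's content and not Microsoft's gallery query of that name): the first query is the broad TI-file-name-to-OfficeActivity match that suits hunting, the second is the narrowed shape you would want before scheduling it as an analytics rule. Table and column names are the standard Microsoft Sentinel schema; the confidence threshold, the benign-name list and the 1-hour window are assumptions.

```kql
// Hunting form: match every active TI file-name IOC against OfficeActivity
// file names. Generic names such as "invoice.pdf" also match benign activity,
// so the output is for an analyst to read, not to alert on.
let ioc_lookback = 14d;
let event_lookback = 1d;
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookback)
| where Active == true and ExpirationDateTime > now()
| where isnotempty(FileName)
| summarize arg_max(TimeGenerated, *) by IndicatorId   // latest version of each IOC
| extend IocFileName = tolower(FileName)
| join kind=innerunique (
    OfficeActivity
    | where TimeGenerated >= ago(event_lookback)
    | where isnotempty(SourceFileName)
    | extend EventFileName = tolower(SourceFileName)
  ) on $left.IocFileName == $right.EventFileName
| project EventTime = TimeGenerated1, UserId, Operation, ClientIP, OfficeObjectId,
          IocFileName, ConfidenceScore, ThreatType, Description

// Scheduled form: the same join, narrowed before it becomes an analytics rule.
// Assumed filters: confidence >= 70, a tenant-specific list of common benign
// names, and one row per user and file per run so one incident covers many events.
let benign_names = dynamic(["invoice.pdf", "document.docx", "setup.exe"]);  // assumed
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(14d)
| where Active == true and ExpirationDateTime > now()
| where isnotempty(FileName) and ConfidenceScore >= 70
| summarize arg_max(TimeGenerated, *) by IndicatorId
| extend IocFileName = tolower(FileName)
| where IocFileName !in (benign_names)
| join kind=innerunique (
    OfficeActivity
    | where TimeGenerated >= ago(1h)      // matches a 1-hour rule frequency and lookback
    | where isnotempty(SourceFileName)
    | extend EventFileName = tolower(SourceFileName)
  ) on $left.IocFileName == $right.EventFileName
| summarize FirstSeen = min(TimeGenerated1), LastSeen = max(TimeGenerated1),
            Hits = count(), Operations = make_set(Operation), ClientIPs = make_set(ClientIP)
    by UserId, IocFileName, ThreatType, ConfidenceScore
```

Run the two queries separately; the second is the shape that fits a scheduled rule with a 1-hour frequency and 1-hour lookback, while the first is what you would keep in the Hunting blade.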
