SOLVED

Threat hunting vs Analytics rule?

Occasional Contributor

Hello,

What's the main difference between Threat hunting and analytics rules? They both work with queries and alerts.

Is there a difference?

Thanks

1 Reply
Best Response confirmed by rodtrent (Microsoft)
Solution

@FeintBE While there are many differences, I would say the main one would be that Analytic rules are run on a schedule or when another event occurs (like MCAS raising an alert). Hunting queries are run manually (without getting too much into LiveStream discussions).

I have also heard that Hunting queries will usually require a human to interpret the results, and if they were made into Analytic rules there would be a lot of false positives. For example, there is a Hunting query called "Preview - TI map File entity to OfficeActivity Event" with the description "Identifies a match in OfficeActivity Event data from any FileName IOC from TI. As File name matches can create noise, this is best as hunting query".

I am sure there are other differences that I am missing. Hope this helps.
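To make the distinction in the reply concrete, here is an added example (not from the thread, and not Microsoft's KQL) written in Python: the same TI file-name join is run once in "hunting" form, which returns every raw match over any time range for an analyst to triage, and once in "scheduled analytics rule" form, which only looks at the rule's query window, applies an indicator confidence threshold and an exclusion list for noisy names, and collapses what is left into one alert per user and file. The event and indicator records are constructed sample data; their field names only loosely mirror the OfficeActivity and ThreatIntelligenceIndicator tables, and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Indicator:
    """Loose stand-in for a ThreatIntelligenceIndicator row with a file-name IOC."""
    file_name: str
    confidence: int        # like ConfidenceScore, 0-100
    active: bool
    expires: datetime


@dataclass(frozen=True)
class OfficeEvent:
    """Loose stand-in for an OfficeActivity row."""
    time: datetime
    user: str
    operation: str
    source_file: str
    client_ip: str


# Fixed "now" so the example is deterministic (constructed, not real telemetry).
NOW = datetime(2020, 3, 1, 12, 0, tzinfo=timezone.utc)


def minutes_ago(m):
    return NOW - timedelta(minutes=m)


# Constructed indicators: a generic name with low confidence, an inactive one,
# and two high-confidence ones.
INDICATORS = [
    Indicator("invoice.docm", 90, True, NOW + timedelta(days=30)),
    Indicator("setup.exe", 40, True, NOW + timedelta(days=30)),    # generic, low confidence
    Indicator("report.pdf", 95, False, NOW + timedelta(days=30)),  # not active
    Indicator("payload.hta", 95, True, NOW + timedelta(days=30)),
]

# Constructed events: one user touches invoice.docm twice, two users upload setup.exe,
# one matches an inactive indicator, one is 30 hours old, one matches nothing.
EVENTS = [
    OfficeEvent(minutes_ago(5), "alice@contoso.com", "FileDownloaded", "invoice.docm", "203.0.113.7"),
    OfficeEvent(minutes_ago(7), "alice@contoso.com", "FileAccessed", "invoice.docm", "203.0.113.7"),
    OfficeEvent(minutes_ago(30), "bob@contoso.com", "FileUploaded", "setup.exe", "198.51.100.4"),
    OfficeEvent(minutes_ago(40), "carol@contoso.com", "FileUploaded", "setup.exe", "198.51.100.9"),
    OfficeEvent(minutes_ago(50), "dave@contoso.com", "FileDownloaded", "report.pdf", "192.0.2.10"),
    OfficeEvent(minutes_ago(30 * 60), "erin@contoso.com", "FileDownloaded", "payload.hta", "192.0.2.11"),
    OfficeEvent(minutes_ago(3), "frank@contoso.com", "FileDownloaded", "notes.txt", "192.0.2.12"),
]


def active_file_indicators(indicators, now):
    """Pre-filter shared by both forms: active, unexpired indicators that carry a file name.
    Keyed by file name; if a feed has duplicates the last one wins (good enough here)."""
    return {i.file_name: i for i in indicators if i.active and i.expires > now and i.file_name}


def hunt_ti_file_matches(events, indicators, now=NOW):
    """Hunting form: every event whose file name equals a TI file-name IOC.
    No time window, no thresholds, no grouping: raw rows for a human to read."""
    iocs = active_file_indicators(indicators, now)
    return [(e, iocs[e.source_file]) for e in events if e.source_file in iocs]


def analytics_rule_ti_file(events, indicators, now=NOW, lookback=timedelta(hours=1),
                           min_confidence=70, noisy_names=frozenset()):
    """Scheduled-rule form of the same join. Only events inside the query window the
    rule runs over are considered; low-confidence indicators and tuned-out names are
    dropped; survivors collapse into one alert per (user, file) with an event count,
    which is what a rule can raise without a human reading every row."""
    iocs = active_file_indicators(indicators, now)
    window_start = now - lookback
    grouped = defaultdict(list)
    for e in events:
        if not (window_start <= e.time <= now):
            continue
        ioc = iocs.get(e.source_file)
        if ioc is None or ioc.confidence < min_confidence or e.source_file in noisy_names:
            continue
        grouped[(e.user, e.source_file)].append(e)
    alerts = []
    for (user, fname), evs in sorted(grouped.items()):
        alerts.append({
            "user": user,
            "file": fname,
            "confidence": iocs[fname].confidence,
            "count": len(evs),
            "client_ips": sorted({x.client_ip for x in evs}),
            "first_seen": min(x.time for x in evs),
            "last_seen": max(x.time for x in evs),
        })
    return alerts


if __name__ == "__main__":
    for event, ioc in hunt_ti_file_matches(EVENTS, INDICATORS):
        print("HUNT HIT ", event.time, event.user, event.operation, event.source_file, "conf", ioc.confidence)
    for alert in analytics_rule_ti_file(EVENTS, INDICATORS):
        print("RULE ALERT", alert)
```

Running it, the hunt returns five rows (both of alice's invoice.docm events, both setup.exe uploads, and erin's 30-hour-old payload.hta download), which is exactly the kind of list that needs a person to decide what matters. The rule returns a single aggregated alert for alice: erin's event is outside the one-hour window, the setup.exe matches fail the confidence threshold, and the inactive report.pdf indicator never joins. Dropping `min_confidence` to 0 makes the rule fire three alerts, which is the false-positive problem the reply describes; adding `setup.exe` to `noisy_names` is the usual tuning step that brings it back down.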