Threat hunting vs Analytics rule?


What's the main difference between Threat hunting and analytics rules? They both work with queries and alerts.


Is there a difference?

best response confirmed by rodtrent (Microsoft)

@FeintBE While there are many differences, I would say the main one would be that Analytic rules are run on a schedule or when another event occurs (like MCAS raising an alert). Hunting queries are run manually (without getting too much into LiveStream discussions).


I have also heard that Hunting queries will usually require a human to interpret the results and if they were made into Analytic rules there would be a lot of false positives. For example, there is a Hunting query called "Preview - TI map File entity to OfficeActivity Event" with the description "Identifies a match in OfficeActivity Event data from any FileName IOC from TI. As File name matches can create noise, this is best as hunting query".


I am sure there are other differences that I am missing.  Hope this helps.
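The noise point in the answer above, as an added example that is not part of the thread and not Microsoft Sentinel's own code: the same TI match is run two ways over a constructed set of file-activity events, once by file name (the kind of match the quoted hunting query description calls noisy) and once by file hash. A small scheduler function emulates an analytics rule (fixed lookback window, every hit is an alert), while a summary function emulates what a hunter would look at instead. All events, indicators, hash values and the `NOW` timestamp are constructed for the demo.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real OfficeActivity records). Hash values are fake.
OFFICE_EVENTS = [
    {"time": "2023-01-10T08:00:00", "user": "frank@example.com", "op": "FileUploaded",   "file": "old-loader.exe",        "sha256": "b6f1c0"},
    {"time": "2023-01-10T09:00:00", "user": "alice@example.com", "op": "FileUploaded",   "file": "invoice.pdf",           "sha256": "0a11ce"},
    {"time": "2023-01-10T09:30:00", "user": "bob@example.com",   "op": "FileDownloaded", "file": "invoice.pdf",           "sha256": "b0b0b0"},
    {"time": "2023-01-10T10:00:00", "user": "carol@example.com", "op": "FileAccessed",   "file": "invoice.pdf",           "sha256": "ca5015"},
    {"time": "2023-01-10T10:15:00", "user": "erin@example.com",  "op": "FileUploaded",   "file": "quarterly_report.xlsx", "sha256": "e51e51"},
    {"time": "2023-01-10T11:30:00", "user": "dave@example.com",  "op": "FileUploaded",   "file": "invoice.pdf",           "sha256": "deadc0"},
    {"time": "2023-01-10T11:45:00", "user": "gina@example.com",  "op": "FileDownloaded", "file": "setup.exe",             "sha256": "91a91a"},
]

# Constructed threat-intel indicators (not a real feed). One file-name IOC, one hash IOC,
# and one file-name IOC that has already expired and must be ignored.
TI_INDICATORS = [
    {"type": "filename", "value": "invoice.pdf",    "active": True, "expires": "2030-01-01T00:00:00"},
    {"type": "sha256",   "value": "deadc0",         "active": True, "expires": "2030-01-01T00:00:00"},
    {"type": "filename", "value": "old-loader.exe", "active": True, "expires": "2022-01-01T00:00:00"},
]

# Constructed "current time" for the demo so the lookback windows are reproducible.
NOW = datetime.fromisoformat("2023-01-10T12:00:00")


def _ts(value):
    return datetime.fromisoformat(value)


def active_values(indicators, kind, now):
    """Indicator values of one type that are active and not yet expired at `now`."""
    return {i["value"] for i in indicators
            if i["type"] == kind and i["active"] and _ts(i["expires"]) > now}


def match_by_filename(events, indicators, now):
    """Match events against file-name IOCs: cheap, but common names collide."""
    names = active_values(indicators, "filename", now)
    return [e for e in events if e["file"] in names]


def match_by_hash(events, indicators, now):
    """Match events against hash IOCs: precise, a hit identifies the exact file."""
    hashes = active_values(indicators, "sha256", now)
    return [e for e in events if e["sha256"] in hashes]


def scheduled_run(query, events, indicators, now, lookback_minutes):
    """Emulates an analytics rule: only the lookback window is queried, every hit is an alert."""
    start = now - timedelta(minutes=lookback_minutes)
    window = [e for e in events if start < _ts(e["time"]) <= now]
    return query(window, indicators, now)


def hunt_summary(matches):
    """Emulates the hunter's view: per matched file name, how many events, users and distinct hashes.

    Four distinct hashes behind one file name means four different files that merely share a
    name, which is what makes a file-name match noisy and worth a human look before alerting."""
    summary = {}
    for e in matches:
        row = summary.setdefault(e["file"], {"events": 0, "users": set(), "hashes": set()})
        row["events"] += 1
        row["users"].add(e["user"])
        row["hashes"].add(e["sha256"])
    return {name: {"events": r["events"], "users": len(r["users"]), "hashes": len(r["hashes"])}
            for name, r in summary.items()}


if __name__ == "__main__":
    # Hunting style: run over the whole retained data set, then read the summary.
    by_name = match_by_filename(OFFICE_EVENTS, TI_INDICATORS, NOW)
    by_hash = match_by_hash(OFFICE_EVENTS, TI_INDICATORS, NOW)
    print("file-name matches:", len(by_name), hunt_summary(by_name))
    print("hash matches:     ", len(by_hash), [e["user"] for e in by_hash])
    # Analytics-rule style: last 60 minutes, each returned row would become an alert.
    print("scheduled (hash, 60 min):", [e["user"] for e in scheduled_run(match_by_hash, OFFICE_EVENTS, TI_INDICATORS, NOW, 60)])
```

Over the full data set the file-name match returns four events for four different users and four different hashes, while the hash match returns the one event that carries the listed hash; the expired `old-loader.exe` indicator is ignored by both. That spread of distinct hashes behind a single name is the signal a hunter uses to decide which of the four, if any, deserves an incident, and it is the reason the quoted description recommends keeping such a query as a hunting query rather than scheduling it as an analytics rule.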