Threat hunting vs Analytics rule?

Hello,

What's the main difference between threat hunting and analytics rules? They both work with queries and alerts.

Is there a difference?

Thanks

Reply (best response, confirmed by Rod_Trent (Microsoft)):

@FeintBE While there are many differences, I would say the main one would be that Analytic rules are run on a schedule or when another event occurs (like MCAS raising an alert). Hunting queries are run manually (without getting too much into LiveStream discussions).

I have also heard that Hunting queries will usually require a human to interpret the results, and if they were made into Analytic rules there would be a lot of false positives. For example, there is a Hunting query called "Preview - TI map File entity to OfficeActivity Event" with the description "Identifies a match in OfficeActivity Event data from any FileName IOC from TI. As File name matches can create noise, this is best as hunting query."

I am sure there are other differences that I am missing. Hope this helps.
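To make the noise point above concrete, here is an added KQL example. It is not the thread's own query and not the Sentinel content repository's "Preview - TI map File entity to OfficeActivity Event" query; it shows the same idea, a threat-intelligence file-name indicator joined to OfficeActivity, in a form you can run as a hunting query, plus a switch (`rule_mode`) that applies the narrower filters you would want before promoting it to a scheduled analytics rule. It assumes the classic `ThreatIntelligenceIndicator` and `OfficeActivity` table schemas; the lookback windows, the confidence floor and the list of upload operations are illustrative values chosen for this example.

```kql
// Added example; not the thread's own query and not the Sentinel repo's
// "Preview - TI map File entity to OfficeActivity Event" query.
// Assumes the classic ThreatIntelligenceIndicator and OfficeActivity schemas.
let dt_lookBack  = 1h;    // event window; a scheduled rule would match this to its run frequency
let ioc_lookBack = 14d;   // how far back to collect indicators
// false = hunting mode: every file-name match, left for a human to triage
// true  = the narrower filter set you would want before this becomes an analytics rule
let rule_mode = false;
// Minimum indicator confidence and the Office operations that mean a file entered
// the tenant; both are illustrative choices for this example, not Microsoft defaults.
let min_confidence = 70;
let ingress_ops = dynamic(["FileUploaded", "FileSyncUploadedFull"]);
let TI_FileNames = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(FileName)
    | summarize arg_max(TimeGenerated, *) by IndicatorId   // keep only the latest copy of each indicator
    | project IndicatorId, FileName, FileHashValue, ConfidenceScore, ThreatType, Description;
OfficeActivity
| where TimeGenerated >= ago(dt_lookBack)
| where isnotempty(SourceFileName)
// Join on the file name only. This is the step that makes the query noisy:
// a name such as "invoice.pdf" is shared by many unrelated, benign files.
| join kind=inner TI_FileNames on $left.SourceFileName == $right.FileName
// In rule mode, drop low-confidence indicators and events that are not uploads,
// which removes most benign name collisions before a rule would alert on them.
| where not(rule_mode) or (ConfidenceScore >= min_confidence and Operation in (ingress_ops))
| project TimeGenerated, UserId, ClientIP, OfficeWorkload, Operation,
          SourceFileName, OfficeObjectId, IndicatorId, ConfidenceScore, ThreatType, Description
```

Run it from the Hunting blade with `rule_mode = false` and expect a wide result set that an analyst has to read through; flip `rule_mode` to `true`, set the scheduled rule's lookback to the same `dt_lookBack`, and the remaining rows are the ones worth an incident. Even in rule mode a file name is a weak key: `FileHashValue` is carried through only so the analyst can check the indicator's hash by hand, because OfficeActivity events do not carry a file hash to join on.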
