Hunts Vs Detections

My Perspective

Hunts

Correlations that could not be converted into a SIEM/Monitoring use-case and would require an analyst to evaluate the dataset to identify the anomalous or malicious activity occurring. These cannot be written as rules, and if written would yield the highest degree of false positives. These are Hunts. You might know what you are looking for, but you cannot write an alerting rule for it.

Detections

Correlations that could bleed into a SIEM/Monitoring use-case to work as a trigger for malicious action, yielding a high-confidence, true-positive ratio, are something I would call a Detection.

And the Thin line in between

To write a successful detection, you need to baseline, understand, correlate, define the strategy, negate benign activity, arrive at a triggering criterion, and convert it into a query the system understands. Most of this also happens when you drive a Hunt, so there are times when your Hunts could bleed into a detection use-case, and thus your Hunting team becomes a continuous research team that feeds quality detections to your Detection Engineering team.

This doesn't mean your Hunting team is idle or not working. Your Hunting team is designed to work proactively, far ahead of your detection team; they are picking up early signs that are not visible to the detection team. Both of them are supposed to work in harmony, but they serve different purposes within the SOC.
