


Open Season: Building a Threat Hunting Program with Open Source Tools

  • Friday, May 22, 2020 at 10:30 AM EDT (2020-05-22 14:30:00 UTC)
  • James Schweitzer, Ken Westin


  • Corelight




Threat hunting has been a hot topic for the past few years, yet many organizations have yet to build a threat hunting program. For some, the obstacle has been cost; for others, getting access to the right data sources. In this talk we will discuss open source data sources, in particular Zeek (formerly Bro) network logs, that can be paired with Elasticsearch to build a hunting program. We will also highlight several open source threat hunting projects that can speed up the development of your program.
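To make the Zeek-to-hunt pipeline concrete, here is an added example (not code from the webcast, Corelight, or Elastic) that runs two classic hunts directly over Zeek conn.log records in JSON form: periodic beaconing between a host pair, and unusually long-lived connections. The log lines are constructed for the example; the field names (ts, uid, id.orig_h, id.resp_h, duration, ...) follow Zeek's JSON log writer. In a deployed program the same grouping would be done as an Elasticsearch aggregation over id.orig_h and id.resp_h, but the hunt logic is the same.

```python
"""Hunt over Zeek conn.log (JSON) for beaconing and long-lived connections.

Added example: stand-alone Python over an inline, constructed sample. It is not
code from the webcast, Corelight, or Elastic.
"""
import json
import statistics
from collections import defaultdict

# Constructed Zeek conn.log lines (JSON writer field names). Not real traffic.
# 10.0.0.5 -> 203.0.113.7 connects every 300 s (a beacon); 10.0.0.8 -> 198.51.100.20
# is irregular browsing-like noise; 10.0.0.9 -> 192.0.2.44 is one long-lived session.
SAMPLE_CONN_LOG = """\
{"ts":1590000000.0,"uid":"C1","id.orig_h":"10.0.0.5","id.orig_p":50001,"id.resp_h":"203.0.113.7","id.resp_p":443,"proto":"tcp","service":"ssl","duration":0.4,"orig_bytes":512,"resp_bytes":128,"conn_state":"SF"}
{"ts":1590000300.0,"uid":"C2","id.orig_h":"10.0.0.5","id.orig_p":50002,"id.resp_h":"203.0.113.7","id.resp_p":443,"proto":"tcp","service":"ssl","duration":0.5,"orig_bytes":512,"resp_bytes":130,"conn_state":"SF"}
{"ts":1590000600.0,"uid":"C3","id.orig_h":"10.0.0.5","id.orig_p":50003,"id.resp_h":"203.0.113.7","id.resp_p":443,"proto":"tcp","service":"ssl","duration":0.4,"orig_bytes":512,"resp_bytes":128,"conn_state":"SF"}
{"ts":1590000900.0,"uid":"C4","id.orig_h":"10.0.0.5","id.orig_p":50004,"id.resp_h":"203.0.113.7","id.resp_p":443,"proto":"tcp","service":"ssl","duration":0.4,"orig_bytes":512,"resp_bytes":128,"conn_state":"SF"}
{"ts":1590001200.0,"uid":"C5","id.orig_h":"10.0.0.5","id.orig_p":50005,"id.resp_h":"203.0.113.7","id.resp_p":443,"proto":"tcp","service":"ssl","duration":0.6,"orig_bytes":512,"resp_bytes":132,"conn_state":"SF"}
{"ts":1590001500.0,"uid":"C6","id.orig_h":"10.0.0.5","id.orig_p":50006,"id.resp_h":"203.0.113.7","id.resp_p":443,"proto":"tcp","service":"ssl","duration":0.4,"orig_bytes":512,"resp_bytes":128,"conn_state":"SF"}
{"ts":1590000010.0,"uid":"C7","id.orig_h":"10.0.0.8","id.orig_p":51001,"id.resp_h":"198.51.100.20","id.resp_p":443,"proto":"tcp","service":"ssl","duration":2.1,"orig_bytes":1400,"resp_bytes":90210,"conn_state":"SF"}
{"ts":1590000075.0,"uid":"C8","id.orig_h":"10.0.0.8","id.orig_p":51002,"id.resp_h":"198.51.100.20","id.resp_p":443,"proto":"tcp","service":"ssl","duration":1.3,"orig_bytes":900,"resp_bytes":40500,"conn_state":"SF"}
{"ts":1590000400.0,"uid":"C9","id.orig_h":"10.0.0.8","id.orig_p":51003,"id.resp_h":"198.51.100.20","id.resp_p":443,"proto":"tcp","service":"ssl","duration":5.7,"orig_bytes":2200,"resp_bytes":310000,"conn_state":"SF"}
{"ts":1590000950.0,"uid":"C10","id.orig_h":"10.0.0.8","id.orig_p":51004,"id.resp_h":"198.51.100.20","id.resp_p":443,"proto":"tcp","service":"ssl","duration":0.9,"orig_bytes":700,"resp_bytes":12000,"conn_state":"SF"}
{"ts":1590001100.0,"uid":"C11","id.orig_h":"10.0.0.8","id.orig_p":51005,"id.resp_h":"198.51.100.20","id.resp_p":443,"proto":"tcp","service":"ssl","duration":3.2,"orig_bytes":1800,"resp_bytes":150000,"conn_state":"SF"}
{"ts":1590000050.0,"uid":"C12","id.orig_h":"10.0.0.9","id.orig_p":52001,"id.resp_h":"192.0.2.44","id.resp_p":8443,"proto":"tcp","service":"ssl","duration":7260.0,"orig_bytes":48000,"resp_bytes":3500,"conn_state":"S1"}
"""


def parse_conn_log(text):
    """Parse newline-delimited JSON conn.log records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a hunt should tolerate a truncated trailing line, not crash
    return records


def group_by_pair(records):
    """Bucket connections by (originator, responder) host pair."""
    pairs = defaultdict(list)
    for rec in records:
        pairs[(rec["id.orig_h"], rec["id.resp_h"])].append(rec)
    return pairs


def find_beacons(records, min_conns=5, max_cv=0.1):
    """Flag host pairs whose inter-connection intervals are nearly constant.

    cv = population stdev / mean of the gaps between sorted ts values; 0.0 means
    perfectly periodic. max_cv is the jitter tolerance (10% by default).
    """
    hits = []
    for (orig, resp), conns in group_by_pair(records).items():
        if len(conns) < min_conns:
            continue
        ts = sorted(float(c["ts"]) for c in conns)
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        mean_gap = statistics.fmean(gaps)
        if mean_gap <= 0:
            continue  # duplicate timestamps, not a beacon
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            hits.append({"orig": orig, "resp": resp, "count": len(conns),
                         "mean_interval": round(mean_gap, 1), "cv": round(cv, 3)})
    return hits


def find_long_connections(records, min_duration=3600.0):
    """Return uids of connections whose Zeek 'duration' is at least min_duration seconds.

    'duration' is absent for connections Zeek never saw complete, so guard for None.
    """
    return [r["uid"] for r in records
            if r.get("duration") is not None and float(r["duration"]) >= min_duration]


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for hit in find_beacons(recs):
        print("possible beacon:", hit)
    print("long-lived connections:", find_long_connections(recs))
```

Point the script at a real conn.log by replacing SAMPLE_CONN_LOG with the file contents; the thresholds (min_conns, max_cv, min_duration) are the knobs a hunter tunes per environment, and the irregular 10.0.0.8 pair shows why a count alone is not enough to call something a beacon.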

Speaker Bios

James Schweitzer

James Schweitzer is the East and Federal SE Director at Corelight. Previously, he worked at The MITRE Corporation in the security center for over a decade supporting multiple US Government agencies. James is a graduate of Virginia Tech and The George Washington University.

Ken Westin

Ken Westin is currently Director of ITOA and Security Solutions at Elastic (elastic.co). He has spent his career helping organizations aggregate, analyze and operationalize disparate security data sources to identify and mitigate threats in various forms. In his past he has developed and utilized tools and techniques to hunt criminals, even unveiling multiple organized crime groups in the process. He has presented at DEFCON, Black Hat, RSA, many BSides and other security conferences around the world. His work has been featured by Wired, Forbes, Bloomberg, Good Morning America and many other media outlets.

