
Open Season: Building a Threat Hunting Program with Open Source Tools

  • Friday, May 22, 2020 at 10:30 AM EDT (2020-05-22 14:30:00 UTC)
  • James Schweitzer, Ken Westin
  • Corelight



Threat hunting has been a hot topic for the past few years, yet many organizations have still not built a threat hunting program. For some, the obstacle has been cost; for others, getting access to the right data sources. In this talk we will discuss open source data sources, including key sources such as Zeek/Bro, that can be used along with Elasticsearch to build a hunting program. We will also highlight several open source threat hunting projects to help speed up the development of your program.

Speaker Bios

James Schweitzer

James Schweitzer is the East and Federal SE Director at Corelight. Previously, he worked at The MITRE Corporation in the security center for over a decade supporting multiple US Government agencies. James is a graduate of Virginia Tech and The George Washington University.

Ken Westin

Ken Westin is currently Director of ITOA and Security Solutions at Elastic. He has spent his career helping organizations aggregate, analyze and operationalize disparate security data sources to identify and mitigate threats in various forms. In his past he has developed and utilized tools and techniques to hunt criminals, even unveiling multiple organized crime groups in the process. He has presented at DEFCON, Black Hat, RSA, many BSides and other security conferences around the world. His work has been featured by Wired, Forbes, Bloomberg, Good Morning America and many other media outlets.
