Learn cyber security skills you can implement immediately! Seven courses offered Jan. 20-25 in Anaheim, CA


To attend this webcast, login to your SANS Account or create your Account.

Windows Defender ATP’s Advanced Hunting: Using Flexible Queries to Hunt Across Your Endpoints

  • Friday, July 27th, 2018 at 1:00 PM EDT (17:00:00 UTC)
  • Matt Bromiley & Jonathan Bar Or
This webcast has been archived. You can view the webcast presentation and download the slides by logging into your SANS Portal Account or creating an Account. Click the Register Now button after you have logged in to view the Webcast.


  • Microsoft

You can now attend the webcast using your mobile device!


Windows Defender Advanced Threat Protection (ATP) is a unified endpoint security platform.

Often times SecOps teams would like to perform proactive hunting or perform a deep-dive on alerts, and with Windows Defender ATP they can leverage raw events in order to perform these tasks efficiently.

This Webcast will share how Windows Defender ATP exposes raw events and more importantly - how to query these events efficiently. Learn how to query terabytes of data in matter of seconds to help analysts determine threats and alerts on your network.

Attendees will learn:

* Efficiently hunting for big data using Kusto Query Language

* Dissect and interpret interesting information from attacks

* Perform a live deep-dive on a file-less malware attack and extract important attribution

Speaker Bios

Matt Bromiley

Matt Bromiley is a SANS digital forensics and incident response (IR) instructor, teaching FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics and SANS FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response. He is also an IR consultant at a global IR and forensic analysis company, combining experience in digital forensics, log analytics, and incident response and management. His skills include disk, database, memory and network forensics; incident management; threat intelligence and network security monitoring. Matt has worked with organizations of all shapes and sizes, from multinational conglomerates to small, regional shops. He is passionate about learning, teaching and working on open source tools.

Jonathan Bar Or

Jonathan Bar Or (“JBO”) is a security researcher in Microsoft, working in the security industry over 10 years.

He has worked mostly on offensive security research on multiple platforms and architectures, and has recently shifted to defensive security research for WDATP.

Need Help? Visit our FAQ page or email webcast-support@sans.org.

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.