Practice New Skills with 4 Months of Free Core NetWars Continuous - Special Offer Ends 11/4!


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

Windows Defender ATP’s Advanced Hunting: Using Flexible Queries to Hunt Across Your Endpoints

  • Friday, July 27, 2018 at 1:00 PM EDT (2018-07-27 17:00:00 UTC)
  • Matt Bromiley, Jonathan Bar Or


  • Microsoft

You can now attend the webcast using your mobile device!



Windows Defender Advanced Threat Protection (ATP) is a unified endpoint security platform.

Often times SecOps teams would like to perform proactive hunting or perform a deep-dive on alerts, and with Windows Defender ATP they can leverage raw events in order to perform these tasks efficiently.

This Webcast will share how Windows Defender ATP exposes raw events and more importantly - how to query these events efficiently. Learn how to query terabytes of data in matter of seconds to help analysts determine threats and alerts on your network.

Attendees will learn:

* Efficiently hunting for big data using Kusto Query Language

* Dissect and interpret interesting information from attacks

* Perform a live deep-dive on a file-less malware attack and extract important attribution

Speaker Bios

Matt Bromiley

Matt Bromiley is a SANS digital forensics and incident response (IR) instructor, teaching FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics and SANS FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response. He is also an IR consultant at a global IR and forensic analysis company, combining experience in digital forensics, log analytics, and incident response and management. His skills include disk, database, memory and network forensics; incident management; threat intelligence and network security monitoring. Matt has worked with organizations of all shapes and sizes, from multinational conglomerates to small, regional shops. He is passionate about learning, teaching and working on open source tools.

Jonathan Bar Or

Jonathan Bar Or (“JBO”) is a security researcher in Microsoft, working in the security industry over 10 years.

He has worked mostly on offensive security research on multiple platforms and architectures, and has recently shifted to defensive security research for WDATP.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.