Going beyond basic perimeter defense, Threat Hunting is a proactive approach to finding nation state-level Advanced Persistent Threats (APTs) that hide below the alert threshold of traditional network defenses. Learn how to overcome the legacy challenge of relying upon voluminous and often encrypted network data, like Packet Captures (PCAP), to detect adversaries and transform Hunt operations by leveraging Endpoint Detection and Response (EDR) telemetry data, and knowledge of APT behaviors, to find advance threat actors targeting your organization. Vendor-agnostic use cases and analytics from both private and public sector hunts will provide context for relevant application to any organization. In this talk, we will provide a framework for planning and executing hunts and discuss why focusing on EDR telemetry data can add more value than network data. We’ll also demonstrate how to use intelligence sources to inform collection management and threat hunting use cases, while providing insight on how to scale your threat hunting operations through automation. The techniques covered in this talk can be used against a variety of data sources and are vendor agnostic. Because Threat Hunting can be both an art and a science, the barrier for entry for many organizations is high. Even when a mature state has been reached, some are left thinking “now what?”. Hunters must balance intuition with reputability by documenting hunts and applying the MITRE ATT&CK framework, but they must also feed the beast by constantly leaning on and learning from Cyber Threat Intelligence (CTI), Incident Response (IR), and Red Teaming operations to inform analytical use cases to drive their hunt focus. Key Takeaways • An understanding of what endpoint threat hunting is and is not • How to identify and create threat hunting analytics • Detailed analyses of six (6) vendor-agnostic hunt use cases and the associated analytics that attendees can take back and implement in their own environments.