My “Aha!” Moment – Methods, Tips, & Lessons Learned in Threat Hunting – SANS THIR Summit 2019

This presentation is designed as a personal journey through threat hunting to inspire others to embrace certain methods, tips, and lessons learned. When John Stoner joined this Splunk team in 2017, the team started working on the second version of what it called “Boss of the SOC” (BOTS). John will share his team’s journey in threat hunting as it attempted to figure out where to start, at times found itself getting tangled in the data, and overcame distractions encountered during the hunting process. He’ll cover how the team was able to conduct hunts, and he’ll share some thoughts on gap analysis and operationalizing these findings. The presentation will also include some cautionary tales to help the threat hunting community assist security operations with operationalizing hunt data and not take all the great work that is out there and oversimplify it in such a way that it loses its impact. Attendees will come away with a better understanding of how to create a hunting hypothesis, build “guard rails” into your hunt to stay focused, and take hunting output and operationalize it. We’ll also examine the importance of conducting gap analysis as part of the hunting activity to support the efforts of operations. Attendees will receive a data set and instructional application that they can take home and play with!

John Stoner @stonerpsu, Principal Security Strategist, Splunk


  1. Jupiter Black on December 9, 2020 at 10:21 pm

    Thank you he explain CTI at a 5th grade level for me. Good presentation

  2. Nishanth iz on December 9, 2020 at 10:22 pm

    Is it advisable to enable FTP access to open internet.I have never seen its open unless its to a Dedicated client.Hence wanted to know how the FTP access worked fine.

  3. John Doe on December 9, 2020 at 10:35 pm

    Excellent information. Thank you for sharing!

Leave a Comment