CypherCon 2023

Defender Advanced Threat Hunting: More than meets the Eye

Michael “Shecky” Kavka 


Everyone knows about Microsoft Defender by now. It is an EDR that is pretty effective. Inside of it there is the Advanced Hunting Query area, meant to allow for creating detections Using the Kusto Query Language(KQL). The same language is used in Microsoft Sentinel, Azure Log Analytics and other Microsoft Products. There is more to it though.

I am going over some basics using Queries I have created. Through this we will see that you can use Microsoft Defender for more than just Threat Hunting, but say finding missing security software on a machine. We will also talk about some of the downsides of Defender’s data.

Michael “Shecky” Kavka

CypherCon Lifer!

Michael “Shecky” Kavka has been in the professional world of IT for over 25 years and focused specifically on Information Security – Blue Team Disciplines for the past 6 and has earned the CISSP and GCIH certifications. He started programing computers as a child in the early 80’s and by 1986 found a love of cyber security which his High School Computer Administrator (of the PDP 11+ system they had) encouraged, having him and a friend do a 6-week teaching of security after finishing the AP Computer exam his senior year. Besides currently working as a Senior Security Engineer and SOC analyst for a privately owned trading company, Shecky has spoken at B-Sides Chicago, Cyphercon, CircleCityCon, and PancakesCon. He is a volunteer for Hak4Kidz, working with the next generation of cyber security practitioners and is an organizer of Chicago’s Burbsec and Chicago Loop Infosec meetups. Outside of the world if information security you will find him with his family and enjoying his hobbies of photography and model trains. You can find him on Twitter @SiliconShecky and his blog at