How do you find malicious activity? We often resort to the cliche, “you know it when you see it”, but how do you even “see it”, without drowning in data? MITRE’s ATT&CK organizes adversary behavior and orients our approach to telemetry. With the Event Query Language (EQL), a security analyst can naturally express queries for IOC search, hunting, and behavioral detections, while remaining platform and data source agnostic. In this talk, I will demonstrate the iterative process of establishing situational awareness, creating targeted detections, and hunting for the adversary in your environment with real data, queries, and results.