FireEye Alert Analysis and Endpoint Investigations

This 3-day course examines how to triage alerts generated by FireEye Network Security, derive actionable information from those alerts, and apply the fundamentals of live analysis to investigate the associated endpoints.

Hands-on activities span the entire analysis and live investigation process, beginning with a FireEye-generated alert, leading to discovery and analysis of the host for evidence of malware and other unwanted intrusion. Analysis will be performed using FireEye products and freely available tools.

For FireEye Endpoint Security customers, activities focus on investigation techniques using features such as the Triage Summary and Audit Viewer.

Learning Objectives

After completing this course, learners should be able to:

  • Recognize current malware threats and trends
  • Interpret alerts from FireEye Network and Endpoint Security products
  • Locate and use critical information in FireEye alerts to assess a potential threat
  • Define IOCs based on a FireEye alert and identify compromised hosts
  • Describe methods of live analysis
  • Create and request data acquisitions to conduct an investigation
  • Define common characteristics of Windows processes and services
  • Investigate a Redline® triage collection using a defined methodology
  • Identify malicious activity hidden among common Windows events
  • Validate and provide further context for alerts using Redline®

Instructor-Led Training

Seats for our public ILT sessions can be purchased online; refer to our public training schedule for more information.

Private training sessions are available for teams of 5 or more. Please contact your FireEye account manager for availability and pricing.

Who Should Attend

Network security professionals and incident responders who must use FireEye to detect, investigate, and prevent cyber threats.

Duration

3 days

Prerequisites

A working understanding of networking and network security; the Windows operating system, file system and registry; regular expressions; and experience scripting in Python.

Recommended Pretraining

FireEye Network Security Deployment eLearning
*FireEye Endpoint Security Deployment eLearning

Course Outline

Instructor-led sessions are typically a blend of lecture and hands-on lab activities.

Day 1

  1. Threats and Malware Trends
    • Threat Landscape
    • Using the Mandiant Attack Framework
    • Threat Profiles and Fin7 Case Study
    • Mapping attacker activity to the stages of an APT attack
  2. Initial Alerts
    • FireEye Endpoint Security Alerts
    • Triage with Triage Summary
    • FireEye Network Security Alerts
    • MVX engine
    • Mapping artifacts in an alert to events recorded by the FireEye agent
  3. MVX Alerts
    • FireEye alert types
    • Identifying forensic artifacts in the OS Change alert detail
    • Callbacks
    • SmartVision
    • Threat Assessment

Day 2

  1. Knowing Your Operating System
    • Common system processes and attributes
    • Identifying malicious processes
    • Windows Registry
    • Services and Tasks
    • Windows Event Logs
    • Audit Viewer and Redline
  2. Data Acquisitions
    • Live Forensics Overview
    • Data Collection Options
    • Choosing Data to Acquire
  3. FireEye Intelligence
    • Intelligence Context for FireEye Alerts
    • Analysis Tools in the FireEye Intelligence Portal

Optional Content

  1. Malware Analysis
    • Static Analysis
    • Dynamic Analysis
    • MVX Malware Analysis
  2. Custom Detection Rules
    • Yara Malware Framework
    • Snort Rules

Day 3

  1. Investigation Methodology
    • Areas of Evidence
    • MITRE ATT&CK Framework
    • Mapping evidence to Attacker Activity

Optional Content

  1. Memory Analysis
    • Collating evidence
    • Memory Analysis
  2. Using Redline® and Audit Viewer
    • Navigate a data acquisition using Redline®
    • Navigate a data acquisition using Audit Viewer*
  3. FireEye: Extended Capabilities
    • FireEye Market
    • Open IOC Editor
    • HXTool*
    • Endpoint Security REST API*

*Content only included for customers with FireEye Endpoint Security