FireEye Helix

This four-day entry-level primer on FireEye Helix covers the Helix workflow, from triaging Helix alerts to creating and scoping cases and using Helix and Endpoint Security tools to conduct investigative searches across the enterprise.

Hands-on activities include writing MQL searches as well as analyzing and validating Helix, Network Security and Endpoint Security alerts.

Learning Objectives

After completing this course, learners should be able to:

  • Identify the components needed to deploy Helix
  • Determine which data sources are most useful for Helix detection and investigation
  • Locate and use critical information in a Helix alert to assess a potential threat
  • Comfortably switch between the Helix web console and other FireEye interfaces
  • Validate Network Security and Endpoint Security alerts
  • Use specialized features of Network Security and Endpoint Security to investigate and respond to potential threats across enterprise systems and endpoints

Instructor-Led Training

Seats for our public ILT sessions can be purchased online; refer to our public training schedule for more information.

Private training sessions are available for teams of 5 or more. Please contact your FireEye account manager for availability and pricing.

Who Should Attend

Incident response team members, threat hunters and information security professionals.

Duration

4 days

Note: The online courses must be completed prior to the start of the instructor-led sessions.

Prerequisites

A working understanding of networking and network security, the Windows operating system, file system, registry, and use of the command line interface (CLI).

Course Outline

Instructor-led sessions are typically a blend of lecture and hands-on lab activities.

E-Learning Modules

To be completed prior to Day 1 of instructor-led class sessions

Network Security (NX) for Helix
Estimated duration: 40 minutes

  • Appliance Introduction
  • Threat Management
  • FireEye NX series Platform with IPS Features

Central Management (CM) for Helix
Estimated duration: 30 minutes

  • Appliance Introduction
  • CM Threat Management

FireEye Endpoint Security for Analysts
Estimated duration: 60 minutes

  • Introduction to FireEye Endpoint Security
  • Alerts and Rules
  • Containment
  • Searches and Acquisitions

Day 1

  1. Helix Overview and Architecture
    • Helix Web UI
    • Helix workflow
    • Helix Architecture
    • 3rd party data sources
    • FireEye technologies stack
    • Cloud integrations
  2. Helix Fundamentals
    • Features and capabilities
    • Searching and pivoting
    • Event parsing
    • Custom dashboards
  3. Search and MQL (Mandiant Query Language)
    • Searchable fields
    • Anatomy of an MQL search
    • MQL search, directories, and transform clauses

Optional Content:

  1. Deployment and IAM
    • User Management
    • Role-based Access
    • Deployment scenarios
    • Configuring 3rd party event collection

Day 2

  1. Rules & Lists
    • Best practices for writing rules
    • Creating and enabling rules
    • Creating and using lists
    • Using regular expressions in rules
    • Multi-stage rules
  2. Initial Alerts
    • Helix Alerts
    • Guided Investigations
    • Network Security Alerts
    • MVX engine
    • Endpoint Security Alerts
    • Triage with Triage Summary
    • Run searches across all hosts in the enterprise
  3. FireEye iSight Intelligence Portal
    • Intelligence Context in Helix
    • Analysis Tools
  4. Case Management
    • Creating a case in Helix
    • Adding events to a case
    • Case workflow

Day 3

  1. Data Source Selection and the Mandiant Attack Lifecycle
    • Data sources for detection and investigation
    • Attack models to frame data source selection
    • Using the Mandiant Attack Framework
    • Mapping attacker activity to the stages of an APT attack
  2. Knowing Your Operating System
    • Common system processes and attributes
    • Identifying malicious processes
    • Windows Registry
    • Services and Tasks
    • Windows Event Logs
    • Audit Viewer and Redline
  3. Data Acquisitions
    • Acquiring data using Endpoint Security
    • Redline collections
    • Other acquisition methods, such as PowerShell
    • Locations of evidence as they map to the Mandiant Attack Lifecycle

Day 4

  1. Investigation Methodology
    • Areas of Evidence
    • Mapping evidence to Attacker Activity

Optional Content:

  1. Using Redline®
    • Access triage collections for hosts for offline analysis
    • Navigate a data acquisition using Redline®
    • Apply tags and comments
  2. Using Audit Viewer
    • Navigate a data acquisition using Audit Viewer
    • Apply tags and comments
  3. Endpoint Security: Extended Capabilities
    • FireEye Market
    • Open IOC Editor
    • HXTool
    • Endpoint Security REST API