Helix Threat Analytics

This course covers the Helix work flow, triaging Helix alerts, creating and scoping cases from an alert, and using Helix Threat Analytics during investigation.

Hands-on activities include writing MQL searches, as well as analyzing and validating Helix alerts.

Learning Objectives

After completing this course, learners should be able to:

  • Determine which data sources are most useful for Helix detection and investigation
  • Search log events across the enterprise
  • Locate and use critical information in a Helix alert to assess a potential threat
  • Create a case from events of interest
  • Create and manage IAM users

 Instructor-Led Training

Seats for our public ILT sessions can be purchased online; refer to our public training schedule for more information.

Private training sessions are available for teams of 5 or more. Please contact your FireEye account manager for availability and pricing.

Who Should Attend

Network security professionals, incident responders and FireEye administrators and analysts who must work with Threat Analytics to analyze data in noisy event streams.


2 days


A working understanding of networking and network security, the Windows operating system, file system, registry, and use of the command line interface (CLI).

Course Outline

Instructor-led sessions are typically a blend of lecture and hands-on lab activities.

Day 1
  1. Helix Overview
    • The changing threat landscape
    • Challenges with contemporary security operations
    • Threat Analytics Web UI
    • Helix workflow
  2. Helix Architecture
    • Cloud Collector; event ingestion from logs
    • FireEye technologies stack
    • Amazon Web Services and Helix
    • Deployment scenarios
  3. Identity and Access Management (IAM)
    • Single-sign on options
    • User management and role-based access
    • IAM enrollment
    • Helix settings
  4. Helix Fundamentals
    • Features and capabilities
    • Searching and pivoting
    • Event parsing
    • Custom dashboards
  5. Data Source Selection
    • Data sources for detection and investigation
    • Attack models to frame data source selection
    • Mandiant Attack Model
    • Silent log detection
Day 2
  1. Search and MQL (Mandiant Query Language)
    • Searchable fields
    • Anatomy of an MQL search
    • MQL search, directive, and transform clauses
  2. Rules & Lists
    • Best practices for writing rules
    • Creating and enabling rules
    • Creating and using lists
    • Using regular expression in rules
    • Multi-stage rules
  3. Alerts
    • Alerting
    • Alert Components
    • Guided Investigations
    • Managing alerts
  4. FireEye iSight Intelligence Portal
    • Intelligence Context in Helix
    • Analysis Tools
  5. Helix Case Management
    • Creating a case in Helix
    • Adding events to a case
    • Case workflow
  6. Hunting with Helix
    • Begin to craft more complex Helix queries
    • Proactively hunt for evil without relying on alerts
Scroll to Top