Investigations with FireEye Endpoint Security

This course covers the fundamentals of live analysis forensics and investigation for endpoints.

Hands-on activities span the entire forensics process, beginning with a FireEye-generated alert, leading to discovery and analysis of the host for evidence of malware and other unwanted intrusion. Analysis of computer systems will be performed using FireEye products and freely available tools.

For FireEye Endpoint Security customers, activities focus on investigation techniques using features such as the Triage Summary and Audit Viewer. Optionally, students can work with the API to automate actions and explore integrating FireEye Endpoint Security with other systems.

Learning Objectives

After completing this course, learners should be able to:

  • Describe methods of live analysis
  • Use core analyst features of Endpoint Security such as alerting, enterprise search, and containing endpoints
  • Investigate a Redline triage package using a defined methodology
  • Validate and provide further context for FireEye alerts
  • Identify malicious activity hidden among common Windows events

Instructor-Led Training

Seats for our public ILT sessions can be purchased online; refer to our public training schedule for more information.

Private training sessions are available for teams of 5 or more. Please contact your FireEye account manager for availability and pricing.

Who Should Attend

Network security professionals and incident responders who must use FireEye Endpoint Security to investigate, identify and stop cyber threats.

Duration

2 days

Prerequisites

Completion of the Endpoint Security Deployment course. A working understanding of networking and network security, the Windows operating system, file system, registry and regular expressions, and experience scripting in Python.

Course Outline

Instructor-led sessions are typically a blend of lecture and hands-on lab activities.

Day 1

  1. Framing an Investigation: Mandiant Attack Lifecycle and Fin7 Case Study
    • Using the Mandiant Attack Framework
    • Mapping attacker activity to the stages of an APT attack
  2. Initial Alerts
    • Helix Alerts
    • FireEye Endpoint Security Alerts
    • Triage and Triage Summary
    • FireEye Network Security Alerts
    • Identifying forensic artifacts in the OS Change detail
    • Mapping artifacts in an alert to events recorded by the FireEye agent
  3. Knowing Your Operating System
    • Common system processes and attributes
    • Identifying malicious processes
    • Windows Registry
    • Services and Tasks
    • Windows Event Logs
    • Audit Viewer and Redline

Day 2

  1. Investigation Methodology
    • Areas of Evidence
    • MITRE ATT&CK Framework
    • Mapping evidence to Attacker Activity
  2. Data Acquisitions
    • Acquiring data using Endpoint Security
    • Redline collections
    • Other acquisition methods, such as PowerShell
    • Locations of evidence as they map to the Mandiant Attack Lifecycle

Optional Content

  1. Using Redline
    • Access triage collections for hosts for offline analysis
    • Navigate a data acquisition using Redline
    • Apply tags and comments
  2. Using Audit Viewer
    • Navigate a data acquisition using Audit Viewer
    • Apply tags and comments
  3. Endpoint Security: Extended Capabilities
    • FireEye Market
    • Open IOC Editor
    • HXTool
    • Endpoint Security REST API
  4. Memory Analysis
    • Collating evidence
    • Memory Analysis