Endpoint Triage

In this installment of the Tips and Insights series, Jason Forcht explains how to read a FireEye Endpoint triage report. These reports allow a security analyst to easily investigate a possible compromise.

Hello, I’m Jason Forcht and I’m a Consulting Systems Engineer at FireEye. I’d like to give you a quick tip on how to read a FireEye Endpoint triage report. If you’re a security analyst, the FireEye triage report provides a very easy way to investigate the events around a compromise and increases the speed at which analysts can determine whether a compromise actually occurred.

When the triage summary comes up, it gives us the triage summary name and the computer name that this is a triage summary for. As we read down the left-hand side of the screen, we can see the alerting process. In this case, Internet Explorer is the alerting process where we detected exploit code. We can also see any descendant processes that were spun up by Internet Explorer. We can also see the parent processes that actually called Internet Explorer, and we can see exploit code there and exploit code in one of the descendants. When we read the triage summary, we can see Internet Explorer is the process we’re reading, when it was started (the date and time), as well as the command line that was used in order to spin it up.

Below that we have the swim lanes. The swim lanes signify the different events that occurred within the endpoint security log file. The swim lanes are an easy way to read those log files: they give us a focused timeline of events, which shows us the exploit code, the actual alerts that occurred (signified with the red dot), and the events that occurred immediately before as well as the events that occurred immediately after the alert. This gives us a focused timeline of events so we can see everything that occurred. In this case we see exploit code occurred. We see the exploit occurred in a process. But we also see that this device made some network communications immediately before the code. If we click on the network swim lane, it brings up the network traffic.

So I can see any network communications that this machine made immediately before the exploit occurred. This gives you an overview of how you can find the most important information. More FireEye products tips and insights.
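The reading order Jason describes (start from the alerting process, walk up to its parents and down to its descendants, then look at a focused window of events around the alert, especially network connections made just before it) can be reproduced over a small event log. The Python below is an added example for this page; it is not code from the video, from FireEye, or from the triage report's real file format. The record layout, field names, PIDs and sample values are all constructed for illustration, and the two-minute window is an arbitrary assumption.

```python
"""Focused endpoint triage over a constructed sample event log (not FireEye's format)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample endpoint log. Every record carries a timestamp, a swim lane
# (process / network / file / alert), the process it belongs to, and a detail
# string (the command line for process-start events). Values are made up.
SAMPLE_EVENTS = [
    {"ts": "2019-03-04T10:00:00", "lane": "process", "pid": 100, "ppid": 1,
     "image": "explorer.exe", "detail": "explorer.exe"},
    {"ts": "2019-03-04T10:01:00", "lane": "process", "pid": 200, "ppid": 100,
     "image": "iexplore.exe", "detail": "iexplore.exe http://example.test/"},
    {"ts": "2019-03-04T10:01:20", "lane": "network", "pid": 200, "ppid": 100,
     "image": "iexplore.exe", "detail": "TCP 203.0.113.10:80"},
    {"ts": "2019-03-04T10:01:25", "lane": "network", "pid": 200, "ppid": 100,
     "image": "iexplore.exe", "detail": "TCP 198.51.100.7:443"},
    {"ts": "2019-03-04T10:01:30", "lane": "alert", "pid": 200, "ppid": 100,
     "image": "iexplore.exe", "detail": "exploit code detected"},
    {"ts": "2019-03-04T10:01:35", "lane": "process", "pid": 300, "ppid": 200,
     "image": "cmd.exe", "detail": "cmd.exe /c dir"},
    {"ts": "2019-03-04T10:01:40", "lane": "file", "pid": 300, "ppid": 200,
     "image": "cmd.exe", "detail": "write C:\\Users\\Public\\a.tmp"},
    {"ts": "2019-03-04T10:01:45", "lane": "alert", "pid": 300, "ppid": 200,
     "image": "cmd.exe", "detail": "exploit code detected"},
    # Unrelated activity well outside the alert window; should not appear in the timeline.
    {"ts": "2019-03-04T10:20:00", "lane": "network", "pid": 400, "ppid": 100,
     "image": "outlook.exe", "detail": "TCP 192.0.2.5:443"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def process_table(events):
    """Map pid -> {ppid, image} from the earliest event that mentions each pid.
    Keying on the bare PID is a simplification: real endpoints reuse PIDs, so a
    production version should key on (pid, start time) or a process GUID."""
    procs = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        procs.setdefault(e["pid"], {"ppid": e["ppid"], "image": e["image"]})
    return procs


def ancestors(procs, pid):
    """Parent chain for pid, nearest parent first; stops at unknown or cyclic PIDs."""
    chain, seen = [], {pid}
    while pid in procs:
        ppid = procs[pid]["ppid"]
        if ppid not in procs or ppid in seen:
            break
        chain.append(ppid)
        seen.add(ppid)
        pid = ppid
    return chain


def descendants(procs, pid):
    """Every process spawned directly or indirectly by pid (breadth-first)."""
    children = defaultdict(list)
    for p, info in procs.items():
        children[info["ppid"]].append(p)
    found, queue = [], deque([pid])
    while queue:
        for child in sorted(children[queue.popleft()]):
            found.append(child)
            queue.append(child)
    return found


def focused_timeline(events, anchor, before=timedelta(minutes=2), after=timedelta(minutes=2)):
    """Events inside [anchor - before, anchor + after], grouped by swim lane, time-ordered."""
    lo, hi = anchor - before, anchor + after
    lanes = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if lo <= parse_ts(e["ts"]) <= hi:
            lanes[e["lane"]].append(e)
    return dict(lanes)


def triage(events):
    """Summarise the first alert: alerting process, its start and command line,
    ancestry, descendants (and which of them also alerted), the focused
    timeline, and network connections made immediately before the alert."""
    alerts = sorted((e for e in events if e["lane"] == "alert"), key=lambda e: e["ts"])
    if not alerts:
        return None
    first = alerts[0]
    procs = process_table(events)
    pid = first["pid"]
    alerted_pids = {a["pid"] for a in alerts}
    desc = descendants(procs, pid)
    t0 = parse_ts(first["ts"])
    lanes = focused_timeline(events, t0)
    start = next((e for e in events if e["lane"] == "process" and e["pid"] == pid), None)
    return {
        "alerting_pid": pid,
        "alerting_image": procs[pid]["image"],
        "started": start["ts"] if start else None,
        "cmdline": start["detail"] if start else None,
        "ancestors": ancestors(procs, pid),
        "descendants": desc,
        "flagged_descendants": [p for p in desc if p in alerted_pids],
        "timeline": lanes,
        "network_before_alert": [e for e in lanes.get("network", []) if parse_ts(e["ts"]) < t0],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    print(f"alerting process: {report['alerting_image']} (pid {report['alerting_pid']})")
    print(f"  started {report['started']}  cmdline: {report['cmdline']}")
    print(f"  parents: {report['ancestors']}  descendants: {report['descendants']}"
          f"  also alerted: {report['flagged_descendants']}")
    for lane, entries in report["timeline"].items():
        print(f"[{lane}]")
        for e in entries:
            print(f"  {e['ts']}  pid {e['pid']:<4} {e['image']:<13} {e['detail']}")
    print("network immediately before the alert:",
          [e["detail"] for e in report["network_before_alert"]])
```

Running the script prints the same shape of information the video walks through: the alerting process with its start time and command line, the parent and descendant processes (marking which descendants also raised an alert), the events grouped per lane inside the window, and the connections the host made just before the alert fired. The window size and the PID-keyed process table are the two places a real implementation would need to differ most from this sketch.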
