Reviewing Endpoint Alerts

In this installment of the Tips and Insights series, Jason Forcht provides insight into a FireEye Endpoint alert to help you better understand what you’re seeing in the FireEye Endpoint console.

Hi, I’m Jason Forcht and I’m a Consulting Systems Engineer at FireEye. I’d like to give you some insight into a FireEye Endpoint alert. This should help you better understand what you’re seeing in the FireEye Endpoint console. When you take a look at the alert within the FireEye security console, we see the computer name, the current IP address, the operating system, the workgroup or domain that it was joined to, and the current agent version.

As we move down the left-hand side we can see the actual events that occurred on this machine. So we can see some exploit attempts occurred, some actual exploits occurred, and lower down on this well-used machine are some actual malware alerts, which signify just general malware going on on this computer. In the middle of the screen we can see the observed behavior for each of these events. For example, for the exploit activity in Internet Explorer we can see memory manipulation, exploit shellcode, and suspicious HTTP request attempts, all of which signify that attempts have been made to exploit this machine.

When we scroll down to acquisitions we can see the actual acquisition and what it was. In this case it was an automatic full triage, which pulls down all the information about this machine. From here we can view the triage summary. You can take this into another screen, which gives us a lot more detail about what happened here.

Back at the top of the screen, an easy-to-miss tab is “Host Details”. When we click on that, it gives us an enormous amount of information about this particular computer: the operating system, any patches, and the domain. As we scroll down we can see the users that were signed onto it, the subnet mask, any patches that were in there, and even the BIOS of this computer. Below that we can see exploit and any other alerts that we need to triage and go into.

Once we’ve determined that this machine has been compromised, we can simply request containment, which would lock this computer down so that it would only be able to communicate back with the FireEye Endpoint Security console. Hopefully this provides context around the endpoint alert as your investigation moves forward into the triage summary. Check back for more FireEye product tips and insights.
