FireEye Alert Analysis and Endpoint Investigations

This 3-day course examines how to triage alerts generated by FireEye Network Security, derive actionable information from those alerts, and apply the fundamentals of live analysis and investigation to the associated endpoints.

Hands-on activities span the entire analysis and live investigation process, beginning with a FireEye-generated alert and leading to discovery and analysis of evidence of malware and other intrusion activity on the host. Analysis is performed using FireEye products and freely available tools.

For FireEye Endpoint Security customers, activities focus on investigation techniques using features such as the Triage Summary and Audit Viewer.

Learning Objectives

After completing this course, learners should be able to:

  • Recognize current malware threats and trends
  • Interpret alerts from FireEye Network and Endpoint Security products
  • Locate and use critical information in FireEye alerts to assess a potential threat
  • Define IOCs based on a FireEye alert and identify compromised hosts
  • Describe methods of live analysis
  • Create and request data acquisitions to conduct an investigation
  • Define common characteristics of Windows processes and services
  • Investigate a Redline® triage collection using a defined methodology
  • Identify malicious activity hidden among common Windows events
  • Validate and provide further context for alerts using Redline®

Who Should Attend

Network security professionals and incident responders who must use FireEye to detect, investigate, and prevent cyber threats.

Prerequisites

A working understanding of networking and network security; of the Windows operating system, its file system and registry; of regular expressions; and experience scripting in Python.

Recommended Pretraining

FireEye Network Security Deployment eLearning
*FireEye Endpoint Security Deployment eLearning

Duration

3 days

Instructor-Led Training

If you would like to register for this course, please contact your FireEye account manager.

Course Outline

Instructor-led sessions are typically a blend of lecture and hands-on lab activities.

Day 1

  1. Threats and Malware Trends
    • Threat Landscape
    • Using the Mandiant Attack Framework
    • Threat Profiles and Fin7 Case Study
    • Mapping attacker activity to the stages of an APT attack
  2. Initial Alerts
    • FireEye Endpoint Security Alerts
    • Triage with Triage Summary
    • FireEye Network Security Alerts
    • MVX engine
    • Mapping artifacts in an alert to events recorded by the FireEye agent
  3. MVX Alerts
    • FireEye alert types
    • Identifying forensic artifacts in the OS Change alert detail
    • Callbacks
    • SmartVision
    • Threat Assessment

Day 2

  1. Knowing Your Operating System
    • Common system processes and attributes
    • Identifying malicious processes
    • Windows Registry
    • Services and Tasks
    • Windows Event Logs
    • Audit Viewer and Redline
  2. Data Acquisitions
    • Live Forensics Overview
    • Data Collection Options
    • Choosing Data to Acquire
  3. FireEye Intelligence
    • Intelligence Context for FireEye Alerts
    • Analysis Tools in the FireEye Intelligence Portal
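The "Knowing Your Operating System" block above lists the check an analyst performs on a triage collection: compare each well-known Windows process against the image path and parent it should have. The following is an added example written for this page, not course material or FireEye code. It runs that comparison over a constructed process listing (the kind of pid/ppid/name/path data a Redline or Audit Viewer collection provides); the expected-parent and expected-path table is general Windows knowledge, and the two anomalous entries in the sample are constructed for illustration.

```python
"""Added example (not from the course): flag common Windows system processes
whose image path, parent process or instance count is not what Windows
itself would produce.  Input is a constructed process listing."""

from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name path")

SYSTEM32 = r"c:\windows\system32"

# name -> (expected parent name, expected directory).  A parent of None means
# the real parent (smss.exe or userinit.exe) normally exits after spawning the
# child, so only the path is checked for that process.
EXPECTED = {
    "smss.exe": ("system", SYSTEM32),
    "csrss.exe": (None, SYSTEM32),
    "wininit.exe": (None, SYSTEM32),
    "winlogon.exe": (None, SYSTEM32),
    "services.exe": ("wininit.exe", SYSTEM32),
    "lsass.exe": ("wininit.exe", SYSTEM32),
    "svchost.exe": ("services.exe", SYSTEM32),
    "explorer.exe": (None, r"c:\windows"),
}

# Processes of which a healthy system runs exactly one instance.
SINGLETONS = ("wininit.exe", "services.exe", "lsass.exe")


def find_anomalies(procs):
    """Return a list of (pid, name, reason) for every mismatch found."""
    by_pid = {p.pid: p for p in procs}
    counts = {}
    findings = []
    for p in procs:
        name = p.name.lower()
        counts[name] = counts.get(name, 0) + 1
        if name not in EXPECTED:
            continue
        exp_parent, exp_dir = EXPECTED[name]
        directory = p.path.lower().rsplit("\\", 1)[0]
        if directory != exp_dir:
            findings.append((p.pid, name, f"unexpected path {p.path}"))
        if exp_parent is not None:
            parent = by_pid.get(p.ppid)
            parent_name = parent.name.lower() if parent else None
            if parent_name != exp_parent:
                findings.append((p.pid, name,
                                 f"unexpected parent {parent_name or p.ppid} "
                                 f"(expected {exp_parent})"))
    for name in SINGLETONS:
        if counts.get(name, 0) > 1:
            findings.append((None, name, f"{counts[name]} instances, expected 1"))
    return findings


# Constructed sample listing.  The first seven entries are a normal boot chain;
# the last three add an svchost.exe running from a user temp directory under
# explorer.exe, and a second lsass.exe spawned by explorer.exe.
SAMPLE = [
    Proc(4, 0, "System", ""),
    Proc(320, 4, "smss.exe", r"C:\Windows\System32\smss.exe"),
    Proc(400, 320, "csrss.exe", r"C:\Windows\System32\csrss.exe"),
    Proc(480, 320, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    Proc(560, 480, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(572, 480, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    Proc(700, 560, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(3000, 2900, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(1200, 3000, "svchost.exe",
         r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
    Proc(3100, 3000, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
]

if __name__ == "__main__":
    for pid, name, why in find_anomalies(SAMPLE):
        print(f"{pid}\t{name}\t{why}")
```

The table deliberately leaves the parent unchecked where Windows' own parent has exited by the time a collection is taken; treating "parent not found" as suspicious for csrss.exe or winlogon.exe produces noise on every host. Name lookalikes (svch0st.exe, lsasss.exe) are not in the table and so are not checked here; they need a separate near-match test against the same list of names.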

Optional Content

  1. Malware Analysis
    • Static Analysis
    • Dynamic Analysis
    • MVX Malware Analysis
  2. Custom Detection Rules
    • YARA Malware Framework
    • Snort Rules

Day 3

  1. Investigation Methodology
    • Areas of Evidence
    • MITRE ATT&CK Framework
    • Mapping Evidence to Attacker Activity

Optional Content

  1. Memory Analysis
    • Collating Evidence
    • Memory Analysis
  2. Using Redline® and Audit Viewer
    • Navigate a data acquisition using Redline®
    • Navigate a data acquisition using Audit Viewer*
  3. FireEye: Extended Capabilities
    • FireEye Market
    • OpenIOC Editor
    • HXTool*
    • Endpoint Security REST API*

*Content only included for customers with FireEye Endpoint Security