FireEye Helix

This four-day entry-level primer on FireEye Helix covers the Helix workflow, from triaging Helix alerts, creating and scoping cases and using Helix and Endpoint Security tools to conduct investigative searches across the enterprise.

Hands-on activities include writing MQL searches as well as analyzing and validating Helix, Network Security and Endpoint Security alerts

Learning Objectives

After completing this course, learners should be able to:

  • Identify the components needed to deploy Helix
  • Determine which data sources are most useful for Helix detection and investigation
  • Locate and use critical information in a Helix alert to assess a potential threat
  • Comfortably switch between the Helix web console to other FireEye interfaces
  • Validate Network Security and Endpoint Security alerts
  • Use specialized features of Network Security and Endpoint Security to investigate and respond to potential threats across enterprise systems and endpoints

Who Should Attend

Incident response team members, threat hunters and information security professionals.


Students should have a working understanding of networking and network security, the Windows operating system, file system, registry, and use of the CLI.


4 days

Note: The online courses must be completed prior to the start of the instructor-led sessions

Instructor-Led Training Instructor-Led Training

Courses cannot be purchased or accessed from this site.

If you would like to register for this course, please contact your FireEye account manager.

Thank you.

Course Outline

Instructor-led sessions are typically a blend of lecture and hands-on lab activities.

E-Learning Modules

To be completed prior to Day 1 of instructor-led class sessions

Network Security (NX) for Helix
Estimated duration: 40 minutes

  • Appliance Introduction
  • Threat Management
  • FireEye NX series Platform with IPS Features

Central Management (CM) for Helix 
Estimated duration: 30 minutes

  • Appliance Introduction
  • CM Threat Management

FireEye Endpoint Security forAnalysts
Estimated duration: 60 minutes

  • Introduction to FireEye Endpoint Security
  • Alerts and Rules
  • Containment
  • Searches and Acquisitions

Day 1

  1. Helix Overview and Architecture
    • Helix Web UI
    • Helix workflow
    • Helix Architecture
    • 3rd party data sources
    • FireEye technologies stack
    • Cloud integrations
  2. Helix Fundamentals
    • Features and capabilities
    • Searching and pivoting
    • Event parsing
    • Custom dashboards
  3. Search and MQL (Mandiant Query Language)
    • Searchable fields
    • Anatomy of an MQL search
    • MQL search, directories, and transform clauses

Optional Content:

  1. Deployment and IAM
    • User Management
    • Role-based Access
    • Deployment scenarios
    • Configuring 3rd party event collection

Day 2

  1. Rules & Lists
    • Best practices for writing rules
    • Creating and enabling rules 
    • Creating and using lists
    • Using regular expression in rules
    • Multi-stage rules
  2. Initial Alerts
    • Helix Alerts
    • Guided Investigations
    • Network Security Alerts
    • MVX engine
    • Endpoint Security Alerts
    • Triage with Triage Summary
    • Run searches across all hosts in the enterprise
  3. FireEye iSight Intelligence Portal
    • Intelligence Context in Helix
    • Analysis Tools
  4. Case Management
    • Creating a case in Helix
    • Adding events to a case
    • Case workflow

Day 3

  1. Data Source Selection and the Mandiant Attack Lifecycle
    • Data sources for detection and investigation
    • Attack models to frame data source selection
    • Using the Mandiant Attack Framework
    • Mapping attacker activity to the stages of an APT attack
  2. Knowing Your Operating System
    • Common system processes and attributes
    •  Identifying malicious processes
    •  Windows Registry
    • Services and Tasks
    • Windows Event Logs
    • Audit Viewer and Redline
  3. Data Acquisitions
    • Acquiring data using Endpoint Security 
    • Redline collections
    • Other acquisition methods, such as PowerShell
    • Locations of evidence as they map to the Mandiant Attack Lifecycle

Day 4

  1. Investigation Methodology
    • Areas of Evidence
    • Mapping evidence to Attacker Activity
 Optional Content:
  1. Using Redline®
    • Access triage collections for hosts for offline analysis
    • Navigate a data acquisition using Redline®
    • Apply tags and comments 
  2. Using Audit Viewer
    • Navigate a data acquisition using Audit Viewer
    • Apply tags and comments 
  3. Endpoint Security: Extended Capabiities
    • FireEye Market
    • Open IOC Editor
    • HXTool
    • Endpoint Security REST API