Alert Analysis [ILT]

Version 17

    Courses cannot be purchased or accessed from this site. If you would like to register for this course, please contact your FireEye account manager.

    This information is also available as a downloadable data sheet.

    This two-day, instructor-led course introduces learners to FireEye-generated alerts. The course provides a framework on how to interpret callbacks and how to interpret results of malware binary analysis.


    Hands-on activities include analyzing alert data to determine the significance of the alerts.



    Course Objectives

    Upon completion of the course the learner should be able to:

    • Distinguish FireEye alert types
    • Locate and use critical information in a FireEye alert to assess a potential threat
    • Use Indicators of Compromise (IOCs) in a FireEye alert to identify the threat on compromised hosts


    Course Outline


    1. FireEye Core Technology
      • Malware infection lifecycle
      • MVX engine
      • Appliance analysis phases
    2. Malware Landscape
      • Malware overview and definition
      • Motivations of malware
      • Types of malware
      • Spear phishing
      • Stages of an APT attack
    3. Threat Management
      • Primary NX functions
      • Event types
      • Web UI and dashboard
      • Managing alerts
    4. Web Infections & Exploits
      • Web Infection alerts
      • Honey binary
      • Second-stage payloads
    5. Malware Objects
      • Malware Object alerts
      • MVX engine binary analysis of files
      • Tracing downloads through HTTP headers
      • Determine origin of the downloaded malware object
    6. Callbacks
      • Malware Callback alerts
      • Domain Match alerts
      • Encoded traffic
    7. Case Study: Backdoor.Netwire
      • OS Change detail
      • Windows API
      • Windows registry
      • Code injection
      • Alternate data streams
      • Processes and Network Activity
      • Mutexes
      • Registry Run Keys
      • User Account Control


    Lessons are typically a blend of lecture and hands-on lab activities.



    Students should have:

    • completed at least one FireEye Deployment course (ILT or eLearning) or possess experience administrating FireEye appliances.
    • have a working understanding of networking and network security, the Windows operating system, file system, registry, and use of the CLI.


    Target Audience

    Network security professionals and incident responders; FireEye admin and analyst users.