Enterprise Incident Response with MIR [ILT]

Version 13

    The Mandiant Intelligent Response (MIR) appliance finds evidence of compromise and forensic artifacts left behind on your endpoints by attacker activity. With MIR you can rapidly sweep tens of thousands of endpoints using Mandiant's latest intelligence about advanced attacker activity.


    This two-day instructor-led course provides an introduction to using Mandiant Intelligent Response (MIR) as an incident response tool. Labs take students through a breach, teaching them how to perform sweep hit analysis, build live response scripts, carry out basic analysis of unknown binaries, and create basic Indicators of Compromise (IOCs).



    Course Objectives

    Upon completion of the course the learner should be able to:

    • Perform a hit review after a sweep
    • Build and use live response host audit scripts
    • Perform basic malware analysis using FireEye AX
    • Build simple IOCs


    Course Outline

    1. MIR Core Concepts
      • Incident types and incident response requirements
      • MIR basics: architecture, sweeps, scripts, jobs, and IOCs
    2. Sweeping
      • Building sweeps
      • Tuning monthly sweeps
      • Hit review
    3. Binary Analysis
      • FireEye AX
      • Strings analysis
    4. Live Response
      • Live response methodology
      • Live response audit scripts
      • Interpreting live response data
      • Pivoting / Searching
    5. IOCs
      • IOC architecture within MIR
      • Building IOCs
      • Testing IOCs
      • Sweeping with custom IOCs


    Lessons are typically a blend of lecture and hands-on lab activities.



    Students should have a working understanding of networking and network security, the Windows OS, file system, registry, and use of the CLI.


    Target Audience

    Network security professionals and incident responders.