Helix Threat Analytics [ILT]

Version 11

    FireEye Helix is a comprehensive detection and response platform designed to simplify, integrate and automate security operations.

    This two-day course is a primer on Helix Threat Analytics, covering the Helix workflow, triaging Helix alerts, creating and scoping cases from an alert, and using Helix Threat Analytics during investigation. Hands-on activities include writing MQL searches, as well as analyzing and validating Helix alerts.

    This course is the recommended starting point for anyone who uses FireEye Helix.

    Course Objectives

    Upon completion of the course the learner should be able to:

    • Determine which data sources are most useful for Helix detection and investigation
    • Search log events across the enterprise
    • Locate and use critical information in a Helix alert to assess a potential threat
    • Create a case from events of interest
    • Create and manage IAM users

    Course Outline

    Day 1

    1. Helix Overview
      • The changing threat landscape
      • Challenges with contemporary security operations
      • Threat Analytics Web UI
      • Helix workflow
    2. Helix Architecture
      • Cloud Collector; event ingestion from logs
      • FireEye technologies stack
      • Amazon Web Services and Helix
      • Deployment scenarios
    3. Helix Fundamentals
      • Features and capabilities
      • Searching and pivoting
      • Event parsing
      • Custom dashboards
    4. Data Source Selection
      • Data sources for detection and investigation
      • Attack models to frame data source selection
      • Mandiant Attack Model
      • Silent log detection

    Day 2

    1. Search and MQL (Mandiant Query Language)
      • Searchable fields
      • Anatomy of an MQL search
      • MQL search, directive, and transform clauses
    2. Rules & Lists
      • Best practices for writing rules
      • Creating and enabling rules
      • Creating and using lists
      • Using regular expressions in rules
      • Multi-stage rules
    3. Alerts
      • Alerting
      • Alert Components
      • Guided Investigations
      • Managing alerts
    4. Helix Case Management
      • Creating a case in Helix
      • Adding events to a case
      • Case workflow
    5. Helix Management
      • Identity and Access Management (IAM) single sign-on (SSO)
      • User management and role-based access
      • IAM enrollment
      • Helix settings

    Lessons are typically a blend of lecture and hands-on lab activities.

    Students should have a working understanding of networking and network security, the Windows operating system (including its file system and registry), and use of the command-line interface (CLI).

    Who should attend

    Network security professionals and incident responders.