FireEye Endpoint Security (HX Series) offers industry-leading threat and exploit detection capabilities. HX enables endpoint visibility for a more flexible and adaptive defense against known and unknown threats.
This one-day course dives into investigation techniques using HX. A methodology is prescribed for investigating security alerts using both the HX triage summary and Redline.
Hands-on activities include validating alerts, examining event details using HX and Redline, using the HX API to automate actions, and integrating HX with other systems.
Upon completion of the course the learner should be able to:
- Investigate a Redline triage package using a defined methodology
- Validate and provide further context for alerts using Redline
- Identify malicious activity hidden among common Windows events recorded in the look-back cache
- Use the API to automate HX functionality
- Knowing Normal
- Common Windows system processes
- Identifying malicious processes
- FireEye Source Alerts and Integration
- Identifying forensic artifacts in the OS Change detail
- Mapping artifacts to actual events recorded by the agent
- HX Investigation Methodology
- Defining hypothesis from an alert
- Validating an alert
- Pivoting and expanding the scope of investigation
- Identifying network activity
- Tracking processes
- Identifying human-driven activity
- Documenting findings
- Data Acquisitions
- Customizing and creating data acquisition to conduct investigations
- Requesting data acquisitions from a host
- HX REST API
- Conditions, indicators, and alerts
- Containment requests
- File acquisitions
Lessons are typically a blend of lecture and hands-on lab activities.
Students should have
- A working understanding of networking and network security, the Windows operating system, file system, registry, regular expressions, and experience scripting in Python.
- Completed the course Endpoint Security (HX Series) Deployment and Administration.
Network security professionals and incident responders.