Endpoint Security (HX Series) Comprehensive Investigation [ILT]

Version 18

    Courses cannot be purchased or accessed from this site. If you would like to register for this course, please contact your FireEye account manager.

    This information is also available as a downloadable data sheet.

    FireEye Endpoint Security (HX Series) offers industry-leading threat and exploit detection capabilities. HX enables endpoint visibility for a more flexible and adaptive defense against known and unknown threats.


    This one-day course dives into investigation techniques using HX. A methodology is prescribed for investigating security alerts using both the HX triage summary and Redline.


    Hands-on activities include validating alerts, examining event details using HX and Redline, using the HX API to automate actions, and integrating HX with other systems.



    Course Objectives

    Upon completion of the course the learner should be able to:

    • Investigate a Redline triage package using a defined methodology
    • Validate and provide further context for alerts using Redline
    • Identify malicious activity hidden among common Windows events recorded in the look-back cache
    • Use the API to automate HX functionality


    Course Outline

    1. Knowing Normal
      • Common Windows system processes
      • Identifying malicious processes
    2. FireEye Source Alerts and Integration
      • Identifying forensic artifacts in the OS Change detail
      • Mapping artifacts to actual events recorded by the agent
    3. HX Investigation Methodology
      • Defining hypothesis from an alert
      • Validating an alert
      • Pivoting and expanding the scope of investigation
      • Identifying network activity
      • Tracking processes
      • Identifying human-driven activity
      • Documenting findings
    4. Data Acquisitions
      • Customizing and creating data acquisition to conduct investigations
      • Requesting data acquisitions from a host
    5. HX REST API
      • Conditions, indicators, and alerts
      • Containment requests
      • File acquisitions
      • Scripts


    Lessons are typically a blend of lecture and hands-on lab activities.



    Students should have

    • A working understanding of networking and network security, the Windows operating system, file system, registry, regular expressions, and experience scripting in Python.
    • Completed the course Endpoint Security (HX Series) Deployment and Administration.


    Target Audience

    Network security professionals and incident responders.