FireEye Helix [WBT & ILT]

Version 4

    Courses cannot be purchased or accessed from this site. If you would like to register for this course, please contact your FireEye account manager.


    FireEye Helix is a comprehensive detection and response platform designed to simplify, integrate and automate security operations.


    This five-day course is a primer on Helix, covering the Helix workflow, triaging Helix alerts, creating and scoping cases from an alert, and using Helix and HX tools during investigation to conduct searches across the enterprise. Hands-on activities include writing MQL searches, as well as analyzing and validating Helix, NX, and HX alerts.


    This course is the recommended starting point for anyone who uses FireEye Helix. The course begins with three self-paced e-learning modules followed by four and a half days of instructor-led training.



    Course Objectives

    Upon completion of the course the learner should be able to:

    • Identify the components needed for Helix deployment
    • Determine which data sources are most useful for Helix detection and investigation
    • Search log events across the enterprise
    • Locate and use critical information in a Helix alert to assess a potential threat
    • Pivot from Helix Web UI console to other FireEye platforms, such as NX, HX, and CM
    • Validate a network alert (NX alert)
    • Use Indicators of Compromise (IOCs) in a FireEye NX alert to identify other systems affected by an incident
    • Validate an endpoint alert (HX alert)
    • Investigate the Triage Summary and Audit Viewer for an HX alert using a defined methodology
    • Conduct live response using HX enterprise search
    • Acquire files and other artifacts of interest by performing an HX acquisition
    • Actively hunt for unknown attackers


    Who Should Attend

    Network security professionals and incident responders.



    Students should have a working understanding of networking and network security, the Windows operating system, file system, registry, and use of the CLI.


    Course Outline

    E-Learning Modules

    To be completed prior to Day 1 of instructor-led class sessions


    Network Security (NX) for Helix

    Estimated duration: 40 minutes

    1. Appliance Introduction
    2. Threat Management
    3. FireEye NX series Platform with IPS Features


    Central Management (CM) for Helix

    Estimated duration: 30 minutes

    1. Appliance Introduction
    2. CM Threat Management


    FireEye Endpoint Security (HX) for Helix

    Estimated duration: 60 minutes

    1. HX Appliance Introduction
    2. Deployment
    3. Threat Management
    4. Containment
    5. Searches and Acquisitions


    Instructor-led Sessions

    Day 1

    1. Helix Overview
      • The changing threat landscape
      • Challenges with contemporary security operations
      • Helix Web UI
      • Helix workflow
    2. Helix Architecture
      • Cloud Collector; event ingestion from logs
      • FireEye technologies stack
      • Amazon Web Services and Helix
      • Deployment scenarios
    3. Helix Fundamentals
      • Features and capabilities
      • Searching and pivoting
      • Event parsing
      • Custom dashboards
    4. Data Source Selection
      • Data sources for detection and investigation
      • Attack models to frame data source selection
      • Mandiant Attack Model
      • Silent log detection


    Day 2

    1. Search and MQL (Mandiant Query Language)
      • Searchable fields
      • Anatomy of an MQL search
      • MQL search, directive, and transform clauses
    2. Rules & Lists
      • Best practices for writing rules
      • Creating and enabling rules
      • Creating and using lists
      • Using regular expressions in rules
      • Multi-stage rules
    3. Alerts
      • Alerting
      • Alert Components
      • Guided Investigations
    4. FireEye Core Technology
      • Malware infection cycle
      • MVX engine
      • Appliance analysis phases
    5. NX Alerts and Threat Management
      • Pivoting to NX alerts from Helix
      • Alert types
      • Managing alerts


    Day 3

    1. Malware Landscape
      • Malware overview and definition, current trends
      • Motivations of malware
      • Types of malware
    2. Web Infections & Exploits
      • Web Infection alerts
      • Honey binary
      • Second-stage payloads
    3. Malware Objects
      • Malware Object alerts
      • MVX engine binary analysis of files
      • Tracing downloads through HTTP headers
      • Determine origin of the malware object downloaded
    4. Callbacks
      • Malware Callback alerts
      • Domain Match alerts
      • Encoded traffic
    5. Case Study: Backdoor.Netwire
      • OS Change detail
      • Windows API
      • Windows registry
      • Code injection
      • Alternate data streams
      • Auto-run behavior
      • Driver loading
      • User Account Control


    Day 4

    1. Endpoint Alerts and HX Threat Management
      • Pivoting to HX alerts from Helix
      • HX intelligence (indicators)
      • HX alerts
      • Triage with Triage Summary
      • Acquire files, triage packages, other built-in acquisitions from hosts
      • Run searches across all hosts in the enterprise
    2. Knowing Normal for Windows
      • Common Windows system processes
      • Identifying malicious processes
    3. Investigation Methodology for endpoint alerts
      • Defining hypothesis
      • Validating an alert
      • Pivoting and expanding the scope of investigation
      • Identifying network activity
      • Tracking processes
      • Identifying human-driven activity
    4. Data Acquisitions with HX
      • Customizing and creating data acquisition to conduct investigations
      • Requesting data acquisitions from a host


    Day 5

    The final day of training is a half-day.

    1. Helix Case Management
      • Creating a case in Helix
      • Adding events to a case
      • Case workflow
    2. Validating Alerts
      • Building context for cases
      • Pivoting and expanding the scope of investigation
    3. Helix Management
      • Identity and Access Management (IAM) single sign-on (SSO)
      • User management and role-based access
      • IAM enrollment
      • Helix settings
    4. Hunting
      • Begin to craft more complex Helix queries
      • Proactively hunt for evil without relying on alerts



    Instructor-led sessions are typically a blend of lecture and hands-on lab activities.