Introduction to FireEye Security Orchestrator (FSO) [WBT]

Version 1

    Courses cannot be purchased or accessed from this site. If you would like to register for this course, please contact your FireEye account manager.

    FireEye Security Orchestrator (FSO) helps you improve response times, reduce risk exposure, and maintain process consistency across your security program. It unifies disparate technologies and incident handling processes into a single console that codifies experiences from the frontlines to deliver real-time guided responses.


    This self-paced online course provides an introduction to the FireEye Security Orchestrator product, including plug-ins used to interface with external applications, courses of action (COA) used for security process implementation, and the management of cases generated from a COA.



    Course Objectives

    Upon completion of the course, the learner should be able to:

    • Provide an overview of FSO
    • Describe the components that enable FSO to interface with external applications
    • Provide an analysis of a COA by describing the function of each component of the COA
    • Manage cases that are generated as a result of the execution of a COA


    Target Audience

    • Tier 1 and Tier 2 security managers, incident responders, and/or analysts


    Course Outline


    1. FSO Overview
      • What is FSO?
      • Benefits of orchestration
      • FSO architecture and components
      • Logging into the FSO Web UI
      • The FSO dashboard
      • FSO Web UI Pages Overview
    2. Interfacing With External Applications
      • Introduction
      • Demo: Configuring FSO to interface with external applications
      • Characteristics of a plug-in
      • Plug-In commands
      • Verify commands
      • Create a device
      • Create an adapter
    3. Courses of Action
      • COA components
      • Demo: Configuring a simple COA
      • The Abuse Mailbox example
      • Device tasks
      • Operator-initiated tasks
      • Gateways and conditions
    4. Managing Cases
      • Demo: Triggering a COA and viewing case results
      • Case summary components
      • Case detail panels
      • Detailed case information
      • Tasks views and Flows views



    Students should have:

    • completed at least one of FireEye’s Deployment courses (ILT or eLearning) or possess experience administering one of FireEye’s appliances
    • familiarity with networking and network security



    This course is self-paced, so duration may vary. On average, this course should take about two to three hours to complete. The course does not need to be completed in a single sitting.


    Browser requirements

    This course was designed to work in all modern desktop browsers (Chrome, Firefox, Safari, Internet Explorer 10+, Microsoft Edge) and tablets (such as iPad). While it may work on mobile phones, we do not officially support phones and suggest using a desktop or tablet to view the course.



    Please contact your FireEye account manager for details.