Helix Video - Investigative Tips

Version 1
Video Transcript:

...Today I'll be talking about the investigative tips feature and how it can help analysts answer the Now What. Every alert in Helix provides you the capability to be able to enter the What Now by giving you some questions around the alert and answers back for that specific alert. So in this situation we're looking at an NX alert that came from a network device. Questions always get asked by an analyst when they're looking at an NX alert, or any alert it could be, and they really don't know what to do from there. So in this situation we've got a virus, backdoor.generic, Destination IP, Source IP, Destination Port, and some other information that would be called indicators of compromise. But what do I do from here? The analyst many times wants those questions answered. So in order to answer that Now What, you want to go into investigative tips.

So I can collapse all these queries, which I have already collapsed, and what you see here are specific questions asked from specifically that alert. Every investigative tip may be different, with different questions provided depending on the vector of attack. So you may have a different set of questions that were asked if it was a network-based alert versus an endpoint or versus an e-mail. Think of this as having an actual Mandiant incident responder helping you with the incident, providing you some questions, and then you can use Helix to provide the answers back.

So let's look at these questions here. So were there any other rules that were fired for the source IP? It sounds like there were. We're looking at a 60 minute time offset, and there were specifically four other detect rules that were fired off around that timeframe. There are some other questions here. We'll jump into "were there any other related AV hits," and there were other specific AV hits as well. So we've got some other evidence that you may want to pivot off of, and then we'll move down into the actual host connected to the command and control host. Looks like there are two here. And then lastly, "what are other hosts that were found with the same threat?" You'll find that there are three specific IP addresses with virus backdoor.generic. So it looks like it's definitely not just one host in question here. There's a couple of hosts. Looks like those two or three different hosts are ones that you may want to look at, and we can then pivot into those specific hosts and do further hunting for evil once you go into the platform and start searching for that data. So now that you have the answer to the Now What, you can successfully kick out the adversary from your network. Be sure to check back for more product tips and insights from FireEye.