Alert Analysis and Diagnostics with FireEye Email Security – Server Edition

This is a two-day instructor-led class designed for analysts and email administrators.

Day 1 introduces FireEye Email Security – Server Edition and its key components, including detection of malicious files and URLs, email alerts, and the quarantine used for containment. This course is designed primarily for analysts who will derive meaningful, actionable information from FireEye alerts to assess and triage threats to their environment.

Day 2 is a workshop that introduces a framework for administration and diagnostics for FireEye Email Security – Server Edition. It includes checklists, case studies, lab challenges and guidance for transitioning difficult cases to the FireEye Support team. This workshop is experiential, hands-on and will give learners experience in administering an appliance and diagnosing common issues.

Learning Objectives

After completing this course, learners should be able to:

Alert Analysis Course

  • Recognize current malware threats and trends
  • Understand the threat detection and prevention capabilities of your FireEye Email Security – Server Edition
  • Locate and use critical information in a FireEye alert to assess a potential threat
  • Examine OS and file changes in alert details to identify malware behaviors
  • Identify Indicators of Compromise (IOCs) in a FireEye alert and use them to identify compromised hosts

Diagnostics Workshop

  • Identify common issues and steps for resolution with Email Security deployment
  • Perform administration tasks on the Email Security – Server Edition appliance
  • Recognize the underlying technology and protocols of SMTP email transfer
  • Use logs to determine the status of email transfer and analysis
  • Know when to escalate issues and obtain further assistance from FireEye

Who Should Attend

Security professionals, incident responders and email administrators. 

Prerequisites

A working understanding of networking, email security and email support.

Duration

2 days

Instructor-Led Training

Courses cannot be purchased or accessed from this site.

If you would like to register for this course, please contact your FireEye account manager.

Thank you.

Course Outline

Instructor-led sessions are typically a blend of lecture and hands-on lab activities.

Day 1: Alert Analysis Course Outline
  1. FireEye Core Technology
    • Malware infection lifecycle
    • MVX engine
    • Appliance analysis phases
  2. Threats and Malware Trends
    • Malware overview and definition
    • Motivations of malware
    • Mandiant Attack Lifecycle
    • Types of Malware
  3. Threat Management
    • Single sign-on options
    • User management and role-based access
    • IAM enrollment
    • Helix settings
  4. OS Changes
    • APIs
    • File and folder actions
    • Code injection
    • Processes
    • Mutexes
    • Windows Registry events
    • Network access
    • User Account Control (UAC)
  5. Malware Objects
    • Malware object alerts
    • BOT Communication Details
    • OS Change Details for malware objects
    • Malware object origin analysis
  6. Malware Analysis (optional)
    • MVX Engine Review
    • Static Analysis
    • Dynamic Analysis
    • MVX Malware Analysis
  7. Custom Detection Rules – YARA and Snort (optional)
    • YARA Malware Framework File Signatures
    • YARA on FireEye Appliances
    • YARA Hexadecimal Strings
    • Regular Expressions
    • Conditions
    • Snort Rule Processing
    • Enabling Snort Rules
Day 2: Diagnostics Workshop Outline
  1. Common FireEye Administration and Diagnostics
    • Troubleshooting process
    • Basic troubleshooting
    • Best practice
    • Common issues:
      • Licensing
      • Admin
      • Operation
      • Notifications
      • Boot
      • Performance
      • Upgrade
  2. Email Security - Server Edition Diagnostics
    • Health Check
    • Server Logs
  3. Hardware Diagnostics
    • Troubleshooting PSU and HDD issues
    • Universal LED
  4. Virtual Email Security Server Diagnostics
    • Licensing
    • DTI Configuration
  5. Diagnostics of Email Protocols
    • The process of email and the FireEye Email Security Server Edition
      • SMTP / ESMTP
      • POP3 / IMAP
      • MTA
      • DNS
      • MX
      • Postfix
      • FireEye Email Security Server Edition Modes
      • Reporting
      • Email Logs
  6. Administration and Diagnostics of Email Security Appliances
    • Processing Interface
    • Domains
    • Next-Hop
    • Receiving Mail
    • Analysis
    • Mail Delivery
    • Delay and Latency
    • Understanding Queues
  7. Transition
    • Transition a case to FireEye Customer Support
    • Using the FireEye Customer Portal
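The Day 2 topics on email logs, delay and latency, and queues come down to one skill: following a single message through the MTA log by its queue ID and reading the timing fields Postfix records at delivery. The following is an added example, not material from the course or from FireEye; it parses constructed Postfix-style syslog lines (the format is the generic Postfix one, with made-up hosts, queue IDs and addresses, and the appliance's own log layout may differ), reports whether each message was delivered or deferred, and identifies which stage of the `delays=a/b/c/d` breakdown consumed the time. The stage meanings used here are those documented by Postfix: a = time before the queue manager (including message transmission from the client), b = time in the queue manager, c = connection setup to the next hop (DNS, HELO, TLS), d = message transmission to the next hop.

```python
"""Trace messages through constructed Postfix-style log lines.

Added example for the email-log / delay / queue diagnostics topics. All log
lines, hosts, queue IDs and addresses below are constructed for illustration
and are not taken from a FireEye appliance.
"""
import re
from dataclasses import dataclass, field

# Generic Postfix syslog line: "<timestamp> <host> postfix/<prog>[pid]: <QUEUEID>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<msg>.*)$"
)
ENVELOPE_RE = re.compile(r"from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)")
DELIVERY_RE = re.compile(
    r"to=<(?P<to>[^>]*)>, relay=(?P<relay>[^,]+), delay=(?P<delay>[\d.]+), "
    r"delays=(?P<delays>[\d./]+), dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<detail>.*)\)"
)

# Order of the four fields in "delays=a/b/c/d", per the Postfix documentation.
DELAY_STAGES = ("before_qmgr", "in_qmgr", "connect", "transmit")

# Constructed sample: the first message waits in the queue manager before a
# successful hand-off to the next hop; the second is deferred because the
# connection to the next hop times out.
SAMPLE_LOG = """\
Mar  3 10:01:02 mta postfix/smtpd[2101]: 4F3A1B2C3D: client=mail.example.com[192.0.2.10]
Mar  3 10:01:02 mta postfix/cleanup[2102]: 4F3A1B2C3D: message-id=<a1@example.com>
Mar  3 10:01:02 mta postfix/qmgr[1990]: 4F3A1B2C3D: from=<alice@example.com>, size=4821, nrcpt=1 (queue active)
Mar  3 10:01:47 mta postfix/smtp[2110]: 4F3A1B2C3D: to=<bob@example.net>, relay=nexthop.example.net[198.51.100.5]:25, delay=45, delays=0.2/44.5/0.1/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9D1E2F)
Mar  3 10:01:47 mta postfix/qmgr[1990]: 4F3A1B2C3D: removed
Mar  3 10:05:10 mta postfix/smtpd[2101]: 7A8B9C0D1E: client=mail.example.org[203.0.113.7]
Mar  3 10:05:10 mta postfix/qmgr[1990]: 7A8B9C0D1E: from=<carol@example.org>, size=120334, nrcpt=1 (queue active)
Mar  3 10:05:40 mta postfix/smtp[2111]: 7A8B9C0D1E: to=<dave@example.net>, relay=nexthop.example.net[198.51.100.5]:25, delay=30, delays=0.3/0.02/30/0, dsn=4.4.1, status=deferred (connect to nexthop.example.net[198.51.100.5]:25: Connection timed out)
"""


@dataclass
class Delivery:
    to: str
    relay: str
    delay: float
    delays: dict      # stage name -> seconds
    dsn: str
    status: str       # sent / deferred / bounced
    detail: str


@dataclass
class Message:
    qid: str
    client: str = ""
    message_id: str = ""
    sender: str = ""
    size: int = 0
    nrcpt: int = 0
    deliveries: list = field(default_factory=list)
    removed: bool = False   # qmgr logged "removed": the message left the queue


def split_delays(delays: str) -> dict:
    """Map 'a/b/c/d' onto the four named Postfix delay stages."""
    parts = [float(p) for p in delays.split("/")]
    if len(parts) != len(DELAY_STAGES):
        raise ValueError(f"unexpected delays field: {delays!r}")
    return dict(zip(DELAY_STAGES, parts))


def parse_postfix_log(text: str) -> dict:
    """Group per-message log lines by queue ID and extract envelope and delivery data."""
    messages = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a per-message Postfix line; ignore
        msg = messages.setdefault(m["qid"], Message(m["qid"]))
        body = m["msg"]
        if body.startswith("client="):
            msg.client = body[len("client="):]
        elif body.startswith("message-id="):
            msg.message_id = body[len("message-id="):]
        elif body.startswith("from=<"):
            em = ENVELOPE_RE.match(body)
            if em:
                msg.sender, msg.size, msg.nrcpt = em["sender"], int(em["size"]), int(em["nrcpt"])
        elif body.startswith("to=<"):
            dm = DELIVERY_RE.match(body)
            if dm:
                msg.deliveries.append(Delivery(
                    dm["to"], dm["relay"], float(dm["delay"]), split_delays(dm["delays"]),
                    dm["dsn"], dm["status"], dm["detail"]))
        elif body == "removed":
            msg.removed = True
    return messages


def message_status(msg: Message) -> str:
    """Overall state of a message from its delivery attempts and queue removal."""
    if not msg.deliveries:
        return "queued"            # accepted, no delivery attempt logged yet
    statuses = {d.status for d in msg.deliveries}
    if msg.removed and statuses == {"sent"}:
        return "delivered"
    if "bounced" in statuses:
        return "bounced"
    if "deferred" in statuses:
        return "deferred"          # still in the deferred queue, will be retried
    return "in-progress"


def slowest_stage(d: Delivery) -> str:
    """Name of the delays= stage that accounts for most of the latency."""
    return max(d.delays, key=d.delays.get)


if __name__ == "__main__":
    for qid, msg in parse_postfix_log(SAMPLE_LOG).items():
        print(f"{qid} from={msg.sender} size={msg.size} status={message_status(msg)}")
        for d in msg.deliveries:
            print(f"    to={d.to} dsn={d.dsn} delay={d.delay}s slowest={slowest_stage(d)} ({d.detail})")
```

The stage names tell an administrator where to look next: a large `in_qmgr` value means the message sat waiting for delivery resources or a content filter slot, a large `connect` value points at DNS, firewall or next-hop reachability, and a large `transmit` value at bandwidth or a slow receiving MTA. Real deployments should match on the appliance's own log format and queue-ID style rather than the constructed lines above.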