Alert Analysis

This course is designed to prepare analysts to triage and derive meaningful, actionable information from FireEye alerts on the following FireEye Enterprise Security solutions:

  • Network Security
  • Email Security
  • File Protect

In a hands-on lab environment, learners will be presented with various alert types and real-world scenarios in which they will conduct in-depth analysis on the behavior and attributes of malware to assess real-world threats. 

Learning Objectives

After completing this course, learners should be able to:

  • Recognize current malware threats and trends
  • Understand the threat detection and prevention capabilities of your FireEye Security Solution
  • Locate and use critical information in a FireEye alert to assess a potential threat
  • Examine OS and file changes in alert details to identify malware behaviors
  • Identify IOCs in a FireEye alert and use them to identify compromised hosts

Who Should Attend

Network security professionals, incident responders and FireEye analysts.

Prerequisites

Completion of at least one instructor-led or web-based FireEye deployment training course or experience administering FireEye appliances. A working understanding of networking and network security, the Windows operating system, file system, registry and use of the command line interface (CLI).

Duration

2 days

Instructor-Led Training

Courses cannot be purchased or accessed from this site.

If you would like to register for this course, please contact your FireEye account manager.

Thank you.

Course Outline

Instructor-led sessions are typically a blend of lecture and hands-on lab activities.

  1. FireEye Core Technology
    • Malware infection lifecycle
    • MVX engine
    • Appliance analysis phases
  2. Malware Landscape
    • Malware overview and definition
    • Motivations of malware
    • Mandiant Attack Lifecycle
    • Types of malware
  3. Threat Management
    • Primary NX functions
    • Event types
    • Web UI and dashboard
    • Managing alerts
  4. OS Changes
    • APIs
    • File and folder actions
    • Processes
    • Mutexes
    • Windows Registry events
    • Network access
    • User Account Control (UAC)
  5. Malware Objects
    • Malware Object alerts
    • BOT Communication Details
    • OS Change Details – Objects
    • Malware Object origin analysis
  6. Web Infections & Exploits (Network Security only)
    • Web Infection alerts
    • OS Change Details – Web infections
    • Honey binary
    • Second stage payloads
    • Triaging Web Infections
  7. Callbacks (Network Security only)
    • Malware Callback alerts
    • Callback Behavior
    • Encrypted Callbacks
    • Callback Payload
    • Domain Match
    • Threat Assessment
  8. Case Study: Backdoor.Netwire (Network Security only)
    • OS Change detail
    • Windows API
    • Windows registry
    • Code injection
    • Alternate data streams
    • Processes and Network Activity
    • Mutexes
    • Registry Run Keys
    • User Account Control
  9. Malware Analysis (optional)
    • MVX Engine Review
    • Static Analysis
    • Dynamic Analysis
    • MVX Malware Analysis
  10. Custom Detection Rules – YARA and Snort (optional)
    • YARA Malware Framework File Signatures
    • YARA on FireEye Appliances
    • YARA Hexadecimal
    • Regular Expressions
    • Conditions
    • Snort Rule Processing
    • Enabling Snort Rules
    • Creating a Snort Rule