FireEye Helix

This four-day entry-level primer on FireEye Helix covers the Helix workflow, from triaging Helix alerts, creating and scoping cases and using Helix and Endpoint Security tools to conduct investigative searches across the enterprise.

Hands-on activities include writing MQL searches as well as analyzing and validating Helix, Network Security and Endpoint Security alerts

Learning Objectives

After completing this course, learners should be able to:

  • Identify the components needed to deploy Helix
  • Determine which data sources are most useful for Helix detection and investigation
  • Locate and use critical information in a Helix alert to assess a potential threat
  • Comfortably switch between the Helix web console to other FireEye interfaces
  • Validate Network Security and Endpoint Security alerts
  • Use specialized features of Network Security and Endpoint Security to investigate and respond to potential threats across enterprise systems and endpoints

Who Should Attend

Incident response team members, threat hunters and information security professionals.


Students should have a working understanding of networking and network security, the Windows operating system, file system, registry, and use of the CLI.


4 days

Note: The online courses must be completed prior to the start of the instructor-led sessions

Instructor-Led Training Instructor-Led Training

Some courses can be purchased from this site; refer to our public training schedule for more information.

For all other courses, or to arrange a private training session, please contact your FireEye account manager.

Thank you.

Course Outline

Instructor-led sessions are typically a blend of lecture and hands-on lab activities.

E-Learning Modules

To be completed prior to Day 1 of instructor-led class sessions

Network Security (NX) for Helix
Estimated duration: 40 minutes

  • Appliance Introduction
  • Threat Management
  • Features and Core Functionality

Central Management (CM) for Helix
Estimated duration: 30 minutes

  • Appliance Introduction
  • CM Threat Management

FireEye Endpoint Security for Analysts
Estimated duration: 60 minutes

  • Introduction to FireEye Endpoint Security
  • Alerts and Rules
  • Containment
  • Searches and Acquisitions

Instructor-led sessions

Day 1

  1. Helix Overview and Architecture
    • Helix Web UI
    • Helix workflow
    • Helix architecture
    • 3rd party data sources
    • FireEye technologies stack
    • Cloud integrations
  2. Helix Fundamentals
    • Features and capabilities
    • Searching and pivoting
    • Event parsing
    • Custom dashboards
  3. Search, MQL (Mandiant Query Language), and Lists
    • Searchable fields
    • Anatomy of an MQL search
    • MQL search, directive, and transform clauses
    • Creating and using lists

Optional Content Deployment and IAM

  • User management
  • Role-based Access
  • Deployment scenarios
  • Configuring 3rd party event collection

Day 2

  1. Rules
    • Best practices for writing rules
    • Creating and enabling rules
    • Using regular expression in rules
    • Helix Analytics
    • Multi-stage rules
  2. Initial Alerts
    • Helix Alerts
    • Guided Investigations
    • FireEye Endpoint Security Alerts
    • Triage with Triage Summary
    • FireEye Network Security Alerts
    • Identifying forensic artifacts in the OS Change detail
    • Mapping artifacts in an alert to host activity
  3. FireEye Intelligence Portal
    • Intelligence Context in Helix
    • Analysis Tools
  4. Helix Case Management
    • Creating a case in Helix
    • Adding events to a case
    • Case workflow

Day 3

  1. Threats and Malware Trends
    • Threat Landscape
    • Attack Motivations
    • Targeted Attack Lifecycle
    • Emerging Threat Actors
  2. Using Audit Viewer and Redline
    • Access triage and data collections for hosts.
    • Navigate a triage collection or acquisition using Redline® or Audit Viewer
    • • Apply tags and comments to a triage collection to identify key events
  3. Windows Telemetry and Acquisitions
    • Live Forensic Overview
    • Windows Telemetry:
      • Memory Artifacts
      • System Information
      • Processes
      • File System
      • Configuration Files
      • Services
      • Scheduled Tasks
      • Logging
    • Acquiring Data

Optional Content
Endpoint Security: Extended Capabilities

  • FireEye Market
  • Endpoint Security Modules
  • HXTool

Day 4

  1. Investigation Methodology
    • Areas of Evidence
    • MITRE ATT&CK Framework
    • Mapping evidence to Attacker Activity

Optional Content
Endpoint Security: Extended Capabilities

  • Open IOC Editor
  • Endpoint Security REST API