FireEye Helix

This primer on FireEye Helix covers the Helix workflow, from triaging Helix alerts, creating and scoping cases and using Helix and Endpoint Security tools to conduct investigative searches across the enterprise. Hands-on activities include writing MQL searches as well as analyzing and validating Helix, Network Security and Endpoint Security alerts.

Learning Objectives

After completing this course, learners should be able to:

  • Identify the components needed to deploy Helix
  • Determine which data sources are most useful for Helix detection and investigation
  • Search log events across the enterprise
  • Locate and use critical information in a Helix alert to assess a potential threat
  • Pivot between the Helix web console and FireEye Network and Endpoint Security platforms
  • Validate Network Security and Endpoint Security alerts
  • Use specialized features of Network Security and Endpoint Security to investigate and respond to potential threats across enterprise systems and endpoints
  • Actively hunt for unknown attackers

Who Should Attend

Incident response team members, threat hunters and information security professionals.


Completion of three FireEye web-based training courses prior to the instructor-led portion of the course: Network Security for Helix, Central Management for Helix, Endpoint Security for Helix. Details on these courses will be provided to registrants of the FireEye Helix instructor-led training course. Students should have a working understanding of networking and network security, the Windows operating system, file system, registry, and use of the CLI.


4.5 days

Instructor-Led Training Instructor-Led Training

Courses cannot be purchased or accessed from this site.

If you would like to register for this course, please contact your FireEye account manager.

Thank you.

Course Outline

Instructor-led sessions are typically a blend of lecture and hands-on lab activities.

E-Learning Modules

To be completed prior to Day 1 of instructor-led class sessions

Network Security (NX) for Helix
Estimated duration: 40 minutes

  • Appliance Introduction
  • Threat Management
  • FireEye NX series Platform with IPS Features

Central Management (CM) for Helix 
Estimated duration: 30 minutes

  • Appliance Introduction
  • CM Threat Management

FireEye Endpoint Security (HX) for Helix
Estimated duration: 60 minutes

  • HX Appliance Introduction
  • Deployment
  • Threat Management
  • Containment
  • Searches and Acquisitions
Day 1
  1. Helix Overview
    • The changing threat landscape
    • Challenges with contemporary security operations
    • Helix Web UI
    • Helix workflow
  2. Helix Architecture
    • Cloud Collector; event ingestion from logs
    • FireEye technologies stack
    • Amazon Web Services and Helix
    • Deployment scenarios
  3. Identity and Access Management (IAM)
    • Single-sign on options
    • User management and role-based access
    • IAM enrollment
    • Helix settings
  4. Helix Fundamentals
    • Features and capabilities
    • Searching and pivoting
    • Event parsing
    • Custom dashboards
  5. Data Source Selection
    • Data sources for detection and investigation
    • Attack models to frame data source selection
    • Mandiant Attack Model
    • Silent log detection
Day 2
  1. Search and MQL (Mandiant Query Language)
    • Searchable fields
    • Anatomy of an MQL search
    • MQL search, directive, and transform clauses
  2. Rules & Lists
    • Best practices for writing rules
    • Creating and enabling rules
    • Creating and using lists
    • Using regular expression in rules
    • Multi-stage rules
  3. Alerts
    • Alerting
    • Alert Components
    • Guided Investigations
  4. FireEye iSight Intelligence Portal
    • Intelligence Context in Helix
    • Analysis Tools
  5. FireEye Core Technology
    • Malware infection cycle
    • MVX engine
    • Appliance analysis phases
  6. NX Alerts and Threat Management
    • Pivoting to NX alerts from Helix
    • Alert types
    • Managing alerts
Day 3
  1. Web Infections & Exploits
    • Web Infection alerts
    • Honey binary
    • Second-stage payloads
  2. Malware Objects
    • Malware Object alerts
    • MVX engine binary analysis of files
    • Tracing downloads through HTTP headers
    • Determine origin of the malware object downloaded
  3. Callbacks
    • Malware Callback alerts
    • Domain Match alerts
    • Encoded traffic
  4. Case Study: Backdoor.Netwire
    • OS Change detail
    • Windows API
    • Windows registry
    • Code injection
    • Alternate data streams
    • Auto-run behavior
    • Driver loading
    • User Account Control
Day 4
  1. Endpoint Alerts and HX Threat Management
    • Pivoting to HX alerts from Helix
    • HX intelligence (indicators)
    • HX alerts
    • Triage with Triage Summary
    • Acquire files, triage packages, other built-in acquisitions from hosts
    • Run searches across all hosts in the enterprise
  2. Knowing Normal for Windows
    • Common Windows system processes
    • Identifying malicious processes
  3. Investigation Methodology for endpoint alerts
    • Defining hypothesis
    • Validating an alert
    • Pivoting and expanding the scope of investigation
    • Identifying network activity
    • Tracking processes
    • Identifying human-driven activity
  4. Data Acquisitions with HX
    • Customizing and creating data acquisition to conduct investigations
    • Requesting data acquisitions from a host
Day 5

The final day of training is a half-day.

  1. Helix Case Management
    • Creating a case in Helix
    • Adding events to a case
    • Case workflow
  2. Validating Alerts
    • Building context for cases
    • Pivoting and expanding the scope of investigation
  3. Helix Management
    • Identity and Access Management (IAM) single-sign on (SSO)
    • User management and role-based access
    • IAM enrollment
    • Helix settings
  4. Hunting
    • Begin to craft more complex Helix queries
    • Proactively hunt for evil without relying on alerts