FireEye Helix

This four and a half-day entry-level primer on FireEye Helix covers the Helix workflow, from triaging Helix alerts, creating and scoping cases and using Helix and Endpoint Security tools to conduct investigative searches across the enterprise. Hands-on activities include writing MQL searches as well as analyzing and validating Helix, Network Security and Endpoint Security alerts.

Learning Objectives

After completing this course, learners should be able to:

  • Identify the components needed to deploy Helix
  • Determine which data sources are most useful for Helix detection and investigation
  • Locate and use critical information in a Helix alert to assess a potential threat
  • Comfortably switch between the Helix web console to other FireEye interfaces
  • Validate Network Security and Endpoint Security alerts
  • Use specialized features of Network Security and Endpoint Security to investigate and respond to potential threats across enterprise systems and endpoints
  • Create and request data acquisitions to conduct an investigation
  • Investigate a Redline triage collection using a defined methodology
  • Identify malicious activity hidden among common Windows events
  • Actively hunt for unknown attackers

Who Should Attend

Incident response team members, threat hunters and information security professionals.


Completion of three FireEye web-based training courses prior to the instructor-led portion of the course: Network Security for Helix, Central Management for Helix, Endpoint Security for Helix. Details on these courses will be provided to registrants of the FireEye Helix instructor-led training course. Students should have a working understanding of networking and network security, the Windows operating system, file system, registry, and use of the CLI.


4.5 days

Instructor-Led Training Instructor-Led Training

Courses cannot be purchased or accessed from this site.

If you would like to register for this course, please contact your FireEye account manager.

Thank you.

Course Outline

Instructor-led sessions are typically a blend of lecture and hands-on lab activities.

E-Learning Modules

To be completed prior to Day 1 of instructor-led class sessions

Network Security (NX) for Helix
Estimated duration: 40 minutes

  • Appliance Introduction
  • Threat Management
  • FireEye NX series Platform with IPS Features

Central Management (CM) for Helix 
Estimated duration: 30 minutes

  • Appliance Introduction
  • CM Threat Management

FireEye Endpoint Security (HX) for Helix
Estimated duration: 60 minutes

  • HX Appliance Introduction
  • Deployment
  • Threat Management
  • Containment
  • Searches and Acquisitions

Day 1

  1. Helix Overview and Architecture
    • Helix Web UI
    • Helix workflow
    • Helix Architecture
    • 3rd party event collection
    • FireEye technologies stack
    • Cloud integrations
    • User management and role-based access via IAM
  2. Helix Fundamentals
    • Features and capabilities
    • Searching and pivoting
    • Event parsing
    • Custom dashboards
  3. Search and MQL (Mandiant Query Language)
    • Searchable fields
    • Anatomy of an MQL search
    • MQL search, directories, and transform clauses

Day 2

  1. Rules & Lists
    • Best practices for writing rules
    • Creating and enabling rules 
    • Creating and using lists
    • Using regular expression in rules
    • Multi-stage rules
  2. Initial Alerts
    • Helix Alerts
    • Guided Investigations
    • Network Security Alerts
    • Using regular expression in rules
    • MVX engine
    • Endpoint Security Alerts
    • Triage with Triage Summary
    • Run searches across all hosts in the enterprise
  3. OS Change Detail
    • API's
    • File and folder actions 
    • Processes
    • Windows Registry events 
    • Network access 
    • User Account Access (UAC)
  4. Network Security Alert Types
    • Web Infection alerts
    • Identifying 2nd-stage payloads
    • Malware Object alerts
    • Tracing downloads 
    • Determine origin of the malware object downloaded
    • Malware Callback alerts
    • Encoded and encrypted traffic 
    • Triaging hosts with alerts

Day 3

  1. FireEye Intelligence
    • Intelligence Context in Helix
    • Analysis Tools in the FireEye Intelligence Portal
  2. Helix Case Management
    • Creating a case in Helix
    • Adding events to a case
    • Case workflow
  3. Data Source Selection and the Mandiant Attack Lifecycle
    • Data sources for detection and investigation
    • Attack models to frame data source selection
    • Mandiant Attack Model
  4. Knowing Your Operating System
    • Navigate evidence acquired by Endpoint Security
    • Identify characteristics of malicious processes
    • Identify suspicious files
    • Alternate Data Streams (ADS)
    • Alternate data streams
    • Windows Prefetch 
    • Windows Registry
    • Services

Day 4

  1. Data Acquisitions with HX
    • Customizing and creating data acquisition to conduct investigations
    • Acquire files, triage packages, other built-in acquisitions from hosts
  2. Investigation Methodology for endpoint alerts
    • Areas of Evidence
    • Mapping artifacts to attacker activity
      • Initial Compromise
      •  Establish Foothold
      • Escalate Privileges
      • Internal Recon
      • Move Laterally
      • Maintain Presence
      • Complete Mission
    • Timeline and reporting

Day 5

The final day of training is a half-day.

  1. Introduction to Hunting
    • Begin to craft more complex Helix queries
    • Proactively hunt for evil without relying on alerts

 Optional Content:

  • Audit Viewer
  • Using Redline
  • FireEye Endpoint Security Extended Capabilities
    • HXTool
    • Endpoint Security API
    • FireEye Market Tools
  • Registry Keys of Interest