Investigations with FireEye Endpoint Security

This course covers the fundamentals of live analysis forensics and investigation for endpoints.

Hands-on activities span the entire forensics process, beginning with a FireEye-generated alert, leading to discovery and analysis of the host for evidence of malware and other unwanted intrusion. Analysis of computer systems will be performed using FireEye products and freely available tools.

For FireEye Endpoint Security customers, activities focus on investigation techniques using features such as the Triage Summary and Audit Viewer. Optionally, students can work with the API to automate actions and explore integrating FireEye Endpoint Security with other systems.

Learning Objectives

After completing this course, learners should be able to:

  • Describe methods of live analysis
  • Use core analyst features of Endpoint Security such as alerting, enterprise search, and containing endpoints
  • Demonstrate the ability to plan, execute and report on digital forensic examination
  • Investigate a Redline triage package using a defined methodology
  • Validate and provide further context for FireEye alerts
  • Identify malicious activity hidden among common Windows events

Who Should Attend

Network security professionals and incident responders who must use FireEye Endpoint Security to investigate, identify and stop cyber threats.


A working understanding of networking and network security, the Windows operating system, file system, registry and regular expressions, and experience scripting in Python.

Recommended Pre-Training 

Endpoint Security Deployment eLearning


2 days

Instructor-Led Training Instructor-Led Training

Some courses can be purchased from this site; refer to our public training schedule for more information.

For all other courses, or to arrange a private training session, please contact your FireEye account manager.

Thank you.

Course Outline

Instructor-led sessions are typically a blend of lecture and hands-on lab activities.

Day 1

  1. Threats and Malware Trends
    • Threat Landscape
    • Attack Motivations
    • Targeted Attack Lifecycle
    • Emerging Threat Actors
  2. Initial Alerts
    • FireEye Endpoint Security Alerts
    • Triage and Triage Summary
    • FireEye Network Security Alerts
    • Identifying forensic artifacts in the OS Change detail
    • Mapping artifacts in an alert to host activity
  3. Using Audit Viewer and Redline
    • Access triage and data collections for hosts
    • Navigate a triage collection or acquisition using Redline® or Audit Viewer
    • Apply tags and comments to a triage collection to identify key events


  1. Windows Telemetry and Acquisitions
    • Live Forensic Overview
    • Windows Telemetry:
      • Memory Artifacts
      • System Information
      • Processes
      • File System
      • Configuration Files
      • Services
      • Scheduled Tasks
      • Logging
    • Acquiring Data

Optional Content

  1. Endpoint Security: Extended Capabilities
    • FireEye Market
    • Endpoint Security Modules
    • HXTool

Day 2

  1. Investigation Methodology
    • Areas of Evidence
    • MITRE ATT&CK Framework
    • Mapping evidence to Attacker Activity

Optional Content

  1. Endpoint Security: Extended Capabilities
    • Open IOC Editor
    • Endpoint Security REST API