Investigations with Endpoint Security (HX)

This course covers the fundamentals of live analysis forensics and investigation for endpoints.

Hands-on activities span the entire forensics process, beginning with a FireEye-generated alert, leading to discovery and analysis of the host for evidence of malware and other unwanted intrusion. Analysis of computer systems will be performed using FireEye products and freely available tools.

For FireEye Endpoint Security (HX) customers, activities focus on investigation techniques using HX features such as the Triage Summary and Audit Viewer. Optionally, students can work with the HX API to automate actions and explore integrating HX with other systems.

Learning Objectives

After completing this course, learners should be able to:

  • Describe methods of live analysis
  • Demonstrate the ability to plan, execute and report on a digital forensic examination
  • Investigate a Redline triage package using a defined methodology
  • Validate and provide further context for FireEye alerts
  • Identify malicious activity hidden among common Windows events

Who Should Attend

Network security professionals and incident responders who must use FireEye Endpoint Security to investigate, identify and stop cyber threats.


Completion of the Endpoint Security Deployment course. A working understanding of networking and network security, the Windows operating system, file system, registry and regular expressions, and experience scripting in Python.


2 days

Instructor-Led Training Instructor-Led Training

Courses cannot be purchased or accessed from this site.

If you would like to register for this course, please contact your FireEye account manager.

Thank you.

Course Outline

Instructor-led sessions are typically a blend of lecture and hands-on lab activities.

Day 1
  1. Endpoint Security: Threat Detection
    • Threat sources & indicators
    • Appliance integration
    • Alerts
    • Triage with Triage Summary
    • Acquire files, triage packages, other built-in acquisitions from hosts
    • Run searches across all hosts in the enterprise
  2. Knowing Normal Across Your Environment
    • Common system processes and attributes
    • Identifying malicious processes
    • Audit Viewer and Redline
  3. FireEye Source Alerts and Integration
    • Identifying forensic artifacts in the OS Change detail
    • Mapping artifacts to actual events recorded by the agent
    • Pcap analysis
  4. Data Acquisitions
    • Acquiring data using Endpoint Security
    • Redline collections
    • Other acquisition methods, such as Powershell
    • Locations of evidence as they map to the Mandiant Attack Lifecycle
Day 2
  1. Investigation Methodology
    • Defining hypothesis from an alert
    • Validating an alert
    • Pivoting and expanding the scope of investigation
    • Identifying network activity
    • Tracking processes
    • Identifying human-driven activity
    • Documenting findings
  2. Memory Analysis
    • Collating evidence
    • Memory Analysis
Optional Content
    • Conditions, indicators, and alerts
    • Containment requests
    • File acquisitions
    • Scripts
  2. Legal and Ethical Principles
    • What is Forensics?
    • Overview of the legal requirements and authority to proceed