Visão Geral

O Curso FireEye Helix, abrange o fluxo de trabalho do Helix, desde a triagem de alertas do Helix, criação e escopo de casos e uso de ferramentas Helix e Endpoint Security para conduzir pesquisas investigativas em toda a empresa.

Objetivo

Ao participar do Curso FireEye Helix, você será capaz de:

• Identifique os componentes necessários para implantar o Helix
• Determinar quais fontes de dados são mais úteis para detecção e investigação do Helix
• Localize e use informações críticas em um alerta Helix para avaliar uma ameaça potencial
• Alterne confortavelmente entre o console da web Helix e outras interfaces FireEye
• Validar alertas de segurança de rede e segurança de endpoint
• Use recursos especializados de Segurança de Rede e Segurança de Endpoint para investigar e responder a ameaças potenciais em sistemas empresariais e endpoints

Publico Alvo

• Membros da equipe de resposta a incidentes, caçadores de ameaças e profissionais de segurança da informação.

Pre-Requisitos

• Conhecimento prático de rede e segurança de rede, sistema operacional Windows, sistema de arquivos, registro e uso da CLI.

Materiais

Conteúdo Programatico

Helix Overview and Architecture

1. Helix Web UI
2. Helix workflow
3. Helix Architecture
4. 3rd party data sources
5. FireEye technologies stack
6. Cloud integrations

Helix Fundamentals

1. Features and capabilities
2. Searching and pivoting
3. Event parsing
4. Custom dashboards

Search and MQL (Mandiant Query Language)

1. Searchable fields
2. Anatomy of an MQL search
3. MQL search, directories, and transform clauses

Deployment and IAM

1. User Management
2. Role-based Access
3. Deployment scenarios
4. Configuring 3rd party event collection

Rules & Lists

1. Best practices for writing rules
2. Creating and enabling rules
3. Creating and using lists
4. Using regular expression in rules
5. Multi-stage rules

Initial Alerts

1. Helix Alerts
2. Guided Investigations
3. Network Security Alerts
4. MVX engine
5. Endpoint Security Alerts
6. Triage with Triage Summary
7. Run searches across all hosts in the enterprise

FireEye iSight Intelligence Portal

1. Intelligence Context in Helix
2. Analysis Tools

Case Management

1. Creating a case in Helix
2. Adding events to a case
3. Case workflow

Data Source Selection and the Mandiant Attack Lifecycle

1. Data sources for detection and investigation
2. Attack models to frame data source selection
3. Using the Mandiant Attack Framework
4. Mapping attacker activity to the stages of an APT attack

Knowing Your Operating System

1. Common system processes and attributes
2. Identifying malicious processes
3. Windows Registry
4. Services and Tasks
5. Windows Event Logs
6. Audit Viewer and Redline

Data Acquisitions

1. Acquiring data using Endpoint Security
2. Redline collections
3. Other acquisition methods, such as PowerShell
4. Locations of evidence as they map to the Mandiant Attack Lifecycle

Investigation Methodology

1. Areas of Evidence
2. MITRE ATT&CK
3. Mapping evidence to Attacker Activity

Using Redline

1. Access triage collections for hosts for offline analysis
2. Navigate a data acquisition using Redline®
3. Apply tags and comments

Using Audit Viewer

1. Navigate a data acquisition using Audit Viewer
2. Apply tags and comments

Endpoint Security: Extended Capabiities

1. FireEye Market
2. Open IOC Editor
3. HXTool
4. Endpoint Security REST API