This course examines how to triage alerts generated by the Trellix Network Security and Endpoint Security (HX) platforms, derive actionable information from those alerts, and inspect affected endpoints using live analysis and investigation fundamentals. Hands-on activities span the entire analysis and live investigation process, beginning with a Trellix-generated alert and leading to discovery and analysis of the host for evidence of malware and other unwanted intrusion. Endpoint analysis focuses on investigation techniques using features of Endpoint Security (HX), such as the Triage Summary, Audit Viewer, and Acquisitions.
Duration: 4 Days
Delivery: Online and onsite
Price: Price Upon Request
- Recognize current malware threats and trends
- Interpret alerts from Network Security and Endpoint Security (HX) products
- Locate and use critical information in Trellix alerts to assess a potential threat
- Define indicators of compromise based on an alert and identify compromised hosts
- Describe methods of live analysis
- Create and request data acquisitions to conduct an investigation
- Define common characteristics of Windows processes and services
- Investigate a data collection from Endpoint Security (HX) using a defined methodology
- Identify malicious activity hidden among common Windows events
Day 1
Threats and Malware Trends
- Threat landscape
- Attack motivations
- MITRE ATT&CK framework
- Emerging threat actors
Initial Alerts
- Endpoint Security (HX) alerts
- Triage with Triage Summary
- Network Security alerts
- Identifying forensic artifacts in the OS Change Detail
MVX Alerts
- Trellix alert types
- Identifying forensic artifacts in the OS Change Detail
- Callbacks
- SmartVision
- Threat assessment
Day 2
Using Audit Viewer and Redline®
- Access triage and data collections for hosts
- Navigate a triage collection or acquisition using Redline® or Audit Viewer
- Apply tags and comments to a triage collection to identify key events
Windows Telemetry and Acquisitions
- Live forensic overview
- Windows telemetry
- Acquiring data
Day 3
Acquisitions
- Triage and real-time events
- Live system acquisitions
- Bulk acquisitions
- Endpoint Security (HX) REST API
Modules
- Administration
- Detection and protection
- Response
Day 4
Investigation Methodology
- MITRE ATT&CK framework
- Mapping evidence to attacker activity
Capstone: Capture the Flag (CTF)
This course is intended for security analysts, incident responders, and threat hunters who use Network Security or Endpoint Security (HX) to detect, investigate, and prevent cyber threats.
Students taking this course should have a working knowledge of Windows operating systems, networking and network security, the Windows file system and registry, and regular expressions, as well as experience scripting in Python.