Training Overview
This three-day training examines how to triage alerts generated by Trellix Network Security, derive actionable information from those alerts, & apply the fundamentals of live analysis & investigation to investigate associated endpoints.
Duration: 3 days
Prerequisites
A working understanding of networking & network security, the Windows operating system, file system, registry & regular expressions, & experience scripting in Python.
Audience Profile
Security analysts, incident responders, & network security professionals who use Trellix Network Security to detect, investigate, & prevent cyber threats
Learning Objectives:
After completing this training, learners should be able to:
- Recognize current malware threats & trends
- Interpret alerts from Network Security & Endpoint Security (HX) products
- Locate & use critical information in Trellix alerts to assess a potential threat
- Define indicators of compromise based on an alert & identify compromised hosts
- Describe methods of live analysis
- Create & request data acquisitions to conduct an investigation
- Define common characteristics of Windows processes & services
- Investigate a Redline® triage collection using a defined methodology
- Identify malicious activity hidden among common Windows events
- Validate & provide further context for alerts using Redline®
Content Outline
1. Threats & Malware Trends
- Threat landscape
- Attack motivations
- MITRE ATT&CK framework
- Emerging threat actors
2. Initial Alerts
- Endpoint Security (HX) alerts
- Triage with Triage Summary
- Network Security Alerts
- Identifying forensic artifacts in the OS Change Detail
3. MVX Alerts
- Trellix alert types
- Identifying forensic artifacts in the OS Change Detail
- Callbacks
- SmartVision
- Threat assessment
1. Using Audit Viewer & Redline®
- Access triage & data collection for hosts
- Navigate a triage collection or acquisition using Redline® or Audit Viewer
- Apply tags & comments to a triage collection to identify key events
2. Windows Telemetry & Acquisitions
- Live forensic overview
- Windows telemetry
– Memory artifacts
– System information
– Processes
– File system
– Configuration files
– Services
– Scheduled tasks
– Logging
- Acquiring data
1. Investigation Methodology
- Areas of Evidence
- MITRE ATT&CK framework
- Mapping Evidence of attacker activity
– Evidence of initial compromise
– Evidence of persistence
– Evidence of lateral movement
– Evidence of internal reconnaissance
– Evidence of data exfiltration
2. Capstone: Capture the Flag (CTF)
FAQs
This three-day training examines how to triage alerts generated by Trellix Network Security, derive actionable information from those alerts, & apply the fundamentals of live analysis & investigation to investigate associated endpoints.
Endpoint Detection & Response (EDR), also referred to as endpoint detection & threat response (EDTR), is an endpoint security solution that continuously monitors end user devices to detect & respond to cyber threats like ransomware & malware.
Security analysts, incident responders, & network security professionals who use Trellix Network Security to detect, investigate, & prevent cyber threats
Yes, you can.
We use the best standards in Internet security. Any data retained isn't shared with third parties
It is recommended but not mandatory. Being acquainted with the primary training material will enable professionals & the trainer to move at the desired pace during classes. You can access training for most vendors
You can buy online from the page by clicking on "Buy Now". You can view alternate payment methods on the payment options page.
Yes, professionals can pay from the training page.
The training completion certification will be awarded to all the professionals who've completed the training program & the project assignment given by your instructor. You may use the certificate in your future job interviews will surely help you to l& your dream job.