
Trellix Helix Demo Guide

Command of the Demo (CoD) format

Q2 2022

1
Trellix Helix Demo Guide

CONTENTS

Read Before You Demo ... 4
Demo Script Introduction ... 5
Architecture ... 5
Sample Agenda ... 6
Customer Challenges ... 7
Introducing Trellix XDR to Help Frame The Demo ... 8
Deliver The “Initial Visual Demo Map” (IVDM) In PowerPoint ... 9
Deliver The "X" “Opening Tell (OT)” In PowerPoint ... 10
"X" "Show" ... 11
"X" "Show" ... 12
"X" "Show" ... 13
"X" "Show" ... 14
"X" "Show" ... 15
Deliver The "X" “Closing Tell” (CT) In PowerPoint ... 16
Deliver The "D" “Opening Tell” (OT) In PowerPoint ... 17
"D" "Show" ... 18
"D" "Show" ... 19
"D" "Show" ... 20
"D" "Show" ... 21
"D" "Show" ... 22
"D" "Show" ... 23
"D" "Show" ... 24
"D" "Show" ... 25
"D" "Show" ... 26
"D" "Show" ... 27
"D" "Show" ... 28
"D" "Show" ... 29
"D" "Show" ... 30
Deliver The "D" “Closing Tell” (CT) In PowerPoint ... 31
Deliver The "R" “Opening Tell” (OT) In PowerPoint ... 32
"R" "Show" ... 33
"R" "Show" ... 34
"R" "Show" ... 35
"R" "Show" ... 36
"R" "Show" ... 37
Deliver The "R" “Closing Tell” (CT) In PowerPoint ... 38
Demo Instructions Page ... 39
Deliver The "R" “Opening Tell” (OT) In PowerPoint ... 40
"R" "Show" ... 41
"R" "Show" ... 42
"R" "Show" ... 43
"R" "Show" ... 44
"R" "Show" ... 45
"R" "Show" ... 46
Deliver The "R" “Closing Tell” (CT) In PowerPoint ... 47
Deliver The Final Visual Demo Map (FVDM) In PowerPoint ... 48
Demo Close - Final Questions


READ BEFORE YOU DEMO

The slide on this page is not meant to be shared with the Customer.

At a high level, there are a total of 4 Demo Scenes.

Scenes 1-3 cover the core Helix use cases and should always be delivered.

Scene 4 is centered around more advanced use cases, including hunting and custom rule creation. This scene is optional, as not all of our Customers or Prospects have this need.

So, based on your initial discussions with the Customer, you may opt to demo only scenes 1-3, or opt to add on scene 4.

For the purposes of this exercise, we will show all scenes 1-4.

Ok, now that we have that out of the way, let's jump into our Customer meeting.


DEMO SCRIPT INTRODUCTION

Let’s take a moment to talk about what you’re about to see and what we will go over.

The first demo scenario (Tell-Show-Tell, T-S-T 1) demonstrates how Helix is used to extend your team's Detection & Response capabilities from a single focus like Endpoint, gathered from an EDR technology, and apply this across ALL threat vectors (Endpoint, Network, Email and Cloud) to protect against today's multi-vector attacks.

The next section (T-S-T 2) demonstrates Detection and shows how Helix correlates and prioritizes threats and allows you to connect the dots. It provides the necessary context to help you quickly understand what happened, what assets were involved, and the true risk to your environment.

Finally, we'll close out with Response (T-S-T 3), showcasing automated response actions like quarantining a system or cloud workload, or even disabling a user, to mitigate the threat. And we'll do this all from a Single Unified Platform.

ARCHITECTURE

The link below points you to the Helix Enterprise Instance for the demo, Helix Demo 3 (prod). Eventually, the Threats preview will move to full release, and all of the demo instances will have the same demo capability.


SAMPLE AGENDA

Sample Script

Thanks Mr. Customer, we appreciate your time today. Here's the agenda we'll cover. We'll start off with a quick recap of
the Challenges you shared with us and introduce our Trellix XDR Platform, Helix, and then spend the bulk of our time in
the demo showing the platform in action.

Feel free to ask questions throughout.


CUSTOMER CHALLENGES

Sample Script

So, we heard on our last call…

Your team is struggling around correlating and prioritizing alerts from multiple disparate technologies and you're also
looking to automate as much of the response process as possible to speed things up and allow your analysts to be more
efficient.


INTRODUCING TRELLIX XDR TO HELP FRAME THE DEMO

Sample Script

Helix connects all of Trellix’s technologies and expertise together for a seamless analyst experience, providing customers with detection across endpoint, network, cloud, and email in a single place.

Our flexible XDR platform also easily integrates a broad range of third-party security tools, allowing you to tailor the solution mix to your strategy, with the freedom to use some, or all, of the Trellix products to take advantage of Helix.

The Helix platform has been designed to address these very challenges.

It’s a unified platform arming security operations teams with comprehensive protection across all threat vectors, and smart automation to accelerate their response capabilities and simplify investigations.

It's also important to note that the platform supports both Trellix products and a broad range of third-party security tools. This allows you to tailor the solution mix to support your solutioning strategy, with the freedom to choose any combination of Trellix products to work smoothly with your third-party security solutions.


DELIVER THE “INITIAL VISUAL DEMO MAP” (IVDM) IN POWERPOINT

Before you start showing the actual demo in Crossfire, be sure to deliver the “Initial Visual Demo Map” (IVDM) for the demo session. Usually, an IVDM should take < 2 minutes to deliver and should, in a few sentences, tell the audience what they’ll be seeing during the demo and how long the demo should take to complete.

Please note: Describe as customer use cases - NOT PRODUCT FEATURES.

Here is an example of what an IVDM might look like for a Helix demo:

Navigation

Delivered in PowerPoint, before switching over to the Crossfire environment.

Command of the Demo Instructions:

End of the Command of the Demo Instructions.

Sample Script

Ok, now let's setup this demo.

Over the next 20 minutes, we will walk you through a few demo use cases that, if implemented, will help address the challenges that you shared with us.

We'll start out with the platform's extended coverage, extending your team's Detection & Response capabilities from a single focus like Endpoint, gathered from an EDR technology, and applying this across ALL threat vectors (Endpoint, Network, Email and Cloud) to protect against today's multi-vector attacks.

Next, we'll cover Detection, and how Helix correlates and prioritizes threats, allows you to connect the dots, and provides the necessary context to quickly understand what happened, what assets were involved, and the true risk to your environment.

Finally, we'll close out with Response, showcasing automated response actions that your team may leverage to minimize the impact of a breach. This includes things like quarantining a system or cloud workload, or even disabling a user, to mitigate the threat.

And we'll do this all from a Single Unified Platform.


DELIVER THE "X" “OPENING TELL (OT)” IN POWERPOINT

Before you start showing the actual demo in Crossfire, be sure to deliver the “Opening Tell” (OT) for this T-S-T Loop. Usually, an OT should take < 30 seconds to deliver and should, in a few sentences, tell the audience what they’ll be seeing in this part of the demo (use cases - NOT PRODUCT FEATURES).

Here is an example of an Opening Tell for this kind of Tell-Show-Tell Loop.

Navigation

Delivered in PowerPoint, before switching over to the Crossfire environment.

Command of the Demo Instructions:

What is this? This slide is the Opening Tell for the “X” T-S-T Loop.

The purpose: Provide the audience with a high-level introduction to the specific use case we will be showing during this part of the demo.

End of the Command of the Demo Instructions.

Sample Script

Let’s get into our first scene, where we will showcase our extended coverage, which helps enable our detection and response capabilities. We’ll touch on coverage across ALL threat vectors, including Trellix products as well as third-party technologies via Cloud Connect. We’ll be correlating disparate events from multiple tools into actionable investigations and using our risk scoring to prioritize investigations. This will help us assess the scope of security events. Alright, let’s take a look.

NOTE: The correlated threat is located in Helix Demo 3. Keep in mind that over time the threat data may become unavailable, but other examples will exist in the environment to provide the demo experience.

Please contact FATE if you do not have permissions to this instance: https://apps.fireeye.com/helix/id/hexzsq689/


"X" "SHOW"
Navigation:

Helix Instance – Demo 3

Start on the summary dashboard, talk through the elements, and use the script below to help.

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “X” T-S-T Loop.

The purpose: Provide the audience with a demo for the “X” use case.

End of the Command of the Demo Instructions.

Sample Script

So, we’re going to want to start on our summary dashboard page here and look at a few things. We can see the
Alerts and Asset-Based Alert Correlations, as well as our risk score which will give us a high-level view on our
security posture. Scrolling down we will see the Uncontained Cases, Indexed Events and Event Classes.

We’ll want to scroll down and focus on the Event Classes section which provides a view of the input to Helix. We
can see in this case that we have multiple events being ingested including Endpoint, Network, Threat Intel as well
as many others.


"X" "SHOW"
Navigation:

You’ll want to navigate over to CloudConnect. Click the Configure dropdown and then select Cloud Connect. Click “Add Cloud Connection” to get the view in the example on the left.

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “X” T-S-T Loop.

The purpose: Provide the audience with a demo for the “X” use case.

End of the Command of the Demo Instructions.

Sample Script

We are also utilizing CloudConnect to pull in additional third-party sources to increase our visibility.

You’ll want to navigate over to CloudConnect which will bring up all of the available integrations we can highlight
that will benefit our customers.

Right now, we have 102 native integrations with new sources being added constantly.

NOTE: It helps the flow of your demo if you have this pulled up in a new tab already, so you do not have to wait
for it to pop-up and load.


"X" "SHOW"
Navigation:

Back on the Helix page, select the Dashboards dropdown, then Threats (Preview).

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “X” T-S-T Loop.

The purpose: Provide the audience with a demo for the “X” use case.

End of the Command of the Demo Instructions.

Sample Script

Now that we have an idea of our data sources and why they are important let’s look at the risk scoring using the
context card.


"X" "SHOW"
Navigation:

You can hover over each of the threat scores to show this extended information.

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “X” T-S-T Loop.

The purpose: Provide the audience with a demo for the “X” use case.

End of the Command of the Demo Instructions.

Sample Script

We can hover over a threat, which immediately provides us with some very rich information. This alert has a critical risk score of 665, and the red color indicates the severity as well. There are 16 unique alerts that were pulled into this correlated threat, and our threat intelligence indicates with confidence that this activity is malicious.


"X" "SHOW"
Navigation:

You can hover over the affected asset icons to show this extended information.

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “X” T-S-T Loop.

The purpose: Provide the audience with a demo for the “X” use case.

End of the Command of the Demo Instructions.

Sample Script

We can hover over the affected assets, as well as see if there were some response actions that were already
taken for us.


DELIVER THE "X" “CLOSING TELL” (CT) IN POWERPOINT

When you complete the demo “show” for this T-S-T Loop in Crossfire, be sure to switch back to PowerPoint to deliver the “Closing Tell” (CT). Usually, a Closing Tell should take < 1 minute to deliver and should, in a few sentences, describe the operational benefits of what they just saw (rather than simply recapping what they just saw).

This is also known as the “so what” slide!

Operational Benefits Examples: “So you can…” or “Alright, so what does all this mean to you? What we just saw will help you…”

• Improve SOC analyst’s efficiency
• Increase ability to…
• Reduce false positives
• Reduce number of tools needed…
• Minimize wasted time
• Mitigate risk associated with…

Here is an example of what a “closing tell” for this Tell-Show-Tell Loop might look like.

Navigation:

Delivered in PowerPoint, after switching back from the Crossfire environment.

Command of the Demo Instructions:

End of the Command of the Demo Instructions.

Sample Script

So, what does this mean to you, and why does it matter? By extending our coverage, correlating disparate events and providing risk scoring to prioritize investigations, this will help us with the following. We’ll be able to:
• highlight and reduce our overall risk
• improve prioritization and protection
• optimize the deployment mix to meet our needs in a flexible manner


DELIVER THE "D" “OPENING TELL” (OT) IN POWERPOINT

If you’ve just completed your “Closing Tell” for the previous T-S-T Loop, be sure to stay in PowerPoint to deliver the “Opening Tell” for this T-S-T Loop. After delivering the OT, switch back into Crossfire to show the actual demo. Usually, an OT should take < 30 seconds to deliver and should, in a few sentences, tell the audience what they’ll be seeing in this part of the demo (use cases - NOT PRODUCT FEATURES). Opening Tell examples for this Tell-Show-Tell Loop might include the following:

Navigation

Delivered in PowerPoint, before switching back into the Crossfire environment.

Command of the Demo Instructions:

End of the Command of the Demo Instructions.

Sample Script

Now that we have broad coverage into our security landscape let’s build on that by showing your team world
class detection capabilities. In this use case, we will:

• Use threat analytics which will correlate and prioritize disparate events into actionable investigations
• Help your team to quickly connect the dots across all your threat vectors

Which will give your team situational awareness and help them with root cause analysis.


"D" "SHOW"
Navigation:

Pick a threat in advance to demo. You can use the above threat by searching for its ID or replacing it in a URL. The direct link is below:

https://apps.fireeye.com/helix/id/hexzsq689/threats/28044/overview?threat_type=correlation_group

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “D” T-S-T Loop.

The purpose: Provide the audience with a demo for the “D” use case.

End of the Command of the Demo Instructions.

Sample Script

<<No Script, this is picking and preparing an alert you are going to demo on in the following slides>>


"D" "SHOW"
Navigation:

Hover over the Tactics to showcase the MITRE Tactics.

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “D” T-S-T Loop.

The purpose: Provide the audience with a demo for the “D” use case.

End of the Command of the Demo Instructions.

Sample Script

We will click on the correlated threat we spoke about in the previous scene and start off in the investigative workbench. On the left side of the screen, next to the context card, we can see a description of the threat as derived from the MITRE tag information.

Hovering over the MITRE icon we can see the tactics and techniques that were used in this threat.

This is a great way to understand from beginning to end what happened and the techniques used.


"D" "SHOW"
Navigation:

You can expand each bubble by clicking the ^ at the bottom right. You can expand and collapse all with the buttons in the upper right.

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “D” T-S-T Loop.

The purpose: Provide the audience with a demo for the “D” use case.

End of the Command of the Demo Instructions.

Sample Script

As we begin our investigation, we need to know what tools and telemetry were involved here.

We can expand this bubble to show precisely that information.

Helix has taken the disparate tools and put this attack together, saving us many pivots in the process.

This specific example includes Email, Endpoint, Network, and 3rd-party tools such as Windows Event Log and SharePoint.

We bring all of this telemetry together into one aggregated threat to minimize the pivots an analyst needs to make.


"D" "SHOW"
Navigation:

Click the arrow to expand or collapse the About section.

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “D” T-S-T Loop.

The purpose: Provide the audience with a demo for the “D” use case.

End of the Command of the Demo Instructions.

Sample Script

Another way of getting to this data would be to look at the badging information at the top of the threat, as well as
clicking on the expanded bubble which provides a summary of the telemetries, as well as the related alerts on
the bottom. You can very easily see the telemetry scope of this threat.


"D" "SHOW"
Navigation:

When you click directly on a bubble, it will pull up the expanded details on the right.

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “D” T-S-T Loop.

The purpose: Provide the audience with a demo for the “D” use case.

End of the Command of the Demo Instructions.

Sample Script

We can see that this threat had email, endpoint, and network information as well.

This capability allows us to see the scope and the tools that were involved in a very easy manner.


"D" "SHOW"
Navigation:

Expand the Sources bubble.

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “D” T-S-T Loop.

The purpose: Provide the audience with a demo for the “D” use case.

End of the Command of the Demo Instructions.

Sample Script

The next thing we need to understand is the origin of that telemetry data and/or the origin of this threat. We can see this threat has an external email address, which is the source of our phish.


"D" "SHOW"
Navigation:

Expand the Alerts bubble.

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “D” T-S-T Loop.

The purpose: Provide the audience with a demo for the “D” use case.

End of the Command of the Demo Instructions.

Sample Script

Optional slide to show the overall alerts in the bubble view, as well as all alerts on the right side of the screen.


"D" "SHOW"
Navigation:

Click on the expanded bubble.

Click on the Email Message delivered alert.

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “D” T-S-T Loop.

The purpose: Provide the audience with a demo for the “D” use case.

End of the Command of the Demo Instructions.

Sample Script

As we move to the right, we will see the twelve unique alerts that were pulled together and tied into a single threat. Clicking on the expanded bubble, we can now see on the right side all the alerts that were tied to this threat. Knowing that this threat originated as part of a phish campaign, we can click on the Email Message delivered alert, which will then connect the initial phisher to the asset being phished.


"D" "SHOW"
Navigation:

Click on our victim asset

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “D” T-S-T Loop.

The purpose: Provide the audience with a demo for the “D” use case.

End of the Command of the Demo Instructions.

Sample Script

We can then click on our victim asset to pull together the endpoint alerts very quickly as well.


"D" "SHOW"
Navigation:

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “D” T-S-T Loop.

The purpose: Provide the audience with a demo for the “D” use case.

End of the Command of the Demo Instructions.

Sample Script

The network detections, highlighting lateral movement and exfiltration, are included here as well.


"D" "SHOW"
Navigation:

Click on the Office365 Analytic.

Note: Not all alerts will contain an Office365 analytic; this is a sample of other source data. The sample in this image is from an older demonstration.

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “D” T-S-T Loop.

The purpose: Provide the audience with a demo for the “D” use case.

End of the Command of the Demo Instructions.

Sample Script

The final step is clicking on the Office365 Analytic indicating an abnormal SharePoint transfer.


"D" "SHOW"
Navigation:

Collapse all bubbles and expand Assets.

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “D” T-S-T Loop.

The purpose: Provide the audience with a demo for the “D” use case.

End of the Command of the Demo Instructions.

Sample Script

Now let’s collapse our bubbles and move over into the Assets tab to get a broader view of the assets that were involved in this attack. We can see the victim and system user, as well as the recipient of the phishing attempt we looked at earlier.


"D" "SHOW"
Navigation:

Collapse all bubbles and expand Artifacts.

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “D” T-S-T Loop.

The purpose: Provide the audience with a demo for the “D” use case.

End of the Command of the Demo Instructions.

Sample Script

Then finally, we have the artifacts that were involved in the entire correlated threat brought into one place.


DELIVER THE "D" “CLOSING TELL” (CT) IN POWERPOINT

When you complete the demo “show” for this T-S-T Loop in Crossfire, be sure to switch back to PowerPoint to deliver the “Closing Tell” (CT). Usually, a Closing Tell should take < 1 minute to deliver and should, in a few sentences, describe the operational benefits of what they just saw (rather than simply recapping what they just saw).

This is also known as the “so what” slide!

Operational Benefits Examples: “So you can…” or “Alright, so what does all this mean to you? What we just saw will help you…”

• Improve SOC analyst’s efficiency
• Increase ability to…
• Reduce false positives
• Reduce number of tools needed…
• Minimize wasted time
• Mitigate risk associated with…

Here’s an example of a “closing tell” for this Tell-Show-Tell Loop.

Navigation

Delivered in PowerPoint, before switching back into the Crossfire environment.

Sample Script

So, what does this mean to you and why does it matter?

Threat Analytics helped us correlate and prioritize disparate events into actionable investigations, which resulted in a high level of detection efficacy. We were able to connect the dots, which supported root cause analysis and simplified our investigation process. We were able to minimize our blind spots and expedite root cause analysis as well.


DELIVER THE "R" “OPENING TELL” (OT) IN POWERPOINT

Before you start showing the actual demo in Crossfire, be sure to deliver the “Opening Tell” for this T-S-T Loop. Usually, an Opening Tell should take < 30 seconds to deliver and should, in a few sentences, tell the audience what they’ll be seeing in this part of the demo (use case - NOT PRODUCT FEATURES). An Opening Tell example for this Tell-Show-Tell Loop might look like the following:

Navigation

Delivered in PowerPoint, before switching over to the Crossfire environment.

Command of the Demo Instructions:

What is this? This slide is the Opening Tell for the “R” T-S-T Loop.

The purpose: Provide the audience with a high-level introduction to the specific use case we will be showing during this part of the demo.

End of the Command of the Demo Instructions.

Sample Script

So now that we have the data we need coming into the platform and have assessed the severity and scope of
our security incident, let’s go act on it.

In this use case, we will walk through smart response actions, including remediation and enrichment.

We’ll also talk about other orchestration capabilities to streamline the way analysts are able to respond to security events.


"R" "SHOW"
Navigation:

Staying on the same correlated threat, collapse the bubbles, and expand the assets bubble.

Note: Do NOT actually click on the containment button; just speak of the functionality instead.

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “R” T-S-T Loop.

The purpose: Provide the audience with a demo for the “R” use case.

End of the Command of the Demo Instructions.

Sample Script

OK, so now that we know there is a compromised endpoint, we need to do something about it. Let’s get back to
the threat graph and select the victim endpoint. The first thing we want to do is to contain this endpoint so we
can do further offline forensics, so we’ll select the host and click the Contain button.


"R" "SHOW"
Navigation:

Going back under the action button, we have the trigger playbooks open.

Command of the Demo Instructions:


What is this? This screen is part of the “Show” for the “R” T-S-T Loop.

The purpose: Provide the audience with a demo for the “R” use case.

End of the Command of the Demo Instructions.

Sample Script

Now, with the endpoint contained, we can select other artifacts and run response actions against them. Going back under the action button, we have the trigger playbooks open.

<<NOTE: This functionality is not yet available in the current release of Helix Threats Preview, but is expected to
be available in the second half of 2022. Once available it will be good to include with the demonstration to show
different response capabilities.>>


"R" "SHOW"
Navigation:

Do NOT actually click on the trigger button; just speak of the functionality instead.

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “R” T-S-T Loop.

The purpose: Provide the audience with a demo for the “R” use case.
End of the Command of the Demo Instructions.

Sample Script

When we click there, we are presented with some very common playbooks that have been codified and made accessible to analysts. Cloud assets can be contained, quarantined, or enriched, depending on the situation.

If you have another ticketing system, such as ServiceNow, you can disposition this event to a case there and begin working it.

Maybe you want to take a hash and enrich it via Trellix’s Detection On Demand or VirusTotal. These are just some, but not all, of the capabilities and actions that can be turned into response actions.

<<NOTE: This functionality is not yet available in the current release of Helix Threats Preview, but is expected to
be available in the second half of 2022. Once available it will be good to include with the demonstration to show
different response capabilities.>>


"R" "SHOW"
Navigation:

Inside of the correlated threat, click on the orchestration tab and just select the first response action that is there.

Any of them will work and will have data.

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “R” T-S-T Loop.

The purpose: Provide the audience with a demo for the “R” use case.
End of the Command of the Demo Instructions.

Sample Script

Once we run our response actions we may want to look back and get a status update, or even an activity log of the response actions that were run.

We can click on the orchestration tab and be presented with exactly that. We can see every response action that was run, the activity log, and even a very detailed flow chart of the steps along the way.

<<NOTE: This functionality is not yet available in the current release of Helix Threats Preview but is expected to
be available in the second half of 2022. Once available it will be good to include with the demonstration to show
different response capabilities.>>


"R" "SHOW"
Navigation:

Click on any of the steps inside of a given response action.

This will bring up the details pane on the right side of the screen, which shows the inputs and outputs of the response action.

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “R” T-S-T Loop.

The purpose: Provide the audience with a demo for the “R” use case.
End of the Command of the Demo Instructions.

Sample Script

Clicking any of these steps, we can drill into the input and output of that step. This gives us end-to-end visibility of our response actions.

<<NOTE: This functionality is not yet available in the current release of Helix Threats Preview but is expected to
be available in the second half of 2022. Once available it will be good to include with the demonstration to show
different response capabilities.>>


DELIVER THE "R" “CLOSING TELL” (CT) IN POWERPOINT


When you complete the demo “show” for this T-S-T Loop in Crossfire, be sure to switch back
to PowerPoint to deliver the “Closing Tell” (CT). Usually, a Closing Tell should take < 1 minute
to deliver and should, in a few sentences, describe the operational benefits for what they
just saw (rather than simply recapping what they just saw).

This is also known as the “so what” slide!

Operational Benefits Examples: “So you can…” or “Alright, so what does all this mean to
you? What we just saw will help you…”

• Improve SOC analyst’s efficiency
• Increase ability to…
• Reduce false positives
• Reduce number of tools needed…
• Minimize wasted time
• Mitigate risk associated with…

Here is an example of a “closing tell” for this Tell-Show-Tell Loop.

Navigation

Delivered in PowerPoint, before switching over to the Crossfire environment.

Sample Script

So again, what does this mean to you and why does it matter?

Using the response capability of Helix, we reduce our time to respond and move from attack detection to future threat prevention. We are also removing pivot points, so the analyst can go from detection to response in one location.


DEMO INSTRUCTIONS PAGE


Navigation:

SE Instructions Only

DO NOT USE THIS SLIDE DURING THE DEMO

Command of the Demo Instructions:

What is this? This screen is giving us instructions for the 4th T-S-T Loop. Use Case 4 aligns to Advanced XDR capabilities.

These capabilities include hunting, custom rule creation, customized orchestration playbooks, custom dashboards & reporting, Extended Retention, and Case Management.

The purpose: If these capabilities are NOT required by your Customer/Prospect, skip this section and proceed to the “Final Visual Demo Map” section (page 48).

End of the Command of the Demo Instructions.

Sample Script

No script for this slide.


DELIVER THE "R" “OPENING TELL” (OT) IN POWERPOINT


Before you start showing the actual demo in Crossfire, be sure to deliver the “Opening Tell” for
this T-S-T Loop. Usually, an Opening Tell should take < 30 seconds to deliver and should, in
a few sentences, tell the audience what they’ll be seeing in this part of the demo (use
case - NOT PRODUCT FEATURES). An Opening Tell example for this Tell-Show-Tell Loop
might look like the following:

Navigation

Delivered in PowerPoint, before switching over to the Crossfire environment.

Command of the Demo Instructions:

What is this? This slide is the Opening Tell for the “R” T-S-T Loop.

The purpose: Provide the audience with a high-level introduction to the specific use case we will be showing during this part of the demo.

End of the Command of the Demo Instructions.

Sample Script

To go one step further, let’s say we have a customer who really knows what they are after and wants to perform some deep-dive hunting exercises across all their data in Helix. In this advanced use case, we will demonstrate how to use Helix to hunt, and then turn that hunt into a rule to operationalize that detection in the future. Let’s go take a look.

Helix Demo 3 - https://apps.fireeye.com/helix/id/hexzsq689/

First RDP hunting query, 7-day timeframe: dstport:3389 not srcisp:"private*" not action:[deny,denied]
Second RDP hunting query, 7-day timeframe: dstport:3389 not srcisp:"private*" not action:[deny,denied] | groupby [srcipv4,dstipv4]
Same queries for the archive search at 396 days. It is recommended to run this search in advance; the finished job can then be opened from the dropdown under Explore >> Search Jobs. Archive searches can take a while to complete, so it is good to have it done before the demo.


"R" "SHOW"
Navigation:

MQL Query - dstport:3389 not srcisp:"private*" not action:[deny,denied]

Helix Instance – Demo 3 - https://apps.fireeye.com/helix/id/hexzsq689/

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “R” T-S-T Loop.

The purpose: Provide the audience with a demo for the “R” use case.
End of the Command of the Demo Instructions.

Sample Script

Let’s suppose we had a security incident involving RDP. Our internal teams have requested that we find all instances of RDP traffic that originated from outside of the organization and resulted in successful (that is, not denied) connections. We’ll want to use the query shown here. For the time frame, we are going to start with the last week.


"R" "SHOW"
Navigation:

MQL Query - dstport:3389 not srcisp:"private*" not action:[deny,denied] | groupby [srcipv4,dstipv4]

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “R” T-S-T Loop.

The purpose: Provide the audience with a demo for the “R” use case.
End of the Command of the Demo Instructions.

Sample Script

Executing that query, we get 142 results. What we are looking for is the source and destination of each conversation over the last week. We can add a groupby statement to the end of the query to get that information. Now we have all external-to-internal RDP connections that were NOT denied, and we can clearly see both sides of the conversation.


"R" "SHOW"
Navigation:

MQL Query - dstport:3389 not srcisp:"private*" not action:[deny,denied] | groupby [srcipv4,dstipv4]

In the drop-down box we want to change to archive search and select 396 days to meet their criteria.

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “R” T-S-T Loop.

The purpose: Provide the audience with a demo for the “R” use case.
End of the Command of the Demo Instructions.

Sample Script

Now we get a request for an even longer time frame from the internal stakeholders.

They are looking for the last 396 days for this same policy violation.

In the drop-down box we want to change to archive search and select 396 days to meet their criteria. We can
run the same query and the archive search will now run. This search can take a while to complete as it is pulling
13 months of archived data, so I have already run the search in advance.


"R" "SHOW"
Navigation:

Go to Explore -> Search Jobs and click on the query above. We will be taken over to that search job and can complete this slide, and the following one, on this investigation.

Note: Archive searches over a long period of time can take some time to complete, so it is recommended to run the search before your demo so it is quickly available.

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “R” T-S-T Loop.

The purpose: Provide the audience with a demo for the “R” use case.
End of the Command of the Demo Instructions.

Sample Script

When the search is completed, we now see that there are 332 total results; these come from archived events that are no longer in the index. This provides us with the information to bring back to the internal stakeholders to continue their investigation. Notice how easy it was to take this hunt from a one-week time window to, ultimately, over a year’s worth of data.

MQL Query - dstport:3389 not srcisp:"private*" not action:[deny,denied] | groupby [srcipv4,dstipv4]

Additional note: Archived data does not include data that is currently in the index. That data has not yet been archived, so it won’t be returned by the archive search; to cover the full 396 days, the results of the index search and the archive search have to be combined.
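To make the hunt’s logic concrete, here is an added example (written for this guide, not Helix or Trellix code) that reproduces the two MQL stages of the page’s query in plain Python over a constructed sample log, and models the index/archive split described in the note above by running the same hunt against both stores and merging the counts. The field names (dstport, srcisp, action, srcipv4, dstipv4) come from the query on the page; the flat event layout, the case-insensitive prefix semantics assumed for "private*", the action vocabulary, the 30-day index retention, the fixed NOW timestamp and the sample events are all assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed sample is reproducible (assumption, not Helix behaviour).
NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)


def make_event(days_ago, src, dst, isp, action, dstport=3389):
    """Build one flat event keyed by the MQL field names used in the page's query."""
    return {
        "eventtime": NOW - timedelta(days=days_ago),
        "srcipv4": src,
        "dstipv4": dst,
        "srcisp": isp,      # assumed: RFC 1918 sources carry an ISP value starting "private"
        "action": action,   # assumed: firewall verdict string such as allow/accept/deny/denied
        "dstport": dstport,
    }


# Constructed sample log, not real Helix data.
SAMPLE_EVENTS = [
    make_event(1, "203.0.113.10", "10.0.0.5", "Example ISP", "allow"),
    make_event(2, "203.0.113.10", "10.0.0.5", "Example ISP", "allow"),
    make_event(3, "198.51.100.7", "10.0.0.9", "Other ISP", "accept"),
    make_event(3, "198.51.100.7", "10.0.0.9", "Other ISP", "deny"),         # excluded: denied
    make_event(4, "10.0.0.21", "10.0.0.5", "Private", "allow"),             # excluded: internal source
    make_event(5, "203.0.113.10", "10.0.0.5", "Example ISP", "allow", 22),  # excluded: not RDP
    make_event(40, "192.0.2.33", "10.0.0.5", "Third ISP", "allow"),         # outside a 7-day window
    make_event(300, "203.0.113.10", "10.0.0.9", "Example ISP", "denied"),   # excluded: denied
    make_event(390, "192.0.2.33", "10.0.0.9", "Third ISP", "allow"),        # only in a 396-day window
]


def matches_hunt(event):
    """Filter stage: dstport:3389 not srcisp:"private*" not action:[deny,denied]."""
    if event.get("dstport") != 3389:
        return False
    # "private*" is treated as a case-insensitive prefix wildcard (assumption).
    if str(event.get("srcisp", "")).lower().startswith("private"):
        return False
    # action:[deny,denied] is an exact match on either value (assumption).
    if event.get("action") in ("deny", "denied"):
        return False
    return True


def hunt(events, days, now=NOW):
    """Apply the filter over the last `days` days, like the UI time-range picker."""
    cutoff = now - timedelta(days=days)
    return [e for e in events if e["eventtime"] >= cutoff and matches_hunt(e)]


def groupby_src_dst(events):
    """The `| groupby [srcipv4,dstipv4]` stage: one row per conversation with its hit count."""
    return Counter((e["srcipv4"], e["dstipv4"]) for e in events)


def split_index_archive(events, index_days, now=NOW):
    """Model the page's note that archived data excludes whatever is still in the index.

    `index_days` is the assumed length of the hot index; anything older lives only in
    the archive, so searching either store alone never covers the whole window.
    """
    cutoff = now - timedelta(days=index_days)
    index = [e for e in events if e["eventtime"] >= cutoff]
    archive = [e for e in events if e["eventtime"] < cutoff]
    return index, archive


def hunt_full_window(events, days, index_days, now=NOW):
    """Run the same query against both stores and merge the counts, as a 396-day request needs."""
    index, archive = split_index_archive(events, index_days, now)
    return groupby_src_dst(hunt(index, days, now)) + groupby_src_dst(hunt(archive, days, now))


if __name__ == "__main__":
    print("last 7 days:", dict(groupby_src_dst(hunt(SAMPLE_EVENTS, 7))))
    print("last 396 days, index + archive:", dict(hunt_full_window(SAMPLE_EVENTS, 396, 30)))
```

With the sample above, the 7-day hunt returns three events collapsing to two conversations, while the 396-day request only reaches the two older hits when the archive results are added to the index results; an archive-only search would miss the three recent ones, which is the practical consequence of the note above.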


"R" "SHOW"
Navigation:

In the top left of the screen, we can select “Save As” and select rule.

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “R” T-S-T Loop.

The purpose: Provide the audience with a demo for the “R” use case.
End of the Command of the Demo Instructions.

Sample Script

Now let’s go back to our index search and turn this ad-hoc hunt into an operationalized rule that will alert us of these policy violations any time they happen. In the top left of the screen, we can select “Save As” and select rule.


"R" "SHOW"
Navigation:

Click “Create” and you will now have turned this into a rule.

Command of the Demo Instructions:

What is this? This screen is part of the “Show” for the “R” T-S-T Loop.

The purpose: Provide the audience with a demo for the “R” use case.
End of the Command of the Demo Instructions.

Sample Script

We can give our rule a name, description, and the query is already filled out for us.

Simply click “Create” and you will now have turned this into a rule. It is that easy.


DELIVER THE "R" “CLOSING TELL” (CT) IN POWERPOINT


When you complete the demo “show” for this T-S-T Loop in Crossfire, be sure to switch back
to PowerPoint to deliver the “Closing Tell” (CT). Usually, a Closing Tell should take < 1 minute
to deliver and should, in a few sentences, describe the operational benefits for what they
just saw (rather than simply recapping what they just saw).

This is also known as the “so what” slide!

Operational Benefits Examples: “So you can…” or “Alright, so what does all this mean to
you? What we just saw will help you…”

• Improve SOC analyst’s efficiency
• Increase ability to…
• Reduce false positives
• Reduce number of tools needed…
• Minimize wasted time
• Mitigate risk associated with…

Here is an example of a “closing tell” for this Tell-Show-Tell Loop.

Navigation

Delivered in PowerPoint.

Sample Script

The hunting capabilities of Helix enable your team to do some advanced forensics, reduce complexity, and
operationalize a threat hunt.

This was just one example but think of the countless examples that come up daily for the average security
analyst. Helix really can help make their lives that easy.


DELIVER THE FINAL VISUAL DEMO MAP (FVDM) IN POWERPOINT


Please Note: At this point in the demo session, you’ve completed your live software demo in
Crossfire and the remainder of the demo will be completed using your PowerPoint slides. This
section will describe the delivery of the Final Visual Demo Map only. Once this is completed, it
is recommended that either the SE or the AE deliver the “Value Close”. Please see the
companion PowerPoint slides for additional instructions (the link on page 3).

Once you deliver the final “Closing Tell” for the last T-S-T Loop in Crossfire, be sure to deliver
the “Final Visual Demo Map”. Usually, this should take < 1 minute to deliver and should, in a
few sentences, summarize all the operational benefits, for all the T-S-T Loops for the
entire demo. This should be a cut & paste of the “Closing Tells” from each of the previous
demo T-S-T Loops.

Here is an example of a “Final Visual Demo Map” for this demo.

Navigation:

Delivered in PowerPoint

Command of the Demo Instructions:

End of the Command of the Demo Instructions.

Sample Script

We covered a lot of ground, so let’s take a second to ensure we addressed all of the challenges you shared with us.

You said you were struggling with correlating and prioritizing alerts from all of your different technologies.

We saw how Trellix XDR addresses this in the first two scenes, starting with the extended coverage the platform provides and then walking through how our detection threat analytics correlate and prioritize the risks to your environment.

You also mentioned that you were looking to automate and orchestrate as much of the response process as possible to speed things up and allow your analysts to be more efficient. Well, Tom covered this in the last two scenes, when he showcased the integrated automated response actions to reduce your time to respond and walked through a quick example of how analysts can easily operationalize their hunts to save time in the future.

Did we miss anything?

So, to net it out, I would say, when we bring together all of these capabilities into a single unified platform, it
results in improved protection against today's sophisticated attacks, and increases Analyst and SOC Efficiency.

At this time, we’d like to address any remaining questions that you may have… and discuss how we should
proceed moving forward. Thank you.
