Trellix Helix Demo Guide
Q2 2022
CONTENTS
Architecture (page 5)
Scenes 1-3 cover the core Helix use cases and should always be delivered.
Scene 4 is centered around more advanced use cases, including hunting and custom rule
creation. This scene is optional, as not all of our Customers or Prospects have this need.
So, based on your initial discussions with the Customer, you may opt to demo only
scenes 1-3, or opt to add on scene 4.
For the purposes of this exercise, we will show all scenes 1-4.
OK, now that we have that out of the way, let's jump into our Customer meeting.
Let’s take a moment to talk about what you’re about to see and what we will go over.
The first demo scenario (Tell-Show-Tell, T-S-T 1) demonstrates how Helix is used to extend
your team's Detection & Response capabilities from a single focus, like the Endpoint telemetry
gathered from an EDR technology, to one that applies across ALL threat vectors
(Endpoint, Network, Email and Cloud) to protect against today's multi-vector attacks.
The next section (T-S-T 2) demonstrates Detection and shows how Helix correlates and
prioritizes threats and allows you to connect the dots. It provides the necessary context to help
you quickly understand what happened, what assets were involved, and the true
risk to your environment.
Finally, we'll close out with Response (T-S-T 3), showcasing automated response actions
like quarantining a system or cloud workload, or even disabling a user, to mitigate the threat.
And he'll do this all from a Single Unified Platform.
ARCHITECTURE
The screenshot below points you to the Helix Enterprise Instance for the demo, Helix Demo 3 (prod).
Eventually the Threats preview will move to full release, and all of the demo instances will have the
same demo capability.
SAMPLE AGENDA
Sample Script
Thanks Mr. Customer, we appreciate your time today. Here's the agenda we'll cover. We'll start off with a quick recap of
the Challenges you shared with us and introduce our Trellix XDR Platform, Helix, and then spend the bulk of our time in
the demo showing the platform in action.
CUSTOMER CHALLENGES
Sample Script
Your team is struggling around correlating and prioritizing alerts from multiple disparate technologies and you're also
looking to automate as much of the response process as possible to speed things up and allow your analysts to be more
efficient.
Sample Script
Helix connects all of Trellix’s technologies and expertise together for a seamless analyst experience, providing customers
with detection across endpoint, network, cloud, and email in a single place.
Our flexible XDR platform also easily integrates a broad range of third-party security tools, allowing you to tailor the
solution mix to your strategy, with the freedom to choose to use some, or all, of the Trellix products to take advantage of
Helix.
The Helix platform has been designed to address these very challenges.
It’s a unified platform arming security operations teams with comprehensive protection across all threat vectors, and smart
automation to accelerate their response capabilities and simplify investigations.
It's also important to note that the platform supports both Trellix products as well as a broad range of third-party security
tools. This allows you to tailor the solution mix to support your solutioning strategy, with the freedom to choose any
combination of Trellix products to work smoothly with your third-party security solutions.
Here is an example of what an IVDM might look like for a Helix demo:
Navigation: Delivered in PowerPoint, before switching over to the Crossfire environment.
Sample Script
Over the next 20 minutes, we will walk you through a few demo use cases that if implemented, will help address
the challenges that you shared with us.
We'll start out with the platform's Extended coverage, extending your team's Detection & Response capabilities
from a single focus like Endpoint, gathered from an EDR technology, and applying this across ALL threat
vectors: Endpoint, Network, Email and Cloud, to protect against today's multi-vector attacks.
Next, we'll cover Detection, and how Helix correlates & prioritizes threats and allows you to connect the dots,
and provides the necessary context to quickly understand what happened, what assets were involved,
and the true risk to your environment.
Finally, we'll close out with Response.. Showcasing automated response actions that your team may leverage to
minimize the impact of a breach. This includes things like quarantining a system, cloud workload, or even
disabling a user to mitigate the threat.
Navigation: Delivered in PowerPoint, before switching over to the Crossfire environment.
What is this? This slide is the Opening Tell for the “X” T-S-T Loop.
The purpose: Provide the audience with a high-level introduction to the specific use case we will be showing
during this part of the demo.
and of the Command of the Demo Instructions:
Sample Script
Let’s get into our first scene, where we will showcase our extended coverage, which will help enable our detection
and response capabilities. We’ll touch on coverage across ALL threat vectors, including Trellix products as well
as third-party technologies via CloudConnect. We’ll be correlating disparate events from multiple tools into
actionable investigations and using our risk scoring to prioritize investigations. This will help us assess the scope
of security events. Alright, let’s take a look.
NOTE: The correlated threat is located in Helix Demo 3. Keep in mind that over time the threat data may
become unavailable, but other examples will exist in the environment to provide the demo experience.
"X" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “X” T-S-T Loop.
The purpose: Provide the audience with a demo for the “X” use case
Sample Script
So, we’re going to want to start on our summary dashboard page here and look at a few things. We can see the
Alerts and Asset-Based Alert Correlations, as well as our risk score which will give us a high-level view on our
security posture. Scrolling down we will see the Uncontained Cases, Indexed Events and Event Classes.
We’ll want to scroll down and focus on the Event Classes section which provides a view of the input to Helix. We
can see in this case that we have multiple events being ingested including Endpoint, Network, Threat Intel as well
as many others.
"X" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “X” T-S-T Loop.
The purpose: Provide the audience with a demo for the “X” use case
Sample Script
We are also utilizing CloudConnect to pull in additional third-party sources to increase our visibility.
You’ll want to navigate over to CloudConnect which will bring up all of the available integrations we can highlight
that will benefit our customers.
Right now, we have 102 native integrations with new sources being added constantly.
NOTE: It helps the flow of your demo if you already have this pulled up in a new tab, so you do not have to wait
for it to pop up and load.
"X" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “X” T-S-T Loop.
The purpose: Provide the audience with a demo for the “X” use case.
Sample Script
Now that we have an idea of our data sources and why they are important let’s look at the risk scoring using the
context card.
"X" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “X” T-S-T Loop.
The purpose: Provide the audience with a demo for the “X” use case.
Sample Script
We can hover over a threat, which will immediately provide us with some very rich information. This alert has a
critical risk score of 665, and the red color indicates the severity as well. There are 16 unique alerts that were
pulled into this correlated threat, and our threat intelligence indicates confidence that this threat contained evil.
"X" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “X” T-S-T Loop.
The purpose: Provide the audience with a demo for the “X” use case.
Sample Script
We can hover over the affected assets, as well as see if there were some response actions that were already
taken for us.
Operational Benefits Examples: “So you can…” or “Alright, so what does all this mean to
you? What we just saw will help you…”
Here is an example of what a “closing tell” for this Tell-Show-Tell Loop might look like.
Navigation:
Sample Script
So, what does this mean to you, and why does it matter? By extending our coverage, correlating disparate
events and providing risk scoring to prioritize investigations this will help us with the following.
We’ll be able to:
• highlight and reduce our overall risk
• improve prioritization and protection
• optimize the deployment mix to meet our needs in a flexible manner
Navigation: Delivered in PowerPoint, before switching back into the Crossfire environment.
Sample Script
Now that we have broad coverage into our security landscape, let’s build on that by showing your team
world-class detection capabilities. In this use case, we will:
• Use threat analytics which will correlate and prioritize disparate events into actionable investigations
• Help your team to quickly connect the dots across all your threat vectors
Which will give your team situational awareness and help them with root cause analysis.
"D" "SHOW"
Navigation:
https://apps.fireeye.com/helix/id/hexzsq689/threats/28044/overview?threat_type=correlation_group
What is this? This screen is part of the “Show” for the “D” T-S-T Loop.
The purpose: Provide the audience with a demo for the “D” use case.
Sample Script
<<No Script, this is picking and preparing an alert you are going to demo on in the following slides>>
"D" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “D” T-S-T Loop.
The purpose: Provide the audience with a demo for the “D” use case.
Sample Script
We will click on the correlated threat we spoke about on the previous scene and start off in the investigative
workbench. On the left side of the screen next to the context card, we can see a description of the threat as was
derived from the MITRE tag information.
Hovering over the MITRE icon we can see the tactics and techniques that were used in this threat.
This is a great way to understand from beginning to end what happened and the techniques used.
"D" "SHOW"
Navigation:
The purpose: Provide the audience with a demo for the “D” use case.
Sample Script
As we begin our investigation, we need to know what tools and telemetry were involved here.
Helix has taken the disparate tools and put this attack together, thus saving us many pivots in the process.
This specific example includes Email, Endpoint, Network, and third-party tools such as Windows Event Log and
SharePoint.
We bring all these telemetries together into one aggregated threat to minimize the pivots an analyst needs to
make.
"D" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “D” T-S-T Loop.
The purpose: Provide the audience with a demo for the “D” use case.
Sample Script
Another way of getting to this data would be to look at the badging information at the top of the threat, as well as
clicking on the expanded bubble which provides a summary of the telemetries, as well as the related alerts on
the bottom. You can very easily see the telemetry scope of this threat.
"D" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “D” T-S-T Loop.
The purpose: Provide the audience with a demo for the “D” use case.
Sample Script
We can see that this threat had email, endpoint, and network information as well.
This capability allows us to see the scope and the tools that were involved in a very easy manner.
"D" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “D” T-S-T Loop.
The purpose: Provide the audience with a demo for the “D” use case.
Sample Script
The next thing we need to understand is the origin of that telemetry data and/or the origin of this threat. We can
see this threat has an external email address, which is the source of our phish.
"D" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “D” T-S-T Loop.
The purpose: Provide the audience with a demo for the “D” use case
Sample Script
Optional slide to show the overall alerts in both the bubble view and as a full list of alerts on the right side of
the screen.
"D" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “D” T-S-T Loop.
The purpose: Provide the audience with a demo for the “D” use case
Sample Script
As we move to the right, we will see the twelve unique alerts that were pulled together and tied into a single
threat. Clicking on the expanded bubble we can see now on the right side all the alerts that were tied to this
threat. Knowing that this threat originated as part of a phish campaign, we can click on the Email Message
delivered alert which will then connect the initial phisher, to the asset being phished.
"D" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “D” T-S-T Loop.
The purpose: Provide the audience with a demo for the “D” use case.
Sample Script
We can then click on our victim asset to pull together the endpoint alerts very quickly as well.
"D" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “D” T-S-T Loop.
The purpose: Provide the audience with a demo for the “D” use case.
Sample Script
The network detections, highlighting lateral movement and exfiltration, are included here as well.
"D" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “D” T-S-T Loop.
The purpose: Provide the audience with a demo for the “D” use case.
Sample Script
The final step is clicking on the Office365 Analytic indicating an abnormal SharePoint transfer.
"D" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “D” T-S-T Loop.
The purpose: Provide the audience with a demo for the “D” use case.
Sample Script
Now let’s collapse our bubbles and move over into the Assets tab to get a broader view of the assets that were
involved in this attack. We can see the victim and system user, as well as the recipient of the phishing attempt
we looked at earlier.
"D" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “D” T-S-T Loop.
The purpose: Provide the audience with a demo for the “D” use case.
Sample Script
Then finally, we have the artifacts that were involved in the entire correlated threat brought into one place.
Operational Benefits Examples: “So you can…” or “Alright, so what does all this mean to
you? What we just saw will help you…”
Navigation: Delivered in PowerPoint, before switching back into the Crossfire environment.
Sample Script
So, what does this mean to you and why does it matter?
Navigation: Delivered in PowerPoint, before switching over to the Crossfire environment.
What is this? This slide is the Opening Tell for the “R” T-S-T Loop.
The purpose: Provide the audience with a high-level introduction to the specific use case we will be showing
during this part of the demo.
Sample Script
So now that we have the data we need coming into the platform and have assessed the severity and scope of
our security incident, let’s go act on it.
In this use case we will walk through smart response actions including remediation, and enrichment.
We’ll also talk about other orchestration capabilities as well to streamline the way analysts are able to response
to security events.
"R" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “R” T-S-T Loop.
The purpose: Provide the audience with a demo for the “R” use case.
Sample Script
OK, so now that we know there is a compromised endpoint, we need to do something about it. Let’s get back to
the threat graph and select the victim endpoint. The first thing we want to do is to contain this endpoint so we
can do further offline forensics, so we’ll select the host and click the Contain button.
"R" "SHOW"
Navigation:
The purpose: Provide the audience with a slide for the specific use case we will be showing during this part of
the demo.
Sample Script
Now, with the endpoint contained, we can start selecting some other artifacts to run response actions on.
Going back under the action button, we have the trigger playbooks option.
<<NOTE: This functionality is not yet available in the current release of Helix Threats Preview, but is expected to
be available in the second half of 2022. Once available it will be good to include with the demonstration to show
different response capabilities.>>
"R" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “R” T-S-T Loop.
The purpose: Provide the audience with a demo for the “R” use case.
Sample Script
When we click there, we are presented with some very common playbooks that have been codified and made
accessible for analysts. Cloud assets can be contained, quarantined as well as enriched depending on the
situation.
If you have another ticketing system, such as ServiceNow, you can disposition this event to a case there to
begin working.
Maybe you want to take a hash and enrich it via Trellix’s Detection On Demand, or VirusTotal. These are just
some, but not all the capabilities and actions that can be turned into response actions.
<<NOTE: This functionality is not yet available in the current release of Helix Threats Preview, but is expected to
be available in the second half of 2022. Once available it will be good to include with the demonstration to show
different response capabilities.>>
"R" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “R” T-S-T Loop.
The purpose: Provide the audience with a demo for the “R” use case.
Sample Script
Once we run our response actions, we may want to look back and get a status update, or even an activity log of
the response actions that were run.
We can click on the orchestration tab and be presented with exactly that. We can see every response action that
was run, the activity log, and even a very detailed flow chart of the steps along the way.
<<NOTE: This functionality is not yet available in the current release of Helix Threats Preview but is expected to
be available in the second half of 2022. Once available it will be good to include with the demonstration to show
different response capabilities.>>
"R" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “R” T-S-T Loop.
The purpose: Provide the audience with a demo for the “R” use case.
Sample Script
Clicking any of these steps we can drill into the input, and output of that step. This provides us end to end
visibility of our response actions.
<<NOTE: This functionality is not yet available in the current release of Helix Threats Preview but is expected to
be available in the second half of 2022. Once available it will be good to include with the demonstration to show
different response capabilities.>>
Operational Benefits Examples: “So you can…” or “Alright, so what does all this mean to
you? What we just saw will help you…”
Navigation: Delivered in PowerPoint, before switching over to the Crossfire environment.
Sample Script
So again, what does this mean to you and why does it matter?
Using the response capability of Helix, we reduce our time to respond and move
from attack detection to future threat prevention. We also are removing pivot
points so the analyst can go from detection to response in one location.
SE Instructions Only
What is this? This screen is giving us instructions for the 4th T-S-T Loop. Use Case 4 aligns to Advanced XDR
capabilities.
These capabilities include hunting, custom rule creation, customized orchestration playbooks, custom
dashboard & reporting, Extended Retention, and Case Management.
The purpose: If these capabilities are NOT required by your Customer/Prospect, skip this section and
proceed to the “Final Visual Demo Map” section (page 48).
Sample Script
Navigation: Delivered in PowerPoint, before switching over to the Crossfire environment.
What is this? This slide is the Opening Tell for the “R” T-S-T Loop.
The purpose: Provide the audience with a high-level introduction to the specific use case we will be showing
during this part of the demo.
Sample Script
To go one step further, let’s say we have a customer who really knows what they are after and wants to perform
some deep-dive hunting exercises across all their data in Helix. In this advanced use case, we will demonstrate
how to use Helix to hunt, and then turn that hunt into a rule to operationalize that detection in the future. Let’s go
take a look.
"R" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “R” T-S-T Loop.
The purpose: Provide the audience with a demo for the “R” use case.
Sample Script
Let’s suppose we had a security incident involving RDP. Our internal teams have requested that we find all
instances of RDP traffic, that originated from outside of the organization that resulted in successful connections.
We’ll want to use the query shown here. For the time frame, we are going to start with the last one week.
"R" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “R” T-S-T Loop.
The purpose: Provide the audience with a demo for the “R” use case.
Sample Script
Executing that query, we get 142 responses. What we are looking for is the source and destination of this
conversation over the last week. We can add a groupby statement to the end of the query to get that information.
Now we have all external-to-internal RDP connections that were NOT denied, and we can clearly see both
sides of the conversation.
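As an added illustration (not the query shown on the slide and not Helix's own query language), the same hunt expressed in Python over constructed firewall-style connection records: keep allowed RDP (TCP 3389) connections whose source is outside RFC 1918 space and whose destination is inside it, restrict them to a time window, and group by source/destination pair the way the groupby step does. The record fields, the definition of "internal" as RFC 1918, the denied-action names and the fixed reference time are all assumptions made for the example.

```python
"""External-to-internal RDP hunt with group-by, as an added Python illustration.
Not Helix's query language; it mirrors the filtering and grouping the demo
script describes, over constructed sample records (not product data)."""
from collections import Counter
from datetime import datetime, timedelta, timezone
import ipaddress

RDP_PORT = 3389
# Assumption: these action values mean the connection was blocked; anything
# else counts as a successful (not denied) connection.
DENIED_ACTIONS = {"deny", "drop", "reject"}
# Assumption: "internal" means RFC 1918 space. ip.is_private is deliberately
# avoided because it also flags documentation ranges such as 203.0.113.0/24,
# which would misclassify the sample external addresses below.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Fixed reference time so the 7-day and 396-day windows are reproducible
NOW = datetime(2022, 6, 30, tzinfo=timezone.utc)


def ev(ts, src, dst, dstport, action):
    """Build one constructed connection record (hypothetical field names)."""
    return {"ts": ts, "src": src, "dst": dst, "dstport": dstport, "action": action}


# Constructed sample connection records, not taken from Helix or the slides
SAMPLE_EVENTS = [
    ev("2022-06-28T10:00:00+00:00", "203.0.113.10", "10.1.2.3", 3389, "allow"),
    ev("2022-06-28T11:30:00+00:00", "203.0.113.10", "10.1.2.3", 3389, "allow"),
    ev("2022-06-27T09:00:00+00:00", "198.51.100.7", "10.1.2.9", 3389, "deny"),    # blocked
    ev("2022-06-26T08:00:00+00:00", "10.1.5.5", "10.1.2.3", 3389, "allow"),       # internal source
    ev("2022-06-25T07:00:00+00:00", "203.0.113.10", "10.1.2.3", 443, "allow"),    # not RDP
    ev("2022-03-01T12:00:00+00:00", "198.51.100.7", "192.168.4.20", 3389, "allow"),  # > 7 days old
    ev("2021-01-01T12:00:00+00:00", "198.51.100.8", "10.2.2.2", 3389, "allow"),   # > 396 days old
]


def is_internal(addr):
    """True if the address falls in one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def hunt_external_rdp(events, now=NOW, days=7):
    """Return a Counter of (src, dst) -> connection count for allowed,
    external-to-internal RDP connections within the last `days` days."""
    cutoff = now - timedelta(days=days)
    hits = Counter()
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if ts < cutoff or ts > now:
            continue                      # outside the requested time window
        if int(e["dstport"]) != RDP_PORT:
            continue                      # not an RDP connection
        if e["action"].lower() in DENIED_ACTIONS:
            continue                      # the firewall blocked it
        if is_internal(e["src"]) or not is_internal(e["dst"]):
            continue                      # not external -> internal
        hits[(e["src"], e["dst"])] += 1   # the "groupby src, dst" step
    return hits


def groupby_rows(hits):
    """Render the Counter as groupby-style rows, busiest pair first."""
    ordered = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(src, dst, n) for (src, dst), n in ordered]


if __name__ == "__main__":
    # Mirror the script: first the last week, then the 396-day look-back
    for days in (7, 396):
        print(f"external -> internal RDP, last {days} days:")
        for src, dst, n in groupby_rows(hunt_external_rdp(SAMPLE_EVENTS, days=days)):
            print(f"  {src} -> {dst}: {n}")
```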
"R" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “R” T-S-T Loop.
The purpose: Provide the audience with a demo for the “R” use case.
Sample Script
Now we get a request for an even longer time frame from the internal stakeholders.
They are looking for the last 396 days for this same policy violation.
In the drop-down box we want to change to archive search and select 396 days to meet their criteria. We can
run the same query and the archive search will now run. This search can take a while to complete as it is pulling
13 months of archived data, so I have already run the search in advance.
"R" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “R” T-S-T Loop.
The purpose: Provide the audience with a demo for the “R” use case.
Sample Script
When the search is completed, we now see that there are 332 total results; that is from all related events not
included in the index. This provides us with the information to bring back to the internal stakeholders to continue
their investigation. Notice how easy it was to get this data, from a one-week time window to, ultimately, over a
year’s worth of data.
Additional note: Archived data does not include data that is currently in the indexed data. That data has
yet to be archived so it won’t be returned in the archive search.
"R" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “R” T-S-T Loop.
The purpose: Provide the audience with a demo for the “R” use case.
Sample Script
Now let’s go back to our index search and turn this ad-hoc hunt, into an operationalized rule that will now alert
us of these policy violations anytime they happen. In the top left of the screen, we can select “Save As” and
select rule.
"R" "SHOW"
Navigation:
What is this? This screen is part of the “Show” for the “R” T-S-T Loop.
The purpose: Provide the audience with a demo for the “R” use case.
Sample Script
We can give our rule a name, description, and the query is already filled out for us.
Simply click “Create” and you will now have turned this into a rule. It is that easy.
Operational Benefits Examples: “So you can…” or “Alright, so what does all this mean to
you? What we just saw will help you…”
Navigation: Delivered in PowerPoint.
Sample Script
The hunting capabilities of Helix enable your team to do some advanced forensics, reduce complexity, and
operationalize a threat hunt.
This was just one example but think of the countless examples that come up daily for the average security
analyst. Helix really can help make their lives that easy.
Once you deliver the final “Closing Tell” for the last T-S-T Loop in Crossfire, be sure to deliver
the “Final Visual Demo Map”. Usually, this should take < 1 minute to deliver and should, in a
few sentences, summarize all the operational benefits, for all the T-S-T Loops for the
entire demo. This should be a cut & paste of the “Closing Tells” from each of the previous
demo T-S-T Loops.
Navigation: Delivered in PowerPoint.
Sample Script
We covered a lot of ground, so let's take a second to ensure we addressed all of the challenges you shared with
us.
You said you were struggling around correlating and prioritizing alerts from all of your different technologies.
We saw how Trellix XDR can address this in the first 2 scenes we saw. Starting out with the extended coverage
the platform provides and then walking through how our detection threat analytics correlate and prioritize the
risks to your environment.
You also mentioned that you were looking to automate and orchestrate as much of the response process as
possible to speed things up and allow your analysts to be more efficient. Well, Tom covered this in the last 2
scenes, when he showcased the integrated automated response actions to reduce your time to respond and
walked through a quick example of how analysts could easily operationalize their hunts to save time in the
future.
Did we miss anything?
So, to net it out, I would say, when we bring together all of these capabilities into a single unified platform, it
results in improved protection against today's sophisticated attacks, and increases Analyst and SOC Efficiency.
At this time, we’d like to address any remaining questions that you may have… and discuss how we should
proceed moving forward. Thank you.