Fidelis XPS User Manual

User Guide

Version 6.0

Users are granted permission to copy and/or distribute this document in its original electronic form and print copies for personal use. This document cannot be modified or converted to any other electronic or machine-readable form in whole or in part without prior written approval of Fidelis Security Systems, Inc.

While we have done our best to ensure that the material found in this document is accurate, Fidelis

Security Systems, Inc. makes no guarantee that the information contained herein is error free.

Fidelis XPS includes GeoLite data created by MaxMind, available from http://www.maxmind.com/

Fidelis Security Systems 4416 East West Highway, Suite 310 Bethesda, MD 20814

Preface............................................................................................................................................. 1

Intended Audience....................................................................................................................... 1

Technical Support........................................................................................................................ 2

Available Guides.......................................................................................................................... 2

Fidelis XPS™ Overview.................................................................................................................. 3

Fidelis XPS Modules.................................................................................................................... 3

CommandPost ........................................................................................................................ 4

Direct....................................................................................................................................... 4

Internal.................................................................................................................................... 4

Proxy....................................................................................................................................... 4

Mail.......................................................................................................................................... 5

Web Walker............................................................................................................................. 5

Connect................................................................................................................................... 5

Fidelis XPS Policies..................................................................................................................... 5

Prebuilt Policies....................................................................................................................... 5

Custom Policies ...................................................................................................................... 6

Chapter 1 Getting Started.............................................................................................................. 7

Access CommandPost................................................................................................................. 7

Change your Account .................................................................................................................. 7

Access the Guides....................................................................................................................... 8

Lock Icon ..................................................................................................................................... 8

CommandPost Navigation........................................................................................................... 8

System Status.............................................................................................................................. 8

Logout.........................................................................................................................................10

Using Non-ASCII Characters in Fidelis XPS...............................................................................10

Chapter 2 The Dashboard.............................................................................................................11

The Radar Page .........................................................................................................................11

What is an event? ..................................................................................................................11

What is an alert? ....................................................................................................................11

What is alert radar?................................................................................................................11

Uses of Alert Radar................................................................................................................12

Current Status Frame.............................................................................................................13

Information Flow Map™ Page ....................................................................................................14

The Information Flow Map......................................................................................................15

Controls in the Left Panel.......................................................................................................17

Fidelis XPS User Guide Version 6.0 Table of Contents iii

Filtering and Sorting Criteria...................................................................................................19

Chapter 3 Understand and Manage Alert Workflows .................................................................22

Access to Alerts and Quarantined E-Mails..................................................................................22

Handle Alerts..............................................................................................................................22

The Alert Workflow Log...............................................................................................................23

Manage a Single Alert.................................................................................................................23

Change Status .......................................................................................................................23

Change Alert Group ...............................................................................................................24

Manage Multiple Alerts ...............................................................................................................24

Chapter 4 Understand and Manage Alerts ..................................................................................25

Alert Report.................................................................................................................................26

Alert Quick Summary .............................................................................................................26

Filter Alerts.............................................................................................................................27

Navigate Alert Pages..................................................................................................................27

Alert Actions................................................................................................................................28

Alert Labels............................................................................................................................28

Export Alerts to Excel.............................................................................................................28

Purge Alerts ...........................................................................................................................29

Alert Report Page Controls.........................................................................................................29

System Reports for Alerts ......................................................................................................30

Search for Alerts ....................................................................................................................30

Duration..................................................................................................................................35

Include or Exclude Incoming Alerts........................................................................................35

Customize Alert Report...............................................................................................................36

Group.....................................................................................................................................36

Group Details.........................................................................................................................38

Create PDF Reports for Alerts....................................................................................................38

Trending......................................................................................................................................39

Alert Details ................................................................................................................................41

Alert Highlighting....................................................................................................................43

Scroll through Alert Details.....................................................................................................44

Download Text File.................................................................................................................44

Find Similar Alerts..................................................................................................................44

Manage Label ........................................................................................................................45

Purge this Alert.......................................................................................................................45

Alert Compression..................................................................................................................45

Decoding Path and Channel Attributes ..................................................................................45

Forensic Data.........................................................................................................................47

Recorded TCP Session..........................................................................................................47

Tune Rules from an Alert............................................................................................................49

Fidelis XPS User Guide Version 6.0 Table of Contents iv

Chapter 5 Understand and Manage Quarantined E-Mails..........................................................52

Understand Fidelis XPS Mail Quarantine....................................................................................52

The Quarantine Report...............................................................................................................53

Take Actions on Quarantined E-Mails.........................................................................................54

Deliver or Discard Quarantined E-Mail........................................................................................54

Search Quarantined E-Mails.......................................................................................................54

Search Quarantined E-Mails using Duration...............................................................................56

Advanced Search for Quarantined E-Mails.................................................................................57

Quarantine Details......................................................................................................................58

Chapter 6 Manage Reports ...........................................................................................................59

Create Custom Reports..............................................................................................................60

Search ....................................................................................................................................60

Filters .....................................................................................................................................62

Duration..................................................................................................................................63

Columns.................................................................................................................................64

Group By................................................................................................................................66

Custom Report Controls.........................................................................................................66

Run Custom Reports ..................................................................................................................67

Edit Custom Reports...................................................................................................................67

Copy Custom Reports.................................................................................................................67

Save and Schedule Reports.......................................................................................................68

Save.......................................................................................................................................68

Save and Schedule................................................................................................................68

Delete Reports............................................................................................................................69

Chapter 7 Create and Use Quick Reports....................................................................................70

Define Quick Reports..................................................................................................................70

Create Quick Reports .................................................................................................................73

Create PDFs for Quick Reports..................................................................................................74

Schedule Quick Reports.............................................................................................................74

Chapter 8 Network Reports ..........................................................................................................75

TCP Resets ................................................................................................................................77

Application Protocols ..................................................................................................................78

IP Defragmenter .........................................................................................................................79

Inline Module ..............................................................................................................................80

Network Statistics .......................................................................................................................81

TCP Processor ...........................................................................................................................82

Proxy...........................................................................................................................................83

Mail.............................................................................................................................................84

Connect ......................................................................................................................................85

Web Walker................................................................................................................................85

Fidelis XPS User Guide Version 6.0 Table of Contents v

Chapter 9 Manage Users, Roles, and Groups.............................................................................86

Access Control in CommandPost...............................................................................................87

Small Security Teams.................................................................................................................88

Define User Profiles....................................................................................................................88

Add or Edit a Local User.............................................................................................................89

Delete a User..............................................................................................................................91

Define Alert Management Groups ..............................................................................................92

Add or Edit an Alert Management Group ...............................................................................92

Delete an Alert Management Group.......................................................................................93

Define User Roles.......................................................................................................................93

Access Roles .........................................................................................................................94

Add or Edit a Custom Role.....................................................................................................95

Delete a Custom Role............................................................................................................96

Chapter 10 Configure Fidelis XPS Components.........................................................................97

The Component Page.................................................................................................................97

Component Information ..............................................................................................................97

Status Lights ..........................................................................................................................97

Details....................................................................................................................................97

License Messages..................................................................................................................98

Component Buttons................................................................................................................98

Add a Sensor..............................................................................................................................99

Edit a Sensor..............................................................................................................................99

License ...................................................................................................................................99

Expiration.............................................................................................................................100

System Monitor....................................................................................................................100

Logs .....................................................................................................................................102

Configure CommandPost..........................................................................................................103

User Authentication..............................................................................................................103

Email Configuration..............................................................................................................107

User Notification...................................................................................................................108

LDAP Configuration..............................................................................................................109

LDAP Reports ......................................................................................................................111

Alert Storage ........................................................................................................................112

CommandPost Language Configuration ..............................................................................113

Diagnostics...........................................................................................................................114

Archive.................................................................................................................................115

Configure Sensors....................................................................................................................116

Sensor Run Time Information ..............................................................................................116

Sensor Config Page.............................................................................................................116

Direct and Internal................................................................................................................117

Fidelis XPS User Guide Version 6.0 Table of Contents vi

Proxy....................................................................................................................................122

Mail.......................................................................................................................................123

Web Walker..........................................................................................................................125

Connect................................................................................................................................127

EMail Relayhost ...................................................................................................................129

Sensor Language Configuration...........................................................................................129

Chapter 11 Version Control ........................................................................................................131

Fidelis Release Naming Conventions.......................................................................................131

Update Fidelis XPS...................................................................................................................132

Prepare to Update................................................................................................................132

Run Update..........................................................................................................................132

Update Progress..................................................................................................................133

Schedule Update ......................................................................................................................134

Cancel Scheduled Jobs............................................................................................................135

Chapter 12 Configure Exports....................................................................................................136

Export Methods.........................................................................................................................136

Fidelis Archive......................................................................................................................136

EMail and Syslog .................................................................................................................136

SNMP Trap and ArcSight.....................................................................................................138

Verdasys Digital Guardian....................................................................................................138

IBM SiteProtector.................................................................................................................138

Define Exports..........................................................................................................................139

Available Export Buttons......................................................................................................140

Testing Export Communication ............................................................................................140

Delete Exports ..........................................................................................................................140

Chapter 13 Audit..........................................................................................................................141

Access Audit.............................................................................................................................141

Search for Audit Entries............................................................................................................142

Search Terms.......................................................................................................................142

Notes about Search Options................................................................................................143

Time Periods........................................................................................................................143

Chapter 14 Backup and Restore.................................................................................................144

Accessing the Command Line Interface ...................................................................................144

Backup and Restore CommandPost.........................................................................................144

Backup CommandPost.........................................................................................................144

Restore CommandPost........................................................................................................145

Backup and Restore a Sensor..................................................................................................146

Chapter 15 Archive......................................................................................................................147

Export Archive Data .............................................................................................................147

Import Archive Data..............................................................................................................147

Fidelis XPS User Guide Version 6.0 Table of Contents vii

Index.............................................................................................................................................149

List of Tables

Table 1. Critical conditions................................................................................................................ 9

Table 2. High severity conditions...................................................................................................... 9

Table 3. Controls .............................................................................................................................16

Table 4. Filter Lists ..........................................................................................................................20

Table 5. Actions list options.............................................................................................................24

Table 6. System Reports.................................................................................................................30

Table 7. Alert search fields..............................................................................................................32

Table 8. Sections in Alert Details.....................................................................................................42

Table 9. Decoding paths..................................................................................................................46

Table 10. Quarantined E-mail: search fields....................................................................................55

Table 11. Quarantined E-mail: advanced search fields ...................................................................57

Table 12. Search Fields...................................................................................................................60

Table 13. Filters...............................................................................................................................62

Table 14. System report columns....................................................................................................64

Table 15. Quick reports ...................................................................................................................71

Table 16. Determine user access....................................................................................................90

Table 17. User access levels...........................................................................................................94

Table 18. General parameters.......................................................................................................119

Table 19. Advanced parameters....................................................................................................120

Table 20. Proxy parameters ..........................................................................................................122

Table 21. Mail parameters.............................................................................................................124

Table 22. Web Walker parameters................................................................................................125

Table 23. Connect: General parameters........................................................................................127

Table 24. Alert Export keywords....................................................................................................137

Table 25. Audit Log columns .........................................................................................................142

Fidelis XPS User Guide Version 6.0 Table of Contents viii

Preface

This guide describes how to use the Fidelis XPS™CommandPost™ console to monitor and manage security alerts, to configure sensors, and to create and maintain CommandPost users

This guide contains the following chapters: The Overview

moudules. This section also briefly describes prebuilt and custom policies. Chapter 1 Getting Started

information, and access more information. Chapter 2 describes the and how to use alert radar Chapter 3 describes how to manage alert workflows Chapter 4 describes the alert report and how to use alert features Chapter 5 describes the quarantine management Chapter 6 describes how to manage Custom Reports Chapter 7 describes how to create and use Quick Reports

Chapter 8 describes how to use network reports Chapter 9 describes how to create and modify user information.

Chapter 10 describes how to configure CommandPost Chapter 11 descries how to update and manage Fidelis XPS versions. Chapter 12 describes how to configure exports Chapter 13 describes the Audit Chapter 14 describes how to backup and restore Chapter 15 describes how to Archive

describes Fidelis XPS: the CommandPost Management Console and other

describes how to access and navigate CommandPost, change account

and Information Flow Map.

list and how to manage quarantined e-mails.

and Fidelis XPS sensors.

feature and how to run it from the CommandPost GUI.

CommandPost and sensors.

alert and session data on the CommandPost.

Intended Audience

This information is intended for network system administrators familiar with networking, computer security, and with the security requirements and practices of their enterprises. This help system and related guides are intended for users that fit into at least one of the following major categories:

• The alert and quarantine managers are frequent users of the system, likely to visit the CommandPost GUI several times each day. Both roles are usually filled by system administrators responsible for reviewing alerts (or quarantined e-mails) and managin g any action required within the enterprise. Alert and quarantine management require high level data analysis and the ability to delve into the details of any single violation.

• The network IT manager will be the first to touch the CommandPost, but is expected to rarely use Fidelis XPS after initial installation. The IT manager might need to adjust sensor network settings and CommandPost to sensor communications, manage CommandPost users and their credentials, and monitor network statistics to verify connectivity.

Fidelis XPS User Guide Version 6.0 Preface 1

Technical Support

For all technical support related to this product, check with your site administrator to determine support contract details. Contact your reseller or if you have a direct support contract, contact the Fidelis Security support team at:

Phone: +1 301.652.7190* Toll-free in the US: 1.800.652.4020* *Use the customer support option. E-mail: support@fidelissecurity.com Web: https://portal.fidelissecurity.com

Available Guides

The following guides are available: The Guide to Creating Policies describes how to define policies and the rule s and fingerprints that

policies contain. The Guide to Prebuilt Policies describes policies that ship with Fidelis XPS and the rules and

fingerprints that these policies contain. This guide also indicates which rules and fingerprints might need to be configured for your enterprise.

The Enterprise Setup and Configuration Guide describes how to set up and configure Fidelis XPS hardware.

Release Notes are updated with each release to provide information about new features, major changes, and bugs corrected.

Fidelis XPS User Guide Version 6.0 Preface 2

Fidelis XPS™ Overview

Since 2002, organizations have chosen the Fidelis Extrusion Prevention System®, Fidelis XPS™, to solve their biggest data leakage challenges—safeguarding intellectual propert y and identity information, complying with government and industry privacy regulations, a nd enabling visibility and control of their networks. Built on a patented deep session inspection™ platform, Fidelis XPS is the industry's only next-generation data leakage prevention sol ution with the power to deliver comprehensive prevention over all 65,535 ports and all channels, complete visibi lity and control, and the lowest total cost-of-ownership to stop network data leakage on gigabit-speed networks. Simply deployed as a context-aware network appliance, Fidelis XPS gives global enterprises unequalled accuracy, security, and performance.

Enterprises use Fidelis XPS to protect against leakage of sensitive information and to enforce corporate network usage policies. Sensitive information examples include trade secrets, budgets, contracts, merger and acquisition activity, consumer information, research, and many other forms. Enforcement of network usage policies includes usage of corporate resources for personal activities, proper handling of sensitive data, and proper usage of network security measures in place for web proxies, e-mail gateways, and more.

The Fidelis Extrusion Prevention System product family includes multiple Fidelis XPS sensors— each designed to address the most demanding network environments—and the CommandPost™ management console. Refer to Fidelis XPS Modules

DLP or extrusion prevention is also done through the use of policies that map Fidelis XPS technology to laws and regulations so that business infrastructure requirements are met. Refer to

Fidelis XPS Policies.

Fidelis XPS Modules

Fidelis XPS modules and the appliances on which they reside include several types of sensors placed within your network and a management console. The sensors can be depl oyed to specific areas of the network to provide control and visibility as needed. This section describes how an enterprise might deploy Fidelis XPS modules and provides an overvie w of all av ailable sensors and the CommandPost console.

Figure 1. Fidelis XPS Modules

Fidelis XPS User Guide Version 6.0 Overview 3

CommandPost

The CommandPost module is the management console and offers web-based enterprise administration and strong third-party product integration. CommandPost collects, aggregates, and stores data from multiple sensors.

You can access the web-based, CommandPost GUI from anywhere on your network to:

• Visually monitor and analyze network alerts and other data in real time.

• Enable, disable, or customize policies and rules as required.

• Add, configure, and manage sensors and the console itself.

• Create CommandPost users using the granular access control capabilities in several user

authentication mechanisms including integration with a user director y server.

• Export information to a third party network alert aggregation system.

• Use the built-in reports or customize reports to your requirements. Reports can be scheduled

for automatic delivery or run in real time with click-through drill down capabilit y.

For information about setting up CommandPost, refer to chapters 2 and 4 in the Enterprise Setup and Configuration Guide. To get started using CommandPost, refer to Getting Started information about CommandPost's configuration features, refer to Configure CommandPost

. For more

Direct

The Direct module is used to monitor direct-to-Internet traffic and provides prevention on all ports and all application protocols. Products with the Direct module are typically deployed at the network perimeter, inline or out-of-band to monitor applications and protocols at multi-gigabit speed.

Fidelis offers products with the Direct module ranging from 25 Mb/s to 2.5Gb/s. For more details, refer to Direct and Internal

Direct, refer to chapter 5 in the Enterprise Setup and Configuration Guide.

. For information about setting up and configuring

Internal

The Internal module addresses internal traffic to ensure protection for your enterprise's databases, file shares, and user directories. Products with Internal capability are typically deployed in the network core to provide visibility and control of information leaving data centers or transmitted between divisions. The Internal provides prevention on all ports and all pro tocols.

Fidelis XPS offers products with Internal modules ranging from 25 Mb/s to 2.5 Gb/s. For more details, refer to Direct and Internal.

sensor, refer to chapter 5 in the Enterprise Setup and Configuration Guide.

For information about setting up and configuring this

Proxy

The Proxy module offers an interface to a third party HTTP proxy using the Internet Content Adaptation Protocol (ICAP). ICAP is a lightweight and extensible point-to-point protocol used for requesting services for content inspection.

The Proxy module offers the following advantages for HTTP traffic:

• Prevention can be accomplished by redirecting the user to a customizable web page that states their violation and other applicable information.

• When combined with an ICAP-enabled SSL proxy, the Proxy module can access unencry pted data destined to secure web sites.

Refer to Proxy the Enterprise Setup and Configuration Guide.

. For information about setting up and configuring this sensor, refer to chapter 6 in

Fidelis XPS User Guide Version 6.0 Overview 4

Mail

The Mail module provides graceful control of your enterprise's e-mail traffic. The Mail module supports monitoring and prevention similar to the Direct module, but also offers the ability to quarantine and to redirect messages to secure e-mail gateways. You can deploy product s with the Mail module in an SMTP path in MTA mode or with a Milter-enabled e-mail gateway.

For more details, refer to Mail chapter 7 in the Enterprise Setup and Configuration Guide.

. For information about setting up and configuring this sensor, refer to

Web Walker

The Web Walker module is used to scan all content on one or more internal web sites and analyze the data against your extrusion policies. Deploying products with the Web Walker mod ule in your environment will notify you if sensitive material is available on your web site.

For more details, refer to Web Walker refer to chapter 8 in the Enterprise Setup and Configuration Guide.

Connect

The Connect module provides content inspection services to any application that provid es a Simple Content Inspection Protocol (SCIP) interface. SCIP is a TCP-based, client-server communication protocol that provides the ability to submit information for content analysis and retrieve results.

For more details, refer to Connect refer to chapter 9 in the Enterprise Setup and Configuration Guide.

Fidelis XPS Policies

A policy is a set of rules that guide business practices within an enterprise. Some examples include determining acceptable use of network resources, preventing transmission of sensitive information, and ensuring compliance with privacy laws.

Fidelis XPS provides policy-based enforcement that maps rules to your ent erprise' s content disclosure or network use policies.

. For information about setting up and configuring this sensor,

Prebuilt Policies

Fidelis XPS ships with multiple policies that are grouped into one of the following categories:

• Compliance.

• Protection of digital assets and sensitive information.

• Managing insider use of the Internet.

All prebuilt policies will require some level of configuration, as described in the Guide to Prebuilt Policies.

Compliance

Fidelis XPS can be used to enforce policies to comply with federal and state privacy laws and industrial security standards. Such laws and standards include HIPAA, GLBA, PCI and many others. The following policies use rules that can prevent inappropriate transmission of this information:

• Identity Leakage

• HIPAA

• PCI

• Financial Information

Fidelis XPS User Guide Version 6.0 Overview 5

Protection of Digital Assets and Sensitive Information

Fidelis XPS can be used to enforce policies pertaining to corporate sensitive information. These policies are:

• Digital Asset Protection (DAP) provides the capability to detect and prevent sensitive materials being leaked through the network.

• U.S. Federal Government provides enforcement of Department of Defense Directive 5200.1

Managing Insider Use of the Internet

Fidelis XPS can be used to enforce corporate policy pertaining to the acceptabl e use of Internet resources. The policies in this category are:

• Application Management (AM) allows enforcement of unauthorized applications, such as peer-to-peer file sharing, instant messenger, access to web-based e-mail systems, and many others.

• Unauthorized Traffic (UT) is the detection and prevention of users who circumvent corporate security measures by using unauthorized proxies, defeating firewall rules, and using unauthorized encryption methods

• Inappropriate Content enforces policies regarding offensive material or langu age on the corporate network.

In addition, the File Transfer Management policy can apply to each major category. Usi ng this policy and customizing it appropriately enables you to manage the types of files transferred over the network.

For more detailed information about each policy, refer to the Guide to Prebuilt Policies.

Custom Policies

In addition to the prebuilt policies, it is possible to use the rich policy creation engi ne to define any network security policy required within your enterprise. Policies are a collection of rules, which are based on some definition of network traffic. The definition can be one or more of the following methods of identifying network traffic:

• Content refers to the textual content of an e-mail message, an IM chat, a file, or any other container of information. Fidelis XPS offers eleven methods to describe sensitive information, which include methods to register and methods to profile the information. Registration refers to the process of locating the sensitive information in its original format, sending it to CommandPost, and registering the content. Profiling refers to methods to describe sensitive information without the need to locate it.

• Location refers to the sender or the recipient of the information.

• Channel refers to all other aspects of network communication including the application

protocol, attributes (such as URL, FTP user name, and social networking application modes of operation), the time of day and day of the week, the length of the communication, and many other parameters.

Using the combination of configured prebuilt and custom policies, an administrator is able use Fidelis XPS to enforce all corporate policies for network usage and confidentiality.

For information about editing or creating policies and rules for your enterprise, refer to the Guide to Creating Policies.

Fidelis XPS User Guide Version 6.0 Overview 6

Chapter 1 Getting Started

Fidelis XPS is a real-time, extrusion prevention system that detects and prevents net work abuse and extrusions. It reassembles and analyzes traffic on your computer network. Fidelis XPS accomplishes this though its sensors and the CommandPost management console. CommandPost enables you to manage and configure the sensors that detect net work abuse and extrus ions.

This chapter provides information on how to get started using CommandPost including: accessing and navigating CommandPost, changing your account information, and where to find more information.

Access CommandPost

You can access CommandPost from anywhere on your network, by using a web browser that supports SSL. Communications between the sensors and CommandPost and between CommandPost and the web-based GUI are encrypted SSL communications.

CommandPost has been verified with Microsoft Internet Explorer versions 6, 7 and 8 and with Mozilla Firefox versions 1, 2, and 3.

For CommandPost to work properly, your client workstation must have the following installed:

• Adobe Flash Player – obtain a recent version of Adobe Flash Player free of charge from the Adobe web site at www.adobe.com.

• WinSCP – available free of charge from the WinSCP web site at www.winscp.net. WinSCP transfers files to CommandPost for policy creation and verification. All other aspects of CommandPost function properly without WinSCP.

• Allow pop-up windows from the CommandPost server.

• Enable Javascript execution in your browser.

Change your Account

From your browser, navigate to the IP address of the console device and log in with the user name and password that Technical Support

Change the password for this account immediately after your first log in.

Note: Access to account information is determined based on the CommandPost configuration for user authentication. Questions should be addressed to your CommandPost system administrator.

To do this:

1. Click the Account link at the top right corner. The Change Account dialog box displays.

Figure 2. Change Account Information

2. Enter your old password and then enter your new password.

3. Re-enter your new password.

4. You can change the full name and the e-mail address associated with this account.

provides. The CommandPost Radar page displays.

Fidelis XPS User Guide Version 6.0 Getting Started 7

5. Click Change. CommandPost saves the new password, name, and e-mail address. If you changed the password, the system will log you out.

6. Log in with your new password.

7. Add a new user for each CommandPost user. Fidelis recommends adding at least one new user, even if you are the only one accessing the system. Refer to Users

Access the Guides

Click the help icon at the top of the CommandPost GUI. The Fidelis XPS WebHelp system displays. Click the PDF Downloads link in the Table of Contents to display the Guides page with its links to the PDF files for the guides, the release notes, and the redistribution notice.

The information in the User Guide and The Guide to Creating Policies is accessible in WebHelp.

Lock Icon

Fidelis XPS CommandPost and sensors communicate over encrypted SSL connections, using se lfsigned certificates and an internal authentication method. This mode can be overridden by installing externally generated certificates that use the Public Key Infrastructure (PKI). Refer to the Enterprise Setup and Installation Guide for information about installing PKI certificates to run in this mode.

When operating with PKI certificates, a lock icon appears at the top right of the CommandPost menu bar. You can mouse over the lock icon to see the expiration date for the certificate.

CommandPost Navigation

With the exception of Radar, clicking a main menu option in the CommandPost GUI displays subnavigation menus. A highlighted option from the subnavigation menu indicates which page is currently accessed. CommandPost navigation is "sticky" meaning that if you later return to the same major heading, the page last accessed displays.

Note: Users need permissions to see many of the menu options. If a user d oes not have the appropriate permissions for a menu option, that option does not display. Refer to User Roles

for more information.

System Status

System Status provides information about Fidelis XPS components and their status that you can access from any GUI page. The diamond next to System Status reflects the status of the component with the highest severity. Mouse over the System Status diamond to see the list of components. The component list that displays is CommandPost and all sensors that have been registered which are within the user’s access privileges. Refer to a component in the list to see a message about that component's status. Each component has a green, yellow, or red diamond next to it to indicate the severity of the component's status.

Note: Users need permissions to see system status. Refer to User Roles

Green indicates that the component is operational. A red diamond indicates a condition with critical severity. The following table describes some of the

more common conditions that can cause system status messages with this severity.

Define User Profiles. Mouse over

Fidelis XPS User Guide Version 6.0 Getting Started 8

Table 1. Critical conditions

Condition Description

Invalid License Contact Technical Support for a new license.

Sensor has lost connection Sensor has not communicated

in the last 10 minutes

Insufficient disk space, alerts & sessions not being inserted

Unable to make space for alerts/sessions, alerts & sessions not being inserted

Process is having difficulties starting

Disk space on partition is gone

A yellow diamond indicates a condition with high severity. The following table describ es some of the more common conditions that can cause system status messages with this severity.

Table 2. High severity conditions

Condition Description

High stress levels Fidelis XPS sensors reassemble packets into sessions in the sensor

Sensors can lose connectivity with the CommandPost for a number of reasons.

This can occur if CommandPost cannot insert alerts or sessions into the data store.

This can occur if CommandPost cannot delete alerts or sessions from the data store when operating at space limitations.

The process manager sends this notification if it cannot start one of the server processes on the sensor or on CommandPost.

The process manager runs on sensors and checks the disk periodically.

memory.Stress is an indication of the amount of memory currently consumed by the sensor for reassembly. As stress increases, the sensor's ability to analyze all traffic diminishes. There are several reasons for increased stress:

1. When the incoming data is missing packets, stress will be high. In this situation, the sensor cannot efficiently reassemble sessions. In high stress situations with high packet loss, the sensor may be inoperable. Packet loss is the most common culprit in high sensor stress and must be remedied within the enterprise network.

2. When sustained network bandwidth exceeds the rating of the sensor, stress may be high. The remedy is to analyze the sensor model and whether it is rated to handle the observed network bandwidth.

3. When network bandwidth exceeds the rating of the sensor for small bursts, stress may rise temporarily. The sensor can withstand busts as indicated by momentary rises in the stress level.

Policy update required

Fidelis XPS User Guide Version 6.0 Getting Started 9

This occurs when policy assignments on CommandPost are not sent to the sensors by a policy update . The sensor will be executing the last policy download, not the assignments shown on CommandPost. Refer to chapter 9 in the Guide to Creating Policies.

Condition Description

License refresh required License expired License expires within one day License expires in [number of]

days Demo mode License error

No sensor registered [number of] alerts & [number of]

sessions deleted to create space Database maintenance running,

alerts are being spooled Rate of logging too high, spooler

cannot keep up

Ensure that you entered the license key for the component. Refer to

License

Register each sensor with the CommandPost. Refer to Add a Sensor CommandPost deletes alerts from the data store when operating at

space limitations. This occurs when database maintenance takes place on

CommandPost. Refer to Alert Storage A sensor sends this message if it cannot write alerts to the spool file

fast enough.

. Contact Technical Support if you require a new license.

to schedule this maintenance.

Logout

To securely log out of CommandPost, click the logout link at the top of the page. Logging out will end your browser session to CommandPost.

Note: If inactive for 15 minutes, CommandPost will log you out.

Using Non-ASCII Characters in Fidelis XPS

Fidelis XPS supports the use of non-ASCII characters in most input fields.The fields that do not allow Unicode are: e-mail addresses, host names, domain names, login names, and server directory names. CommandPost user names and passwords also do not support Unicode characters.

Fidelis XPS User Guide Version 6.0 Getting Started 10

Chapter 2 The Dashboard

The Dashboard enables you to access either the Fidelis XPS Radar page or the Information Flow Map page.

All users can access the Radar Both the Radar and the Information Flow Map pages require the Adobe Flash Player. Refer to

Getting Started

for details.

The Radar Page

CommandPost’s unique Radar page is a real-time graphical representation of alerts occurring on your network.

To access this page, Click Dashboard>Radar. The Radar page refreshes with new alert data periodically. Alerts are caused by events o n your

network.

What is an event?

When a Fidelis XPS sensor detects an extrusion of sensitive information or security brea ch, it generates an event. An event can be generated as the result of a match to a specific rule and can result in generating an alert, preventing the session, throttling the session, quarantining e-mail, rerouting e-mail, or combinations of these actions.

What is an alert?

An alert is the recorded and displayed incidence of an event. Alerts are generated on ly if the alert action for an event is enabled in the violated rule. Alerts are transferred to and stored by CommandPost.

or the Information Flow Map page.

Figure 3. The Radar page

What is alert radar?

Alert Radar graphically represents alerts occurring on your network, grouped by common characteristics identified by CommandPost’s Adaptive Alert Classifier which uses artificial neural networks technology.

Fidelis XPS User Guide Version 6.0 Dashboard 11

What are alert clusters?

CommandPost’s Adaptive Alert Classifier groups related network alerts into an alert cluster. Clusters are a visual presentation of similar alerts. When creating a cluster, CommandPost considers the sender and receiver of the information transfer, the time of the transfer, the sensor on which the alert was detected, the rule violated, and the priority of an alert.

CommandPost creates clusters based on similar information, but not necessarily equivalent or related information. For example, alerts with similar, but not equal, source IP addresses may be grouped in a single cluster, which may be indicative of a problem generated by a loc ation rather than an individual. Also, alerts from a similar time period during normal working hours may be grouped together while others occurring during non-working hours may be grouped into a different cluster.

A cluster is represented by a dot or a line on the alert radar. The line represents a cluster that contains several alerts over time. The line connects the first and most recent alerts within the cluster. A dot represents a single alert or several alerts that were detected at the same time.

The clusters are intended as a visual representation of alert activity and are not necessarily presented in the best form for investigation into network behavior. CommandPost offers many features for investigative purposes, including the Alerts and Alert Details pages, the Quarantine and Quarantine Details pages, reports, searches, filtering, and sorting.

What does the Radar show?

Alert clusters requiring immediate attention are in red. The orangecolored alerts represent alerts with a high severity. Alerts with medium severity are colored in blue and green and symbolize a low-level alert. The shape of the alert cluster on the radar corresponds to its duration—an alert grouping that appears as a point has a succinct duration and an alert grouping over a longer duration may appear as a line. Severity is determined, per rule, when the rule is created.

What is a time horizon?

The Alert Radar shows data over a configurable time horizon. As the radar beam sweeps over the alert cluster, each alert cluster is identified by rule. Mousing over the alert cluster displays a pop-up containing more information including:

• The rule violated by the alerts in the cluster.

• Sensor: provides the name of the sensor that detected the alert.

• Source address: indicates the sender’s IP address.

• Destination address: indicates the receiver’s IP address.

• Duration: provides the time difference between the oldest and newest alerts in the cluster.

As you mouse over the radar and change the horizon, you will notice a change to the key in the lower right hand corner of the page. The numbers listed here refer to the number of alert clusters, per severity level, that fall into the current time horizon. If any portion of a radar line falls within the horizon, this cluster is included in the key.

Uses of Alert Radar

Alert Radar allows network security personnel to monitor at a glance significant alerts occurring on the network.

The maximum time horizon can be set from 1 hour to 96 days by selecting from the pull-down options at the top of the alerts table and clicking Go. Moving the mouse out from the radar’s center allows you to examine data within that time horizon. As the mouse moves out, the number of alert clusters displayed by severity changes in real time.

Fidelis XPS User Guide Version 6.0 Dashboard 12

Examining Alert Clusters

Clicking on an alert cluster takes you to the Alert Report for that alert cluster.

Alert Cluster Table

Above the Alert Radar, the Radar page displays a table of alert clusters over a configurable time horizon. Click + to display the Alert Cluster table. Click – to hide the Alert Cluster table.

Figure 4. The Alerts table

The Alerts Cluster table of the Radar page displays:

• Severity of the alert cluster

• Number of alerts in the alert cluster, hyperlinked to Alert Report

• Sensor discovering the alerts

• The rule that was violated

• Time and Duration

The display time period can easily be changed from 1 hour to 96 days by using the p ull-down menu. Changing the pull-down selection also changes the time display on Alert Radar. If the list is truncated, the More link appears in the bar at the table’s foot.

Current Status Frame

The Current Status frame, located on the left of the Radar page, displays the following information, updated in real-time.

Fidelis XPS User Guide Version 6.0 Dashboard 13

User:

Displays the login name of the user currently logged in and the total number of alerts per sensor and per CommandPost. The component list and numbers represent only those alerts the user is permitted to see based on the user’s role, alert management group assignments, and sensor assignments. Refer to of alerts displays a list of these alerts. Hold your cursor over the green, yellow, or red diamond to see useful information about a component: for example, if a license is expiring, if the sensor needs updating, or if the sensor is experiencing traffic problems. Refer to System Status critical and high severity.

Define User Profiles. Clicking the number

for explanations of conditions with

Events in the Last 7 Days

Presents a graph of events in the past seven days, by severity. This graph lists all events in CommandPost, including those the user may not access. The colors in the graph refer to severity levels.

Critical severity High Severity

Medium Severity Low Severity

Information Flow Map™ Page

The Information Flow Map™ feature within Fidelis XPS takes data leakage prevention (D LP) beyond alerts to an actual understanding of how information flows across your network. A Direct sensor automatically collects information about the network it monitors and displays all levels of communication, from the transport protocol through to the content involved in network communications. Information Flow Map displays communication between nodes as network flows in real time.

Information Flow Map can display up to 64 nodes based on activity monitored by the sensor. You can manipulate the nodes that display by using the controls available on the page.

• The map reflects the activity monitored by a single sensor, as chosen at the sensor selection control.

• Filtering and sorting criteria change the sensor configuration. Manipulation of these controls will change the way nodes are chosen for display.

• The Watch list can be used to mark a node for inclusion in the map at all times, regardless of the filtering and sorting settings.

• The Ignore list can be used to mark a node for exclusion from the map at all times.

• A scanning radar line passes over the map to highlight the activity of each node. The radar

can be stopped to examine details of any node on the map and to view a summary of the node’s activity over the past 24 hours.

Information Flow Map is a CommandPost view of data collected by the sensor. The sensor process is resource intensive and cannot be executed on low performance sensor hardware. Information Flow Map can only be enabled on a Direct sensor with enough capability to support Information Flow Map. In addition, the sensor to CommandPost network bandwidth will increase significantly, Before Information Flow Map is enabled, verify the following:

Fidelis XPS User Guide Version 6.0 Dashboard 14

• The sensor is a Direct 1000 or Direct 2500. Lower performance sensors have insufficient resources.

• The sensor must be registered and actively communicating with CommandPost.

• Each sensor enabled for Information Flow Map will increase the network load between

sensors and CommandPost by approximately 5 - 10 Mbps. If your system uses an administrative network of 100 Mbps or higher for Fidelis system component communication, Information Flow Map should not present a problem. Refer to the Enterprise Setup Guide.

• Information Flow Map is not supported on Internet Explorer 6.0.

• Information Flow Map requires version 10.0 and above of the Adobe Flash Player.

Refer to Direct and Internal To see a different network flow: Select a different sensor at the drop-down list. The main Information Flow Map change and so do

the filtering options for Transport, Protocol, Format, Content, Rule, and Alert. Click Dashboard>Information Flow Map to access the page. The main sections of Information Flow

Map page are described in subsequent sections:

• The Information Flow Map

• Controls in the left panel

• Filtering and Sorting Criteria

for details about enabling Information Flow Map on a sensor.

Figure 5. Information Flow Map

The Information Flow Map

The map displays network nodes based on the selected sensor and its filter and sort configuration. The map is presented with a scanning radar line. As the radar passes over a node, the node and its

communication flows are highlighted. The left panel will reflect the name of the node under the radar and details about each color coded flow. The radar can be stopped by clicking on an y node or by clicking the Pause button located at the lower left. When the radar is stopped, you can access details about the node and its communication.

Fidelis XPS User Guide Version 6.0 Dashboard 15

Understanding the Map

By default, nodes are represented by green circles on the map. Larger circles represent nodes with more activity. Nodes represent hosts on the network. The lines between the nodes represent communication between nodes. Clicking a node pauses the radar a nd provides more information. The map presents up to 64 nodes based on the sensor configuration. Many flows will be seen between nodes on the map, in addition to flows with the “cloud.” In the context of Information Flow Map, the cloud represents all nodes not currently shown.

If a border is configured for the sensor, a grey box will appear in the center of map. Nodes are classified as internal or external based on their placement according to the network border. In this view there are two clouds. Flows between a node on the inside of the border to the external edge of the map reflect communication with an external node that is not part of the 64 nodes being displayed, otherwise known as the external cloud. Similarly, flows from an external node to the edge of the grey box represent communication to an internal node that is not being displayed, or the internal cloud.

If no border is configured, the grey box will not appear. In this case, there is only one cloud represent by flows that terminate at the edge of the map.

The lines between nodes represent communication between the nodes, col or coded to match the accordion bars in the left panel:

• Blue represents the transport protocol, (for example:TCP or UDP).

• Yellow represents application protocol, (for example: HTTP. GoogleMail, AOL Instant

Messenger, Facebook).

• Green is the format of the data transfer, which may represent the format of a file (for example: text, MS-Word, PDF) or the format of email or chat content (for example: text, HTML, XML).

• Purple represents content, as defined by fingerprints that are running on the sensor. Fingerprints are descriptions of content, communication channel, or location. The information flow map presents all fingerprint matches detected by the sensor. Refer to chapter 5 in the Guide to Creating Policies for details about the creation of fingerprints.

• Orange represents rules that have an action of Information Flow Map. Using Information Flow Map rules, fingerprints can be combined in a logical manner to monitor information without creating alerts. Refer to chapter 7 in the Guide to Creating Policies for details about creating and using rules.

• Red represents rules that have an action of Alert. Detailed alert information is available on the Alerts report. Refer to Alert Details

Nodes are represented by their IP Address. CommandPost will attempt to resolve the host name of all nodes and the with display the resolved name instead of the IP Address when possible.

Using Information Flow Map Controls

Information Flow Map controls enable you to view more information about a node, its flows, or detailed information for a selected node's history. The controls also all ow you to manipulate the Watch List and the Ignore List. Controls are located in the lower left of the screen or within the map itself.

Table 3. Controls

Control Description

Fidelis XPS User Guide Version 6.0 Dashboard 16

Click to open or close the Ignore List in the left panel. Adding a node to the Ignore List instructs the sensor to not collect information from that node.

Click to open or close the Watch List in the left panel. Adding a node to the Watch List instructs the sensor to collect information from that node regardless of filter and sort settings.

Control Description

This button becomes active if the radar is stopped and if a node is selected. Click to view the activity of the selected node over the past 24 hours. Refer to History Charts

Click a node on the map.

Drag a node on the map.

Click Click to switch to full screen mode.

Press ESC to exit full screen mode. Redraws the Information Flow Map. The map will automatically redraw approximately

once per minute. Clicking this button will redraw the map immediately. Pause the radar. The sensor will continue to collect information but the map will remain

static until the radar is restarted. Starts the radar.

Clicking a node causes the same behavior as the pause button. In this case, you select the node to be reflected on the left panel.

Nodes can be dragged within the map to change their position. When many nodes are displayed, the communication flows may not be obvious without dragging.

to return to the Information Flow Map.

Controls in the Left Panel

The left panel is used to view details about activity for a selected node and to manage the Watch and Ignore lists. The name of the selected node appears at the top of the panel. A

the name of the selected node indicates that the node is part of the Watch List. Node activity is presented by accordion bars which provide a quick view of a node's recent activity.

Accordion Bars

The accordion bars in the left panel display node activity The information for each node displays when the radar passes over the node or when the node is selected while the radar is stopped. Click an accordion bar to view the associated chart.

You can mouse over the graph to see specific information such as the number of sessions, packets, and bytes.

icon next to

Fidelis XPS User Guide Version 6.0 Dashboard 17

Each chart presents a bar chart reflecting the node activity. The X-axis of the chart reflects the average activity in the last minute. The Y-axis reflects all possible values available within the map.

Watch List

When the control on the l ower left of the screen is clicked, the left panel is replaced by the Watch List. Nodes in the Watch List are displayed on the map regardless of filtering criteria selected. However, they will not display if they have no detected activity.

The Watch List can contain up to 50 nodes. The Count at the bottom tracks how many nodes are in the list.

To add a node to the list, select it on the map and click the Add button at the bottom of the Watch List. To remove a node from the list, select it from the Watch List and click the Remove button.

When you select a node in the Watch List the following occurs in the Information Flow Map:

• The radar stops.

• The node and its flows are highlighted.

Note: If the node has no activity, it is not on the map and nothing is highlighted.

• Select a new shape or a new color and click Save. Changes to the Watch List are not effective until you click

Save.

Ignore List

When the control on the lower left of the screen is clicked, the left panel is replaced by the Ignore List. Nodes in the Ignore List are not displayed on the map and the sensor will not collect information on these nodes.

The controls for adding or removing nodes from the list operate in the same manner as the Watch List.

Fidelis XPS User Guide Version 6.0 Dashboard 18

History Charts

Select a node and click to view the charts for the selected node. History charts provide a summary of Protocol, Transport, Format, Content, Rule, and Alert activity for the past 24 hours.

You can examine specific time periods within that time frame by moving the time frame or move the slider bar to view a different time segment.

The page is presented by one large chart in the upper left in addition to smaller charts. Click move a chart into the large section. The large chart provides an interactive legend. Clicking on a name in the legend will toggle whether the associated line in the graph is shown or not.

The history charts may include gaps of time where information is missing. This represents periods where the node was not being tracked by the sensor. This can be due to inactivity, filter or sort criteria changes, and changes to watch and ignore lists.

icons to change the

Figure 6 . Information Flow Map: History

Filtering and Sorting Criteria

The selection area at the top of the Information Flow Map page contains a sensor selection, filter and sort controls, Submit and Cancel buttons, and a status icon. These controls enable you to change the map by selecting a different sensor or by modifying the sensor configuration via filtering and sorting changes.

By default, no filters are selected. This means that the network sensor collects all available information from each node and the map will reflect the most active 64 nodes. You can filter this information by selecting specific criteria from the filter lists available at the top of the page. This

Fidelis XPS User Guide Version 6.0 Dashboard 19

changes the criteria used by the sensor to collect information, which changes the method used to determine the nodes to display.

When filters are applied only those nodes that meet the chosen criteria are displayed. However, all activity of these nodes will be seen. For example, if you choose to filter by the Protocol Facebook, the Information Flow Map show all nodes using Facebook. The map will also show other flows involving these nodes.

Filter criteria across the lists are taken as a single criterion for node selection. For example, if you choose the Protocol Facebook and Content of Sensitive Data, the map will only show nodes that are communicating with Facebook and have flows that match Sensitive Data. Note that this does not mean that a single flow contains both parameters used in this example, only that the node is involved with flows that match both.

To change the filter, click

to view a list and select criteria.

Table 4. Filter Lists

List Description

Transport Enables you to filter based on transport protocols: TCP, UDP, and ICMP.

Protocol Select protocols of interest from a list of all application protocols.

Format

Content

Rule

Alert

Select from a list of all supported data formats.

Select from a list of fingerprints assigned to the sensor through policy assignments. Each sensor can track information for up to 64 fingerprints. The fingerprints are chosen according to this order: Content fingerprints are first, followed by channel and location fingerprints found in rules with an action of Information Flow Map followed by all remaining fingerprints. Each sublist is sorted alphabetically. This list is displayed according to this order, on the Content filter control.

Select from a list of rules that have an Information Flow Map action running on the sensor. The list can contain up to 32 rules, sorted alphabetically.

Select from a list of rules that have an alert action running on the sensor. This list can contain up to 32 rules. Rules that also have Content fingerprints display first, then all other rules. Each sublist is sorted alphabetically.

To change the sort, click the button of the list you wish to sort. Only one list can be chosen for sorting. The activity). The

Clicking the button again switches sort mode.

Note: Sort is only possible if at least one item is selected as filter criteria. For example, if all Protocols are deselected, sorting by Protocol has no effect.

After selecting and sorting criteria, you can:

• Click Cancel to eliminate current selections.

• Click Submit to send your changes to the network sensor and to nodes on the same network.

The sensor collects information from the network based on your selected configuration and sends it to the CommandPost GUI for display in Information Flow Map. Once configuration changes are sent, new changes cannot be sent until the sensor is synchronized. The Sync

Synchronization takes about 1 minute to complete.

Sample uses of Filtering and Sorting:

Fidelis XPS User Guide Version 6.0 Dashboard 20

icon indicates that the sort that will choose the most active 64 nodes (high to low

icon indicates a sort that will choose the least active 64 nodes (low to high activity).

icon changes to indicate that information is being retrieved from the sensor.

• To show the most active nodes on the network, use the default filter settings.

• To show the most active nodes, based on application protocol usage, sort based on the

Protocol control. This will sort the nodes based on protocol usage rather than any other level of activity.

• To show the most active nodes using Facebook and sharing sensitive data, deselect all filters except the Protocol Facebook and Content of Sensitive Data, assuming such a fingerprint is defined and running on the sensor. Nodes are selected based on the most active Facebook users and the most active Sensitive Data transfers, which are not necessarily the same set of nodes.

• To show all nodes sharing Sensitive Data over Facebook, define a rule that defines this condition. Filter the Information Flow Map based on this rule.

• To show the least active nodes, change the sorting criteria to low-to-high.

Fidelis XPS User Guide Version 6.0 Dashboard 21

Chapter 3 Understand and Manage Alert

Workflows

From the Alert Report or the Quarantine pages, you can assign, monitor, and manage alerts and quarantined e-mail. The Alert Report and Quarantine pages are available f rom the Reports main heading.

This chapter covers the following topics:

• Access to Alerts and Quarantined e-mail

• Assign a New Alert

• Manage an Alert

• Manage Multiple Alerts

Access to Alerts and Quarantined E-Mails

The Alert Report page provides a list of all alerts accessible to the user. Accessibility to this information is determined by the CommandPost user’s role, sensor assignments, and alert management group assignments.

Refer to Access Control in CommandPost groups, and how these affect users. Refer to chapter 9 in the Guide to Creating Policies for details on assigning policies and rules to sensors and to alert management groups.

Users with full access to the Alert function may:

for details on assigned sensors, alert management

• Read and examine the details of an alert, including the original transmission that caused the violation.

• Export summary alert information to Microsoft Excel or any other application that accepts comma-separated files.

• Purge alerts.

Users with full access to the Quarantine function may:

• Read and examine the details of every quarantined e-mail, including the original e-mail that caused the quarantine.

• Deliver e-mail from quarantine, sending it to its original recipient.

• Discard e-mail from quarantine, removing it from the quarantine queue without delivery.

Users with full access to the ticket system may also:

• Assign alert tickets to another user with access to the alert.

• Close an alert ticket, providing a ticket resolution.

• Move an alert from its current alert management group to another. This action makes the alert

accessible to another group of users.

• Add comments to the alert workflow log.

Handle Alerts

To find all alerts currently assigned to you, use the My Alerts view on the Alert Report page. Refer to System Reports for Alerts

To find all alerts owned by a specific user:

Fidelis XPS User Guide Version 6.0 Alert Workflows 22

+ 128 hidden pages

Fidelis XPS User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Table of Contents

List of Tables

Preface

Intended Audience

Technical Support

Available Guides

Fidelis XPS™ Overview

Fidelis XPS Modules

CommandPost

Direct

Internal

Proxy

Mail

Web Walker

Connect

Fidelis XPS Policies

Prebuilt Policies

Custom Policies

Chapter 1 Getting Started

Access CommandPost

Change your Account

Access the Guides

Lock Icon

CommandPost Navigation

System Status

Logout

Using Non-ASCII Characters in Fidelis XPS

Chapter 2 The Dashboard

The Radar Page

What is an event?

What is an alert?

What is alert radar?

Uses of Alert Radar

Current Status Frame

Information Flow Map™ Page

The Information Flow Map

Controls in the Left Panel

Filtering and Sorting Criteria

Access to Alerts and Quarantined E-Mails

Handle Alerts