Fidelis Vector User Guide 801

The Fidelis XPS Vector User Guide provides comprehensive instructions for using the Fidelis XPS Vector CommandPost to monitor and manage security alerts, configure sensors, and manage user accounts. It includes detailed chapters on getting started, dashboard usage, alert management, reporting, and system configuration. The guide is intended for network system administrators and IT managers familiar with cybersecurity practices.


Vector User Guide

Copyright © 2002–2015 by General Dynamics Fidelis Cybersecurity Solutions, Inc.
All rights reserved worldwide.

Fidelis XPS™ Vector

Vector User Guide

Revised 2015

Users are granted permission to copy and/or distribute this document in its original electronic form
and print copies for personal use. This document cannot be modified or converted to any other
electronic or machine-readable form in whole or in part without prior written approval of General
Dynamics Fidelis Cybersecurity Solutions, Inc.
While we have done our best to ensure that the material found in this document is accurate,
General Dynamics Fidelis Cybersecurity Solutions, Inc. makes no guarantee that the
information contained herein is error free.
Fidelis XPS Vector includes GeoLite data created by MaxMind, available from
http://www.maxmind.com/

General Dynamics Fidelis Cybersecurity Solutions, Inc.


4416 East West Highway, Suite 310
Bethesda, MD 20814
Table of Contents
Preface............................................................................................................................................. 1
Intended Audience ....................................................................................................................... 1
Available Guides .......................................................................................................................... 1
Technical Support ........................................................................................................................ 2
Fidelis XPS Vector Overview ......................................................................................................... 3
The Threat Life Cycle................................................................................................................... 3
Chapter 1 Getting Started .............................................................................................................. 4
Access CommandPost................................................................................................................. 4
Change your Account .................................................................................................................. 4
Access System Information ......................................................................................................... 5
Access the Online Help, the Guides, Support, and Time information .......................................... 6
Using Multiple Tabs ..................................................................................................................... 6
Lock Icon ..................................................................................................................................... 6
CommandPost Navigation ........................................................................................................... 6
System Status.............................................................................................................................. 7
Database Encryption Status ........................................................................................................ 9
Logout .........................................................................................................................................10
Using Non-ASCII Characters in Fidelis XPS Vector ...................................................................10
Chapter 2 Dashboard ....................................................................................................................11
Widget Controls ..........................................................................................................................11
Custom Alert Widget ...................................................................................................................12
Globe ..........................................................................................................................................13
World Map ..................................................................................................................................13
Radar ..........................................................................................................................................14
Top Alert (or Malware) Hosts ......................................................................................................15
Top Alert (or Malware) Sources ..................................................................................................15
Alert Trend ..................................................................................................................................15
Malware Trend ............................................................................................................................15
Application Protocol Trends ........................................................................................................15
System Status.............................................................................................................................15
Network Statistics .......................................................................................................................16
Alert Insertion Rate .....................................................................................................................16
Disk Space..................................................................................................................................16
Chapter 3 Understand and Manage Alert Workflows .................................................................17
Access to Alerts ..........................................................................................................................17
The Alert Workflow Log...............................................................................................................17

Fidelis XPS Vector User Guide Table of Contents iii


Manage a Single Alert.................................................................................................................18
Change Status .......................................................................................................................18
Change Alert Group ...............................................................................................................18
Manage Multiple Alerts ...............................................................................................................19
Chapter 4 Understand and Manage Alerts ..................................................................................20
Alert List ......................................................................................................................................21
Alert Quick Summary .............................................................................................................21
Filter Alerts .............................................................................................................................22
Navigate Alert Pages ..................................................................................................................23
Alert Actions................................................................................................................................23
Alert Labels ............................................................................................................................24
Export Actions ........................................................................................................................24
Purge Alerts ...........................................................................................................................26
Alert List Page Controls ..............................................................................................................27
System Reports for Alerts (Vector) .........................................................................................28
Search for Alerts ....................................................................................................................28
Enter Search Terms ...............................................................................................................30
Time Range............................................................................................................................34
Group By ................................................................................................................................35
Group Details .........................................................................................................................37
Customize Report...................................................................................................................37
Create PDF Files for Alerts .........................................................................................................38
Generate PDF ........................................................................................................................38
Customize PDF ......................................................................................................................38
Email the PDF ........................................................................................................................39
Trending......................................................................................................................................39
Alert Details ................................................................................................................................40
Alert Sources ..........................................................................................................................43
Scroll through Alert Details .....................................................................................................43
Find Similar Alerts ..................................................................................................................44
Find File on Hosts ..................................................................................................................44
Change Label .........................................................................................................................44
Purge this Alert.......................................................................................................................44
Alert Compression ..................................................................................................................44
Execution Forensics ...............................................................................................................45
Decoding Path and Channel Attributes ..................................................................................47
Fidelis XPS Vector Decoders......................................................................................................49
Protocol Decoder Attributes and Values.................................................................................49
Format Decoder Attributes and Values ..................................................................................64
Attributes for Protocol and Format Decoders .........................................................................72
Quality, Encryption String, and Hash Values ..............................................................................78
Chapter 5 Investigator ...................................................................................................................79
Include Items in an Investigation .................................................................................................79
Using the Investigator .................................................................................................................80
Change an Investigation .............................................................................................................80
Open an Investigation .................................................................................................................80
Access Data Stored in an Investigation ......................................................................................81
Search for Items .....................................................................................................................81
Edit Item Comments ...............................................................................................................81
Chapter 6 Saved Reports ..............................................................................................................83
Report Permissions.....................................................................................................................83
Report Details and Buttons .........................................................................................................84
Create Reports ...........................................................................................................................84
Search ....................................................................................................................................85
Filters .....................................................................................................................................88
Time Range............................................................................................................................89
Columns .................................................................................................................................90
Sort By ...................................................................................................................................93
Group By ................................................................................................................................93
Report Controls ......................................................................................................................94
Run Reports................................................................................................................................94
Edit Reports ................................................................................................................................95
Save and Schedule Reports .......................................................................................................95
Save .......................................................................................................................................95
Save and Schedule ................................................................................................................95
Delete Reports ............................................................................................................................96
Chapter 7 Summary Reports .......................................................................................................97
Define Summary Reports............................................................................................................97
PDF Controls ..............................................................................................................................99
Customize PDF ......................................................................................................................99
Email PDF ............................................................................................................................100
Schedule Summary Reports .....................................................................................................101
Chapter 8 Network Reports ........................................................................................................102
Network Statistics .....................................................................................................................104
Application Protocols ................................................................................................................105
TCP Processor .........................................................................................................................106
IP Defragmenter .......................................................................................................................109
Average Alert Insertion Rate .....................................................................................................110
Chapter 9 Import ..........................................................................................................................111
Chapter 10 Manage Users and Groups ......................................................................................112
Users Page ...............................................................................................................................113
Reset a Local User Account .....................................................................................................113
Access Control in CommandPost .............................................................................................113
Small Security Teams ...............................................................................................................114
Define User Profiles ..................................................................................................................114
Expand User Information......................................................................................................114
Add or Edit a Local User ...........................................................................................................115
Delete a User ............................................................................................................................116
Define Alert Management Groups ............................................................................................117
Add or Edit an Alert Management Group .............................................................................117
Delete an Alert Management Group .....................................................................................118
Chapter 11 Configure Fidelis XPS Vector Components ...........................................................119
The Components Page .............................................................................................................119
CommandPost Management Console and Sensor or Vector Information ................................119
Status Lights ........................................................................................................................119
Details ..................................................................................................................................120
License Messages................................................................................................................120
Component Buttons..............................................................................................................120
Configure CommandPost..........................................................................................................121
License .................................................................................................................................122
Alert Retention .....................................................................................................................123
Alert Storage ........................................................................................................................127
Archive .................................................................................................................................128
Configure Audit ....................................................................................................................130
Backup and Restore .............................................................................................................132
Custom GeoIP......................................................................................................................134
Diagnostics...........................................................................................................................136
Email Configuration ..............................................................................................................137
Configure Exchange .............................................................................................................138
CommandPost Language Configuration ..............................................................................139
LDAP Configuration..............................................................................................................140
Logs .....................................................................................................................................143
Proxy Config .........................................................................................................................145
RADIUS/TACACS+ ..............................................................................................................145
Session Timeout ..................................................................................................................146
System Monitor – CommandPost .........................................................................................147
User Authentication ..............................................................................................................150
User Notification ...................................................................................................................155
Add Component ........................................................................................................................156
Edit a Sensor or Vector .............................................................................................................157
Configure Sensor or a Vector ...................................................................................................157
Runtime Information..................................................................................................................157
Config Page ..............................................................................................................................158
License & Time ....................................................................................................................158
Local Embedded Sensor or Vector ......................................................................................159
Alert Failover ........................................................................................................................161
Email Relayhost ...................................................................................................................162
Sensor Language Configuration ...........................................................................................163
Logs .....................................................................................................................................165
System Monitor – Sensor or Collector ..................................................................................167
Chapter 12 Malware .....................................................................................................................169
Execution Forensics..................................................................................................................169
Reaction....................................................................................................................................170
Configure Malware Reaction ................................................................................................170
Host Activity ..............................................................................................................................171
File Check .................................................................................................................................171
Chapter 13 Version Control ........................................................................................................173
Fidelis Release Naming Conventions .......................................................................................173
Installing Fidelis XPS Vector Software ......................................................................................174
Prepare to Install .......................................................................................................................174
Install ........................................................................................................................................175
Install Now ................................................................................................................................176
Schedule an Install ...................................................................................................................176
Update Progress .......................................................................................................................177
CommandPost Management Console..................................................................................177
Vectors .................................................................................................................................178
Scheduled Installs .....................................................................................................................178
Cancel Scheduled Installs.........................................................................................................178
Download Control .....................................................................................................................179
File Management ......................................................................................................................180
Chapter 14 Configure Exports ....................................................................................................181
Export Methods .........................................................................................................................181
Fidelis Archive ......................................................................................................................181
Email User-Defined, Syslog, and Syslog Splunk ..................................................................182
Email HTML Table and Email Excel File (TSV attachment) .................................................183
Syslog LEEF ........................................................................................................................184
McAfee ESM ........................................................................................................................184
SNMP Trap and ArcSight .....................................................................................................184
Verdasys Digital Guardian....................................................................................................185
Define Exports ..........................................................................................................................185
Available Export Buttons ......................................................................................................187
Testing Export Communication ............................................................................................187
Delete Exports ..........................................................................................................................188
Chapter 15 Audit ..........................................................................................................................189
Access Audit .............................................................................................................................189
Search for Audit Entries ............................................................................................................190
Search Terms .......................................................................................................................190
Notes about Search Options ................................................................................................191
Time Periods ........................................................................................................................191
Appendix A: Manual Transfer of Installation Files....................................................................192



Preface
This guide describes how to use the Fidelis XPS™ Vector CommandPost to monitor and manage
security alerts, to configure sensors, and to create and maintain users.
This guide contains the following chapters:
The Overview describes Fidelis XPS Vector.
Chapter 1 Getting Started describes how to access and navigate CommandPost, change account
information, and access more information.
Chapter 2 describes how to use Dashboard widgets.
Chapter 3 describes how to manage alert workflows.
Chapter 4 describes the Alert List and how to use alert features.
Chapter 5 describes how to use the Investigator.
Chapter 6 describes how to manage reports.
Chapter 7 describes how to create and use Summary Reports.
Chapter 8 describes how to use network reports.
Chapter 9 describes how to import reports.
Chapter 10 describes how to create and modify user information.
Chapter 11 describes how to configure Components.
Chapter 12 describes how to configure Malware.
Chapter 13 describes how to update and manage Fidelis XPS Vector versions.
Chapter 14 describes how to configure exports.
Chapter 15 describes the Audit feature and how to run it from the CommandPost GUI.
Appendix A describes the manual transfer of installation files.

Intended Audience
This information is intended for network system administrators familiar with networking, computer
security, and with the security requirements and practices of their enterprises. This help system
and related guides are intended for users that fit into at least one of the following major categories:

• The alert manager is a frequent user of the system, likely to visit the CommandPost GUI
several times each day. This role is usually filled by system administrators responsible for
reviewing alerts and managing any action required within the enterprise. Alert management
requires high-level data analysis and the ability to delve into the details of any single violation.

• The network IT manager will be the first to touch the CommandPost, but is expected to rarely
use Fidelis XPS after initial installation. The IT manager might need to adjust sensor network
settings and CommandPost to sensor communications, manage users and their credentials,
and monitor network statistics to verify connectivity.

Available Guides
The following guides are available:
The Vector Enterprise Setup and Configuration Guide describes how to set up and configure
Fidelis XPS Vector hardware.
Release Notes are updated with each release to provide information about new features, major
changes, and bugs corrected.

Fidelis XPS Vector User Guide 1


Technical Support
For all technical support related to this product, check with your site administrator to determine
support contract details. Contact your reseller or if you have a direct support contract, contact the
General Dynamics Fidelis Cybersecurity Solutions support team at:
Phone: +1 301.652.7190*
Toll-free in the US: 1.800.652.4020*
*Use the customer support option.
Email: support@fidelissecurity.com
Web: http://www.fidelissecurity.com/support/login



Fidelis XPS Vector Overview
Since 2002, General Dynamics Fidelis Cybersecurity Solutions has been providing its commercial,
government, and defense customers around the globe with the real-time detection, prevention, and
continuous response necessary to defend against advanced threats. Built on a patented Deep
Session Inspection® platform, Fidelis XPS™ Vector is the only comprehensive advanced threat
defense solution that stops advanced threats across all phases of the threat life cycle.

The Threat Life Cycle


Advanced, targeted attacks are not instantaneous events. They are complex processes with
multiple phases that occur over a period of time with an end goal of stealing information. Fidelis
XPS Vector is uniquely positioned with DSI coupled with a powerful policy engine and dynamic
threat intelligence feeds to monitor an attack across the entire threat life cycle.
The threat life cycle typically follows this path:
1. Infiltration
2. Command and Control (C2) Communication
3. Lateral Propagation
4. Data Exfiltration
Infiltration: An employee at a major enterprise is sent a targeted email that includes an attached
PDF file containing malware. Further analysis of the PDF—embedded in a Zip archive—shows that
it contains hostile JavaScript, obfuscated by a deflate stream.
C2 Communication: When opened, the malware in the PDF file will trigger downloads of
additional malware or create a tunnel for the adversary to gain access to your network.
Lateral Propagation: The attacker will move laterally throughout the network in an effort to acquire
higher levels of privilege and better access to sensitive information. Once the attacker has the
ability to move through your network, they will take control of internal assets such as domain
controllers and file servers, search for sensitive data on your network, and stage data for
exfiltration.
Data Exfiltration: Once data is staged it is then siphoned out across the network. The attacker
may obfuscate the data and transmit the information out of the network on standard outbound
network channels or circumvent the system by sending data using non-standard ports and/or
protocols.



Chapter 1 Getting Started
Fidelis XPS Vector detects and prevents advanced cyber threats and network abuse in real time.
Fidelis XPS Vector accomplishes this through one or more sensors and the CommandPost
Management Console. CommandPost enables you to manage and configure sensors.
This chapter provides information on how to get started using CommandPost including: accessing
and navigating CommandPost, changing your account information, and where to find more
information.

Access CommandPost
You can access CommandPost from anywhere on your network, by using a web browser that
supports SSL. Communications between the sensors and CommandPost and between
CommandPost and the web-based GUI are encrypted SSL communications.
CommandPost has been verified with recent versions of Microsoft Internet Explorer, Mozilla
Firefox, Google Chrome, and Apple Safari.
For CommandPost to work properly, your client workstation must have the following:

• Adobe Flash Player – obtain a recent version of Adobe Flash Player free of charge from the
Adobe web site at www.adobe.com.

• Pop-up windows allowed from the CommandPost server.

• JavaScript execution enabled in your browser.

• TLS communication enabled.

Change your Account


From your browser, navigate to the IP address of the Console device and log in with the user name
and password that Technical Support provides.
The top right of each CommandPost page displays the user name of the logged in user and the
CommandPost logged into.
Change the password for this account immediately after your first log in. If needed, you can also
change the start page that displays upon successful login.
If you receive a warning that your password is about to expire, change it before the expiration date
or your account will be locked.
Note: Only local users entered in System>Users>Profiles can change passwords.
Other users can change the full name, email, and the start page.



To change the password:
1. Click the user name at the top right corner. The Change Account Information dialog box
displays.

Figure 1. Change Account Information


2. Click Change Password. The text boxes for the old and new passwords display.
3. Enter your old password and then enter your new password. For passwords, you can use
alphanumeric (a-z,A-Z,0-9), a space, and the following special characters:
~`!@#$%^&*()_+-={}|[]:;<>,./
Single and double quotes and backslashes are not allowed.
4. Re-enter your new password.
5. You can change the full name and the email address associated with this account.
6. Click Change. CommandPost saves the new password, name, and email address. If you
changed the password, the system will log you out.
7. Log in with your new password.
8. Add a new user for each CommandPost user. Fidelis recommends adding at least one new
user, even if you are the only one accessing the system. Refer to Users for more information.
To change the Start Page:
1. Select a new Start Page from the list.
2. Click Change. The new start page will display upon the next successful login.

Access System Information


System Information is a popup accessed from the top right of the CommandPost GUI that enables
you to quickly check which software version is on your CommandPost, which patches were applied,
and if there are any available updates.
Available Update Version will display new software versions that have been released. This feature
must be enabled at Download Control.
This and other information listed can be useful when you contact Technical Support such as: the
OS version, system type, hardware revision, and the CommandPost CPU information, memory,
and serial number.



Access the Online Help, the Guides, Support, and Time Information
Click the help icon at the top of the CommandPost GUI. The online help system displays.
Click the PDF Downloads link in the Table of Contents to display the Guides page with its links to
the PDF files for the guides, the Release Notes, and the Redistribution Notice.

Click the Support icon to open the Support login page.

Mouse over the time to view the date, time zone, and time zone offset for this
CommandPost.

Using Multiple Tabs


You can conduct two or more searches or run reports simultaneously in multiple tabs without
interfering with each other. You can also conduct a search (or run a report) in one tab, then open
another tab to make system changes such as adding or editing users.
Each tab acts as its own session and is therefore independent of other tabs during searches on
alerts, quarantine, and metadata. Updates to the system (such as a new report or a new or changed
user profile) made in one tab may not be immediately reflected in other tabs. Click Refresh or
Reload to view recent changes.

• After logging in successfully to the CommandPost, you can open another tab without logging
in again.
• Changing the page size for Alerts keeps the specified page size at that tab. You can specify
different page sizes for the same report at different tabs.

Lock Icon
Fidelis XPS Vector CommandPost and sensors communicate over encrypted SSL connections,
using self-signed certificates and an internal authentication method. This mode can be overridden
by installing externally generated certificates that use the Public Key Infrastructure (PKI).
When operating with PKI certificates, a lock icon appears at the top right of the CommandPost
menu bar. You can mouse over the lock icon to see the expiration date for the certificate.

CommandPost Navigation
With the exception of Dashboard and Metadata, clicking a main menu option in the CommandPost
GUI displays subnavigation menus. A highlighted option from the subnavigation menu indicates
which page is currently accessed. CommandPost navigation is "sticky" meaning that if you later
return to the same major heading, the page last accessed displays.
Note: Users need permissions to see many of the menu options. If a user does not
have the appropriate permissions for a menu option, that option does not display.



System Status[1]
System Status provides information about Fidelis XPS Vector components and their statuses that
you can access from any GUI page. The diamond next to System Status reflects the status of the
component with the highest severity. Mouse over the System Status diamond to see the list of
components. The component list that displays is the CommandPost Console and all sensors that
have been registered and that are within a user’s access privileges. Refer to Define User Profiles.
Mouse over a component in the list to see a message about that component's status. Each
component has a green, yellow, or red diamond next to it to indicate severity.
Note: Users need permissions to see system status. Refer to User Roles.
Green indicates that the component is operational.
A red diamond indicates a condition with critical severity. A yellow diamond indicates a condition
with high severity.
A grey diamond indicates that there is no available information about the component.
Clicking the icon next to the status sets the status to green. At the next attempt to use the
component, the status will change. For example, a feed fetched once a day will not change status
until the next attempt after clicking the icon.

Table 1. Component Status Messages and Severity
The following table describes some of the more common conditions that can cause system status
messages and their severities.

Component                 Severity  Status Message
Alert Export              Critical  Cannot start exporter, see log for details
Collector                 Critical  Please contact Fidelis support. Vertica is malfunctioning.
Collector                 Critical  Collector database is not operational, please contact Fidelis Support.
Collector                 Critical  Database access error, please contact Fidelis Support
Collector                 Critical  Closing Session Error
Collector                 Critical  Collector disk usage is high
Collector                 Critical  Metadata insertion has stopped on the Collector, disk usage is too high
Collector                 Critical  Database Error
Collector                 Critical  ODBC connection error on Collector node(s)
Collector                 Critical  Collector memory usage exceeds limits, restarted service
Collector                 High      Collector database is not up yet.
Collector                 High      Vertica is undergoing maintenance. Unable to accept new meta-data.
Collector                 High      Collector writer thread overloaded
Collector                 Medium    Vertica is undergoing maintenance.
Collector                 Medium    Closing Session
Collector DB Maintenance  Critical  Collector DB maintenance is taking too long. Please contact Fidelis Support
DB Maintenance            High      DB maintenance
Execution Forensics       High      Execution Forensics has invalid proxy configuration.
Execution Forensics       High      Execution Forensics communication error. Check again in 10 seconds.
Execution Forensics       High      Execution Forensics license key is not valid. Contact Customer Support for assistance.
Feed fetch                Critical  Cannot start feed handler(s), see log for details
Feed fetch                High      Feed "\feeds_fidelis\" refresh error
Feed fetch                High      Feed update error
Host Activity             High      Host Activity authentication token is not valid. Contact Customer Support for assistance.
Host Activity             High      Invalid configuration for Host Activity.
Host Activity             High      Invalid proxy configuration for Host Activity.
Host Activity             High      Communication Error for Host Activity.
Insight                   High      New policies are available from the Insight feed
Insight                   High      Failed to get valid policy feed data
Insight                   High      Failed to import data from policy feed
Insight                   High      Failed to update sensors after policy feed update
Insight                   High      Failed to get valid Automatic Malware Policy feed data
LDAP Fetch                High      Exchange encryption key fetch failed
License                   Critical  License is invalid
License                   High      License expired
License                   High      License expiration is approaching
License                   High      License Error
License                   High      Using a demo license
License                   High      License Refresh required
MDE                       Critical  MDE is not initialized
MDE                       High      MDE is running more than a day old signatures
MDE                       High      Cannot initialize MDE
MDE Updater               Medium    MDE Update failed
Metadata                  High      Could not connect to the Collector
Process Monitor           Critical  Cannot start a process
Sniffer                   Critical  Direct sensor requires border definition to be operational
Sniffer                   Critical  Bandwidth usage exceeded
Sniffer                   Critical  Incompatible interface settings.
Sniffer                   Critical  Interface is in bypass mode.
Sniffer                   High      Abnormal packets processing rate
Sniffer                   High      Network data processing errors
Spooler                   Critical  Cannot start spool writers
Spooler                   Critical  Dropped spool file due to queue buildup. See log for details
Spooler                   Critical  Skipped spool file due to queue buildup. See log for details
Spooler                   Critical  Low disk space. Spooling stopped. See log for details
Spooler                   High      Rate of logging too high, spooler cannot keep up. See log for details
System Monitor            Critical  Disk is out of space.
System Monitor            Critical  WARNING system processing issues seem persistent, attempting soft reset.
System Monitor            High      Disk space is low.
System Monitor            High      WARNING system is restarting.

[1] Components enables you to set up licensing and configure Fidelis XPS components. This includes
adding and registering Fidelis XPS sensors, setting password strength, configuring e-mail, and
setting up user notification and LDAP among other features.

Database Encryption Status


The Database Encrypted icon displays if Alert Storage is enabled at CommandPost. Refer to
Alert Storage.



Logout
To securely log out of CommandPost, click the logout link at the top of the page. Logging out will
end your browser session to CommandPost.

Note: If inactive for 15 minutes, CommandPost will log you out. The 15 minute value
can be changed at Session Timeout.

Using Non-ASCII Characters in Fidelis XPS Vector


Fidelis XPS Vector supports the use of non-ASCII characters in most input fields. The fields that do
not allow Unicode are: email addresses, host names, domain names, login names, and server
directory names. CommandPost user names and passwords also do not support Unicode
characters.
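The password character set given under Change your Account and the ASCII-only field rules above can be checked client-side before a value is submitted. The validator below is an added example written for this guide, not Fidelis code; the field labels it uses (email, host_name, login_name, and so on) are assumed for the example and are not CommandPost identifiers.

```python
"""Input validation for the CommandPost rules quoted in this guide.

Added example, not Fidelis code. It encodes two rules from the guide:
  * password characters: a-z, A-Z, 0-9, a space and ~`!@#$%^&*()_+-={}|[]:;<>,./
    (single quotes, double quotes and backslashes are rejected);
  * ASCII-only fields: email addresses, host names, domain names, login names,
    server directory names, CommandPost user names and passwords. Other
    fields accept non-ASCII (Unicode) text.
The field labels below are assumed for the example, not CommandPost identifiers.
"""
import string
from typing import Dict, List

# Characters the guide lists as permitted in a CommandPost password.
PASSWORD_SPECIALS = "~`!@#$%^&*()_+-={}|[]:;<>,./"
PASSWORD_ALLOWED = frozenset(string.ascii_letters + string.digits + " " + PASSWORD_SPECIALS)
# The guide calls these out explicitly as not allowed.
PASSWORD_FORBIDDEN = frozenset("'\"\\")

# Assumed labels for the fields the guide says do not accept Unicode.
ASCII_ONLY_FIELDS = frozenset({
    "email", "host_name", "domain_name", "login_name",
    "server_directory", "user_name", "password",
})


def check_password_characters(password: str) -> List[str]:
    """Return the character-set problems found in a password.

    An empty list means every character is permitted. Only the character-set
    rule is checked here; password strength is configured separately.
    """
    if not password:
        return ["password is empty"]
    problems: List[str] = []
    for ch in sorted(set(password)):  # report each offending character once
        if ch in PASSWORD_FORBIDDEN:
            problems.append(f"{ch!r}: quotes and backslashes are not allowed")
        elif ord(ch) > 0x7F:
            problems.append(f"{ch!r}: passwords do not support non-ASCII characters")
        elif ch not in PASSWORD_ALLOWED:
            problems.append(f"{ch!r}: not in the permitted character set")
    return problems


def check_field(field: str, value: str) -> List[str]:
    """Apply the Unicode rule (and, for passwords, the character-set rule) to one field."""
    if field == "password":
        return check_password_characters(value)
    if field in ASCII_ONLY_FIELDS:
        non_ascii = sorted({c for c in value if ord(c) > 0x7F})
        if non_ascii:
            return [f"{field}: non-ASCII characters {non_ascii} are not accepted"]
    return []  # free-text fields such as a full name accept Unicode


def validate_form(fields: Dict[str, str]) -> Dict[str, List[str]]:
    """Check every field of a form; returns only the fields that have problems."""
    result: Dict[str, List[str]] = {}
    for name, value in fields.items():
        problems = check_field(name, value)
        if problems:
            result[name] = problems
    return result


if __name__ == "__main__":
    # Constructed sample form, not real account data.
    sample = {
        "login_name": "analyst01",
        "full_name": "Zoë Müller",        # Unicode allowed in a free-text field
        "email": "zoë@example.com",       # non-ASCII local part is rejected
        "password": "Tr0ub4dor\"3 !",     # the double quote is rejected
    }
    for name, problems in validate_form(sample).items():
        print(name, "->", "; ".join(problems))
```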



Chapter 2 Dashboard
The Dashboard contains multiple widgets that enable you to graphically analyze what is happening
on your Fidelis XPS sensors and CommandPosts. The first time you open the Dashboard, the
default Overview tab displays. You can customize the Overview tab by adding, moving, and
resizing widgets. You can add tabs and place any number of widgets within your tabs. Click the
empty tab on the right to add a tab. Type a name for the tab and press Enter. The tab is saved
under this name. Double click on the tab name to change it.


Click the Dashboard icon to access the Dashboard icons, which let you:

• View the Dashboard in full screen mode. In this mode, all browser controls are removed.
Full screen mode is appropriate for display on a large monitor used for constant information display
of Fidelis XPS operations. Press ESC to exit full screen mode.

• Add a widget. A list of available widgets will appear after you click. The list displays with an
example and description of each available widget. Click the navigation arrows to move through
the available widgets. Click Add at the desired widget to add it to the Dashboard. Click X at the list
of widgets to remove the list. The list of available widgets depends on your role, therefore not all
widgets are available to all users. To remove a widget from the dashboard, click the X at the top
right of the widget's title bar.

• Reset the Dashboard to the default Overview layout. Click Reset at the confirmation dialog
box.
The Dashboard is specific to each user. Changes made to your Dashboard will not affect the
Dashboard of any other CommandPost user.

Widget Controls
Each widget offers controls to change the behavior of the widget. The controls available vary
depending on the widget.

Click the expand icon in the title bar of the widget to expand the widget. When expanded, the
chosen widget will occupy the entire dashboard space.

Click the restore icon to return the widget to the original size and return all other widgets to the
dashboard.

Click the start icon to start auto refresh. The frequency of the auto refresh differs per widget. By
default, all widgets begin in an auto refresh state. Widgets also refresh automatically within 2 to 5
minutes depending on the duration time selected for the widget. If the selected Duration is hours,
refresh will occur approximately every 2 minutes. If the selected Duration is days, refresh will occur
approximately every 5 or more minutes.

Click the stop icon to stop auto refresh. After stopping and starting data refresh, an immediate
update request will be sent to the server to refresh the data.
Click the refresh icon to retrieve the latest data for a widget. Move your mouse over the refresh
icon to see the last time data was updated.
Select a time frame: Click the time frame control and select a time frame from 1 minute up to 30
days.
Slider bar: Many widgets include a slider bar along the top or right side of the widget. This bar can
be used to zoom in or out of the data displayed. Click the expand control, if available, to expand
the widget to show all data.



Custom Alert Widget
The Custom Alert widget enables you to extract and display System, Custom, and Alert reports.
You can select from a list of all public and any private Saved reports, alert reports, and system
reports to which you have access -- the same list that appears at Reports>Saved Reports. The
Dashboard checkbox must be selected for a report to be available at the Custom Alert Widget.
Refer to Saved Reports.
A default time value such as customized duration displays for the time selection until you change it.
This time value is the original time range or value selected at the Alert or Reports pages. You can
use the default value or select another value by choosing a time from a number of hours through 90
days. Your selection is used to extract information for the widget and is not saved in the report or at
the widget. You will see all alerts that occurred during the selected time period.

1. Click the edit icon to access the edit pop-up. At the pop-up, you can select a report, graph type,
and trending.

2. Select a report for the Custom Alert Widget.

Note: If the auto refresh button is active, the data in the report will not change when a new
report is chosen. Click the stop icon to stop refresh before changing the report.
Reports that contain group by information can display information either by groups or by trending
date. Reports without group by can only display trending information.
For group by reports:
You can click the Trending checkbox to display trending information in the main chart. The legend
to the right of the chart displays group information. Uncheck the Trending checkbox to display
information by group, summarized by the selected time period.
For all other reports:
The Trending checkbox must be selected or a warning message displays.
3. Select the graph type: either Bar or Line chart. This is how your results will display in the
widget even if another view such as pie chart was originally selected for the report. If the
report returns no alerts, you will see a message stating: No results found. If more alerts are
found during a refresh, the count increases.
4. Either enable or disable trending. Trending enables you to see alerts over time.
5. Click Apply. The edit pop up goes away and your results display based on any selections
you made in the pop up. Clicking Cancel closes the pop up without applying your
selections.
You can mouse over a bar or line point to view a pop-up that lists the information by group or by
date. An ellipsis (...) indicates that more information is available than can be displayed in the
pop-up. You can use the slider bar to see another portion of the graph.



If the report includes group by and trending information, column labels appear on the right. You can
hide data in the chart by clicking on a column name to select or deselect.
To access more information, click a bar or portion of the line to go to the Alert List page to view a
list of alerts represented by that portion of the bar or line chart. For example, if you click on the
portion of the chart representing the HTTP protocol, a page displays with alerts that have HTTP
protocol violations. At the Alert List page you can then access Alert Details for individual alerts.
Click the link: Run saved alerts report to run the report and view the results in the Alerts List page.
Click the link: Edit saved alerts report to change criteria at the Create Custom Reports page. Refer
to Custom Reports.

Globe
The Globe widget shows incoming alerts as they arrive and alert activity for the last hour displayed
by shades of colors for countries.
Alerts are shown as they arrive with their source or destination country including any custom GeoIP
information. The globe will spin to show the country of each alert as it arrives. Clicking the alert ID
takes you to the Alert Detail page for that alert. If an alert is malware related, the malware icon displays
next to alert severity on the globe. Small countries that are not visible on the globe are represented
as large dots. After pausing and resuming data refresh, an immediate update request will be sent to
the server.
Note: If the source or destination country is not available for an alert, then Unknown
is listed as the source or destination and will be placed in the middle of the Atlantic
ocean. This often occurs if the alert is from an internal network. To fix this, access
CommandPost>Config>GeoIP and set internal IP address ranges and assign a flag.
Refer to Custom GeoIP.

World Map
The World Map widget displays alerts and enables you to view an Alert List based on country
source and destination. You can zoom in to focus on a specific area or zoom out. You can select a
time frame at the drop down.
Moving your mouse over a country highlights the country and shows the total number of alerts for
the selected time period and the total number of alerts for source and destination.

A pie chart shows the distribution of alert severity levels.


Click on a country to run an alert search with the selected country being the source or the
destination of alerts for the selected time frame.
Arrows show alert volume between two countries, pointing from the source to the destination.
Arrows are placed on the map in order based on alert severity with arrows indicating alerts with
higher severity on top. The color of the line and the arrow show the highest severity alert for the
time frame. Arrow width indicates the alert volume compared to other country pairs: the thicker the
arrow, the more volume between the two countries.
Moving your mouse over a line highlights the line and displays a popup that indicates the direction
of the transmission that caused the alerts.



Click a line to run an alert search with the selected countries being the source and destination
countries of alerts for the selected time frame.
Pins indicate location. Arrows emanating from or going to a pin indicate the direction of data
from or to that location. Pins take on the color of their respective arrows and are not clickable. If a
country map contains a pin but no arrows this indicates that the source and destination for all alerts
are within that country.
Note: If the source or destination country is not available for an alert, then Unknown
is listed as the source or destination and will be placed in the middle of the Atlantic
ocean. This often occurs if the alert is from an internal network. To fix this, access
CommandPost>Config>GeoIP and set internal IP address ranges and assign a flag.
Refer to Custom GeoIP.

Radar
The Radar widget graphically represents alerts occurring on your network, grouped by common
characteristics into an alert cluster. Clusters are a visual presentation of similar alerts. When
creating a cluster, CommandPost considers the sender and receiver of the information transfer, the
time of the transfer, the sensor on which the alert was detected, the rule violated, and the priority of
an alert.
CommandPost creates clusters based on similar information, but not necessarily equivalent or
related information. For example, alerts with similar, but not equal, source IP addresses may be
grouped in a single cluster, which may be indicative of a problem generated by a location rather
than an individual. Also, alerts from a similar time period during normal working hours may be
grouped together while others occurring during non-working hours may be grouped into a different
cluster.
A cluster is represented by a dot or a line on the alert radar. A dot appearing in the center of the
radar is the most recent alert in CommandPost. Over time, the dot will migrate toward the outer
edges of the radar. The line represents a cluster that contains several alerts over time. The line
connects the oldest and most recent alerts within the cluster. A dot represents a single alert or
several alerts that were detected at the same time.
The clusters are intended as a visual representation of alert activity and are not necessarily
presented in the best form for investigation into network behavior. The radar widget refreshes with
new data periodically. The refresh cannot be disabled for this widget.
The cluster details portion of the widget is relative to your mouse position on the widget. As you
move your mouse over the radar, a portion of the radar will be highlighted in grey. The Cluster
details will reflect the time range and the number of clusters per severity within the scope of your
mouse.

Clicking on an alert cluster takes you to the Alert List[2] for that cluster.

[2] An Alert List is created from all alerts available within your assigned groups and sensors. The List
can be greatly customized by choosing the columns to display, selecting specified criteria, and by
choosing to display the results in a chart or as a table.
Top Alert (or Malware) Hosts
The Top Alert Hosts widget displays an interactive bar chart for alerts grouped by host IP address.
The Top Malware Hosts displays an interactive bar chart for alerts with malware grouped by host IP
address. You can select a time frame at the drop down.

Top Alert (or Malware) Sources


The Top Alert Sources widget displays an interactive bar chart for alerts grouped by source IP
address. The Top Malware Sources widget displays an interactive bar chart for alerts with malware
grouped by source IP address.

Alert Trend
The Alert Trend widget displays an interactive stacked bar chart that shows alerts grouped by
severity and date for the selected time period. You can select a time frame at the drop down.
Moving your mouse over the chart displays the number of alerts by severity level for that date. You
can move the slider bars to select a time period. Below the graph you can click a severity to
remove it from the chart. Click it again to add it.

Malware Trend
The Malware Trend widget displays an interactive line chart that shows malware grouped by
malware type and date for the selected time period. You can select a time frame at the drop-down.
Malware trends display by date and counts are shown by malware type. Moving your mouse over
the chart displays the number of malware by malware type for that date. You can move the slider
bars to select a time period. Below the graph you can click a malware type to remove it from the
chart. Click it again to add it.

Application Protocol Trends


Application Protocol Trends shows sessions per minute by protocol, graphically. All protocols
detected in alert data within the selected time frame display.
Only protocols with at least one data point with a session rate above zero will display.
Note: Statistics are collected at 5 minute time intervals, and rare occurrences of a protocol that
translate to session rates below 1 per minute may result in the protocol being absent from the
graph.
The Application Protocol Trends widget provides an interactive graph that you can use to closely
examine what is occurring on your network at specific times. The data represents the sum of all
sensors registered to the selected CommandPost. You can select a time frame at the drop down.
You can highlight an area of activity to expand that portion of the report, mouse over a line to see
what occurred at that point, or use the slider bar to zoom into or out of the graph. Refer to Network
Reports for more details on using the performance graph and the slider bar.

System Status
The System Status widget displays the total number of alerts per CommandPost, sensor, and
Collector. The component list and numbers represent only those alerts the user is permitted to see
based on the user’s role, alert management group assignments, and sensor assignments. Refer to
Define User Profiles.
If you are logged into a Master CommandPost, system status will display also all Subordinate
CommandPosts and all components registered to each Subordinate CommandPost.
Hold your cursor over the green, yellow, or red diamond to see useful information about a
component: for example, if a license is expiring, if the sensor needs updating, or if the sensor is
experiencing traffic problems. Refer to System Status for explanations of conditions with critical and
high severity.



Network Statistics
The Network Statistics widget displays Kbits per second by transport protocol, graphically. You can
select a time frame at the drop down.
The Network Statistics widget provides an interactive graph that you can use to closely examine
what is occurring on your network at specific times. The data represents the sum of all sensors
registered to the selected CommandPost. You can highlight an area of activity to expand that
portion of the report, mouse over a line to see what occurred at that point, or use the slider bar to
zoom into or out of the graph. Refer to Network Reports for more details on using the performance
graph and the slider bar.

Alert Insertion Rate


The Alert Insertion Rate widget displays alerts per minute inserted to the selected
CommandPost. You can select a time frame at the drop down.
The Alert Insertion Rate widget provides an interactive graph that you can use to closely examine
what is occurring on your Fidelis XPS sensors and CommandPost at specific times. You can
highlight an area of activity to expand that portion of the report, mouse over a line to see what
occurred at that point, or use the slider bar to see another portion of the graph.
Refer to Network Reports for more details on using the performance graph and the slider bar.

Disk Space
The Disk Space widget displays charts that show total disk space, and current used disk space for
Vector.



Chapter 3 Understand and Manage Alert Workflows
From the Alert List page, you can assign, monitor, and manage alerts. An alert is the recorded and
displayed incidence of at least one event. Alerts are generated only if the alert action for an event is
enabled in the violated rule. Alerts are transferred to and stored by CommandPost.
This chapter covers the following topics:

• Access to Alerts

• Assign a New Alert

• Manage an Alert

• Manage Multiple Alerts

Access to Alerts
The Alert List page provides a list of all alerts accessible to the user. Accessibility to this
information is determined by the CommandPost user’s sensor assignments and alert management
group assignments.
Refer to Access Control in CommandPost for details on assigned sensors, alert management
groups, and how these affect users.

• Read and examine the details of an alert, including the original transmission that caused the
violation.

• Export summary alert information to Microsoft Excel or any other application that accepts
tab-separated files.
• Purge alerts.

• Assign alert tickets to another user with access to the alert.

• Close an alert ticket, providing a ticket resolution.

• Move an alert from its current alert management group to another. This action makes the alert
accessible to another group of users.
• Add comments to the alert workflow log.

The Alert Workflow Log


Every alert has an associated alert ticket that can be referenced in the alert workflow. New alerts
are not assigned to an owner. A user may open, close, and assign an alert. Alert Workflow
Management includes:

• Assign one or more alerts to another user with access to the sensors that generated the alerts
and have access to the alert management group(s) to which these alerts belong. When an
alert is assigned, an email is sent to the new alert owner.

• Close an alert. You can close an alert and select Allowed, Action taken, No action taken, or
False positive. This action may be performed by anyone with access to the alert. When the
alert is closed, a resolution is entered to the alert workflow log.

• Add comments to the ticket log.

• Change Management Group will make the alert accessible to a different group of users. When
the group is changed, an email is sent to the group mailing list, to make members of the new
group aware of the alert.
The workflow can be accessed from the Alert Details page of any alert. You may also change the
workflow for multiple alerts by choosing Change Ticket Status or Change Management Group from
the Actions button on the Alert list page.
For any workflow action, the alert manager has the option to fill out the Subject and Comment fields
which will be added to the alert workflow log. The alert workflow log will display the full history of
the alert with all comments as it changes from group to group, owner to owner, and finally to a
closed state.
When the ticket is assigned, the subject and comment information will be included in the body of an
email sent to the newly assigned user. When the management group is changed, the subject and
comment information will be included in the body of an email sent to the address associated with
the newly assigned group.

Manage a Single Alert


You can manage an alert at the Alert Workflow Log section of the Alert Details page, which is the
most granular level for examining alert data. You can access this page by clicking the icon next to
an alert at the Alert List page. This functionality enables users with ticketing privileges to do the
following:

Change Status
• Enter a Subject or Comment.

• Click Assign to and select a user from the list to assign the alert. The list of users includes
those with access to the sensor that generated the alert and have access to the alert
management group to which the alert belongs. After you submit the change, the selected user
receives an email reflecting the assignment.

• Click Add comment to add comments to the ticket log without changing the ticket status or
ownership. After you submit the change, information entered in the Subject and Comment text
boxes will be appended to the comment.

• Click Close as and select a reason from the list. Your options are Allowed, Action taken, No
action taken, and False positive. The alert is closed.
Note: Closing an alert marks you as the owner of the alert.

Change Alert Group


Click Change Group to: and select the alert management group for the alert at the dialog box. If
you do not belong to the selected group, you will not have access to the alert after clicking Submit.
Note: Changing the alert management group, removes the assigned owner and
changes the status to new.
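The ticket operations described above (Change Status and Change Alert Group), modelled as an added example. This is illustrative code written for this guide's description, not Fidelis CommandPost code: the users, sensors, groups, mailing-list addresses and the status name "Assigned" are assumptions, and the e-mail the guide says is sent on assignment and on group change is returned as a dictionary instead of being delivered.

```python
"""Added example: a minimal model of the alert ticket workflow this guide
describes (assign, add comment, close with a resolution, change management
group), with the access rule for assignees and the side effects the guide
states. Not Fidelis CommandPost code; users, groups, sensors, mailing lists
and the status name "Assigned" are constructed assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional

# The four close reasons the guide lists.
RESOLUTIONS = ("Allowed", "Action taken", "No action taken", "False positive")


@dataclass
class User:
    name: str
    email: str
    sensors: frozenset   # sensors assigned to the user
    groups: frozenset    # alert management groups assigned to the user


@dataclass
class Alert:
    alert_id: int
    sensor: str                    # sensor that generated the alert
    group: str                     # current alert management group
    owner: Optional[str] = None    # new alerts have no owner
    status: str = "New"
    resolution: Optional[str] = None
    workflow_log: List[dict] = field(default_factory=list)


# Constructed group mailing lists (a group change mails the new group's list).
GROUP_MAIL = {"soc-tier1": "tier1@example.invalid", "soc-tier2": "tier2@example.invalid"}


def can_access(user: User, alert: Alert) -> bool:
    """A user sees an alert only with both its sensor and its group assigned."""
    return alert.sensor in user.sensors and alert.group in user.groups


def _log(alert: Alert, actor: User, action: str, subject: str, comment: str) -> None:
    """Every workflow action, with its Subject and Comment, goes to the log."""
    alert.workflow_log.append(
        {"actor": actor.name, "action": action, "subject": subject, "comment": comment})


def assign(alert: Alert, actor: User, assignee: User, subject: str = "", comment: str = "") -> dict:
    """Assign the ticket; returns the notification e-mail for the new owner."""
    if not can_access(actor, alert):
        raise PermissionError(f"{actor.name} cannot see alert {alert.alert_id}")
    if not can_access(assignee, alert):
        raise ValueError(f"{assignee.name} lacks sensor or group access to alert {alert.alert_id}")
    alert.owner, alert.status = assignee.name, "Assigned"
    _log(alert, actor, "assign", subject, comment)
    return {"to": assignee.email, "subject": subject, "body": comment}


def add_comment(alert: Alert, actor: User, subject: str = "", comment: str = "") -> None:
    """Append to the ticket log without changing status or ownership."""
    if not can_access(actor, alert):
        raise PermissionError(f"{actor.name} cannot see alert {alert.alert_id}")
    _log(alert, actor, "comment", subject, comment)


def close(alert: Alert, actor: User, resolution: str, subject: str = "", comment: str = "") -> None:
    """Close with one of the listed resolutions; closing marks the actor as owner."""
    if not can_access(actor, alert):
        raise PermissionError(f"{actor.name} cannot see alert {alert.alert_id}")
    if resolution not in RESOLUTIONS:
        raise ValueError(f"unknown resolution {resolution!r}")
    alert.owner, alert.status, alert.resolution = actor.name, "Closed", resolution
    _log(alert, actor, f"close: {resolution}", subject, comment)


def change_group(alert: Alert, actor: User, new_group: str, subject: str = "", comment: str = "") -> dict:
    """Move the alert to another group: the owner is removed, the status returns
    to New, and the new group's mailing list is notified."""
    if not can_access(actor, alert):
        raise PermissionError(f"{actor.name} cannot see alert {alert.alert_id}")
    alert.group, alert.owner, alert.status = new_group, None, "New"
    _log(alert, actor, f"change group: {new_group}", subject, comment)
    return {"to": GROUP_MAIL[new_group], "subject": subject, "body": comment}
```

The assignee check mirrors the guide's rule that the Assign to list only offers users with access to both the generating sensor and the alert's management group; after a group change the former owner may no longer qualify, which is why the guide warns that you lose access if you do not belong to the selected group.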

Manage Multiple Alerts
Multiple alerts can be managed from the Alert List page by using checkboxes and the Actions list
at the top of the Alert List.
To manage multiple alerts from both pages:
1. Select one or more alerts.
To select all alerts on the page, click the checkbox at the top of the page.
2. Select a management option from the Actions list. The dialog box that displays depends on
the option selected.
3. Enter changes into the dialog box and click Submit.

Table 2. Actions list options
You can access these options from the Alert List page.

Change Status
    Assign, Close, or add comments to the selected alert tickets.

Change Management Group
    Changes the management group associated with selected alerts. Enter a subject or a comment
    if desired.

Note: From the Alert List you can also apply labels, purge, and export selected alerts.
These functions do not impact the ticketing system and are described in Understand
and Manage Alerts.

Chapter 4 Understand and Manage Alerts
Alerts displays a list of all alerts accessible to you. You can filter which alerts display, search for
specific alert attributes, and research details about alerts.
You can also assign or close alerts. Refer to The Alert Workflow Log.
This chapter covers the following topics:

• Alert List
• Navigate Alert Pages

• Select Alert Actions


• Alerts Report Page Controls
• Alert Details
To access the Alert List, click Alerts. The first time you access it, the Malware Report displays. You
can change the report to another system report or to a Custom Report that you create. The last
report that you view will be restored on your next access.

Figure 2. Alert List


The Alert List contains the following major elements:

• Alert List—a list of all alerts displayed according to the selected report and any actions taken
at the Alert page.
• Page Navigation
• Actions—Enables you to take action on selected alerts.
• Alert List controls—Enables you to search, group, change the display settings of the page,
and retrieve a custom report. Click the icon in the upper right corner of the Alert page to show
or hide the controls.



Alert List
An Alert List is created from all alerts available within your assigned groups and sensors. The list
can be greatly customized by choosing the columns to display, by reducing the alerts to those that
match specified criteria, by summarizing, and by choosing to display the results in a chart or as a
table.
In all cases, the list is highly interactive. Rows in a table and sections in a graph can be clicked to
obtain further information; specific details of any alert can be obtained; actions can be taken on
single alerts or groups of alerts; and alerts can be purged.
Selecting a list restores settings for that report, including:

• The columns available in your list represent summaries of alert attributes. Primary columns
are shown on your report. Secondary columns become available when you click on a row
within the list to view the quick summary of the alert. For attributes that contain large amounts
of data, the list column may be truncated.
• Data criteria including Searches, Filters, and Time Selections. These serve to reduce the
number of alerts in the list.
• Grouping and sorting of the list. Alerts can be grouped by any one or multiple primary
columns to produce a summary of the data. Sorting can be applied to any primary column
whether grouped or not.
• The list results can be displayed as a chart or table. Charts are available only for grouped
lists.
• A trending chart can be saved with any type of list. The trending chart will show alerts per time
above the report.
After running a report, you can use the controls on the Alert List to further manipulate the
information. When you make changes, you are changing the list into an Unnamed Report. By
clicking Customize list you can save this new list with your new settings. Alternatively, you can use
the Unnamed list to analyze and drill down into your information as you would any other report.
The time required to generate a list is greatly influenced by the Time Selection. Reports based on
Insert time using a short timeframe will be optimal. Reports based on selecting all alerts or based
on the recorded alert time may run substantially slower, depending on the total number of alerts
stored on CommandPost.

Alert Quick Summary


Click a row on the Alert List to display a Quick Summary, which provides the information associated
with the columns in the secondary row of your report.

At the Quick Summary, you can click the icon to view the Alert Details page for the selected alert.
You can also choose to filter alerts based on the value of the available information.

Figure 3. Alert Report: Quick Summary

Filter Alerts
You can filter alerts by selecting items at the Quick Summary page. Filters are used to reduce the
list to only those alerts that match your filter criteria. For example, you can choose to filter by
Protocol = HTTP, the result will be a list of all alerts from the HTTP protocol. This list would not
include alerts from any other protocol.
To set a filter:
1. Click the check box next to one or more values in the Quick Summary page.
2. Click Filter.
3. CommandPost finds all alerts that exactly match the filtered value and displays only these
alerts.

Figure 4. Filtered alerts


When a filter is applied, the following occurs:

• If you selected multiple fields, all are applied to the filter. The more filters that you select, the
more narrow your results.

• The applied filters display above the table.


• The [x] next to the value in the filter list allows you to remove the filter.
Filtering performance is typically fast when filtering on one column, but can degrade as more filters
are applied.



Navigate Alert Pages
Because CommandPost may contain thousands or millions of alerts, the Alert List is presented
in pages. Each page initially contains 25 rows of alerts. You can change the number of rows per
page by entering the new amount in the text box at the bottom of the page. This value will be stored
as your new default page size.
Up to 10 page numbers display at the top and at the bottom of each page. Clicking a page number
takes you to that page. Click the < or > arrow buttons to move to the next page in either direction.
Click << or >> to advance to the first or last page. These buttons may be disabled when you are
currently at the beginning or the end of the alert report.

Alert Actions
Click the check box next to one or more alerts to select them. Clicking the check box at the top of
the Alert List page selects (or deselects) all alerts on the current page.

Figure 5. Alert actions


The following actions may be taken on selected alerts from a CommandPost:

• Change Ticket Status. Refer to The Alert Workflow Log.

• Change Management Group. Refer to The Alert Workflow Log.

• Change Label. Refer to Alert Labels.

• Export to Microsoft Excel, Evidence Package, zipped PDF, or zipped text. Refer to Export
Actions.

• Purge Alerts from the CommandPost database. Refer to Purge Alerts.


• Evidence Package. Refer to Evidence Package in Alert Details.

Alert Labels
Labels are tags that a CommandPost user can apply to an alert. By using labels, you can
categorize alerts into meaningful names for your enterprise. You can later search or filter by label to
retrieve alerts that contain your label.
Labels can be applied from the Alert List page or from the Alert Details page. From the Alert List
page you can select multiple alerts and apply the same label to each.
To apply a label from the Alert List page:
1. Click the checkbox next to the alert or alerts that you wish to label.
2. From the Actions list, select Change Label. The Change Label dialog box displays where you
can select an existing label or create a new one.
3. The Existing Labels text box lists all previously used labels. You may choose a label from this
list and click Apply Label.
4. If you wish to create a new label, type it into the New Label text box and click Apply Label.
You can also click the add icon to add the new label without applying it.
To remove a label from an alert: You can choose a new label using the steps above and overwrite
the label with the new label. To clear the label for all selected alerts, click Clear Label.
To remove a label that is no longer required: Select the label in the Existing Labels text box and
click the delete icon. Labels can only be removed if there are no alerts that use the label.

Export Actions

Click the Export icon at Alert Actions and the Export options will display.

Figure 6. Alert Actions: Export options



To Excel
Export selected alerts to Excel (or other application) that can accept a tab-separated file.

Figure 7. Export Alerts


1. Select criteria for the export file: You can choose alerts previously selected on the Alert List
page, specify a number of alerts, or all the alerts in the list.
CommandPost limits the number of rows that are included to 100,000. Users should also
understand the limitations of their version of Excel (or other spreadsheet applications) that may
require the reports to be limited using the options provided.
2. Select the option to compress the exported file, if desired.
Note: Large numbers of alerts can result in a large file. Using compression will
reduce download time.
3. Click Customize export columns to choose the columns to output, if desired. If you do not
select export columns, columns in the export file will be the same as the primary and
secondary rows in the Alert List. Refer to Columns in Create Custom Reports for more
information about column choices. If selected, the column item Alert Details Link lists the
URL for the alert details of each alert.
4. Click Export to Excel. You can choose to open or save the file.
If alerts are grouped, the dialog box changes to enable you to select groups.
Select Criteria, Data, File, and Column options to export groups of alerts. If you select the option:
Include alerts belonging to groups in export, alerts are included in the export and are listed by
group. If you do not select this data option, then only the group summary information is exported.



Figure 8. Export Grouped Alerts

Evidence Package
Evidence Package gathers selected alerts and their associated files into one compressed tar
(.tgz) or zip file. Refer to Evidence Package for details.

Alert Details PDF


Click Alert Details PDF (Zipped) to create a zip file that contains PDF files of alert details for each
selected alert.

Customized Alert Details


Click Customized Alert Details (Zipped) to select Alert Details sections and to customize and email
the PDF report. This creates a zip file that contains a PDF report of alert details for each selected
alert up to 50.
Select the Text tab to choose sections for the text file or to send it via email.
Refer to Customize the PDF for Alert Details.

Alert Details Text


Click Alert Details Text (zipped) to create a zip file that contains a text file of alert details for each
selected alert up to 50.

Purge Alerts
Purge Alerts removes selected alerts from CommandPost. Once a purge starts, you can perform
other actions at the CommandPost, but you cannot start another purge.
1. Click Purge Alerts.
2. Click Ok at the confirmation dialog box. Alert purge will permanently remove the selected
alerts and all associated information about the selected alerts. This operation cannot be
undone.



Alert List Page Controls
The Alert List page contains several options to modify Alert Lists, drill down into alert details, and
manipulate the presentation of alerts to facilitate investigations. The controls are located at the top
of the page. Click the icon in the upper right corner of the Alert List page to open the control
section. Click the icon again to hide the controls.
Within this section the following controls are available:

• Report—Enables you to select a report from the drop-down list. All other functions available
on the Alert List are based on this initial setting. You may choose from multiple system reports
plus any report that you create and save.
• Search—Enables you to reduce an Alert List to alerts that match your search criteria.
Searches are performed as case-insensitive partial string matches, whereas Filters are
performed as exact matches. Refer to Search for Alerts. The Search dialog box also contains
the CommandPost, Time Range, and Group By sections.
Time Range—This section enables you to reduce an Alert List to alerts that occurred during a
specified time period. Refer to Time Range.
Group By—This section enables you to summarize alerts by selected columns. The result will
display the selected columns and the number of alerts that match each available value within
those columns. Grouped information can be displayed in a table or graph form. Refer to
Group By.
• Filtered By—Displays what you have selected at Search or at Quick Summary to filter alerts.
Refer to Filter Alerts. Click an x to delete a filter.

• Refresh—Refreshes the Alert List page. You can also specify auto refresh. Mouse over
the button. The Refresh select box displays.

Click the checkbox next to Refresh and enter a time period. The Alert List automatically
refreshes for the time period specified.
New incoming alerts display when the Alert List is refreshed. The time stamp next to Last
Search Results updates to reflect the last time that the Alert List page was refreshed.
The Alert List also refreshes whenever you conduct a search, group alerts, or run a report.
Accessing Alert Details or the Quick Summary for an alert, then returning to the alert list will
not refresh the list if not selected.

• PDF—Enables you to save the alert report as a PDF document, customize it, or email it.
The generated PDF will include all elements on the current page of your Alert Report. Refer to
Create PDF Reports for Alerts.

• Trending—Enables you to view and control alert trend charts. Refer to Trending.

• Fixed (Relax) Columns—When the report contains many columns, you can select Fixed
Columns to resize columns to better fit within your page size, truncating some of the data in
the columns and replacing it with ellipses. Mouse over the ellipses to view the hidden
information. Relax Columns displays all information in each column which may require
horizontal scrolling in your browser window to view all information.



System Reports for Alerts (Vector)
System Reports are built into CommandPost and available to all users.

Table 3. System Reports

Alert Management Report
    The alert management report provides a summary of alert tickets and their status. This report
    is most useful to alert managers who fully use the CommandPost ticketing system. This report
    will display all alerts sorted by Alert ID and lists the owner and the alert management group
    associated with each alert. This report is only available to users whose role provides access
    to tickets.

Malware
    The malware report displays information about detected malware. The information includes the
    alert severity, alert ID, time, malware name, malware type, host IP address, network
    application protocol, and file format type.

Alert Report
    Provides a list of all alerts, whether they contain malware or not. Non-malware alerts on
    Vector include the detection of command and control communication and other indications of
    an infected host.

Alerts by Host
    Provides similar information to the Alert Report, but is grouped by the Host IP address and
    displays a summary of the detected violation. This report provides a grouped list of all
    violations detected from an infected host, whether the network data contains malware or not.

Malware by Format
    The Malware by Format report provides a summary of all alerts grouped by the file format of
    malware.

Malware by Host
    The Malware by Host report provides a summary of all alerts grouped by the IP address of the
    infected host machine.

Malware by Protocol
    The Malware by Protocol report provides a summary of all alerts grouped by the network
    application protocol over which malware was detected.

Malware by Type
    The Malware by Type report provides a summary of all alerts grouped by the malware type.

Search for Alerts


Searching alerts can be done by entering criteria in the Search dialog box within the Alert page
controls. From the search interface you can enter search terms to be applied to any of the available
alert fields that may be searched. To search over multiple fields, however, you need to use
Customize Report.
If the alert control buttons are not visible, click the icon in the upper right corner of the Alert List
page to display them.
Searches differ from filters in the manner that the data is matched:

• Filters use an exact match to find alerts.

• Searches use a case-insensitive, partial string match to find alerts. Refer to Alert Search
Fields.

Figure 9. Alert Search


1. Click Search within the Alert control bar.
2. Enter search terms in the Search For: text box. The search term is a simple phrase or set of
phrases to find within alert information.
3. Select a search field at the In: pull down menu.
Refer to Enter Search Terms.
If you have applied multiple search terms in a Customized Report, the option: Current Search
will appear. The Search For: text box will display Current Search and not be editable. The In:
selection will display Current Search. If you make no changes, the current search parameters
will be unchanged, enabling you to modify the time, CommandPosts, grouping, and display
options without modifying the search parameters. If you change the In: selection, you can
erase the current search with a new search term and field. To have complete control over
multiple search fields, use the Customized Report interface.
4. Select a specific time period or enter a range at the Time Range section. Refer to Time
Range. If you do not select a time, the end date is the time the report is run and alert insert
time is used.
5. If desired, select one or more items in the Group By section. Group By enables you to group
alerts by information available in one or more of the primary columns of your current alert
page. For example, if you select protocols, alerts are grouped by protocols. Refer to Group
By.
6. If desired, you can select how the Group By results display by selecting options at the View
Results list.
7. Click Go.

Enter Search Terms
The following guidelines apply to entering search terms:

• Searching for term will match any alert containing term in the chosen field. This will match
alerts with words such as term, terminate, and exterminate.
Entering multiple words such as:
term1 term2
matches alerts containing both term1 and term2. The terms can be found in any order and
with any amount of separation between them.
• You can search on multiple Alert IDs, Threat Grid Scores, and for multiple Any, Source, or
Destination Ports by separating entries with a comma. For example, entering
AlertID1,AlertID2 would find alerts with both ID numbers.
• You can specify a range for Alert ID, Threat Grid Scores, and for multiple Any, Source, or
Destination Ports by using a hyphen.

• The use of quotes around a phrase will be treated as a single search term. The phrase "term1
term2" will match any alert containing the exact phrase within the quotes. Any spaces in the
phrase will match any space characters in the alert, including a space, a tab, a new line, etc.
Matching is done on the character boundaries, not word boundaries. Therefore, a phrase of
"top secret" will match an alert containing a phrase such as "stop secrets."

• Multiple phrases such as a "literal phrase 1" and a "literal phrase 2" can be included in the
Find field. This will match any alerts containing all of the phrases listed.

• You can combine word-terms and phrase-terms. Any combination is allowed, such as:

"literal phrase 1" word word1 word2 "literal phrase 2"

• Matching does not consider the order of the terms, only that all are found within the search
field.
• Placing a minus sign (-) before a word or a literal phrase changes the meaning to “match all
alerts that do not contain” the specified word or phrase. Any combination of positive (no
minus) and negative (minus) terms is supported.
For example:
Top -secret matches alerts that contain the word top but do not contain the word secret.
"top secret" -confidential -personal matches alerts that contain the phrase "top secret" but
contain neither confidential nor personal.
top secret -"confidential document" matches alerts that contain the words top and secret but
do not contain the phrase "confidential document."
-192.167.10.255 excludes the specified IP address 192.167.10.255 from a search.
Important: the following also applies to all searches:

• All searches are case insensitive.

• There is a limit of 40 terms (words or literal phrases). If more terms are entered, the 41st and
beyond will be ignored.

• If Go is pressed without entering a search term, the Alerts List reappears. However, entering
unknown in the Find text box substitutes for an empty string in the Country, Filename, From,
To, and User fields.

• Search performance is typically fast, even with very large alert databases. With a database of
over 2 million alerts, search will typically respond in a few seconds. Exceptions are searches
over Forensic Data, Session Attributes, and Owner fields, which may require considerable
time to execute.
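The matching rules from Filter Alerts (exact match) and from Enter Search Terms above (words and quoted phrases, minus-sign negation, case-insensitive matching at character rather than word boundaries, the 40-term limit, and comma lists or hyphen ranges for Alert ID and port fields), carried through in an added example. This is illustrative code written against the guide's description, not CommandPost code; the alert records are constructed, and the any_term switch is an assumption that models the "match any one term" behaviour the guide documents for the Alert Management Group, Country and Protocol fields.

```python
"""Added example: a model of the Alert List search and filter semantics this
guide describes. Illustrative code only, not Fidelis CommandPost code; the
alert records below are constructed sample data."""
import re
from dataclasses import dataclass
from typing import List

MAX_TERMS = 40  # guide: the 41st term and beyond are ignored


@dataclass(frozen=True)
class Term:
    text: str
    negated: bool = False


# A term is an optional minus sign followed by a double-quoted phrase or one
# non-blank word. Terms may appear in any order.
_TOKEN = re.compile(r'(-?)(?:"([^"]*)"|(\S+))')


def parse_terms(query: str) -> List[Term]:
    """Split a search string into positive and negated terms, capped at MAX_TERMS."""
    terms = []
    for m in _TOKEN.finditer(query):
        minus, phrase, word = m.groups()
        terms.append(Term(phrase if phrase is not None else word, bool(minus)))
    return terms[:MAX_TERMS]


def term_pattern(term: Term) -> "re.Pattern":
    """Case-insensitive substring match at character (not word) boundaries;
    each space in a phrase matches any single whitespace character."""
    parts = [r"\s" if ch.isspace() else re.escape(ch) for ch in term.text]
    return re.compile("".join(parts), re.IGNORECASE)


def search_match(value: str, query: str, any_term: bool = False) -> bool:
    """True if VALUE satisfies QUERY. Positive terms are all required (order-free)
    and any negated term must be absent. any_term=True gives the OR behaviour
    the guide documents for the Alert Management Group and Protocol fields."""
    terms = parse_terms(query)
    if not terms:
        return True  # pressing Go with no term simply restores the list
    for t in terms:
        if t.negated and term_pattern(t).search(value):
            return False
    hits = [term_pattern(t).search(value) is not None for t in terms if not t.negated]
    if not hits:
        return True  # only negated terms, none of which matched
    return any(hits) if any_term else all(hits)


def filter_match(value: str, wanted: str) -> bool:
    """Quick Summary filters are exact matches, unlike searches."""
    return value == wanted


def number_match(value: int, spec: str) -> bool:
    """Alert ID / port specs: comma-separated values and hyphenated lo-hi ranges."""
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, dash, hi = part.partition("-")
        if dash and int(lo) <= value <= int(hi):
            return True
        if not dash and value == int(lo):
            return True
    return False


# Constructed sample alerts (not real CommandPost data).
ALERTS = [
    {"id": 101, "protocol": "HTTP", "subject": "Top secret budget"},
    {"id": 102, "protocol": "SMTP", "subject": "stop secrets leaking"},
    {"id": 103, "protocol": "HTTP", "subject": "confidential document, top secret"},
    {"id": 104, "protocol": "SSH", "subject": "terminate session"},
]


def search_alerts(alerts, field: str, query: str, any_term: bool = False) -> List[int]:
    """Return the IDs of alerts whose FIELD satisfies QUERY."""
    return [a["id"] for a in alerts if search_match(str(a[field]), query, any_term)]


if __name__ == "__main__":
    print(search_alerts(ALERTS, "subject", '"top secret"'))                  # [101, 102, 103]
    print(search_alerts(ALERTS, "subject", 'top -"confidential document"'))  # [101, 102]
    print(search_alerts(ALERTS, "protocol", "ssh http", any_term=True))      # [101, 103, 104]
```

Alert 102 is returned for the phrase "top secret" because matching is on character boundaries, exactly the "stop secrets" case the guide warns about; when tuning a saved report, prefer a filter (exact match) or a more specific phrase if such partial hits are unwanted.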



Table 4. Alert search fields

Action
    Search is applied over the action field.

Alert ID
    Enables you to search for specific alert ID numbers.

Alert Management Group
    The search is applied over the alert management group field. An alert can belong to only one
    alert management group. If you search for multiple groups, the search will match an alert
    containing any one of the groups (most other search fields require a match of all terms). For
    example, a management group search for: Group1 Group2 yields all alerts belonging to either
    Group1 or Group2.

Country: Any
    Searches for the specified country in either the source or destination country.
    Entering two or more countries in search criteria returns all entries with any of the countries
    entered. For example, if you do a country search for France Afghanistan the search will return
    entries that have either France or Afghanistan. This applies to all country searches.

Country: Destination
    Searches for the specified country in the destination country.

Country: Source
    Searches for the specified country in the source country.

Current Search
    Enables you to use the simple Search interface to modify time, CommandPosts, grouping, and
    display without changing search items that were entered on the Customize Report interface.
    You will see this option only when Customize Report was used to enter search terms against
    multiple searchable fields. The text box will display: Current Search and cannot be edited. If
    you select a different field, the text box will become enabled and you may enter new search
    terms against the selected field.

Execution Forensics Status
    Searches alerts based on their execution forensics status. You can select from: Failed, Not
    Submitted, Pending, Received, or Rejected.

Filename
    Searches the name of the file that caused the violation. Will be empty if no file was involved
    in the violation.

Format Type
    Searches for the Format Type of the content whether it is sent within a file, in the body of an
    email, or in any other form.

From
    Searches the value of the From field.

Host Activity
    Searches alerts for Host Activity information from Carbon Black. You can select Detected or
    Not Detected to identify alerts with or without Host Activity data.

IP: Any
    Searches for any IP address: source or destination. Refer to Search IP Addresses.
    Note: Selecting IP Pair overrides Any IP and Source and Destination IP.

IP: Destination
    Searches for the receiver's IP address. Refer to Search IP Addresses.

IP Host
    Searches for the IP address of the host.

IP: Source
    Searches for the sender's IP address. Refer to Search IP Addresses.

Label
    Searches for an alert label. The label search has one special feature: a search for the term
    unassigned (with or without quotes) will display all alerts that have not been assigned a label.

Malware Name
    Searches for the malware name.

Malware Type
    Searches on the malware type.

MD5
    Searches the MD5 hash value associated with the file. You can enter multiple search criteria
    separated with a comma.

Port: Any
    Searches on any port, either source or destination.

Port: Destination
    Searches on the sender's port number.

Port: Source
    Searches on the recipient's port number.

Protocol
    An alert can only contain one protocol. Therefore, a search containing multiple terms will
    match an alert that matches any one of the terms (most other search fields require a match of
    all terms). For example, a protocol search for: ssh http yields all alerts found over either SSH
    or HTTP.

Resolved IP Address: Any
    Searches for any IP address: source or destination that matches the resolved DNS name.
    Refer to Search Resolved IP Addresses.

Resolved IP Address: Destination
    Searches for the receiver's resolved IP address. Refer to Search Resolved IP Addresses.

Resolved IP Address: Source
    Searches for the sender's resolved IP address. Refer to Search Resolved IP Addresses.

Subject
    Searches the value of the extracted Subject field.

Summary The search by summary is applied over the summary field of the alert.

Target Target refers to the destination of the information. The value is protocol
specific. Examples include the destination URL, share name, or host name.
Target is based on extracted protocol information and not based on the IP
address of the data. In many network configurations, the IP address may be
an internal address corresponding to a local NAT server or proxy, whereas
the target represents the intended destination of the data.

Threat Score Searches for alerts that match the specified threat score. Enter search
values between 0 -100. If the alert does not include execution forensics, the
value is empty.
To search for alerts with a specific score enter the value. For example, enter
4 to find alerts with a threat score of 4.
To search for alerts with a list of specific scores, enter a comma-separated
list of values. For example, enter 4,37,82,100 to find alerts with a threat
score of either 4, 37, 82, or 100. Do not enter spaces between the commas.
To search for alerts within a range of scores enter the range separated by a
hyphen. Be sure to not include spaces in your search text. For example, to
find all alerts with a score greater than 50, enter 51-100 into the search text.

Fidelis XPS Vector User Guide 32


Alert search Description
fields

To find all alerts with a threat score, enter 0-100 into the search text.

Ticket Content Searches the content of the alert ticket Subject and Comment fields. This in
the Alert Workflow Log section of the Alert Details page.

Ticket Owner An alert can belong to only one owner. However, if you enter a search with
multiple terms, the search will match an alert containing any one of the
terms (most other search fields require a match of all terms). For example,
a search for: Owner1Owner2 yields all alerts belonging to either Owner1 or
Owner2.
Also, a search for the term unassigned (with or without quotes) will display
all alerts that have not been assigned.

To Searches the value of the extracted To field.

User Searches the value of the extracted User field.

UUID Enables you to search for a specific alert UUID number. This is an exact
search.

With Malware Enables you to find alerts with related malware.

Search IP Addresses
There are several methods available to search for an IP address:

• Alert source
• Alert destination
• Both source and destination
• Resolved IP address
• IP Host

Search Source, Destination, or Any IP address

Searching can be performed by entering an IP address in the Search For: text box using CIDR representation. The following formats are supported for single addresses or address ranges. In all cases, IPv6 addresses may be substituted for the IPv4 addresses shown in the following examples.

• 192.167.10.5 finds this exact IP address within the selected field (source, destination, or both).
• 192.167.10.5/24 applies an IP address mask of 24 bits to the address. This includes all IP addresses within the 192.167.10 subnet, from 192.167.10.0 through 192.167.10.255. Replace “24” with any value 0-31 to obtain the appropriate mask.
• 192.167.10.5-192.167.10.15 provides a range of IP addresses and returns all matches within the range and including the end points. In this example, the search matches any address within the range of 5 through 15. Do not enter spaces around the dash (-).
• 192.167.10.5,192.167.10.15,192.167.10.25 provides a list of specific IP addresses to match. A comma or a space must be placed between each IP address in the list. The list has no limit with regard to the number of IP addresses provided; however, long lists will require more processing time.
• Any IP address or range can be used to match multiple IP addresses if the IP address entries are separated by spaces or commas. For example, entering “192.167.10.5/24 192.167.11.5/24” would match any IP address in the range 192.167.10.0 through 192.167.10.255 or IP addresses in the range 192.167.11.0 through 192.167.11.255.

Search Resolved IP Addresses

This search returns alerts where the source or destination address of the alert matches the resolved DNS name. Note that the text provided to the search may match several resolved names. Search results improve when the text entered in the Search text box is as specific as possible.

Notes on IP address searches

Comma and dash separated strings must contain no spaces for the parser to behave correctly. As an alternative, the entry may be enclosed in quotes (“), in which case the spaces do not impact behavior. For example, “192.167.10.5 - 192.167.10.15” would create an IP address range.
If the search string contains malformed IP addresses, the search will ignore the entry. In the case of a single address search, no alerts will be found. In the case of a list, malformed addresses will be ignored. In the case of a range, the search will revert to a single address search using the one legal address, or will return nothing if both ends of the range are malformed.
Exercise caution when using spaces to search multiple ranges. Make sure that spaces are used only to separate ranges. For example, if two ranges of IP addresses are to be searched, such as 192.167.10.5 through 192.167.10.15 and 192.167.10.60 through 192.167.10.70, then spaces should be used to separate the two ranges: “192.167.10.5-192.167.10.15 192.167.10.60-192.167.10.70”
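The IP address syntax described above (exact address, CIDR mask, hyphenated range, comma or space separated list, and quoted entries) and the Threat Score syntax in Table 4 (single value, comma-separated list, hyphenated range) are easy to get subtly wrong when an analyst builds a query, especially around the malformed-entry rules in the notes. The following Python parser is an added example written for this guide; it is not Fidelis code and not CommandPost's own search implementation. It uses only the standard library, and the function names (parse_ip_search, ip_matches, parse_score_search, score_matches) and the treatment of spaces inside quoted entries are assumptions drawn from the examples in the text.

```python
# Added example (not Fidelis code): a parser for the IP address and threat score
# search syntax the guide describes, applying the malformed-entry rules from the notes.
import ipaddress
import re
from typing import List, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Matcher = Union[IPNet, Tuple[IPAddr, IPAddr]]  # CIDR block, or inclusive (low, high) range


def _addr(text: str) -> Optional[IPAddr]:
    """One IPv4/IPv6 address; None when malformed (the guide says such entries are ignored)."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _tokens(search_text: str) -> List[str]:
    """Split the Search For text into entries.

    Unquoted text is split on spaces and commas. Inside a quoted entry, spaces
    around '-' and ',' are insignificant, so "a - b" is still a range while
    "a-b c-d" is still two ranges (assumption drawn from the guide's examples).
    """
    s = search_text.strip()
    if len(s) >= 2 and s[0] in '"\u201c' and s[-1] in '"\u201d':
        s = re.sub(r"\s*([-,])\s*", r"\1", s[1:-1])
    return [t for t in re.split(r"[\s,]+", s) if t]


def parse_ip_search(search_text: str) -> List[Matcher]:
    """Build matchers for the supported forms: single address, CIDR, range, and list."""
    matchers: List[Matcher] = []
    for tok in _tokens(search_text):
        if "/" in tok:
            # CIDR mask, e.g. 192.167.10.5/24 -> 192.167.10.0/24. Any valid prefix
            # length is accepted here; the guide documents 0-31 (assumption).
            try:
                matchers.append(ipaddress.ip_network(tok, strict=False))
            except ValueError:
                pass  # malformed CIDR entry: ignored
        elif "-" in tok:
            lo, hi = (_addr(p) for p in tok.split("-", 1))
            if lo is not None and hi is not None and lo.version == hi.version:
                if lo > hi:  # accept either order (assumption)
                    lo, hi = hi, lo
                matchers.append((lo, hi))
            elif lo is not None or hi is not None:
                # one end malformed: revert to a single-address search on the legal end
                legal = lo if lo is not None else hi
                matchers.append((legal, legal))
            # both ends malformed: the entry contributes nothing
        else:
            addr = _addr(tok)
            if addr is not None:  # single address; malformed ones are skipped
                matchers.append((addr, addr))
    return matchers


def ip_matches(matchers: List[Matcher], ip_text: str) -> bool:
    """True when the alert address matches any entry in the search."""
    ip = ipaddress.ip_address(ip_text)
    for m in matchers:
        if isinstance(m, tuple):
            lo, hi = m
            if lo.version == ip.version and lo <= ip <= hi:
                return True
        elif ip.version == m.version and ip in m:
            return True
    return False


def parse_score_search(text: str) -> List[Tuple[int, int]]:
    """Threat Score search: '4', '4,37,82,100' or '51-100', entered without spaces.

    Returns inclusive (low, high) ranges; entries outside 0-100 or containing
    spaces are dropped, mirroring the guide's instruction not to enter spaces.
    """
    ranges: List[Tuple[int, int]] = []
    for part in text.split(","):
        m = re.fullmatch(r"(\d{1,3})(?:-(\d{1,3}))?", part)
        if not m:
            continue
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if 0 <= lo <= hi <= 100:
            ranges.append((lo, hi))
    return ranges


def score_matches(ranges: List[Tuple[int, int]], score: Optional[int]) -> bool:
    """Alerts without execution forensics have an empty score and never match."""
    return score is not None and any(lo <= score <= hi for lo, hi in ranges)


if __name__ == "__main__":
    # Constructed sample queries from the guide's examples.
    m = parse_ip_search("192.167.10.5-192.167.10.15 192.167.10.60-192.167.10.70")
    print(ip_matches(m, "192.167.10.65"), ip_matches(m, "192.167.10.50"))
    print(score_matches(parse_score_search("51-100"), 51))
```

Running the block prints True False and True: the two space-separated ranges match an address inside the second range but not one between the ranges, and the 51-100 score range matches a score of 51. A practitioner can use the same functions to check how a query will behave before running it against a large alert database.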

Time Range
To specify a time period for alerts, click Search at the alert control bar and select a value at the Time Range section. When you click Go, all alerts during the selected time period will be listed.
Note: An alert is the recorded and displayed incidence of at least one event. Alerts are generated only if the alert action for an event is enabled in the violated rule. Alerts are transferred to and stored by CommandPost.

Select time mode

Insert Time is the time when the alert was inserted into CommandPost. Alert Time is the time when the alert was created in the sensor. Under normal operating conditions, these times should be relatively equal. Insert Time can differ from Alert Time if alerts are imported from an archive file into CommandPost or if alerts are spooled during database maintenance or CommandPost upgrade.
Selecting Insert Time will result in faster response from CommandPost. The performance difference can be significant when the specified time selection is small and the number of alerts in the database is large.

Time Range Selections

These selections include:

• All Alerts: Includes alerts from all time periods.
• Last Login: reduces alerts to those that have occurred since the last time you logged into CommandPost.
• Last 24 Hours, 7 Days, or 30 Days: provide shortcuts to reduce alerts to the prior day, week, and month. The default setting of all system reports is 24 hours.
• Specific Hours: will display a text box to which you can enter a two digit number, N. Only alerts occurring in the past N hours will be displayed. You can use this feature to reduce alerts by partial days with granularity of one hour increments.
• Specific Days: will display a text box to which you can enter a two digit number, N. Only alerts occurring in the past N days will be displayed. You can use this feature to reduce alerts to those that occurred during a specific number of days.
• Specific Date: Click in the text box. A calendar displays from which you can select a date. This reduces your alerts to those that occurred on the specified date.
• Date Time Range: You can enter a range by entering From and To dates and times. Click the text box. A calendar displays from which you can select dates and times. This reduces your alerts to those that occurred during the specified range, including the specified dates and times.

Group By
This feature enables you to group alerts by information available in one or more of the primary columns of your current alert page. For example, if you select protocols, alerts are grouped by protocols. The total number of alerts for each protocol will be listed in the Count column.
The Grouped by page also includes the Last Seen column that shows the latest time stamp of each group of alerts.
Grouped alerts can be displayed in tabular or graphical form. Graphical forms include pie charts, bar charts, and stacked bar charts. You may choose the display most relevant to your analysis.
Group By enables you to more easily organize alert information. After grouping, the checkboxes on the left side of the Alert List page apply to the whole group. With one click, you can manage, purge, or label thousands or even millions of alerts at once. The more alerts that you select, the longer it will take.
Note: An Alert List is created from all alerts available within your assigned groups and sensors. The List can be greatly customized by choosing the columns to display, selecting specified criteria, and by choosing to display the results in a chart or as a table.
To group alerts:
1. Click Search. The Group By section displays in the Search dialog box.

Figure 10. Alerts Group By

Note: If the desired column is not displayed, select another report at Alerts.
2. Click one or more of the desired columns.
Note: Group by can take several minutes depending on the size of the alert database.
3. Select how the results will display at the View Results as list. You can select from Tabular, Pie Chart, Bar Chart, and Stacked Bar Chart options.
4. Click Go.

Figure 11. Group By results in a pie chart

You can easily change the output between tabular and graphical output options with the following icons:

• Displays a pie chart.
• Displays a bar chart.
• Displays a stacked bar chart.
• Displays the alerts in a tabular format.

When alerts are not grouped, these icons are not visible.
The C column is a legend that indicates how the rows in the tabular section pertain to the pie or bar chart illustrations. Each color represents a portion of a pie or bar chart above the rows. The C column does not display if you select the tabular format.
You can click a section of the pie chart, bar chart, or stacked histogram to see a list of alerts
represented by that section. For example, if you click on the portion of the pie chart representing
the HTTP protocol, a page displays with alerts that have HTTP protocol violations. At the initial
group by list, click a row to see a Distribution Summary for all other elements in the view’s primary
and secondary rows. The distribution summary can provide insight into areas where further group
analysis may be beneficial. For example, a Distribution Summary indicates 499 alerts found with a
malware type of TROJWARE. Of these alerts, you can learn that all are from the same Host IP,
there are 4 different format types, and 13 different file names.



Figure 12. Group By Distribution Summary
At the Distribution Summary page, you can:

• Click Group Details to see a list of all alerts in the selected row. This action is identical to
clicking a section of the associated graph.
• Click one of the Group By links in the Distribution Summary to group alerts again using this
new element in the group analysis. A new group-by page is generated.

Group Details
When you click a section of a group by graph or click the Group Details button within the group
distribution summary, you are taken to a page with ungrouped alerts, filtered by the criteria
associated with the graph section or row in the group table.
You may change the filter, search, and sort criteria as designed. The Group row displays a link to
Return to Group List. Clicking this link will restore the Group By settings that started your flow.
If you change the Group settings, the Return to Group List link will no longer be valid.

Customize Report
Click Customize Report to access the Custom Report page. From this page, you can search
multiple fields at the same time. Customize Report enables you to save current search, filter, time
range, or group by selections.
Using Customize Report to save criteria entered at the Alert List page as a Custom Report enables
you to access the report later at the Alert List page. Refer to Create Custom Reports.
The new Custom Report is also available at the Reports>Saved Reports. From the Report List, you
can edit the custom report, schedule it to run at specified times, or copy it to other users.
You can create other reports and make them available at the Alert List page.



Create PDF Files for Alerts

You can create a PDF of an Alert List page. For alerts, the PDF report includes current alert data such as:

• Alerts in the currently selected report.
• Trending information is included if selected. The trending chart displays with alerts in the PDF report.
• Group by information is included if selected. For example, if you group by Host IP Address and Protocol, then alerts are grouped by Host IP Address and Protocol. If you select a chart to display with the alerts, the graphics are also included in the PDF report.
• The number of alerts in the current page size. For example, if you selected 25 for page size, then 25 alerts will be included in the PDF report.
• The alerts on the selected page. If you are on page 2 of the Alert Report, those alerts are in the PDF report, not alerts from other pages. If you desire a much larger number of alerts, consider using the Export to Excel feature. Refer to Export Methods.
To create a PDF report:

Mouse over to see the options: Generate or Customize PDF. Both options enable you to
create a PDF file of all alerts on the current Alert List page.
You can also

Generate PDF
Select Generate PDF to create a PDF file. Simply clicking the PDF icon is equivalent to choosing
Generate PDF. The file will be downloaded.

Customize PDF
Customize PDF enables you to specify a title, description, footer, add a logo, and choose the
number of columns to include in the report.

Figure 13. Alerts: Customize PDF


1. For column options, you can keep the default selection of All Columns in the Report or
select First columns. Columns in the original Alert List are included from left to right.
2. Enter a title for the PDF report that will display on the top left.
3. If needed, enter a description to display under the title.

4. To include a footer in the report, you can select the default footer, or type the desired footer text into the box and click Save.
To create a footer for single use:
Click the checkbox next to Use: and enter a name in the text box. This footer will only be used in the current report and is not saved.
To use the default footer:
Select the checkbox next to Footer: Use: [previously saved footer]. Once you select the default footer, the option to enter and use another footer will not be available.
To change the default footer:
Click to change the footer. The PDF Config tab opens. Enter the desired text into the text box. Click Save as Default. This footer is available for other PDFs and for all other users until changed. Click Reset to Default to restore the previous default.
To disable the footer without changing it, uncheck the box.
5. To include a corporate logo or image: choose a .jpg, .gif, or .png file from your workstation and click Save to upload the image to CommandPost. This image will be inserted into the PDF at the top left of the report. The size of the logo file should be less than 500 kB.
Select the checkbox next to the previously saved footer to use in your report. Click and choose the image file from your workstation. Click Save to upload the image. The logo is available for other PDFs and for all other users until changed.
To disable the image without changing it, uncheck the box.
6. Select the page orientation: portrait or landscape.
7. Click Export PDF. The resulting PDF file contains up to 50 alerts on the current Alert List page. Export PDF does not save changes, but these changes will be available for other Alert page PDF reports until you log out or until these settings are changed.

Email the PDF

Click the Email checkbox to send the PDF report via email. Refer to Email the PDF.

Trending
Trending enables you to graphically display the trend for all alerts within your current settings.
Filtering alerts, entering search or time range values, and grouping alerts will change the trending
display accordingly. Trending charts match colors with the group by charts and vary depending on
the groups selected. If one group is selected, then one color displays in the trending chart.

Click at the Alert Report. Alert trends displays.


Note: Response time can slow if trending is selected. This depends on the number of
alerts within the specified time period and the number of options selected.
Click to enable persistent trend graphs. This enables trending in all cases and can result in
slower response times. The icon changes to . If persistent trend graphs is selected, clicking
will hide or show trend graphs.
Click to disable persistent trend graphs.
If needed, click to close trend graphs.



Figure 14. Alert Trends

Alert Details
The most granular level for examining data is the Alert Details page. To access alert details, click

at the selected alert.

Figure 15. The Alert Details page for Vector


The Alert Details page contains multiple sections, which can be hidden (or expanded) by clicking the - or + on the title bar of the section.
Click expand all to display information in all sections. Collapse all hides all information.
You can change the order of sections in Alert Details by dragging the title bar of a section and dropping it to the new position. Click to move that section to the top of the pane.
The selected order continues to display each time you log in until changed. Your selections do not impact the order chosen by other users for their accounts.
Page View: Allows you to display the Alert Details in one, two, or three columns. Viewing the alert in multiple columns will maximize the information available and is most suitable for users with wide monitors. The same information is presented in all views. Click the appropriate Page icon to change the view.
If the resolution is less than 800 x 600, please set to a single column page view.

Table 5. Sections in Alert Details

Alert Details    Description

Alert Information
    Provides basic information about the alert including: time and date of detection, age (elapsed time since detection), the sensor that detected the alert, the application protocol, and format, source and destination data. Other information includes: the alert label, the status of the associated alert ticket, and the action taken by the sensor.
    The data format includes a Format Type and Format Data size if the alert includes forensic data. Format information may not be present when an alert is based on channel information and not on content.
    Source and destination information includes IP addresses, TCP ports (presented as the service), and data flow direction. The Host IP represents the computer or workstation that resides within your network: the system that may be infected by malware it received or propagated, or the system that sent sensitive information.
    The country associated with the source or destination IP is also displayed. The data is based on the country to which the IP address is registered or the custom location presented to CommandPost; refer to Custom GeoIP.
    Note: Source and Destination IP addresses and ports are relative to the flow of the content that triggered the alert. It is not necessarily the same as the TCP client and server definitions. Data Flow Direction indicates the direction of data between the client (TCP session initiator) and the server (recipient of a TCP initiation request).
    If alert compression has occurred, this table will include the number of events that were compressed into this alert. Refer to Alert Compression below.
    Several items have associated links to Find Similar, Change Label, Host Presence, and Find Metadata. These links are described in the sections below.

Violation Information
    The Policy and Rule names can be clicked to redirect you to the Policy or Rules page if you have a role that provides access to Policies.
    Refer to chapters 7 and 8 in the Guide to Creating Policies.
    Selecting a fingerprint, rule, or policy from a Subordinate CommandPost.
    Fidelis Insight Policy feeds may include encrypted fingerprints. If an encrypted fingerprint is matched on, the Matched On information and highlighting is not available for that fingerprint.
    If a fingerprint contains a NOT clause, the Matched On information displays but highlighting is not available for that fingerprint.
    Refer to the Fingerprint Page (chapter 2 in the Guide to Creating Policies).

Related Alerts
    A single network event can create multiple alerts. When this occurs, the related alerts section will list all alerts generated by the same network transaction. When related alerts exist, a list appears showing the severity, alert ID, summary, time of the alert, and an indication of whether the alert contains malware or not. The Alert ID of a related alert can be clicked to access the details of that alert.

Malware Information
    This section contains the name, type, behavior, and description of the malware. If the alert does not include malware, this section will state: No malware detected by MDE.

Execution Forensics
    Files deemed malicious are automatically run through execution forensics. Automatic submission may be configured by file type or disabled. Refer to Execution Forensics. The execution process may take several minutes after the alert appears in CommandPost.
    This section may contain a button for manual submission of a file. The button appears when the alert contains a file type that can be executed and either the file was deemed non-malicious or it was deemed malicious but the file type was excluded from automatic submission. When results are returned, the data will replace the button in the Execution Forensics portion of the alert details page.
    If the alert does not include a file or it includes a file of a type that cannot be executed, this section will state: No Execution Forensics Report.

Alert Workflow Log
    Provides information about the alert ticket. Every alert includes an associated ticket that can be assigned to a CommandPost user, moved to a different alert management group, closed, and tracked by adding comments to a ticket.
    The Alert Workflow log will display the history of the ticket and all associated comments.
    Refer to The Alert Workflow Log.

Decoding Path and Channel Attributes
    Provides the Decoding Path and the information extracted by the decoding process executed by the Fidelis XPS Vector sensor. The Decoding Path provides access to the original data detected by the sensor, broken into each level of protocol or file format extraction. Refer to Decoding Path and Channel Attributes for a description of how you can use this information.
    You may click each line of the decoding path that is displayed in red text. The result is the output of the decoder at the line clicked. The decoding path will not be clickable until the session recording is complete and the recorded session is available to CommandPost. The decoding path (or portions of the decoding path) may appear in black text and not be clickable if the recorded session is truncated due to a session that exceeds the maximum configured recording size, a prevented session, a corrupted session, or a session file that has not yet transferred from the sensor to CommandPost.
    Each line in the Decoding Path represents the output of a Fidelis XPS Vector decoder. These decoders also extract attributes from the protocol or file that is being decoded. The Channel Attributes present a table, per decoder, listing all extracted attributes.
    Refer to Protocol and Format Decoder for more information.

Forensic Data
    Forensic data is the information extracted by the last decoder in the decoding path of the alert. You will see text, stripped of all formatting, that represents a portion of the actual extracted data used by the sensor. You may view this information in either a text or hexadecimal format.
    Forensic data represents the decoded information available at the time of the alert. If a rule is based purely on content or location information, the forensic data section may be empty because content was not used to determine the alert.
    The displayed forensic data is limited to 4KB of data and will not display all information used for analysis. If the size of the network data exceeds 4KB, the display will begin approximately 100KB before the first content violation. The entire forensic data may be obtained by clicking the last element in the decoding path. Any portions of the data that match a content fingerprint will be highlighted in the text view.
    Viewing Forensic Data in text form is the default setting. When you change to view the data as text, hexadecimal, or recorded session, your choice will become your new default and will be applied the next time you access alert details.

Recorded Session/Object
    The recorded session is the session or object recorded up to the limits configured for the sensor. This information is not stripped in any way and is presented as it was recorded on the network (in client side and server side data). By default, the first 4KB of the session is displayed. This can be changed to view more of the session. Clicking Recorded Client Data or Recorded Server Data will download the recorded data to your client workstation.
    Refer to Configure a Sensor for session limit settings.
    If the recording was clipped because it exceeded the maximum configured size at the sensor, or if there is any TCP prevention or time out information, a message indicating one or more states displays.

Host Activity
    Provides Host Activity information from Carbon Black. Host Activity displays information about malware that has been executed on the client workstation. Click on a Process ID to display more information about the process including the host name, process name, start time, and endpoint IP. Network activity and disk activity on the host is also provided.
    This data is similar to the Execution Forensics section. However, Execution Forensics provides information about what might happen if the malware was executed, while Host Activity provides what did happen.
    For access to this data, you need to enable integration with a Carbon Black server. Refer to Host Activity.

Alert Sources
Alerts can be generated from many different sources and can have different characteristics because of this. Alert sources include:

• Fidelis XPS sensors, based on a rule

Scroll through Alert Details


From the Alert List page, you can create a list of alerts by searching, filtering, or sorting. When you
enter the Alert Details page of any alert, CommandPost remembers the original list so that you can
scroll through it by clicking Previous and Next at the top of the page. As you move through alert
pages, the title refers to the location of the specific alert within the list.
Click Back to Alert List to return to the Alert List page at the location of the current alert.



Find Similar Alerts
Click on the Find Similar links within the Alert section to find similar alerts. This action will apply the
selected values as filters and return you to the Alert List page showing the result of a search after
applying these filters.
The Find Metadata link is not available for alerts generated by the DNS decoder or from the Web
module. Refer to DNS Decoder and Web.

Find File on Hosts

The Find File on Hosts link displays if an MD5 for the alert is available and if Bit9 Integration is enabled. Refer to Host Activity for more information about configuring Bit9. This link is available only when the file type is exe.

Change Label
Within the Alert Information section, you will see the label applied to the alert. To change the label
or to delete labels, click Change Label. The process is identical to that described in Alert Labels.

Purge this Alert


Clicking Purge this alert will remove the alert you are viewing and the display will move to the next
alert in the list. If you purge the last alert in the list, you will be returned to the Alert List page. Once
purged, the alert cannot be restored.

Alert Compression
In cases of high event activity, the sensor may compress multiple, very similar events into a single
alert to reduce the network communication load.
When one alert represents several events, the Alert Details will include the Events/Compression
data in the Alert Information section. The associated value indicates the number of additional
events represented by this alert. For example, if the value is 8, then there were nine similar events,
the one displayed in the Alert Details plus eight similar events.
If the alert contains no compression, you will not see the Events/Compression data. This is the
typical case.



Execution Forensics
All files deemed malicious by the Malware Detection Engine (MDE) are automatically submitted to
the malware execution system for analysis, and the results are displayed in the Execution Forensics
section. If the Vector license has not been properly installed, or if there is a network problem at the
time of an alert, execution cannot be performed. In this case, the Execution Forensics section still
displays, and you can manually submit the file for analysis after the system errors are rectified.
Refer to License for information on entering the Execution Forensics Key.




Figure 16. Alert Details: Execution Forensics


File execution results are displayed on the Alert Details page. Links to a PCAP file, an MP4 video,
and a full screen view also display in the Execution Forensics section. File execution can take a
few minutes to complete, during which a status of Analysis pending is displayed for the report.

• Full Page Report: The Full Page report presents the full results of the execution of the
malicious files.
• PCAP File: The Packet Capture (PCAP) file provides details of network transactions spawned
by the analyzed file. The pcap file can be reviewed in an application such as Wireshark.
• Video: The video file shows video of the desktop during execution of the file.

Analysis Report (Metadata)


This section contains metadata information about the file analyzed and the system conducting the
analysis. Details like SHA256 hash and Magic Type are some of the metadata found in the section.
The metadata section also displays any warnings about the file.

Behavioral Indicators
These indicators are characteristics of the file during execution that reflect typical heuristics
observed in malicious samples. The presence of behavioral indicators alone does not indicate the
sample was malicious, rather it is the combination of these indicators that determines if the file was
malicious.

HTTP Traffic
All observed HTTP traffic during the execution of the file will be listed here. Please note that the
presence of HTTP traffic alone is not an indication that the destination is malicious or should be
blocked. For example, some malicious files will test connectivity before executing by reaching out
to web sites with a high probability of being active (like Google or Yahoo).

DNS Traffic
All observed DNS queries will be listed in this section.



TCP/IP Stream
Any TCP/IP traffic not detected as HTTP that was active during the execution of the file will be
listed here. This area could include traffic like DHCP queries, IRC connections, and other raw TCP
connections.

Processes
All processes that were initiated based on execution of the sample will be listed in this area along
with the Process Identification number (PID) and other useful data. Please note that the presence
of a process in this area does not indicate maliciousness of that process. For example, if you
analyze a file type like Adobe PDF, some processes listed will be due to the initialization of Adobe's
PDF Reader.

Artifacts
All artifacts created, modified, read, or deleted on the file system during the analyzing of the
sample will be listed here. There is a large amount of expandable content regarding each artifact,
including PE sections and import/export symbols for executable files, a hash of each artifact, and
the process that used that artifact.

Registry Activity
This section is divided into three subsections: Created Keys, Modified Keys, and Deleted Key
Values. Each subsection lists the associated information pertaining to each registry key-value pair.

Filesystem Activity
Each file object on the system that was created, modified, read, or deleted during the execution of
the sample will be listed in this section. Details contained here include the full file path, PID of the
process that took action on the file, and the associated file.

Decoding Path and Channel Attributes


The Decoding Path displays each level of decoding performed by the Fidelis XPS sensor during
analysis of a data transmission. Many levels of the decoding path can be clicked to provide a file of
the decoded transfer from that stage of the decoding process.

Figure 17. Alert Details: Decoding Path and Channel Attributes


If you click the Evidence Mode checkbox before clicking the link for the file, the file will be
downloaded in Evidence Mode. Evidence Mode provides the original decoding path file in a tar.gz
container file along with a text file that includes an MD5 signature of the selected file, information
about the user who downloaded the file, and a summary of the alert details information.
If Evidence Mode is not selected, the file format will depend on which line of the decoding path was
clicked. The result will be either a text file or a binary file revealing the decoded content.
If you click on the line that includes a file name, the file will be opened. Your browser will choose
the appropriate application for the file, based on the file extension. Note that the file name is the
exact name used in the original transaction, which may indicate an incorrect file type; your browser
may not be able to handle this situation.
In some cases, if the file has been encoded, clicking on the file name will not provide the original
file. Usually, the next item in the Decoding Path list will provide the decoded file. Base64
encoding is the most common cause of this problem.
For example, consider the decoding path of an MS Word document that was zipped, attached, and
sent in an email with multiple attachments. You can click on any part of the decoding path to
download the file as decoded up to that point. The table below describes what file is downloaded
for each part of the path.

Table 6. Decoding paths

Decoding path      File downloaded
SMTP[1]            The entire SMTP message (including complete SMTP headers). The result will be a .eml file which can be viewed in your email application to see the entire original email (unless the recorded session was truncated when it exceeded the configured maximum recorded object parameter for the sensor).
MIME               The body of the full MIME (Multipurpose Internet Mail Extensions) message. This includes all MIME attachments.
multipart[3]       The particular MIME attachment that contains the file (including the part header).
MIME(cnd.1.zip)    The MIME attachment without the part header (in this case, a Base64-encoded file).
Base64             The Base64-decoded file (in this case, a zip file).
zip(cnd.1.doc)     The unzipped file (in this case, an MS Word file).
ms-word            The core content stripped of all Microsoft Word formatting (analogous to copying the contents of the Word document and pasting them into Notepad). The data from the last element in the Decoding Path will match the Forensic Data for the alert.

It is important to note that whether an entire file can be downloaded depends on how much of the
session is recorded in the CommandPost Vector alert database. If the recording of a session ends
in the middle of a file you wish to download, you may get a partial file that cannot be read by the
original application. For example, Fidelis XPS Vector decoders and analyzers can read a partial zip
file even though the WinZip Windows application cannot. Similarly, Fidelis XPS decoders can deal
with some number of missing network packets and still decode file content, while the file's
application may not be able to open a file with missing content.
If the recording of a session ends before a file you wish to download, that part of the decoding path
will not be clickable, and that file cannot be downloaded.

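The decoding path and Table 6 describe a chain of decoders applied to one transmission. The following Python script is an added example, not code from this guide or from the Fidelis XPS Vector product: it reproduces that chain on a constructed two-attachment message, records the MD5 of the artifact available at each stage (the attribute every decoder carries), and builds a tar.gz bundle in the style of Evidence Mode. It assumes the attachment is a minimal .docx rather than the guide's .doc, that the final ms-word stage can be approximated by stripping the document XML, and that the addresses, filenames cnd.1.zip and cnd.1.docx, and the helper names are constructed.

```python
"""Walk the decoding path of a zipped document sent as an email attachment.

Added example; not code from the Fidelis XPS Vector guide or product. It builds
the Table 6 chain on a constructed message (SMTP -> MIME -> multipart[3] ->
MIME(cnd.1.zip) -> Base64 -> zip(...) -> ms-word) and records each stage's MD5.
Assumed: the attachment is a minimal .docx and "ms-word" is approximated by
stripping the document XML; an Evidence Mode style tar.gz bundle is mimicked.
"""
import base64
import hashlib
import io
import re
import tarfile
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

DOC_TEXT = "Quarterly figures attached, do not forward."  # constructed content


def build_docx(text: str) -> bytes:
    """Constructed minimal .docx: a zip holding word/document.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document><w:body><w:p><w:r><w:t>"
                    + text + "</w:t></w:r></w:p></w:body></w:document>")
    return buf.getvalue()


def build_smtp_message(docx: bytes) -> bytes:
    """Constructed .eml with two attachments; cnd.1.zip (holding docx) is part 3."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("cnd.1.docx", docx)
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "alice@example.test", "bob@example.test", "figures"
    msg.set_content("see attached")                                      # part 1
    msg.add_attachment(b"unrelated bytes", maintype="application",
                       subtype="octet-stream", filename="other.bin")     # part 2
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="cnd.1.zip")              # part 3
    return msg.as_bytes(policy=policy.SMTP)


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def walk_decoding_path(eml: bytes, wanted: str = "cnd.1.zip") -> list:
    """Return [(stage, artifact, md5)] for every downloadable decoding step."""
    stages = [("SMTP[1]", eml)]                              # message with full headers
    stages.append(("MIME", eml.split(b"\r\n\r\n", 1)[1]))    # body with all MIME parts
    msg = BytesParser(policy=policy.default).parsebytes(eml)
    parts = list(msg.iter_parts())
    index = next(i for i, p in enumerate(parts, 1) if p.get_filename() == wanted)
    part = parts[index - 1]
    stages.append((f"multipart[{index}]", part.as_bytes(policy=policy.SMTP)))  # part + header
    b64_text = part.get_payload().encode("ascii")            # part body, still Base64
    stages.append((f"MIME({wanted})", b64_text))
    zip_bytes = base64.b64decode(b64_text)
    stages.append(("Base64", zip_bytes))
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        inner_name = zf.namelist()[0]
        inner = zf.read(inner_name)
    stages.append((f"zip({inner_name})", inner))
    with zipfile.ZipFile(io.BytesIO(inner)) as zf:           # approximated ms-word stage:
        xml = zf.read("word/document.xml").decode("utf-8")   # keep text, drop formatting
    text = "".join(re.findall(r"<w:t>(.*?)</w:t>", xml)).encode("utf-8")
    stages.append(("ms-word", text))                         # equals the alert's Forensic Data
    return [(name, data, md5(data)) for name, data in stages]


def evidence_bundle(stage: str, artifact: bytes, user: str, summary: str) -> bytes:
    """Evidence Mode style tar.gz: the artifact plus a note carrying its MD5."""
    note = f"md5: {md5(artifact)}\ndownloaded_by: {user}\n{summary}\n".encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in ((stage, artifact), ("evidence.txt", note)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_bundle(bundle: bytes) -> dict:
    """Return {member name: bytes} for an evidence bundle."""
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers()}


if __name__ == "__main__":
    for name, data, digest in walk_decoding_path(build_smtp_message(build_docx(DOC_TEXT))):
        print(f"{name:20} {len(data):6d} bytes  md5={digest}")
```

Running the script prints one line per decoding stage with the artifact size and MD5. The bytes of the final stage are what this guide calls the Forensic Data for the alert, and the per-stage MD5 is the value an analyst compares against the MD5 attribute of a decoder or the signature recorded in an Evidence Mode download.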


Fidelis XPS Vector Decoders
Fidelis XPS Vector contains protocol and format decoders, and each has specific attributes. All
decoders, however, include the MD5 attribute.
To support wildcards, the CommandPost GUI provides a menu of all attributes for all protocols and
file formats; however, only some are applicable to any given protocol.

Protocol Decoder Attributes and Values


All supported protocols are listed in the table below. This table provides the complete list of all
attributes available for each supported protocol. In some cases, attributes have a well-defined list of
possible values and are represented in the Values column. When the attribute has an undefined
content, the Values column is left blank (in these cases, the value will be extracted from the
network transmission).

Table 7. Protocol decoder attributes and values

AIM: AOL Instant Messenger
    Attributes: Encrypted, Filename, From, To, User

AIMEXPRESS: A Web version of AOL Instant Messenger
    Attributes: Filename, From, To, User

AOLMAIL: A Web version of AOL mail
    Filename: The filename of the attachment
    From: Sender's email address
    Mode: Indicates the send or read email for the detected email body or upload or download file for the detected attachment
    Subject: Subject of the email
    To: Recipient's email address
    User: User's email address

BADOO: A social networking web site

BITTORRENT: A peer-to-peer communications protocol for file sharing. Content is not decoded.
    Attributes: Filename

COMCASTMAIL: Webmail
    Filename: The filename of the attachment
    From: Sender's email address
    Mode: Indicates the send or read email for the detected email body or upload or download file for the detected attachment
    Subject: Subject of the email
    To: Recipient's email address
    User: User's email address

CVS: Concurrent Versions System; a client-server free software revision control system
    Attributes: Root, User

DB2: A relational model database server
    Cipher
    Database
    Encrypted
    From
    Midstream
    Quality: True or False
    SQL
    To
    User

DNS: The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. The DNS protocol translates host names into IP addresses. DNS is only supported when the DNS Decoder is enabled on a Direct or Internal sensor.
    Attributes: Host

EARTHLINKMAIL: Webmail
    Filename: The filename of the attachment
    From: Sender's email address
    Mode: Indicates the send or read email for the detected email body or upload or download file for the detected attachment
    Subject: Subject of the email
    To: Recipient's email address
    User: User's email address

EDONKEY: A peer-to-peer file sharing network. Content is not decoded.
    Attributes: Host, User

EMUMAIL: Webmail
    Filename: The filename of the attachment
    From: Sender's email address
    Mode: Indicates the send or read email for the detected email body or upload or download file for the detected attachment
    Subject: Subject of the email
    To: Recipient's email address
    User: User's email address

EXCHANGE: Microsoft Exchange provides email, calendar, and contacts on personal computers, phones, and web browsers (includes NT Lan Manager (NTLM) or Kerberos authentication). Includes MAPI (Messaging Application Program Interface), a Microsoft Windows program interface that enables users to send emails from within a Windows application such as word processors, spreadsheets, and graphics applications.
    Cipher
    Encrypted: Refer to Quality, Encryption String, and Hash Values
    Filename
    From
    Midstream
    Quality
    Server
    Subject
    To
    UID
    User

FACEBOOK: A social networking web site
    Attributes: From, Mode, Profile, Subject, To, UID, User

FIX: The Financial Information eXchange (FIX) protocol is a messaging standard developed specifically for the real-time electronic exchange of securities transactions
    Attributes: Client, Server, User

FRIENDSTER: A social gaming site

FTP: File Transfer Protocol; a standard network protocol used to copy a file from one host to another over a TCP-based network
    Command: Get or Put
    Filename
    Mode: Passive or Normal
    Stream Type: Data Transfer or Control
    User

GNUTELLA: A large, decentralized peer-to-peer network. Content is not decoded.

GOOGLEMAIL: Web mail
    Filename: The filename of the attachment
    From: Sender's email address
    Mode: Indicates the send or read email for the detected email body or upload or download file for the detected attachment
    Subject: Subject of the email
    To: Recipient's email address
    User: User's email address

GOOGLETALK: Freeware instant messaging and voice over Internet (VoIP) protocol client application
    Attributes: Filename, From, To, User

GOOGLE_WEBIM: A chat widget for Google talk users to use on various Google web sites such as gmail
    Attributes: From, Mode, To, User

HI5: A social networking site

HORDEMAIL: Webmail
    Filename: The filename of the attachment
    From: Sender's email address
    Mode: Indicates the send or read email for the detected email body or upload or download file for the detected attachment
    Subject: Subject of the email
    To: Recipient's email address
    User: User's email address

HOTMAIL: Webmail
    Filename: The file name of the attachment
    From: Sender's email address
    Mode: Indicates the send or read email for the detected email body or upload or download file for the detected attachment
    Subject: Subject of the email
    To: Recipient's email address
    User: User's email address

HTTP: Hypertext Transfer Protocol, a networking protocol that is the foundation of data communication for the World Wide Web
    Command
    Connection
    Filename
    From
    Host
    Location
    Malformed: Client sends no data
    Midstream
    Mode
    Proxy
    Proxy Port
    Referer
    Server
    Server Port: Yes
    Status Code
    To
    Tunnel
    URL
    User
    User Agent
    Via
    X-Forwarded-For

IMAP4: Internet Message Application Protocol, a prevalent Internet standard protocol for email retrieval
    Attributes: From, Subject, To, User

IPTUNNEL: Used when one network protocol (the delivery protocol) encapsulates a different payload protocol. Prevention is disabled for this decoder.
    Tunnel: String with a defined format (TYPE IP1:PORT1 IP2:PORT2). PORT1 and PORT2 apply only to Teredo tunnels. TYPE can be one of the following: Teredo, 6in4, 6to4, GRE, IPIP, IPsec

IPsec: Internet Protocol Security (IPsec) is a protocol suite for securing IP communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. Prevention is disabled for this decoder.
    Encrypted: ESP
    Mode: Transport or Tunnel
    Protocol: AH, ESP or AH+ESP

IRC: Internet Relay Chat, a form of real-time Internet text messaging
    Attributes: From, To, User

JABBER: A protocol developed by the Jabber open source community for near-real-time, extensible instant messaging (IM), presence information, and contact lists
    Attributes: Filename, From, To, User

KAZAA: Kazaa Media Desktop was used to exchange MP3 music files and other file types, such as videos, applications, and documents, over the Internet. Content is not decoded.

LDAP: The Lightweight Directory Access Protocol (LDAP) is an application protocol for reading and editing directories over an IP network
    Authentication: SASL or SIMPLE
    Command: bind, search, add, delete, modify, search result
    DN: distinguished name or string
    Midstream: True or False
    Mode: Add, replace, delete
    User

LINKEDIN: Social networking site
    Attributes: From, Mode, Subject, To, UID, User

MSNIM: Windows Live Messenger (formerly named MSN Messenger) is an instant messaging client created by Microsoft and is designed to work with Microsoft Windows platforms
    Attributes: Encrypted, Filename, From, To, User

MSN_WEBIM: The web-based version of Windows Live Messenger
    Attributes: From, Mode, To, User

MSSQL: Microsoft SQL Server is a relational model database server. Its primary query languages are T-SQL and ANSI SQL. Content is not decoded.

MYSPACE: Social networking site
    Attributes: From, Mode, Subject, To, UID, User

NEOMAIL: Webmail
    Filename: The filename of the attachment
    From: Sender's email address
    Mode: Indicates the send or read email for the detected email body or upload or download file for the detected attachment
    Subject: Subject of the email
    To: Recipient's email address
    User: User's email address

NING: Social networking site

ORACLE: An object-relational database management system (ORDBMS). Note: By default the Oracle decoder uses the standard Windows CP 1252 character set for American English. For international character sets, the Oracle decoder uses the first character set defined in the Language Configuration page of the sensor configuration. Refer to chapter 9 in the Vector User Guide. These defaults can be overwritten by editing the Oracle configuration file.
    Cipher: Refer to Quality, Encryption String, and Hash Values
    Client
    Database
    Encrypted
    From
    Midstream
    Quality
    SQL
    Server
    To
    User

ORKUT: Social networking site

OWAMAIL: Web mail
    Filename: The filename of the attachment
    From: Sender's email address
    Mode: Indicates the send or read email for the detected email body or upload or download file for the detected attachment
    Subject: Subject of the email
    To: Recipient's email address
    User: User's email address

PLAXO: Social networking site
    Attributes: From, Mode, Subject, To, UID, User

POISON IVY: A remote access tool
    Encrypted: Camelia
    Version

POP3: Post Office Protocol (POP) is an application-layer Internet standard protocol used by local email clients to retrieve email from a remote server over a TCP/IP connection
    Attributes: User

RDP: Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that provides a user with a graphical interface to another computer. Content is not decoded.

RFB: Remote Frame Buffer, an open protocol for remote desktop
    Authentication: VNC, RA2, RA2ne, SSPI, SSPIne, TightVNC, UltraVNC, TLS, VeNCrypt TLS, GTK-VNC SASL, MD5 Hash, Colin Dean xvp
    Version

RTMP: Recognizes and decodes the Real Time Messaging Protocol (RTMP), which was developed for streaming audio, video and data over the Internet between a Flash player and a server. Content is not decoded.

RTSP: Real Time Streaming Protocol (RTSP) is a network control protocol designed for use in entertainment and communications systems to control streaming media servers. The protocol is used for establishing and controlling media sessions between end points. Content is not decoded.

SHAREPOINT: Collaboration software
    Filename: Name of the file being transferred
    Mode: Upload, download, post, and view
    Title: Site name
    User: User name

SIP: A signaling protocol widely used to set up Voice over IP and Video over IP calls. SIP can create, modify and terminate two-party or multiparty sessions. Each session may consist of one or several media streams.
    CallID
    Command: INVITE, REGISTER, MESSAGE, etc.
    Contact
    From
    Media: String with a defined format: media port, protocol, codecs
    Server
    Subject
    To
    User-Agent
    Via

SKYPE: An application that allows users to make voice calls and chats over the Internet. Content is not decoded. Note: The Skype decoder does not provide content decoding. To reduce the number of alerts, Skype provides one alert per Skype client, not per session. However, the action (prevent or throttle) is applied to all the sessions from the Skype client.

SMB: Server Message Block (SMB) operates as an application-layer network protocol used to provide shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network
    Client
    Directory
    Domain
    Filename
    Midstream: True or False
    Read/write: Read, write, read & write
    Share
    User
    Version: SMB 1 and SMB 2

SMTP: Simple Mail Transfer Protocol (SMTP), an Internet standard for email transmission across IP networks
    Client
    Encrypted: TLS
    From
    Malformed: Client sent no data
    Server
    To
    User

SQUIRRELMAIL: Webmail
    Filename: The filename of the attachment
    From: Sender's email address
    Mode: Indicates the send or read email for the detected email body or upload or download file for the detected attachment
    Subject: Subject of the email
    To: Recipient's email address
    User: User's email address

SSH: Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices. Content is not decoded.
    Cipher: Refer to Quality, Encryption String, and Hash Values
    Client
    Encrypted: SSH
    Hash
    Quality

SSL: Secure Sockets Layer (SSL) is a cryptographic protocol that provides communications security over the Internet. Content is not decoded.
    Cipher: Refer to Quality, Encryption String, and Hash Values
    Command
    Encrypted: SSL or TLS
    Hash
    Malformed: Bad record length from client; Bad record length from server
    Mode: Decrypted SSL (only with SSL Inspector)
    Quality: Refer to Quality, Encryption String, and Hash Values
    Suspicious
    Version: 2.0 or 3.0

TELNET: Telnet is a network protocol that provides communications using a virtual terminal connection
    Attributes: User

TFTP: Trivial File Transfer Protocol (TFTP) is a file transfer protocol generally used for automated transfer of configuration or boot files between machines in a local environment. Note: TFTP over UDP can only be prevented when detected by a network sensor configured for inline mode.
    Filename
    Mode: netascii or octet
    Read/Write: Read or write
    To
    User: User email address if used in the obsolete mail mode

TLS: Transport Layer Security (TLS) is a cryptographic protocol that provides communications security over the Internet
    Cipher: Refer to Quality, Encryption String, and Hash Values
    Command
    Encrypted: SSL or TLS
    Hash
    Malformed: Bad record length from client; Bad record length from server
    Mode: Unused
    Quality: Refer to Quality, Encryption String, and Hash Values
    Suspicious
    Version: 1.0, 1.1, and 1.2

TWITTER: An online social networking and microblogging service

VERIZONMAIL: Webmail
    Filename: The filename of the attachment
    From: Sender's email address
    Mode: Indicates the send or read email for the detected email body or upload or download file for the detected attachment
    Subject: Subject of the email
    To: Recipient's email address
    User: User's email address

WEBSOCKET: WebSocket is a web technology providing full-duplex communications channels over a single TCP connection
    Attributes: Host, Server

X11: A computer software system and network protocol that provides a basis for graphical user interfaces (GUI) for networked computers. Content is not decoded.

YAHOOMAIL: Web mail
    Filename: The filename of the attachment
    From: Sender's email address
    Mode: Indicates the send or read email for the detected email body or upload or download file for the detected attachment
    Subject: Subject of the email
    To: Recipient's email address
    User: User's email address

YAHOO_WEBIM: Yahoo instant messenger for the web
    Attributes: Filename, From, Mode, To, User

YMSG: Yahoo Messenger Protocol is the underlying network protocol used by the Yahoo Messenger instant messaging client
    Filename
    From
    Mode
    To: File Transfer
    User



Format Decoder Attributes and Values
Similar to protocol decoders, format decoders can extract specific attributes and values. The
following table defines each of the format decoders and lists any applicable attribute strings and
values.

Table 8. Format decoder attributes

7z: A file that contains one or more compressed files. Attribute strings do not apply to supported compression utilities such as zip.
    Cipher: Refer to Quality, Encryption String, and Hash Values
    Compression Method
    Creation Date
    Filename
    Hash
    Modification Date
    Quality
    Type: Anti-Item

air: Adobe AIR is a developer's tool for creating platform-independent web applications that can be run on a user's desktop
    Cipher: Refer to Quality, Encryption String, and Hash Values
    Compression Method
    Filename
    Quality

base64: An encoding method that converts binary data into ASCII text and vice versa
    Attributes: Suspicious

binary: A binary file
    Suspicious: XOR (key value); Pad (pad length); XOR (key value) and Pad (pad length)

binhex: BinHex, short for binary-to-hexadecimal, is a binary-to-text encoding system used on the Mac OS for sending binary files through email
    Attributes: Filename

bmp: Bitmap Image File

bzip2: An open source data compression program
    Attributes: Filename

certificate: An electronic document that uses a digital signature to verify identity
    End Date
    Extended Key Usage: Server Authentication, Client Authentication, Code Signing, Email Protection, Time Stamping, OCSP Signing; Use Unknown if not defined in RFC 3280
    Issuer Name: If the name entry in both the Issuer and Subject fields is the same, the value will be Self-Signed Certificate
    Key Length: Number of bits
    Key Usage: Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Signing, CRL Signing, Encipher Only, Decipher Only; Use Unknown if not defined in RFC 3280
    Start Date
    Subject Name
    Type: X509 Certificate or Unrecognized Certificate

chunked: An encoding method that allows data to be returned in chunks

deflate: An algorithm that compresses data without any loss

embedded-image: An embedded image
    Attributes: Filename

embedded-object: Embedded text or file
    Attributes: Filename, Stream type

exe: The Executable file decoder will extract attributes of the file, including the Operating System, the file type (library or executable), and the creation date. Contents are decoded to extract readable text or strings from applicable sections of the executable, such as the import table, export table, resource table, symbol table, and string table.
    Binary Type: Library or Executable
    Compression Method
    Creation Date: Can only be captured on Windows applications
    ImpHash: Import Table Hash
    OS Family: Android, Linux/Unix, Windows or DOS, MacOS/OSX
    Packed: The packer program used, such as UPX
    Type

fix-format: Financial Information eXchange (FIX) XML and tag-value messages
    Attributes: Filename

flash: Detects compressed and uncompressed Flash files such as swf, flv, or f4v files. Text content is decoded and any executable ActionScript is extracted for user analysis.
    Attributes: Filename

gif: Graphics Interchange File

gzip: A file compression program
    Attributes: Filename

html: Hyper Text Markup Language

image: An image

java-class: Detects and decodes java class files

javascript: JavaScript is a scripting language that can be embedded directly in HTML source of Web pages and also in PDF applications outside of web pages
    Attributes: Filename

jpeg: Joint Photographic Experts Group, a compression method for digital images

keynote: Presentation program for Apple iWork
    Attributes: Author, Filename

mail: Email messages that do not include MIME formatted data
    Attributes: From, Subject, To

message: Any set of transmitted data. Searches for messages transmitted in 7-bit, 8-bit, and binary transfer encodings.

mime: Multipurpose Internet Mail Extensions, the most common method of transmitting non-text files via Internet email
    Attributes: Filename, From, Subject, To, User, XHeader (Customizable)

ms-access-mdb: Microsoft Excel
    Attributes: Filename

ms-excel: Microsoft Excel
    Author
    Cipher: Refer to Quality, Encryption String, and Hash Values
    Creation Date
    Filename
    Header/Footer: The header or footer found within a Microsoft Excel document
    Modification Date
    Quality

ms-msg: Microsoft Outlook message
    Attributes: From, Subject, To

ms-office: Microsoft Office. Includes the stream format type extracted by ms-office decoders.
    Attributes: Author, Creation Date, Filename, Header/Footer, Modification Date

ms-powerpoint: Microsoft PowerPoint
    Author
    Creation Date
    Filename
    Header/Footer: The header or footer found within a Microsoft PowerPoint document
    Modification Date

ms-rtf: Microsoft rich text format
    Creation Date
    Filename
    Header/Footer: The header or footer found within a Microsoft rich text format document
    Modification Date

ms-visio: Microsoft Visio
    Attributes: Author, Creation Date, Filename, Header/Footer, Modification Date

ms-word: Microsoft Word
    Author
    Cipher: Refer to Quality, Encryption String, and Hash Values
    Creation Date
    Filename
    Header/Footer: The header or footer found within a Microsoft Word document
    Modification Date
    Quality

multipart: Multipart mime decoder; handles emails sent with attachments

numbers: Spreadsheet program for Apple iWork
    Attributes: Author, Filename

oasis-document: Openoffice text document decoder
    Creation Date
    Filename
    Header/Footer: The header or footer found within an Openoffice text document
    Modification Date

oasis-presentation: Openoffice presentation decoder
    Creation Date
    Filename
    Header/Footer: The header or footer found within an Openoffice presentation document
    Modification Date

oasis-spreadsheet: Openoffice spreadsheet decoder
    Creation Date
    Filename
    Header/Footer: The header or footer found within an Openoffice spreadsheet document
    Modification Date

pages: Word processing and page layout program for Apple iWork
    Attributes: Author, Filename

pdf: Portable Document Format or PDF documents are easily readable with the freely-available Adobe Reader
    Author
    Cipher: Refer to Quality, Encryption String, and Hash Values
    Creation Date
    Filename
    Header/Footer
    Modification Date
    Title

pgp: Pretty Good Privacy or GNU Privacy Guard (gpg). PGP-encrypted binary and executable files can be recognized by the encrypted files analyzer, with extraction of encryption attributes.
    Cipher: Refer to Quality, Encryption String, and Hash Values

pkcs: The signature decoder will extract attributes of the file such as the signature issuer name and the signing time if the file is signed
    Issuer Name: Signed or name of signature certificate issuer
    Signing Time: Signature signing time

postscript: PostScript or standard page description language (PDL) developed by Adobe. Most printers support PostScript with a built-in interpreter.

png: Portable Network Graphics File Format

quoted-printable: An encoding method that converts binary data into ASCII text

rar: A file format for data compression and archiving
    Attributes: Compression Method, Filename

rfc822: A standard for the format of Arpa Internet Text Messages

soap: Simple Object Access Protocol

stream: For multimedia that is constantly received by and presented to an end-user while being delivered by a streaming provider

tar: Tape Archive, a UNIX utility that combines several files into one
    Attributes: Filename

text: Text file

tiff: Tagged Image File Format

tnef: Transport Neutral Encapsulation Format or TNEF is a proprietary email attachment format used by Microsoft Outlook and by Microsoft Exchange Server
    Creation Date: String
    End Date
    Filename
    From
    Modification Date
    Start Date
    Subject

torrent: Detects and decodes .torrent files, which are used to describe file locations to the BitTorrent protocol
    Attributes: Creation Date

urlencode: An encoding scheme used in HTTP

uuencode: An encoding method that converts binary data into ASCII text
    Attributes: Filename

WebP: Image format that uses compression

xfdl: Extensible Forms Description Language. An encoding method intended for forms.
    Attributes: Filename

xml: Extensible Markup Language used to define data elements on a Web page

ymsg: Yahoo Instant Message Decoder
    Attributes: Filename, From, Mode, To, User

zip: A file that contains one or more compressed files. Attribute strings do not apply to supported compression utilities such as LHA.
    Cipher: Refer to Quality, Encryption String, and Hash Values
    Compression Method
    Filename
    Quality

Attributes for Protocol and Format Decoders


The following table defines attributes for protocol and format decoders. These attributes are listed
with each applicable protocol or format decoder.

Table 9. Protocol and format decoder attributes

Decoder attribute: Description
  Decoders: the decoders that use the attribute

Authentication: Authentication method in use for the session.
  Decoders: LDAP, RFB

Author: The author or creator of the file.
  Decoders: keynote, ms-excel, ms-office, ms-powerpoint, ms-visio, ms-word, numbers, pages, pdf

BinaryType: The type of an executable program file.
  Decoders: exe

CallID: Caller ID as found in the SIP session.
  Decoders: SIP

Cipher: The algorithm used for encryption of session or file.
  Decoders: 7z, DB2, EXCHANGE, ORACLE, SSH, SSL, TLS, air, ms-excel, ms-word, pdf, pgp, zip

Client: Initiator host of the session.
  Decoders: Fix, Oracle, SMB, SMTP, SSH

Command: Protocol specific commands such as get or put.
  Decoders: FTP, HTTP, LDAP, SIP, SSL, TLS

Compression Method: Algorithm used to compress a file.
  Decoders: 7z, air, exe, rar, zip

Connection: Status of the HTTP connection: closed or keep alive, etc.
  Decoders: HTTP

Contact: Contact information as found in the SIP headers.
  Decoders: SIP

DN: Distinguished name of an LDAP object.
  Decoders: LDAP

Database: Database name.
  Decoders: DB2, Oracle

Directory: Directory being accessed in an SMB transaction.
  Decoders: SMB

Domain: Domain name associated with the SMB transaction.
  Decoders: SMB

Encrypted: Flag denoting that the session was encrypted.
  Decoders: AIM, DB2, Exchange, IPsec, MSNIM, Oracle, Poison Ivy, SMTP, SSH, SSL, TLS

Evasion Technique: A technique for modifying attacks to prevent detection.
  Decoders: tunneling decoders

Extended Key Usage: Extended usage for public key in X.509.
  Decoders: certificate

Filename: Name of the file.
  Decoders: Almost all protocols and wrapper file formats, including: 7z, AIM, AIMEXPRESS, AOLMAIL, BITTORRENT, COMCASTMAIL, EARTHLINKMAIL, EMUMAIL, EXCHANGE, FTP, GOOGLEMAIL, GOOGLETALK, HORDEMAIL, HOTMAIL, HTTP, JABBER, MSNIM, NEOMAIL, OWAMAIL, SHAREPOINT, SMB, SQUIRRELMAIL, TFTP, VERIZONMAIL, YAHOOMAIL, YAHOO_WEBIM, YMSG, air, binhex, bzip2, embedded-image, embedded-object, fix-format, flash, gzip, javascript, keynote, mime, ms-access-mdb, ms-excel, ms-office, ms-powerpoint, ms-rtf, ms-visio, ms-word, numbers, oasis-document, oasis-presentation, oasis-spreadsheet, pages, pdf, rar, tar, tnef, uuencode, xfdl, ymsg, zip

From: User that initiated the email, chat, or transaction.
  Decoders: All email and chat protocols, including: AIM, AIMEXPRESS, AOLMAIL, COMCASTMAIL, DB2, EARTHLINKMAIL, EMUMAIL, EXCHANGE, FACEBOOK, GOOGLEMAIL, GOOGLETALK, GOOGLE_WEBIM, HORDEMAIL, HOTMAIL, HTTP, IMAP4, IRC, JABBER, LINKEDIN, MSNIM, MSN_WEBIM, MYSPACE, NEOMAIL, ORACLE, OWAMAIL, PLAXO, SIP, SMTP, SQUIRRELMAIL, VERIZONMAIL, YAHOOMAIL, YAHOO_WEBIM, YMSG, mail, mime, ms-msg, tnef, ymsg

Hash: Hash of an encrypted or compressed transmission.
  Decoders: 7z, SSH, SSL, TLS

Header/Footer: The header and footer of a file (supplemental information at the beginning and end).
  Decoders: ms-excel, ms-office, ms-powerpoint, ms-rtf, ms-visio, ms-word, oasis-document, oasis-presentation, oasis-spreadsheet, pdf

Host: A computer connected to a network.
  Decoders: DNS, Edonkey, HTTP, WebSocket

ImpHash: Import Table Hash.
  Decoders: exe

Issuer Name: Name of the certificate issuer.
  Decoders: certificate, pkcs

Key Length: Length of the public key.
  Decoders: certificate

Key Usage: How the public key is used.
  Decoders: certificate

Location: Location specified in HTTP headers.
  Decoders: HTTP

Malformed: Session containing a badly formed name, resource record, or other error.
  Decoders: HTTP, SMTP, SSL, TLS

Media: Media information found in SIP headers.
  Decoders: SIP

Midstream: Flag indicating that the session was not captured from the beginning.
  Decoders: DB2, Exchange, HTTP, LDAP, Oracle, SMB

Mode: Distinct method of operation within a computer system.
  Decoders: AOLMAIL, COMCASTMAIL, EARTHLINKMAIL, EMUMAIL, FACEBOOK, FTP, GOOGLEMAIL, GOOGLE_WEBIM, HORDEMAIL, HOTMAIL, HTTP, IPsec, LDAP, LINKEDIN, MSN_WEBIM, MYSPACE, NEOMAIL, OWAMAIL, PLAXO, SHAREPOINT, SQUIRRELMAIL, SSL, TFTP, TLS, VERIZONMAIL, YAHOOMAIL, YAHOO_WEBIM, YMSG, ymsg

Modification Date: Date when a file was modified.
  Decoders: 7z, ms-excel, ms-office, ms-powerpoint, ms-rtf, ms-visio, ms-word, oasis-document, oasis-presentation, oasis-spreadsheet, pdf, tnef

OS Family: Operating system to which an executable file pertains.
  Decoders: exe

Packed: The packer program used, such as UPX.
  Decoders: exe

Profile: A link to the user Facebook profile.
  Decoders: Facebook

Protocol: Application protocol for the IPsec session.
  Decoders: IPsec, NetworkEvasion

Proxy: HTTP Proxy server involved in the session.
  Decoders: HTTP

Proxy-Connection: Status of an HTTP connection to a proxy server.

Proxy port: Port on which the HTTP proxy server is listening.
  Decoders: HTTP

Quality: Quality of encryption of a session or file.
  Decoders: 7z, DB2, EXCHANGE, ORACLE, SSH, SSL, TLS, air, ms-excel, ms-word, zip

Read/Write: Read/write permission on a file or folder as found in protocol data.
  Decoders: SMB, TFTP

Reassembly: Reassemble packets into proper order at the receiving end of the communication.
  Decoders: NetworkEvasion

Referer: An HTTP header field that identifies the address of the web page (i.e. the URI) that linked to the resource being requested.
  Decoders: HTTP

Root: Top level directory of an RCS file system.
  Decoders: CVS

SQL: Structured Query Language (SQL): a query language used for accessing and modifying information in a database.
  Decoders: DB2, Oracle

Server: The server to which the host has connected.
  Decoders: Exchange, Fix, HTTP, Oracle, SIP, SMTP, WebSocket

Server port: The port on which the server is listening.
  Decoders: HTTP

Session ID: Sub session of Rel Session ID.
  Decoders: tunneling protocols

Share: A shared directory accessed over SMB.
  Decoders: SMB

Signing Time: Time that the certificate was signed.
  Decoders: pkcs

Start Date: Date started.
  Decoders: certificate, tnef

Status Code: HTTP response status code.
  Decoders: HTTP

Stream type: Whether the session was a control, data, or encrypted stream.
  Decoders: FTP, embedded-object

Subject: The subject of an email or message.
  Decoders: AOLMAIL, COMCASTMAIL, EARTHLINKMAIL, EMUMAIL, EXCHANGE, FACEBOOK, GOOGLEMAIL, HORDEMAIL, HOTMAIL, IMAP4, LINKEDIN, MYSPACE, NEOMAIL, OWAMAIL, PLAXO, SIP, SQUIRRELMAIL, VERIZONMAIL, YAHOOMAIL, mail, mime, ms-msg, tnef

Subject Name: Subject name in a certificate.
  Decoders: certificate

Suspicious: File with suspicious formatting or structure.
  Decoders: binary, base64, SSL, TLS

Title: Sharepoint site Title.
  Decoders: Sharepoint, pdf

To: Recipient of the information / email.
  Decoders: All email, chat, and social protocols, including: AIM, AIMEXPRESS, AOLMAIL, COMCASTMAIL, DB2, EARTHLINKMAIL, EMUMAIL, EXCHANGE, FACEBOOK, GOOGLEMAIL, GOOGLETALK, GOOGLE_WEBIM, HORDEMAIL, HOTMAIL, HTTP, IMAP4, IRC, JABBER, LINKEDIN, MSNIM, MSN_WEBIM, MYSPACE, NEOMAIL, ORACLE, OWAMAIL, PLAXO, SIP, SMTP, SQUIRRELMAIL, TFTP, VERIZONMAIL, YAHOOMAIL, YAHOO_WEBIM, YMSG, mail, mime, ms-msg, ymsg

Tunnel: A protocol in which one protocol is encapsulated within another (HTTP Connect, IP tunnels).
  Decoders: HTTP, IPTUNNEL

Type: Different types – 7z: anti-file; certificate: root or not; exe: signed or not.
  Decoders: 7z, certificate, exe

UID: User ID used in various systems and protocols.
  Decoders: Exchange and social protocols, including: EXCHANGE, FACEBOOK, LINKEDIN, MYSPACE, PLAXO

Url: HTTP Uniform Resource Locator, or web address.
  Decoders: HTTP

User: A person or software using an information system.
  Decoders: Almost all protocols, including: AIM, AIMEXPRESS, AOLMAIL, COMCASTMAIL, CVS, DB2, EARTHLINKMAIL, EDONKEY, EMUMAIL, EXCHANGE, FACEBOOK, FIX, FTP, GOOGLEMAIL, GOOGLETALK, GOOGLE_WEBIM, HORDEMAIL, HOTMAIL, HTTP, IMAP4, IRC, JABBER, LDAP, LINKEDIN, MSNIM, MSN_WEBIM, MYSPACE, NEOMAIL, ORACLE, OWAMAIL, PLAXO, POP3, SHAREPOINT, SMB, SMTP, SQUIRRELMAIL, TELNET, TFTP, VERIZONMAIL, YAHOOMAIL, YAHOO_WEBIM, YMSG, mime, ymsg

UserAgent: Application using HTTP as transport.
  Decoders: HTTP, SIP

Version: Version of the protocol being used.
  Decoders: PoisonIvy, RFB, SMB, SSL, TLS

Via: Via (proxies) information as found in HTTP-like headers.
  Decoders: HTTP, SIP

X-Forwarded-For: HTTP header field used for identifying the originating IP address of a client using an HTTP proxy.
  Decoders: HTTP

XHeader: X-Headers field found in mime headers.
  Decoders: mime

Quality, Encryption String, and Hash Values
Quality and encryption string values are listed below.

Quality string values: 256-bit, 192-bit, 128-bit, 120-bit, 112-bit, 104-bit, 96-bit, 88-bit, 80-bit, 72-bit, 64-bit, 56-bit, 48-bit, 40-bit, Weak, None

Encryption string values: Password, Fortezza, RC4, RC2, Idea, Serpent, Twofish, Arcfour, Cast, Blowfish, Triple-DES, DES, AES, None, Non-Standard, RC4-DSS, Kerberos, RC4-DH, RC4_ENH, RC4-DSS_ENH, RC4-RSA-AES, RC4-RSA, RC4-STRONG, XOR, PGP

Hash values: MD5, SHA1


Chapter 5 Investigator
Investigator enables you to bookmark alerts, and alert searches for further investigation. This
allows you to group disparate items together with comments for easy retrieval and review by other
users.
For example, you can include alerts and an alert search in an investigation. Information about the
bookmarked alerts and the alert search is saved in the investigation and is available even after the
original alerts are deleted.
Note: To access Investigator, you need View access to Alerts and Full access to Details. To print
or export search results, you need Full access to Alerts. Refer to User Roles.
From above the Alert List page:

Click to open Investigator. Once enabled, you may drag and drop alerts and alert searches
to begin using the Investigator. Initially, the default investigation displays and all items dropped into
the Investigator are added to the default investigation. The default investigation is private.
Investigations can be added, made public, closed, and modified. To change the status of the
default investigation, you need to save it under another name. Refer to Open an Investigation.

If you navigate to another page, the last investigation accessed displays. Click the investigation
name to display a list of investigations available to you.

Include Items in an Investigation


When an investigation is enabled you will notice your mouse pointer change to a hand as you
move over items that can be dragged. Click to select an item. As you drag the item toward the
Investigation icon, the icon will expand showing where to drag the item. Once you drop the item,
the investigation icon will indicate that an item was added.
After you include an item, a text box displays that enables you to enter a short comment to describe
the item. Any comments entered will display immediately before the more detailed comments that
are automatically generated for the item. If you do not enter comments, the text box disappears
after a few seconds. Refer to Edit Item Comments.
The following elements can be added to an Investigation:

• Alerts: From the Alert list page, drag and drop any row into the investigation. This action will
insert the alert with a name: Alert – N where N is the alert ID. The Comments associated with
the alert include relevant information about the alert including the UUID, source, destination,
protocol, file type, rule, and policy. The name and comments can be modified after dragging
the row to the investigation.
Once added, the alert will have a icon next to it in the Alert list. The icon only displays
when the investigation to which the item belongs is selected.
• Alert Search: There is often a need to include all alerts that meet certain criteria in the
investigation. This can be accomplished by executing a Search on the list page. Move your
mouse to the top left of the Alert list page where the search criteria is described and the
mouse icon will change to a hand. You can grab the search criteria and drop it to your
investigation. The search criteria includes search, filter, time range, and group information. If
your search includes group by information, the Return to Group List will not be available. The
entry into the investigation will be named: Alert Search – Date and the Comments will include
all search criteria. The name and comments can be modified later but the search criteria
cannot be changed.
Note that running these searches in the investigator at a later time may yield different results
if the search had an open-ended end time (e.g. last 24 hrs) or because of alert purging.


Using the Investigator
To access or modify the information gathered in an investigation, click the icon to open the
Investigator. The name of the current investigation will appear as well as the edit icon, . For
example:

Click to edit the investigation. Click the name of the investigation to change to another. Click

at the top of the screen to close the investigation.

Clicking at the bottom closes the investigation. If you open or close an investigation, this
selection remains if you navigate to another page.
When open, the investigation includes an interface to change an investigation, view a list of all
items in an investigation, and an interface to filter the list. You can also create a PDF file of the
investigation or export it to Excel.

Change an Investigation
Open the current investigation to select a different investigation. The following controls display:
Status enables you to search for all, open, or closed investigations. The selections available at the
Owner and Investigation selections will change based on the selected status.
Owner enables you to select investigations that were created by different users. Any user that has
created a public investigation will be displayed in the list, in addition to yourself. The selections
available at the Investigation selection will change to list those created by the selected user. Public
investigations can be accessed and modified by any user with the proper role.
To access and use Investigator, your role must include full access to Alerts, Alert details, and
reports.
Investigation enables you to select an investigation based on the Status and Owner selections in
the window.
The current investigation may also be changed by clicking the investigation name in the
Investigation icon at the top of the Alerts page:

Open an Investigation
Open an investigation to add a new investigation or to edit, print, or delete an existing investigation.
You have the following options located next to the Investigation selection:
Click to start a new investigation.
Click to edit the name, status, access, or comment fields for the selected investigation. The
bottom of the investigation page shows when the investigation was created, when it was last
modified, and which user created or changed the investigation.
Select the status: either Private, Public (Read Only), or Public (Read-Write).
Click in the Comment text box to add, delete, or edit text. You can also select text and click on a
formatting button to underline text, change font color, or change the background color of the
selected text. Any formatting or editing changes display in the PDF file. You can also copy
comments to include them in an email or a text document.
Click to generate a PDF file of the current investigation. You will be able to create a PDF of
information to which you have Full access. For example if you have Full access to Alerts, but not to
Metadata, you will only be able to include alert information in the PDF. The PDF contains the
content of the selected Investigation and uses the footer and the logo specified at Alerts for PDF
reports. Refer to Create PDF Reports for Alerts to change the footer or the logo. The creation date,
time, and the user display for the investigation and for each item.
Choose to print the PDF with or without search results.
The PDF without search results provides a summary of each alert search and summaries of alerts
items.
The PDF with search results includes the search and item summaries and the search results.
When search results are included, they will be capped at 1,000 results per search and 5,000 results
in total. The number of results allowed will be equally distributed between searches. The search is
performed before generating the PDF. This operation may be time consuming.
Click to export the current investigation to Excel. Export runs any alert or metadata searches in
the investigation and places the results in Excel. You will be able to export information to which you
have Full access. For example if you have Full access to Alerts, but not to Metadata, you will only
be able to include alert information in the export. Each search result is put into a different
worksheet with the name of the search. You can have up to 100,000 entries for all searches. The
number of results allowed will be equally distributed between searches. This operation may be time
consuming.
The Excel spreadsheet also includes investigation comments and item names and comments.
You can export with Saved search columns or with All search columns. Your selection determines
which columns will display in the Excel spreadsheet.

• Exporting with Saved search columns uses the search columns saved in an alert or metadata
search.
• Exporting with All search columns uses all columns that are in the alert or metadata page. If
you select All search columns for a Metadata search, an ExtraData column displays that
contains information from the Metadata Details page.

Click to delete the selected investigation. At the dialog box, click Continue to proceed with the
deletion.
Using or controls presents the following controls:
Name: enter a unique name for a new investigation or modify the name of an existing investigation.
Status: Open or Closed
Access: Private or Public. Private investigations can only be accessed by the CommandPost user
who created the investigation. Public investigations can be accessed and modified by any
CommandPost user with a role that provides Full access to Alerts, Alert Details, and Reports.
Comment: Provide a comment for the investigation.

Access Data Stored in an Investigation


Investigations may include individual alerts or alert searches. When you open an investigation, the
Type selection can be used to locate specific items.
For each item in an investigation, you have the following options:
Click to change the selected item's name or comments about the item.
Click to delete the selected item. At the dialog box, click Continue to proceed with the deletion.
Click to see details of the item open in another tab (or window depending on your browser). The
item must exist on your system for the item details to display. For example, if an alert is purged, the
Alert Details page will not be available for that alert.

• For an alert item, the Alert Details page displays, if available.


• For a metadata item, Metadata Details displays.
• For alert and metadata searches, the search will run again and the search results display

Search for Items


Enter a search term in the text box and click Search to find specific items in an Investigation. A
string search is performed on item names and comments.

Edit Item Comments


Mousing over the comment section of an item displays a tool tip for the item that contains
information from the first part of the comment such as short comments created when the item was
added. Comment content can differ depending on whether the item is an alert, or alert search item.


Note: Editing search criteria in comments for an alert search does not change the
search itself. To change the search, you need to change search criteria at the Alert
page and create a new entry in the Investigation.

Click to view the comments in their entirety or to edit comments.


Click in the Comment text box to add, delete, or edit text. You can also select text and click on a
formatting button to underline text, change font color, or change the background color of the
selected text. Any formatting or editing changes display in the PDF file. You can also copy
comments to include them in an email or a text document.


Chapter 6 Saved Reports
Saved Reports enables you to access and manage all your reports from one location. You can use
criteria entered at the Alert List [20] or Summary Report pages and save these reports, which are
then available at the Report List.
To access the list of your saved reports, click Reports>Saved Reports. When you first access the
list, it displays default system reports.

• System Reports – These reports ship with Fidelis XPS Vector and include: Alert
Management, Malware, Malware by Host, and Malware by Type. You can run these reports or
use them as the basis for a new custom report. If saved as a custom report, the original
system report is not affected. System reports are also available at the Alert List page.
System Reports have the Public (Read Only) permission. You run these reports or copy and
save them under different names.
• Custom Reports – Customized reports allow you to control the contents and the display of
your report. From the Saved Reports page you can run, modify, and schedule these reports.
Refer to Create Reports.
• Saved Summary Reports – These are Summary Reports that were created and scheduled
at the Summary Reports page. From the Saved Reports page you can run, modify, and
change the execution schedule. Refer to Create Summary Reports.
Figure 18. Saved Reports page

Report Permissions
Reports have one of the following permission levels described below. The report author refers to
the user that created the report.

• Private – The report author has full access to the report. Other users have no access to
private reports. The author can copy Private reports to other users and those users will
become the authors of the copies.
• Public (Read Only) – These reports can be viewed and executed by all users. The author of
a Public (Read Only) report is the only user permitted to edit, schedule, or delete the report.
All System Reports are Public (Read Only) and cannot be deleted by any user.
• Public (Read-Write) – These reports can be viewed and modified by all users. Any user with
the same permissions as the original author can edit, copy, run, delete, or schedule the
report. The last user to change the report is listed as the author of the report.
Public reports can be copied in a process known as Report Cloning. The new report is exactly the
same as the original, with the same report contents, and permissions. The author of the cloned
report will be the user that made the copy.
The permission of any report can be changed when the report is saved.
All reports execute under the permissions of the report author. Only those alerts available to the
author by sensor and alert management group assignment will be available in the report. In the
case of Public (Read-Write) reports, the author is the last user to modify the report.

[20] An Alert List is created from all alerts available within your assigned groups and sensors. The List
can be greatly customized by choosing the columns to display, selecting specified criteria, and by
choosing to display the results in a chart or as a table.
Report Details and Buttons
Click a report to see report details. The author of the report is listed with its permissions. Create
and modify times are also listed. These times and the author information are assigned by
CommandPost and cannot be changed directly.
The following buttons display depending on the report selected and the permissions associated
with it.

• Run enables you to execute the report. This is active for all reports. Refer to Run Reports.
• Edit takes you to the Custom Report page to edit criteria and save the report. Refer to Create
Reports.
• Modify is available for saved Summary Reports and takes you to the Summary Reports page.
Refer to Create Summary Reports.
• Delete is available for Custom and Summary Reports. Refer to Delete Reports.
• Schedule enables you to enter scheduling information. This button is active for Custom
Reports.
• Modify Schedule also enables you to enter scheduling information and is active for Summary
Reports. Refer to Save and Schedule Reports.
• Export enables you to save the report definitions in a file on your client workstation. Exported
reports can be imported. Refer to Import.
• Export All enables you to save all report definitions to your client workstation.

Create Reports
Depending on the permissions of each report, reports can be modified, scheduled for automatic
execution, and copied to other users.
There are several ways to begin creating a report:


• Click Customize Report at the Alerts [21] page. All alert search, filter, time selection, and group
criteria are selected in the Custom Report page. You can change any parameter and save it.
• Click the appropriate report at the Saved Reports page and click Edit. The Custom Report
page displays with any criteria selected for the saved report. This enables you to create a new
Custom Report based on a system report or an existing report.
• Click Create New Report at the Saved Reports page.
The Custom Report page contains the following sections that you can expand or collapse as
needed:

• Search provides an interface to identify alerts by a search rather than an exact match. Search
terms are typed into the available input fields.
• Filters provide an interface to identify alerts by an exact match of one or more alert fields.
Values are selected by choosing one or more values from the available lists.
• Time Range provides an interface to identify alerts by time.
• Columns provides a control for the information available in your alert report.
• Group By provides a control to summarize and chart the results of your report. The fields
available for grouping are those chosen as your primary columns for the report.

[21] An alert is the recorded and displayed incidence of at least one event.
Search
To search, enter criteria into one or more of the text boxes within Search.

Figure 19. Custom Search: Search


T a bl e 1 0. S e ar c h Fi el ds

Search fields Description

Alert ID Enter a single alert ID, a comma-separated list of alert IDs or a range.
Ranges are entered by a hyphen between the start and end of the range

File Name Searches the name of the file that caused the violation.

Forensic Data The search is applied over the forensic data field of the alert, as shown in
22
the Alert Details page.

From Searches on the From field.

IP:Any Searches on any IP address, either source or destination.


Note: Selecting Any IP overrides Source and Destination.

IP:Destination Enter an IPv4 or IPv6 IP address, a comma-separated list of IP addresses,


or a range. Ranges are entered by a hyphen between the start and end of
the range. Custom Search cannot accept resolved IP addresses, however,
other information is valid inSearch IP Addresses.

IP:Host Enter an IPv4 or IPv6 IP address, a comma-separated list of IP addresses,


or a range. Ranges are entered by a hyphen between the start and end of
the range. Custom Search cannot accept resolved IP addresses, however,
other information is valid in Search IP Addresses.

IP: Pair Specify the IP addresses on which to filter alerts. Each IP address can be
source or destination. IP Pair is used to find alerts where the source AND
destination match the pair. It is used to find communication between
specified IP addresses.
Any IP is used to match alerts where the source OR destination is within
the defined range. Any IP is used to find communication that involves a
specified IP address.
Note: Selecting IP Pair overrides Any IP and Source and Destination
IP.

IP Source Enter an IPv4 or IPv6 IP address, a comma-separated list of IP addresses,


or a range. Ranges are entered by a hyphen between the start and end of
the range. Custom Search cannot accept resolved IP addresses, however,
other information is valid in Search IP Addresses.

Malware Name Searches on the Malware Name.

MD5 Searches the MD5 hash value associated with the file.

Port: Any Searches on any port: source or destination.

Port: Destination Enter a TCP port number, a comma-separated list of port numbers, or a
range. Ranges are entered by a hyphen between the start and end of the
range.

Port: Source Enter a TCP port number, a comma-separated list of port numbers, or a
range. Ranges are entered by a hyphen between the start and end of the
range.

22
Alert Details is the most granular level for examining alert data.
Fidelis XPS Vector User Guide 86
Search fields Description

Resolved IP:Any Searches on any IP address: source or destination that matches the
resolved DNS name.

Resolved IP: Enter an IPv4 or IPv6 IP address, a comma-separated list of IP addresses,


Destination or a range. Ranges are entered by a hyphen between the start and end of
the range. Custom Search cannot accept resolved IP addresses, however,
other information is valid inSearch IP Addresses.

Resolved IP: Searches on any IP source address that matches the resolved DNS name.
Source

Session Attributes This search is performed over the Channel Attributes of the alerts. The
value will match the name of a protocol or file format for which attributes are
available, the attribute name, or the attribute value. Refer to chapter 4 in the
Guide to Creating Policies for details about protocol or file formats and their
attributes.
Refer to Protocol and Format Decoders.
Refer to Enter Search Terms.

Subject Searches the value of the extracted Subject field.


Summary The search is applied over the summary field of the alert.

Target Target refers to the destination of the information. The value is protocol
specific. Examples include the destination URL, share name, or host name.
Target is based on extracted protocol information and not based on the IP
address of the data. In many network configurations, the IP address may be
an internal address corresponding to a local NAT server or proxy, whereas
the target represents the intended destination of the data.

Threat Score Searches for alerts that match the specified threat score. Enter search
values between 0 and 100. If the alert does not include execution forensics, the
value is empty.
To search for alerts with a specific score enter the value. For example,
enter 4 to find alerts with a threat score of 4.
To search for alerts with a list of specific scores, enter a comma-separated
list of values. For example, enter 4,37,82,100 to find alerts with a threat
score of either 4, 37, 82, or 100. Do not enter spaces between the commas.
To search for alerts within a range of scores enter the range separated by a
hyphen. Be sure to not include spaces in your search text. For example, to
find all alerts with a score greater than 50, enter 51-100 into the search text.
To find all alerts with a threat score, enter 0-100 into the search text.

Ticket Content Searches the content of the alert ticket Subject and Comment fields. This is in
the Alert Workflow Log section of the Alert Details page.

To The value of the extracted To field.

User Searches on information from the extracted User field.

UUID Enter a specific alert UUID number. This is an exact search.

Note: In searching IP addresses, the priority is IP Pair first, then Any IP, and finally
Source IP and Destination IP.
Note: Search terms entered for Session Attributes follow the same syntax as
described in Search for Alerts.
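The Threat Score syntax above (a single value, a comma-separated list, or a hyphen range, with no spaces, and an empty value when the alert has no execution forensics) is the same shape the Port fields accept. As an added example that is not part of the Fidelis guide, the following Python implements that matching over a few constructed alert records; the record layout and field names are assumptions.

```python
"""Added example (not Fidelis code): a matcher for the numeric search-term
syntax that the Threat Score and Port: Source / Port: Destination fields use.

A term is a single value, a comma-separated list, or a hyphen range, with no
spaces. Threat Score is bounded to 0-100 and is empty for alerts that never
went through execution forensics, so such alerts match no term, not even 0-100.
"""
import re
from typing import List, Optional, Set

# digits, commas and hyphens only; a space anywhere makes the term malformed
_TERM_RE = re.compile(r"^\d+(-\d+)?(,\d+(-\d+)?)*$")


def parse_numeric_term(term: str, lo: int, hi: int) -> Set[int]:
    """Expand a search term into the set of integers it selects.

    Raises ValueError on spaces, reversed ranges or values outside [lo, hi],
    which mirrors the guide's 'do not enter spaces' rule.
    """
    if not _TERM_RE.match(term):
        raise ValueError(f"malformed term {term!r}: no spaces, digits/commas/hyphens only")
    selected: Set[int] = set()
    for piece in term.split(","):
        if "-" in piece:
            start, end = (int(x) for x in piece.split("-", 1))
        else:
            start = end = int(piece)
        if start > end:
            raise ValueError(f"reversed range {piece!r}")
        if start < lo or end > hi:
            raise ValueError(f"{piece!r} is outside {lo}-{hi}")
        selected.update(range(start, end + 1))
    return selected


def threat_score_matches(score: Optional[int], term: str) -> bool:
    """True if an alert's threat score satisfies the Threat Score search term.

    score is None when the alert has no execution forensics (empty field).
    """
    allowed = parse_numeric_term(term, 0, 100)
    return score is not None and score in allowed


def port_matches(port: int, term: str) -> bool:
    """Port: Source / Port: Destination use the same syntax over 0-65535."""
    return port in parse_numeric_term(term, 0, 65535)


# Constructed sample alerts (hypothetical values, not from any real sensor).
SAMPLE_ALERTS = [
    {"uuid": "a-1", "threat_score": 4,    "dst_port": 443},
    {"uuid": "a-2", "threat_score": 37,   "dst_port": 80},
    {"uuid": "a-3", "threat_score": 82,   "dst_port": 8080},
    {"uuid": "a-4", "threat_score": None, "dst_port": 25},   # no execution forensics
    {"uuid": "a-5", "threat_score": 100,  "dst_port": 443},
]


def search_threat_score(alerts, term: str) -> List[str]:
    """Return the UUIDs of alerts whose threat score matches term."""
    return [a["uuid"] for a in alerts if threat_score_matches(a["threat_score"], term)]


def search_dst_port(alerts, term: str) -> List[str]:
    """Return the UUIDs of alerts whose destination port matches term."""
    return [a["uuid"] for a in alerts if port_matches(a["dst_port"], term)]


if __name__ == "__main__":
    print(search_threat_score(SAMPLE_ALERTS, "51-100"))      # scores above 50
    print(search_threat_score(SAMPLE_ALERTS, "4,37,82,100"))  # explicit list
    print(search_threat_score(SAMPLE_ALERTS, "0-100"))        # a-4 excluded: empty score
    print(search_dst_port(SAMPLE_ALERTS, "80,443"))
```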

Filters
Filters use an exact match to find alerts. You can use filters to limit the report to only those alerts
that match your filter criteria. If you select multiple fields, all are applied to the filter. The more filters
you select, the narrower your results.
When you click Customize Report from the Alert Report, you will notice that many search terms will
be shown as filters on the Custom Report Edit page.
This translation occurs because exact match filters perform faster than inexact searches. It also
allows you to save your report with the specific data matched by your search.

Figure 20. Custom Search: Filters


Table 11. Filters

Filter Description

Alert Actions Select an alert action.

Alert Management Groups Select one or more alert management groups to which the alerts
belong. All groups available in CommandPost are listed.

Components Select one or more sensors or Collectors.

Country: Any Select one or more countries for source or destination.

Country: Destination Select one or more destination countries.

Country: Source Select one or more source countries.

Execution Forensics Status Searches on alerts based on their execution forensics status.
You can select from: Failed, Not Submitted, Pending, Received, Rejected.

Format Type Select one or more file format types for the alerts.

Host Activity Select either detected or not detected on Carbon Black.

Labels Select one or more alert labels. Refer to Select Alert Actions to understand how to
apply labels to alerts.

Malware Type Select one or more malware types.

Protocols Protocol refers to the network protocol over which the violation was detected.

Severity Select one or more severity levels. Severity could be low, medium, high, or critical.

Ticket Owner An alert can belong to only one owner. However, if you enter a search with
multiple terms, the search will match an alert containing any one of the terms (most other
search fields require a match of all terms). For example, a search for Owner1 Owner2 yields
all alerts belonging to either Owner1 or Owner2.
Also, a search for the term unassigned (with or without quotes) will display all alerts that
have not been assigned.

Ticket Resolution Select one or more resolutions for the alerts.

Ticket Status Select one or more statuses for the alerts.

With Malware Select to include or exclude malware.

Time Range
Time Range enables you to specify a time period for your Custom Report and include trending
information.

Figure 21. Custom Search: Time Range
Time Range selections include:

• Last Login: reduces alerts to those that have occurred since the last time you logged into
CommandPost.
• Last 24 Hours, 7 Days, or 30 Days: provide shortcuts to reduce alerts to the prior day, week,
and month.
• Specific Hours: displays a text box in which you can enter a two-digit number, N. Only
alerts occurring in the past N hours will be displayed. You can use this feature to reduce
alerts by partial days with a granularity of one hour.
• Specific Days: displays a text box in which you can enter a two-digit number, N. Only alerts
occurring in the past N days will be displayed. You can use this feature to reduce alerts to
those that occurred during a specific number of days.
• Specific Date: when you click the text box a calendar appears. This reduces your alerts to
those that occurred on the specified date.
• Date Time Range: enter a range by entering start and end dates and times. When you click a
text box a calendar appears. Select the desired date and use the sliders to select a time.
Click Done to enter the chosen date and time. This reduces your alerts to those that occurred
during the specified range, including the specified dates and times.
Click Trending to graphically display the trend for all alerts within your current settings.
Select the time mode:
• Insert Time is the time when the alert was inserted into CommandPost.
• Alert Time is the time when the alert was created on the sensor.
Under normal operating conditions, these times should be nearly equal. Insert Time can differ
from Alert Time if alerts are imported from an archive file into CommandPost or if alerts are spooled
during database maintenance or a CommandPost upgrade.
Selecting Insert Time results in a faster response from CommandPost.

Columns
Columns determine what information is displayed in the custom report. You must select at least
one primary and one secondary row to run or save a report.

• Column Choices lists all columns that you can include in a report. Refer to the table below
that describes report columns.

• The Primary Row contains the columns that will display as the main columns for the custom
report. These columns can be sorted or used to group alerts.
• The Secondary Row contains additional columns that can be used to provide extended
information on the Alert Report. When the report is run within CommandPost, each primary
column is shown per alert. You can click the alert to open the Quick Summary to access your
secondary information. Secondary row columns can be used to filter alerts and to navigate to
other pages by following clickable information fields. When the report is scheduled for
automatic delivery, secondary rows are not shown as part of the report.
• Sort By displays columns selected for the primary row or those selected for grouping. The
selection will determine the order of your report.
Figure 22. Custom Search: Columns
To set up columns:

• To add a new column: Select one or more choices from Column Choices and click or
.

• To edit column order: Select one or more columns and click or until all columns are
in the desired order.

• To delete columns: Select one or more rows and click .

Table 12. Report columns

Available columns Description

Action The action taken by the sensor in response to the violation.

Alert Details Icon Displays the icon at the location of your choice in the Alert List.

Alert Id Displays the alert ID. The alert ID is unique to a single Vector. Refer to UUID for the
alert ID that is unique across all components.

Alert Management Group Displays the alert management group to which the alert belongs.

CommandPost Displays information about CommandPosts.

Component Select one or more sensors.

Compression Indicates the number of additional events represented by an alert. Refer to Alert
Compression.

Country: Destination The country to which the destination IP address is registered.

Country: Source The country to which the source IP address is registered.

Filename Displays the name of the file that caused the violation. Will be empty if no file was
involved in the violation.

Format Type Displays the data format type that caused the violation.

From Displays the value of the extracted From field. The value is protocol specific and
most applicable to email or webmail. The value will be empty if the violation
occurred over a protocol that does not provide From.

Host Activity Displays host activity information as a red flag when the host reports activity
related to the malware detected on the network. The column will be empty if there
was no activity on the host.

Insert Time Time when the alert was inserted into the CommandPost database.

IP: Destination The IP address of the recipient of the data. When available, both the IP and
the resolved host name are provided.

IP: Host The IP address of the host. The host usually identifies a workstation infected by
malware.

IP: Source The IP address of the sender of the data. When available, both the IP and the
resolved host name are provided.

Label Displays the label assigned to the alert. Refer to Select Alert Actions to understand how
to apply labels to alerts.

Malware Name Displays the name of the identified malware.

Malware Type Displays the type of the identified malware.

MD5 Displays the MD5 of the file with the malware. Information displays in this column
if a malware event occurred.

Owner The name of the CommandPost user to whom the alert has been assigned.

Port: Destination The destination TCP port number.

Port: Source The source TCP port number.

Protocol The application protocol on which the violating transfer occurred.

Resolution Displays the resolution to an alert ticket that was closed. Resolution can take the
following values: Allowed, Action taken, No action taken, and False positive. Refer
to The Alert Workflow Log.

Severity Displays a level of severity. Severity could be low, medium, high, or critical.

Status Provides the status of an alert ticket, which can be new, open, or closed. Refer to
The Alert Workflow Log.

Subject Displays the value of the email subject line. The value is protocol specific and only
applicable to email or webmail. The value will be empty if the violation occurred
over a protocol that does not include email.

Summary Displays summary text associated with the rule.

Target Target refers to the destination of the information. The value is protocol specific.
Examples include the destination URL, share name, or host name. Target is based on
extracted protocol information and not on the IP address of the data. In many network
configurations, the IP address may be an internal address corresponding to a local NAT
server or proxy, whereas the target represents the intended destination of the data.

Threat Score Displays the threat score.

Time Displays the time when the alert was detected on the sensor.

To Displays the value of email recipients. The value is protocol specific and most
applicable to email or webmail. The value will be empty if the violation occurred
over a protocol that does not include email.

User Displays the value of the extracted User field. The value is protocol specific and
most applicable to protocols that require a login or user name. The value will be
empty if the violation occurred over a protocol that does not provide User.

UUID The Universal Unique ID (UUID) is an alert ID that will be unique over all Fidelis
XPS components. If an alert is archived and imported at a later date, the UUID will
not clash with the current set of CommandPost alert IDs; however, the Alert Id may.

With Malware A Yes/No value to indicate if the alert contains malware.

Sort By
Sort By enables you to sort your report results by selecting an available column in either ascending
or descending order. Available columns can either be from the Primary Column entries if there is no
group by, or from the Group By list (with the Count and Last Seen columns). You can only select
one column at a time. Report results are sorted by your column and sort order selections and can
be saved.
If there is no group by in the report, Alert Time in descending order is used by default (most recent
to least recent alert time). You can change the sorting order to ascending, or you can select one of
the other Primary Columns.
If there is a group by in the report, group results are sorted by Count in descending order (from
largest to smallest count) by default. You can change the sort order to ascending (smallest to
largest), or select one of the other group by columns (including Last Seen or Count).

Group By
Group by enables you to summarize your report by grouping selected values. The list of available
columns matches your selection of primary columns. Use CTRL-Click to select one or more
columns to group report results. You may also select a view for your report, either tabular, pie
chart, bar chart, or stacked bar chart. Refer to Group.

Figure 23. Custom Search: Group By

Report Controls
After entering criteria, you have the following options:

• Reset–resets the report to the last saved state.


• Run–runs the report. If the report was not saved before running, the report will be
named: Unnamed Report.
• Save–enables you to save the report with any new criteria.
• Save As–enables you to save the report with a new name and new permissions. Refer to
Save Reports.
• Save & Schedule–enables you to save and schedule the report. Refer to Save and Schedule
Reports.

Run Reports
Select the appropriate report and click Run. CommandPost displays any data that matches your
criteria in the Alert List page. The criteria chosen will be displayed at the top of the report. All
normal operations of the Alert List page are available. Refer to Understand and Manage Alerts.
Click Customize Report to return to the Custom Report page.

Figure 24. Report Results

23. An Alert List is created from all alerts available within your assigned groups and sensors. The
List can be greatly customized by choosing the columns to display, selecting specified criteria, and
by choosing to display the results in a chart or as a table.
Edit Reports
To edit a report:
1. Click Reports>Saved Reports.
2. Select the appropriate report.
Note: You can edit private reports that you created or public (read-write) reports.
3. Click Edit. The Custom Report page displays with any previously selected criteria. Refer to
Create a Custom Report to make any needed changes.
4. Save your changes. Click Save to save your changes to this report. Enter a new report name
to save this report with a new name.

Save and Schedule Reports


You can save or schedule a custom report.
To schedule a system report, you must edit it and save it as a custom report. To schedule a
Summary report, refer to Schedule Summary Reports.

Save
To save a custom report:
1. After entering your report criteria, click Save at the Custom Report page.
2. Enter a unique report name with a maximum length of 40 characters.
3. Enter a description for this report, if desired.
4. Ensure that the checkbox next to Save as alerts report is selected. This option is selected by
default to make this report available at the Alerts List page.
5. Ensure that the checkbox next to Dashboard Custom Report List is checked to make this
report available at the Custom Widget on the Dashboard.
6. Select a new report permission, if needed, or keep the current permission. Select from either:
private, public (read only), or public (read-write).
7. Click Save.
Your saved report displays in the Saved Reports page.

Save and Schedule


To save and schedule a custom report:
1. Click Save & Schedule at the Custom Report page.
If you select a Custom Report and click Schedule you can select scheduling information
without entering a report name or saving as an alerts report. Proceed to step 4.
2. Enter a unique report name with a maximum length of 40 characters.
3. Ensure that the checkbox next to Save as alerts report is selected. This option is selected by
default to make this report available at the Alerts List page.
4. Select a new report permission, if needed, or keep the current permission. Select from either:
private, public (read-only), or public (read-write).

24. The private report permission gives users full access to the reports they created. Other
CommandPost users have no access to private reports. Private reports can be copied to other
CommandPost users.
25. Public (Read Only) reports can be viewed by all users. You can run a report with this permission
level or copy and save it with a new name. The author of a Public (Read Only) report is the only
user permitted to edit, schedule, or delete the report. All System Reports are Public (Read Only)
and they cannot be deleted.
Note: If a previous user has scheduled a public (read-write) report to send an email
periodically and a second user modifies the same report without changing the
scheduling, the report will run with the second user's changes and be emailed to the
first user.
5. Select a report delivery time.
6. Specify report frequency. This ranges from every day to specific days of the week or the
month. Report Frequency only determines the delivery schedule for the report and does not
change any times entered when creating the report.
Note: If you selected Date Range for the report, this date range will not change when
the report is executed. However, if you choose Last 24 hours, 7 days, or 30 days, the
time frame of the report will change with each execution.
7. Enter an email address for report delivery.
8. Choose to send the report as a pdf attachment to the email. You can also send the report as
HTML, text, or zipped alert details PDF. Click Save.
Note: If your report includes group by, trending, or pie or bar chart criteria, the Send
As option is not available. The report is sent as a pdf attachment.
To send as HTML: Click, HTML and select columns. Any columns that display in the column
list will send that information from your report in the email.
For more information about columns, refer to Columns.
To send as Text: Click Text. Select keywords and click Add Keyword. Keywords display in
the text box. If a user-defined format is chosen, type your format into the text box. Use
keywords to select the specific alert information to include in the report. If you desire a
comma-separated list, for example, enter each keyword from the drop-down list and type a
comma between each valid entry.
To send as a zipped Alert Details PDF: Click Zipped Alert Details PDF. This creates a zip
file that contains a PDF of alert details for each alert in the report up to 50 alerts. You can
customize the PDF file. Refer to Customize the PDF for Alert Details.
9. Click Save.
Your saved report displays at the Saved Reports page. The Scheduled column at the Report List
indicates that your report is scheduled.
Note: The report will run under the permissions of the author, using their sensor and
alert management groups. For a Public (Read-Write) report the author is the user that
made the last change. This may change the alerts that are available in the report
output.

Delete Reports
To delete a report:
1. Click Reports>Saved Reports.
2. Click Delete next to the appropriate report.
Note: You can delete all reports that you created, whether public or private. You can
also delete any public (read-write) reports.
3. Click OK at the confirmation dialog box. The report is removed from the Saved Reports page.
If applicable, it is also removed from the Alerts Report List and from the Dashboard Custom
Report List.

27. Public (Read-Write) reports can be viewed by all users. Any user with the same permissions as
the original author can edit, copy, run, delete, or schedule the report. The last user to change the
report is listed as the author of the report.
Chapter 7 Summary Reports
The Summary reports page provides access to commonly used reports of alert data. Reports can
be generated immediately or scheduled for periodic creation and delivery.
Click Reports>Summary then select a report by clicking on the corresponding link. Refer to Define
Summary reports.

Figure 25. The Summary reports page

Define Summary Reports


Summary reports enable you to answer key questions about violations detected on your network
and associated alert management activities. These reports are organized under some of the more
common concerns that administrators often need to address.
The Executive Summary provides multiple reports in one view to give you a snapshot of your
alerts.

• Select a date range.


• Select one or more sensors.
• Include the number of results to be considered.
Tickets provide an analysis of your alert management activities. Tickets reports can provide a
summary of ticket activity as well as a breakdown by current status and the resolution of closed
alert tickets.

• Choose from available data filters.


• Select a date range.
• Select one or more sensors.
• Select the chart type (for status and resolution reports only).
Alerts Breakdown reports provide an analysis of your alerts.

• Choose from available data filters.

28. An alert is the recorded and displayed incidence of at least one event.
• Select a date range.
• Select one or more sensors.
• Include the number of results to be considered, up to 99. The graphics will display the top
nine results individually and sum the remaining results into a tenth result. The chosen number
will influence the size of the associated data table, if selected.
• Select the chart type: pie or bar chart.
Malware Breakdown reports provide an analysis of malware events.

• Choose from available data filters.


• Select a date range.
• Include the number of results to be considered, up to 99. The graphics will display the top
nine results individually and sum the remaining results into a tenth result. The chosen number
will influence the size of the associated data table, if selected. This option is not available for
the Malware by Time of Day report.
• Select the chart type: pie or bar chart.
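As an added example that is not part of the Fidelis guide, the following Python implements the Group By / Sort By behaviour described under Columns (a Count and Last Seen per group, Count descending by default, Alert Time descending when there is no group by) together with the top-nine-plus-summed-tenth roll-up of the Breakdown reports above. The alert records and field names are constructed for illustration; the product's internal schema is not on this page.

```python
"""Added example, not Fidelis code: grouping, default sort order and the
'top nine plus a summed tenth' roll-up described for Group By / Sort By and
for the Alerts Breakdown and Malware Breakdown summary reports.

Alert records and field names (severity, country_dst, protocol, alert_time)
are assumptions made for this illustration.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Sequence, Tuple

Alert = Dict[str, object]

# Constructed sample data: 12 destination countries with distinct counts
# (US gets 12 alerts, DE 11, ... CA 1) so the tenth 'Other' slice is exercised.
_COUNTRIES = ["US", "DE", "CN", "RU", "BR", "IN", "FR", "GB", "JP", "KR", "NL", "CA"]
_T0 = datetime(2015, 3, 1, 9, 0)
SAMPLE_ALERTS: List[Alert] = []
for _idx, _country in enumerate(_COUNTRIES):
    for _ in range(len(_COUNTRIES) - _idx):
        _m = len(SAMPLE_ALERTS)
        SAMPLE_ALERTS.append({
            "severity": "High" if _m % 3 == 0 else "Medium",
            "country_dst": _country,
            "protocol": "HTTP" if _m % 2 == 0 else "SMTP",
            "alert_time": _T0 + timedelta(minutes=_m),   # sensor-side Alert Time
        })


def sort_ungrouped(alerts: Sequence[Alert], ascending: bool = False) -> List[Alert]:
    """No Group By: Alert Time descending (most recent first) unless ascending."""
    return sorted(alerts, key=lambda a: a["alert_time"], reverse=not ascending)


def group_alerts(alerts: Sequence[Alert], keys: Sequence[str],
                 ascending: bool = False) -> List[Dict[str, object]]:
    """Group By: one row per distinct value tuple with Count and Last Seen.

    Default order is Count descending; ties are broken by Last Seen in the
    same direction so the report order is deterministic.
    """
    buckets: Dict[Tuple[object, ...], List[object]] = {}
    for a in alerts:
        k = tuple(a[f] for f in keys)
        cnt, last = buckets.get(k, [0, None])
        last = a["alert_time"] if last is None or a["alert_time"] > last else last
        buckets[k] = [cnt + 1, last]
    rows = [dict(zip(keys, k), Count=c, LastSeen=ls) for k, (c, ls) in buckets.items()]
    rows.sort(key=lambda r: (r["Count"], r["LastSeen"]), reverse=not ascending)
    return rows


def breakdown(alerts: Sequence[Alert], field: str, n: int = 10):
    """Alerts/Malware Breakdown: count by field, chart top nine, fold the rest.

    n is the 'number of results to be considered' (1..99). It bounds the data
    table; the chart shows at most nine named results plus one summed 'Other'.
    Returns (table_rows, chart_slices).
    """
    if not 1 <= n <= 99:
        raise ValueError("number of results must be between 1 and 99")
    table = group_alerts(alerts, [field])[:n]
    chart = [(r[field], r["Count"]) for r in table[:9]]
    rest = sum(r["Count"] for r in table[9:])
    if rest:
        chart.append(("Other", rest))
    return table, chart


if __name__ == "__main__":
    table, chart = breakdown(SAMPLE_ALERTS, "country_dst", n=20)
    for name, count in chart:
        print(f"{name:<6}{count}")     # nine countries, then Other
    print(group_alerts(SAMPLE_ALERTS, ["severity", "protocol"])[0])
```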

Table 13. Summary reports

Report Organization Report Description

Executive Summary Executive Summary The Executive Summary displays the number of
malware by host IP, malware by name, malware by source country, alerts by policy, and alerts
by rule. Each display is a line chart accompanied by a trending chart showing the data over
the previous week.

Tickets By Status The Tickets by Status report displays the total for tickets grouped by the
current ticket status: New, Closed, or Open. Time selections and trend graphs refer to the
alert creation time.

Tickets By Resolution The Tickets by Resolution report displays the total for closed tickets
grouped by resolution: Allowed, Action taken, No action taken, and False positive. Time
selections and trend graphs refer to the alert creation time.

Tickets Workflow Summary Workflow Summary displays alert management statistics including
the average time to progress ticket status and the total number of alerts processed. You can
run this report by owner or group.

Alerts Breakdown By Severity The Alerts by Severity report displays the total for alerts
generated during the selected time period grouped by severity. Severity includes Low, Medium,
High, and Critical.

Alerts Breakdown By IP Address The Alerts by IP Address report displays the total for alerts
generated during a selected time range and grouped by source, destination, or any IP
addresses. The choice of IP Pair results in a report showing communication paths.

Alerts Breakdown By Destination Country This report displays the number of alerts grouped by
destination country. This enables you to determine which country the transmission was going
to when the alert was generated.

Alerts Breakdown By Protocol The Alerts by Protocol report displays the total for alerts
generated during the selected time range summarized by application protocol.

Malware Breakdown By Host Malware by Host displays malware events and trends grouped by
host IP address.

Malware Breakdown By Malware Name Malware by Name displays malware events and trends by
name.

Malware Breakdown By Country Malware by Country displays malware events and trends by the
country associated with the source of the malware.

Malware Breakdown By Protocol Malware by Protocol displays malware events and trends by
network application protocol.

Malware Breakdown By Format Type Malware by Format Type displays malware events and
trends by format type.

Malware Breakdown By Time of Day Malware by Time of Day displays malware events grouped
by the hour during which the malware was detected. The report contains two graphs, which
present the malware by severity and by malware type.

PDF Controls
When you place your mouse over the Report button a window appears with PDF controls. From
this menu you may:
• Generate PDF, which is equivalent to clicking the Report button.
• Customize PDF.
• Email PDF.

Customize PDF
Customize PDF enables you to customize a PDF report for your needs. You can enter a title,
description, a footer, and add a logo.
1. Enter a title for the PDF report that will display on the top left.

Figure 26. Customize the PDF

2. If needed, enter a description to display under the title.
3. To include a footer in the report, type the desired footer text into the box and click Save.
To change the existing footer:
Select the checkbox next to the previously saved footer to use it in your report. Click and
enter the desired text. Click Save. This footer is available for other PDFs and for all other
users until changed.
To disable the footer without changing it, uncheck the box.
5. To include a corporate logo or image: choose a .jpg, .gif, or .png file from your workstation
and click Save to upload the image to CommandPost. This image will be inserted into the
PDF at the top left of the report. The size of the logo file should be less than 500 kB.
Select the checkbox next to the previously saved logo to use it in your report. Click
and choose the image file from your workstation. Click Save to upload the image. The logo
is available for other PDFs and for all other users until changed.
To disable the image without changing it, uncheck the box.
6. Select the page orientation: portrait or landscape.
7. Click Export PDF. The resulting PDF file contains the report information. Export PDF does
not save changes, but these changes will be available for other PDF reports until you log
out or until these settings are changed.

Email PDF
This option enables you to send a PDF report via email.

Figure 27. Send Report PDF via Email


1. Click the Email checkbox. The email portion displays.
2. Enter an email address.
3. Enter a subject or keep the default.
4. Enter information for the email body, or keep the default text.
5. Click Export PDF. The PDF report is sent as an attachment to the specified email address.

Schedule Summary Reports
You can schedule any of the Summary Reports to distribute automatically via email at specified
times and intervals. You can use the default criteria when creating a report or select your own
criteria.
To schedule a Summary Report:
1. Select one of the Summary Reports.
2. Keep the default report criteria or edit as needed. Refer to Create Summary Reports.
3. Click Schedule. The Schedule Report dialog box displays.
4. Enter a unique report name.
5. Select a report delivery time.
6. Specify report frequency. This ranges from every day to specific days of the week or the
month. Report Frequency only determines the delivery schedule for the report and does not
change any times entered when creating the report.
7. Enter an email address for report delivery.
8. Click Submit.
The report can be managed at Reports>Saved Reports with all other saved reports.

Chapter 8 Network Reports
The Network Reports page displays statistical information about the data flow observed by Fidelis
XPS Vector sensors.
To display network statistics:
1. Click Reports>Network.
2. Select the time period from 10 minutes to 14 days.
3. Select the type of report.
4. Select a specific sensor or select All. Note for the Interface Statistics report, the All selection
is not available.
Note: Selecting <all> provides consolidated network statistics for all sensors
registered to Vector.
5. Click Go.
The following reports are available:
Network Statistics
Application Protocols
TCP Processor
IP Defragmenter
Average Alerts Insertion Rate
Many of the Network reports include interface wire statistics that provide the following
information. The hardware interfaces refer to the set of Active interfaces on the sensor.
• Errors: number of packet errors reported by the hardware interfaces
• Dropped: number of packets dropped by the hardware interfaces
• Invalid: number of invalid packets (with format errors) received by the hardware interfaces
Many of the Network reports, except for Interface Statistics, provide the following information at the
top of each report page:
• Current time: current CommandPost time
• First sample time: start of the actual period from which data are retrieved
• Last sample time: end of the actual period from which data are retrieved
• Last restart time: the last time Fidelis XPS was restarted
• Total processed packets: the total number of packets processed
Many network reports provide an interactive performance graph that you can use to closely
examine what is occurring on your network. You can click items listed in the legend next to many of
the graphs to select or deselect specific items to filter information. With the performance graph, you
can look at time periods from 10 minutes to 14 days.
To do this:
• Highlight an area of activity to expand that portion of the report.

Note how the time changes in the button below the slider bar. Time
measurements also change on the graph.
• Mouse over a line to see what occurred at that point and how frequently.

Figure 28. Network reports: interactive performance reports
• To return to a larger view, double click in the graph. Each time you double click, the time
displayed in the graph doubles.

• Clicking displays the information available for the maximum 14 day period,
even if you initially selected a shorter time period.
• Use the slider bar to see another portion of the graph.

Move the to expand or contract the time period being examined. You can also move to another
part of the performance graph. The time changes in the button and time
measurements on the graph also change.
Click any line in the legend to hide the associated line from the chart. As you hide lines, the scale of
the graph changes so that each remaining line is more visible.
Click to switch the graph between linear and logarithmic scale.

Network Statistics
CommandPost displays the following statistical information about your network data flow by sensor,
including:
• Packets by protocol: a graphical display and a numerical breakdown
• Bytes by protocol: a graphical display and a numerical breakdown, bits/sec
• Packets per second by transport protocol, graphically
• Kbytes per second by transport protocol, graphically
• Packets per second by service, graphically. If the service is unknown, the TCP port number
displays.
• Bytes per second by service, graphically. If the service is unknown, the TCP port number
displays.
• Volume of packets by size, graphically
• Wire statistics (NIC errors, dropped and invalid packets)

Figure 29. Network statistics


The legend contains controls to remove or restore the associated information from the graph.



Application Protocols
CommandPost shows the following information about the Application Protocols observed by the sensor:
• Sessions per minute by protocol, with a graphical display
• Observed protocols: a graphical display and a numerical breakdown

Figure 30. Application Protocol statistics


The legend contains controls to remove or restore the associated information from the graph.



TCP Processor
CommandPost displays the following configuration information and runtime statistics about the TCP Processor module. The TCP Processor report also includes a Runtime graph of TCP sessions per minute for up to the past 14 days.
Configuration information includes:
• hash
• max payload
• payload limit
• descriptors
• payload handlers
• shared memory

Table 14. TCP Runtime Statistics
The following table lists and defines TCP runtime statistics.

TCP Runtime item: Description

Processed Packets
The total number of packets processed by a sensor. This value also provides the percentage of processed packets versus all received packets. If the sensor is processing less than 100% of packets, the sensor may be under too much traffic load.

Payload Faults
The total number of payload faults for all sessions since the last sensor software restart. A payload fault occurs when a session was not allocated a payload buffer. A payload buffer is used to save TCP and UDP payloads in memory. This fault is an indicator of low memory resources because of sensor stress. One common cause of payload faults is a large number of sessions with a large amount of traffic on each session, such as a large file transfer or a system backup.

Payloads
Total number of sensor internal payloads processed. Inside the sensor, TCP/UDP payloads are reassembled and saved into larger sensor internal payloads.

Total Sessions
Total number of sessions processed by the sensor.

Session Label Faults
The total number of session label faults over all sessions since the last sensor software restart. A session label fault is a session for which a label descriptor was not allocated. This fault is an indicator of low memory resources because of sensor stress. A common reason for this fault is a large number of simultaneous TCP or UDP sessions. This fault should not happen often for sensors with greater than 32G of memory installed.

Session Labels
The total number of session descriptors over all sessions since the last sensor software restart. Session labels, also known as session descriptors, are parameters that describe the parts of a session. Each parameter contains a value such as the session type: SSH, TELNET, SSL, SMTP. These parameters are fed to the decoders, which use them to identify whether this is a session they should or should not decode.

IPv6 Sessions
The total number of IPv6 sessions processed by the sensor.

Midstream Sessions
The total number of midstream sessions since the last sensor software restart. The percentage represents the number of midstream sessions as compared to all sessions.
A midstream session is a session where the sniffer process did not detect both the SYN and SYN-ACK TCP handshake packets for a session. This means that the beginning of the session was not seen for the client or the server.
These faults will increment for a short period of time immediately after the sensor boots, because it will have missed the first part of sessions that were in progress while it was offline.
Persistent large numbers of midstream sessions are indicators of a permanent or transient problem with the network traffic. The sensor or an upstream device, such as a TAP or SPAN port, could be dropping packets due to FCS errors or an overloaded device. Midstream sessions are also typically seen in deployments where there is asymmetric traffic routing and the sensor is only provided one direction of the traffic.
Some midstream sessions can be detected and decoded; however, any data attributes contained in the handshake will be missed. This results in loss of data for alerts and metadata.
A properly functioning sensor will report a high percentage of midstream sessions when it starts. Over time, the percentage should steadily decrease.

Midstream Established Sessions
The total number of midstream established sessions over all sessions for a given period of time. Midstream established sessions are sessions where the sniffer process did not detect both the SYN and SYN-ACK TCP handshake packets for a session, but the sensor subsequently detected both the incoming and the outgoing packets in that session.

Holes Added
When the sensor receives packets out of order, holes are created in the session and filled when the out-of-order packet is received. If the packet never arrives, the hole is marked as an Unfilled Fault. Holes Added represents the total number of hole descriptors added over all sessions since the last sensor software restart.

Holes Unfilled Faults
Unfilled faults is a count of all lost packets. The percentage provided is the number of unfilled holes over all holes added. A small number of hole add faults and unfilled faults is common because network traffic is not perfect and packets will be lost. A large number of unfilled faults indicates a problem with network traffic.

Sesring Faults
The total number of session ring faults over all sessions since the last sensor software restart. A sesring fault is where a session was not assigned to the session ring buffer. A session ring buffer is a memory buffer used by the sensor to temporarily store sessions as they are analyzed by Fidelis XPS decoders.
This fault is an indicator of low CPU resources. Two of the most typical causes of this fault are a sensor with a large number of policies assigned to it, or a large number of rules that use regular expression or YARA fingerprints. The more time the policy engine spends on any one session, the fewer session ring buffers are available for incoming sessions.
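The table above tells you what each TCP Runtime counter indicates, but the page shows only raw counts. The following added example (not Fidelis code and not part of this guide) applies those interpretations to constructed counter snapshots, computing the ratios the table refers to (processed versus received packets, unfilled holes over holes added, midstream sessions over all sessions) and checking that the midstream percentage decreases after boot as the table says it should; the thresholds and sample values are assumptions.

```python
"""Sensor health findings from Fidelis XPS Vector TCP Runtime counters.

Added example; this is not Fidelis code and is not part of the guide. It applies
the interpretation the guide gives for each TCP Runtime item to a sequence of
constructed counter snapshots, so an administrator can turn the raw counts
into the load, memory, CPU and packet-loss conditions the table describes.
All thresholds and sample values are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class TcpRuntime:
    """One snapshot of TCP Runtime items (cumulative since the last sensor restart)."""
    minutes_since_restart: int
    received_packets: int
    processed_packets: int
    payload_faults: int
    session_label_faults: int
    sesring_faults: int
    total_sessions: int
    midstream_sessions: int
    holes_added: int
    holes_unfilled_faults: int


# Assumed thresholds (not from the guide): how long after boot midstream
# sessions are still expected, and which ratios count as "large".
MIDSTREAM_WARMUP_MINUTES = 30
MIDSTREAM_PERSISTENT_PCT = 25.0
UNFILLED_HOLE_PCT = 5.0


def pct(part: int, whole: int) -> float:
    """Percentage that tolerates an empty denominator (fresh sensor, no sessions yet)."""
    return 100.0 * part / whole if whole else 0.0


def evaluate_snapshot(s: TcpRuntime) -> list[str]:
    """Return the conditions the guide associates with the counters in one snapshot."""
    findings: list[str] = []

    # Processed Packets: below 100% of received packets means too much traffic load.
    processed = pct(s.processed_packets, s.received_packets)
    if s.received_packets and processed < 100.0:
        findings.append(f"load: only {processed:.1f}% of received packets processed")

    # Payload Faults and Session Label Faults: low memory because of sensor stress.
    if s.payload_faults or s.session_label_faults:
        findings.append("memory: payload or session label faults (low memory, sensor stress)")

    # Sesring Faults: low CPU; typically too many policies or regex/YARA rules.
    if s.sesring_faults:
        findings.append("cpu: session ring faults (check policy count and regex/YARA rule load)")

    # Holes Unfilled Faults: unfilled holes over all holes added is the lost-packet ratio.
    unfilled = pct(s.holes_unfilled_faults, s.holes_added)
    if unfilled > UNFILLED_HOLE_PCT:
        findings.append(f"loss: {unfilled:.1f}% of holes never filled (lost packets)")

    # Midstream Sessions: high right after boot is normal; persistent means the
    # TAP/SPAN or sensor is dropping packets, or only one traffic direction is seen.
    midstream = pct(s.midstream_sessions, s.total_sessions)
    if s.minutes_since_restart > MIDSTREAM_WARMUP_MINUTES and midstream > MIDSTREAM_PERSISTENT_PCT:
        findings.append(f"traffic: {midstream:.1f}% midstream sessions after warm-up")
    return findings


def midstream_trend_ok(snapshots: list[TcpRuntime]) -> bool:
    """The guide says the midstream percentage should steadily decrease after boot;
    report False as soon as it rises between consecutive snapshots."""
    rates = [pct(s.midstream_sessions, s.total_sessions) for s in snapshots]
    return all(later <= earlier for earlier, later in zip(rates, rates[1:]))


# Constructed snapshots: just after boot, one hour later (healthy), two hours later
# (overloaded sensor behind a lossy SPAN port).
CONSTRUCTED_SNAPSHOTS = [
    TcpRuntime(5, 100_000, 100_000, 0, 0, 0, 2_000, 1_200, 40, 1),
    TcpRuntime(60, 1_200_000, 1_200_000, 0, 0, 0, 40_000, 4_000, 900, 20),
    TcpRuntime(120, 2_500_000, 2_300_000, 3, 0, 12, 90_000, 36_000, 2_000, 400),
]


def report(snapshots: list[TcpRuntime]) -> dict[str, object]:
    """Summarise the latest snapshot's findings and the midstream trend."""
    return {
        "findings": evaluate_snapshot(snapshots[-1]),
        "midstream_trend_ok": midstream_trend_ok(snapshots),
    }


if __name__ == "__main__":
    for key, value in report(CONSTRUCTED_SNAPSHOTS).items():
        print(key, value)
```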

Figure 31. TCP Processor statistics


The legend contains controls to remove or restore the associated information from the graph.



IP Defragmenter
CommandPost shows the following information about the IP Defragmenter module:
• Configuration information (the current configuration and capacity of the IP Defragmenter module, including the hash, max datagram, shared memory, descriptors, timeout, and conversion memory).
• Runtime information (IP defragmentation alerts per minute over the selected time period), including faults, frags, and rebuilt counts for IPv4 and IPv6.

Figure 32. IP Defragmenter statistics


The legend contains controls to remove or restore the associated information from the graph.



Average Alert Insertion Rate
This report displays the average alert insertion rate per minute.

Figure 33. Average Alert Insertion Rate



Chapter 9 Import
You can import report files created by a report export from the same or a different CommandPost. This enables you to back up your reports and to use the same report definitions on multiple CommandPosts.
To use this feature, you need to have full permissions for reports.
Note that importing reports into CommandPost can affect the Created and Last Modified
information included in the imported report. If the original author exists in CommandPost, then the
Created and Last Modified dates and user information are not affected. If the author does not exist,
then the Created and Last Modified dates and user information will be the date of the import and
the user performing the import.
To import:
1. Locate the report xml file on your workstation.
2. Upload the file. The Import dialog box displays with the name of the selected file.

Figure 34. Report Import


3. Select an option for conflict handling. A conflict occurs when any report has the same name as an existing report on the CommandPost. Your selection tells Import what to do if it detects a conflict.
• Ignore Import File – ignores the conflicting report in the import file. This is the default option. All non-conflicting reports in the file will be imported.
• Import File Overwrites Database Entry – the conflicting report in the import file replaces the existing report. If there is a conflict with a Public read-only report that is not owned by the user performing the import, the report will be rejected and will not overwrite the database entry.
The import can take several minutes depending on the size of your import file. When complete, the
Import Result displays.



Chapter 10 Manage Users and Groups
CommandPost includes local users and non-local users, such as LDAP or RADIUS/TACACS+ administrative users.

• Local users are defined within CommandPost. Using the System>Users page, you can
create a user profile, which includes the local password and all permission settings. Local
users obtain a CommandPost user name and password and are the easiest to configure and
manage. CommandPost includes one default local user (admin) which must be used to
configure all other settings. Fidelis recommends that you create local user accounts for all
persons responsible for the maintenance and support of the Fidelis products.
• LDAP users are created and managed by an external LDAP or Active Directory server.
RADIUS/TACACS+ users are created and managed at a RADIUS/TACACS+ server.
Directory attributes can be used to map users or user groups to CommandPost permission
settings. LDAP and RADIUS/TACACS+ users can access CommandPost using their directory
user names and passwords. LDAP and other non-local users are not provided a
CommandPost user name or a password. Some capability will be limited due to the lack of
these credentials. Management is performed by creating a user profile that maps directory
attributes, such as group names, to CommandPost access permissions.
Note: LDAP and other non-local users display in the Users>Profiles list after the first
login. This is used for user account management purposes only.
To create and manage LDAP users, refer to LDAP Configuration. To create and manage RADIUS/TACACS+ users, refer to
To manage users, click System>Users. The Users page displays with the current list of CommandPost user profiles and basic information about each user.

Figure 35. Users information


When first installed, CommandPost has one default user, admin, with full System Administrator
privileges.
Refer to chapter 1 in the Vector Enterprise Setup and Configuration Guide for the default password for the admin user. Change this password immediately after you first log in.
Fidelis XPS Vector enables you to manage local user access by assigning each user to:
• Zero or more groups; needed for alert management features.
• Zero or more sensors; needed to manage sensors and to view alerts from sensors.
LDAP users are managed in a similar fashion. Create a profile to map user attributes to role, group,
and sensor assignments. Each profile may manage a single user or many users, depending on
your configuration.
The Users page provides two icons to note user status:
• Denotes a valid user. The user has a role and has at least one group and sensor assignment.
• Denotes a user with limited access to the system. This user may have a role, but lacks either a group or sensor assignment. They may log into the system, but will not be able to execute their role. This icon can also indicate a user who has been locked out of CommandPost for one of several reasons, such as an expired password. Refer to Reset a Local User Account. User Authentication contains more information about account lock and password age settings.
Note: An alert is the recorded and displayed incidence of at least one event. Alerts are generated only if the alert action for an event is enabled in the violated rule. Alerts are transferred to and stored by CommandPost.

Users Page
The Users page can be sorted by any column on a page in either ascending or
descending order.
To do this:
Click the column header to sort by that column.

The or icons display when a column has been sorted. You can only sort by one column at
a time.

Reset a Local User Account


If a user is locked out of an account because of inactivity, multiple failed login attempts, or an
expired password, you must reset the user's password.
To reset an account:
1. Select the user and click Edit to access the Profiles page for that user.
2. Change the password for the user.
3. Provide the user with the new password.

Access Control in CommandPost


CommandPost provides multiple layers of access control to the secure information stored in
CommandPost and to the information collected from Vector sensors. The design is scalable from
small to large enterprises, so that access can be easily assigned to security teams that range in
size from a single person to a large, multi-tiered team.
Access control is managed by alert management groups and sensor access control.
• Sensor access restricts the CommandPost functions to specified sensors.
• Alert Management Groups can be used to divide the work of violation review and to segregate violations by type.
Sensor access control is part of the access control system. Each user can only access the sensors to which that user is assigned. For example:
• A system administrator may only configure and manage sensors to which that administrator is assigned.
• An alert manager may only view violations from sensors to which that manager is assigned.
Sensor access control therefore segregates data depending on where it was found in the network.
The alert management group is another component of the access control system. This is a group of one or more users with a similar function, who should review similar network violations. Examples might include a network administration group, Human Resources, or a network security office.



Small Security Teams
Many enterprises may be too small to need access control. This is especially true of enterprises with a single network security officer. To simplify access control, General Dynamics Fidelis Cybersecurity Solutions has set up default configurations:
• The System Administrator role provides full access to the system. The admin user has access to all groups, all sensors, and all system functions.
• Alert Manager—The Alert Manager has Full Control for Alerts, Details, Tickets, and Reports. The Alert Manager has no access to Users, Sensor Config, CommandPost Config, and Audit.
• All new users are initially assigned to the default group.
• When a Vector sensor is registered to a CommandPost, no user will have access, except the admin user and the user who created the sensor.

Define User Profiles


At Profiles, you can view all users. Each user is denoted as Local or non-local (such as LDAP or RADIUS/TACACS+) within the profile list.
• Local users can be added, deleted, and managed from this page.
• LDAP users can be deleted at the Users>Profiles page. Management of these users is performed by mapping your external LDAP or Active Directory server information to CommandPost user access profiles. Refer to LDAP Configuration.
• RADIUS/TACACS+ users can be deleted at the Users>Profiles page. Management of these users is performed at the RADIUS/TACACS+ page.
LDAP and other non-local users are added to the table at their first login. The user name is extracted from their entry at the login page. They remain on the Users page as long as they remain active users or until an administrator removes the account.
To access user profiles:
Click System>Users>Profiles.
The Profiles page appears with a list of users. Clicking a column name reorders the list in ascending or descending order. If an icon is next to a user name, that indicates a problem with the profile, such as a disabled account. Mouse over the icon to see the reason for the alert.

Expand User Information


Click on any user name at the Profiles page to see expanded information, and the Edit or Delete
buttons as appropriate.
The roles, groups, and component assignments are links that you can click to access the Roles,
Groups, or components pages.

Figure 36. Users



Add or Edit a Local User
You can add, edit, or delete local users. Adding a user involves the following:
• Provide identifying information for the user to CommandPost. This information includes user name, password, and email address. This information is stored and managed within CommandPost.
• Determine access to CommandPost features by assigning the appropriate role.
• Assign the user to the appropriate groups and components to implement assigned roles. Alert Management Groups can be used to divide the work of violation review and to segregate violations by type.
The following restrictions apply when creating or modifying users:
• You can only create users with permissions equal to or less than your own permissions.
• You can only assign users to groups to which you belong. For example, a user that belongs to group A and group B can only assign new users to those groups. Use CTRL+click to choose multiple groups. Select No Groups to unassign a user from every group.
• You can only assign users to components to which you are assigned. For example, a User Manager assigned to component A and component B can only assign new users to those components. Use CTRL+click to choose multiple components. Select No Components to unassign a user from every component.
To add or edit a local user:
1. Click Add User and the New CommandPost User page displays. To edit an existing user,
select the user and click Edit.

Figure 37. New CommandPost User page


2. Enter user name, password, and email address.
• User name is required for new local users and must conform to valid name restrictions.
Valid names start with a letter and may contain letters, numbers, underscores (_), or
periods ( . ).
• If needed, you can enter a full name to identify this user.
• Email is optional. If entered, a correctly formatted Internet email address is required. If
omitted, this user will not receive notification messages when alerts are assigned.
• Passwords are required for new local users. Passwords must conform to the
CommandPost password settings defined in CommandPost Configuration. For an
existing user, click the Change Password button to change the password.



Note: Local users can change their account information after they log into
CommandPost. LDAP and other non-local users have limited ability to change their
account settings.
3. Select a role from the drop-down list.
4. Select the appropriate alert management groups for this user. Multiple groups may be
selected by dragging the mouse or using CTRL+click. Assignments may be reset by choosing
the “No Group” option.
5. Select the appropriate components for this user. Multiple components may be selected by
dragging the mouse or using CTRL+click. Assignments may be reset by choosing No
Component.
6. Click Save.
The new or modified user is included in the list on the users page.

Delete a User
Before you can delete a user, you must first reassign all alerts assigned to the user. Deleting a user will delete all items authored by the user. These include:
• Exports
• Reports (public or private)
• Retention plans
• Investigations (public or private)
Note – Ensure that any Exports, Reports, or Retention plans are not part of any established workflow or critical business processes. To reassign an Export, Report, or Retention plan, simply have the user who will manage the object make a minor edit and then save the object. This changes authorship to that user.
To delete a user:
1. Click Profiles.
2. Click the appropriate user. The Delete button becomes available. The Delete button will not be available if open alert tickets are assigned to the selected user or if you do not have permission to delete this user. Permission to delete requires that the user has a role that is a subset of your own role.
3. Click Delete.
4. Click OK at the confirmation dialog box.
The user is deleted from the list on the Users>Profiles page.
To prevent future login from an LDAP user, you will need to change or remove this user from your directory server, or alter or remove the profile to which this user belongs.
To prevent future login from a RADIUS/TACACS+ user, you will need to change or remove this user.
Refer to User Authentication.
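The rules in Add or Edit a Local User (permissions no broader than your own, only your own groups and components, the user name format), the Delete a User conditions (no open alert tickets, target role a subset of your own) and the valid/limited status icons on the Users page together form a small delegation model. The following added example (not Fidelis code and not part of this guide) encodes those checks so they can be reviewed in one place; the role names other than System Administrator and Alert Manager, their permission sets, and the sample accounts are constructed assumptions.

```python
"""Delegated user administration checks modelled on the CommandPost rules.

Added example; not Fidelis code and not part of the guide. It encodes the
restrictions the guide states for adding, editing and deleting local users
(permissions no broader than your own, only your own groups and components,
no open alert tickets, role a subset of your own), the valid/limited user
status the Users page icons convey, and the user name rule. The roles and
their permission sets are constructed for illustration; the guide names only
System Administrator (full access) and Alert Manager (no Users access).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Role name -> CommandPost feature permissions (constructed, except as noted above).
ROLES: dict[str, frozenset[str]] = {
    "System Administrator": frozenset({"alerts", "details", "tickets", "reports",
                                       "users", "sensor_config", "commandpost_config", "audit"}),
    "User Manager": frozenset({"alerts", "details", "tickets", "reports", "users"}),  # assumed
    "Alert Manager": frozenset({"alerts", "details", "tickets", "reports"}),
}

# Valid names start with a letter and may contain letters, numbers, underscores or periods.
USER_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.]*$")


@dataclass(frozen=True)
class User:
    name: str
    role: str | None
    groups: frozenset[str] = frozenset()      # alert management groups
    components: frozenset[str] = frozenset()  # sensors the user is assigned to
    open_tickets: int = 0


def valid_user_name(name: str) -> bool:
    return USER_NAME_RE.match(name) is not None


def permissions(role: str | None) -> frozenset[str]:
    """Unknown or missing roles grant nothing."""
    return ROLES.get(role, frozenset()) if role else frozenset()


def status(user: User) -> str:
    """'valid' needs a role plus at least one group and one component; otherwise the
    user can log in but cannot execute the role ('limited')."""
    return "valid" if user.role and user.groups and user.components else "limited"


def add_or_edit_denials(actor: User, target: User) -> list[str]:
    """Reasons the actor may not create or modify the target; empty means allowed."""
    denials: list[str] = []
    if "users" not in permissions(actor.role):
        denials.append("actor has no access to Users")
    if not valid_user_name(target.name):
        denials.append("user name must start with a letter and use letters, digits, _ or .")
    if not permissions(target.role) <= permissions(actor.role):
        denials.append("target permissions exceed the actor's own")
    if not target.groups <= actor.groups:
        denials.append("actor can only assign groups it belongs to")
    if not target.components <= actor.components:
        denials.append("actor can only assign components it is assigned to")
    return denials


def delete_denials(actor: User, target: User) -> list[str]:
    """Delete is refused while open alert tickets remain on the user, when the actor
    lacks Users access, or when the target role is not a subset of the actor's role."""
    denials: list[str] = []
    if "users" not in permissions(actor.role):
        denials.append("actor has no access to Users")
    if not permissions(target.role) <= permissions(actor.role):
        denials.append("target role is not a subset of the actor's role")
    if target.open_tickets:
        denials.append(f"{target.open_tickets} open alert ticket(s) must be reassigned first")
    return denials


# Constructed accounts for a walk-through.
ADMIN = User("admin", "System Administrator", frozenset({"default", "hr"}),
             frozenset({"sensor-a", "sensor-b"}))
USER_MGR = User("u.manager", "User Manager", frozenset({"default"}),
                frozenset({"sensor-a", "sensor-b"}))
ALERT_MGR = User("alerts1", "Alert Manager", frozenset({"default"}),
                 frozenset({"sensor-a"}), open_tickets=2)

if __name__ == "__main__":
    print(status(ADMIN), delete_denials(ADMIN, ALERT_MGR))
```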

Define Alert Management Groups
You can create alert management groups to which you can assign users and alerts.
The alert manager may move an alert to a different alert management group so that it may be
managed by members of other Alert Management Groups.
To access alert management groups:
Click System>Users>Groups. The Alert Management Groups page appears with a list of existing
groups. You can click on any group name to see expanded information, and the Edit and Delete
buttons.

Figure 38. Alert Management Groups page

Add or Edit an Alert Management Group


You can use groups to control user access to alerts.
To add or edit an alert management group:
1. Click Add Group. The New Alert Management Group page appears with empty text boxes. Or, select an existing group and click Edit.
2. Enter a name and a description for a new group.
3. Enter an email address for the group. When an alert changes from one group to another, a
notice is sent to this email. The email address must be a single address, which can be a
group distribution list, and must conform to email syntax requirements.
4. Click Save.
A new group displays in the list with other alert management groups. You can now assign users to
the new group, or assign alerts to the group.



Delete an Alert Management Group
Any group that contains alerts cannot be deleted. To delete such a group, move all alerts to
another group.
To delete a group:
1. Click the appropriate group. The Edit and Delete buttons become available.
2. Click Delete.
3. Click OK at the confirmation dialog box.
The group is deleted from the list at the Alert Management Groups page.



Chapter 11 Configure Fidelis XPS Vector
Components
The Components page allows you to view, manage, and configure Fidelis XPS Vector components
including sensors.

The Components Page


To access this page: click System>Components.

Figure 39. The Components page


The Components page provides a quick view of the embedded CommandPost, embedded sensor, or any Fidelis XPS Vectors controlled by this Vector.
From the embedded sensor, you can access the Alert Failover and Vector tabs.
Add Component – Clicking Add Component enables you to add a new sensor or secondary sensor, a master or subordinate CommandPost, or a Collector. Refer to Add a Component.
Note: When adding a component, remember that all components must have either IPv4 or IPv6 IP addresses. Mixing IP address types is not supported.
Add Component – Clicking Add Component enables you to add and register another Fidelis XPS Vector. Refer to Add a Component.

CommandPost Management Console and Sensor or Vector Information
To add new components or to register and unregister components to a Subordinate
CommandPost, you must log in to the Subordinate and Add a Component. Once added and
registered to a Subordinate CommandPost, component configuration can be performed while
logged in to the Master CommandPost.
To register, unregister, configure, or see more details about a specific component, click the row for
that component. Component details provide a summary of the current status and relevant
configuration details.
Full configuration details can be accessed at each component configuration page.

Status Lights
Shown as a green, red, yellow or grey diamond at the top of the GUI, the status light indicates
whether a component is operational. Green indicates that the component is fully operational.
Yellow indicates a warning message, which may indicate operational problems or the detection of a
condition that warrants attention. Red indicates that the component is not communicating. This can
mean that the component is unreachable, offline, or being updated with a new version of Fidelis
XPS.
Grey indicates that there is no information available for the component.
By mousing over the status light, you can see a short description of any detected problem or
warning. The same description is available in the details of the component status.



Details
Click a row to view details about a component. CommandPost information includes the Name,
Version, OS Version, CommandPost Time, Relationship, Setup, and any yellow or red
Notifications. The absence of notifications indicates that the component is fully operational.
Sensor information includes:
• Name – the name of the component, which was given when it was added to CommandPost.
• Description – an optional field supplied when the component was added to CommandPost. You can edit the description at any time.
• Version – provides the Fidelis XPS Vector software version installed on the component.
• Patch Version – provides the patch version installed on the sensor. If no patch has been applied, this field will be empty.
• OS Version – provides the operating system version installed on the component.
• IP Address – provided when the component is added to CommandPost. If the component is unregistered, you can change the IP address by editing the component information.
• Alerts – a current count of alerts generated by this sensor. Clicking the count will take you to an Alerts List showing alerts from this sensor. This field does not appear within the information for a Collector.
• State – the state of the component; either registered or unregistered.
• Last Seen – tells you how long ago CommandPost last received communication from this component. Each component posts statistical information to CommandPost every five minutes, or with each alert from a sensor. The lack of information within a ten minute window indicates a communication problem. The green arrow indicates that communication is working properly. A broken yellow arrow indicates that communication has been lost between CommandPost and the component. A broken red arrow indicates that the component has never communicated with CommandPost. A grey arrow indicates that the component is unknown.
• Notifications – displays messages from the component with a status light to indicate the importance of each message, either medium (yellow diamond) or high (red diamond).
• User Assignments – provides a list of users assigned to the component. Clicking a user displays the Profiles page for that user.
Note: If communication is lost, many of the details listed above cannot be obtained.

License Messages
The following license messages can display in the Notifications section for the Console or a sensor:
• Demo Mode – You need a valid license key. Refer to License.
• License Refresh Required – It is recommended that you get a new license for each sensor, Collector, and CommandPost from Fidelis Technical Support.
• License will expire in – The license will expire in the stated number of days. Contact Technical Support to request a new license for each sensor, Collector, and CommandPost.

Component Buttons
When you click a component row for a component that has been added to the Console, several
buttons will appear. When you click a component row for a component at a subordinate
CommandPost, only the Config button may appear. Button availability depends on user access
privileges and communication status between CommandPost and sensor.



• Register (Unregister) Sensor – click to register (or to unregister) a component. Upon
registration, CommandPost attempts to initiate an encrypted session to the component. The
session must be authenticated by a sensor with the given name and IP address as entered
into CommandPost. If successful, the component will come online. After registration, the
component will not communicate to any external device other than the CommandPost to
which it is registered.
Click Unregister to take a component out of service. You can then register this component to
a different CommandPost or change the IP address.
Note: If your product is a CommandPost with an embedded sensor, such as the Scout,
you will not see the Register or Unregister buttons. These products communicate
internally and do not require registration.
Primary Collector Controllers cannot be unregistered until the Failover Controller is unregistered. Refer to Collector Configure.

• Edit Sensor – click to change basic information about a component, including name, IP
address, and description. If the component is currently registered, name and IP address
cannot be changed. This button is not available for embedded sensors.

• Config – click to configure the component.


Figure 40. Subordinate CommandPost and its components

Configure CommandPost
The CommandPost configuration page enables you to specify settings for CommandPost operations. Your role requires full access to CommandPost administrative functions to access this page. Some configuration settings may require additional access permissions, as noted in the specific CommandPost sections. Refer to User Roles.
Components enables you to set up licensing and configure Fidelis XPS components. This includes adding and registering Fidelis XPS sensors, setting password strength, configuring e-mail, and setting up user notification and LDAP, among other features.
To access CommandPost configuration, click the CommandPost row at System>Components and click Config. The configuration tabs are:
• License
• Alert Retention
• Alert Storage
• Archive
• Audit
• Backup and Restore
• Custom GeoIP
• Diagnostics
• Email Config
• Exchange Config
• Language Config
• LDAP Config
• Logs
• Proxy Config
• RADIUS/TACACS+ Config
• Session Timeout
• System Monitor
• User Authentication
• User Notification
License
License shows the Host ID information, the current license key, and an expiration date. Each
component requires a separate license.
To access the License page:
Click System>Components>CommandPost>Config and click the License tab.
When you initially install Fidelis XPS Vector on CommandPost, CommandPost will run in demo
mode. A sensor or CommandPost remains in demo mode until a license key is entered.

Figure 41. The License


Clicking Request License or the component's Host ID creates an email to
license@fidelissecurity.com, with the subject line automatically completed with the component’s
Host ID. Include in the body of the email your name, the location name and address, phone
number, and reseller name (if pertinent), and Fidelis Technical Support will respond within one
business day with a license key.
When you receive the license key, paste or type it exactly into the License Key box, and click Save.
If the information was entered correctly and matches the Host ID provided, the key will be
accepted. If there is a problem with the license, you will receive an error and the License Key field
will display <Invalid>.
Enter the Execution Forensics Key.

Expiration
Fidelis XPS Vector begins displaying notices that your license will expire starting 60 days before
the expiration date. If you receive this notice, contact Technical Support to obtain a new license.

Modify a License Key


To change your license key (for example, to correct an entry error), enter the new license key in the License Key text box and click Save. Changes to license keys should be made with great care.

Demo Mode
If no license key is detected, the sensor and the CommandPost will operate in demo mode. The
sensor does not function in demo mode. A CommandPost in demo mode will not accept alerts from
any sensor and will only accept statistics.



Alert Retention
CommandPost performs daily maintenance which includes three distinct processes:
• Optimization of the stored statistics that feed reports. This operation is performed hourly.
• Alert[32] purge is the removal of all alerts and recorded objects that are no longer required. You can set up numerous plans to define when alerts are purged and whether or not to archive the alert data before the purge operation. Alert purge will briefly lock the database so that new alerts cannot be inserted during this time. This operation should last only a few minutes or less and runs once a day at the defined time.
• Disk optimization is required after alerts are purged. This function is very important to the long term integrity of CommandPost and must be run at least once a week. Optimization will lock the database so that new alerts cannot be inserted during this time. This operation may require several hours to complete, depending on the size of alerts stored by CommandPost.
Note: If CommandPost storage becomes full, new alerts will overwrite old alerts, even
if the retention period has not been exceeded.
To access this page:
Click System>Components>CommandPost>Config and click the Alert Retention tab.
The Alert Retention page is divided into two sections: Alert Retention Plans and Alert Maintenance
Configuration.

Figure 42. CommandPost: Alert Retention

Alert Retention Plans


Database Maintenance must be performed at least once per week to optimize the CommandPost
database. This process includes the removal of old alerts, per the default plan setting. Alert
Retention plans can be created to remove certain alerts sooner or to retain certain alerts for a
longer time period. Plans are created based on alert characteristics.

[32] An alert is the recorded and displayed incidence of at least one event. Alerts are generated only if the alert action for an event is enabled in the violated rule. Alerts are transferred to and stored by CommandPost.
Database Maintenance will also remove data associated with the alerts selected with a plan. This
data includes recorded objects.
Note: This data will be removed only after all alerts associated with the data are purged.
For alerts that have been imported to the system from an archive file, the age of the alert is based
on the import date and not the timestamp associated with the alert. The system defines a single
plan named Default that purges all alerts older than 45 days as well as any remaining recorded
objects. The number of days (45) can be changed.
If any plans have been defined, they will be listed above the Default plan on the page. The list provides a descriptive name, the retention period for the plan (in days), the archive setting (Yes or No), and the Author, which is the user name of the person who last saved the plan. An Edit button and a Delete button are available for each plan in the list.
To change the Default plan:
1. Click Alert Retention.
2. Change the number of days to a value between 1 and 999.
3. Click the Archive checkbox if you wish to archive alerts before purging. Refer to Retention
Archive.
4. Click Save Default.
Any number of retention plans can be added to change the behavior of the alert purge operation. A
plan can define alerts by one or more attributes and can be set to retain the matching alerts for a
period shorter or longer than the default setting. If two or more plans identify the same alert, the
longer retention period will apply and archiving will be done if any matching plan had the archive
checkbox set. You can access the Edit page by clicking Edit next to an existing plan or by clicking
New Plan.
To create a new plan or edit an existing plan:
1. Click Alert Retention.
2. Click Edit next to a plan in the list or click New Plan.
3. The Edit Alert Retention Plan page displays.



Figure 43. CommandPost: Alert Retention edit plan

4. For an existing plan, information about the plan is provided. This includes the name of the plan, the name of the user that last saved the plan, and the date and time of the last save. The username is important in this context because alerts are chosen based on the role, assigned alert management groups, and assigned sensors for this user. Refer to Users and Groups.
5. Enter the retention period as 1 to 999 days.
6. Select the archive option, if desired.
7. Choose one or more of the available alert parameters to select the alerts this plan applies to. The available options include:
• Sensors: the name of the sensor that generated the alert
• Label: the name of a Label applied to the alert
• Group: the name of the group to which the alert belongs
• Ticket Status: the CommandPost workflow status
• Resolution: the Resolution of closed tickets
You must choose at least one filter criterion to distinguish this plan from the Default plan.
8. Enter a name for the plan in the Save As text box. This name will be the unique identifier of
the plan and should be descriptive.
9. Click Save Plan. Click Reset to revert to the last saved state for the plan. Click Cancel to
return to the Alert Retention page without saving.
When saved, the alert access will be determined by your role, assigned alert management groups,
and assigned sensors.
If you are saving a plan that was last saved by a different user, a warning message will appear
informing you of the potential change in alert access.
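The combination rule above (the longest matching retention period wins, and archiving happens if any matching plan archives) together with the age rule for imported alerts, as an added Python model that is not Fidelis code; the alert attribute names, plan names and sample alerts are constructed:

```python
# Added example, not Fidelis code: models how the guide says retention plans
# combine when several match one alert. Attribute names and sample data are
# constructed; the guide does not expose CommandPost's real schema.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional, Tuple

DEFAULT_RETENTION_DAYS = 45   # the guide's Default plan (adjustable 1..999)


@dataclass
class Alert:
    uuid: str
    sensor: str
    group: str
    ticket_status: str
    timestamp: datetime
    labels: FrozenSet[str] = frozenset()
    resolution: Optional[str] = None
    import_date: Optional[datetime] = None   # set when restored from an archive


@dataclass
class RetentionPlan:
    name: str
    days: int
    archive: bool = False
    # An empty set means "do not filter on this attribute".
    sensors: FrozenSet[str] = frozenset()
    labels: FrozenSet[str] = frozenset()
    groups: FrozenSet[str] = frozenset()
    ticket_statuses: FrozenSet[str] = frozenset()
    resolutions: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if not 1 <= self.days <= 999:
            raise ValueError(f"{self.name}: retention period must be 1 to 999 days")
        if not any([self.sensors, self.labels, self.groups,
                    self.ticket_statuses, self.resolutions]):
            raise ValueError(f"{self.name}: at least one filter criterion is required")

    def matches(self, alert: Alert) -> bool:
        """Every criterion the plan sets must match the alert."""
        return ((not self.sensors or alert.sensor in self.sensors)
                and (not self.labels or bool(alert.labels & self.labels))
                and (not self.groups or alert.group in self.groups)
                and (not self.ticket_statuses or alert.ticket_status in self.ticket_statuses)
                and (not self.resolutions or alert.resolution in self.resolutions))


def effective_policy(alert: Alert, plans: List[RetentionPlan],
                     default_days: int = DEFAULT_RETENTION_DAYS,
                     default_archive: bool = False) -> Tuple[int, bool]:
    """Longest retention among matching plans wins; archive if any of them archives."""
    matching = [p for p in plans if p.matches(alert)]
    if not matching:
        return default_days, default_archive
    return max(p.days for p in matching), any(p.archive for p in matching)


def alert_age_days(alert: Alert, now: datetime) -> int:
    # Imported alerts age from their import date, not from the alert's own timestamp.
    return (now - (alert.import_date or alert.timestamp)).days


def maintenance_action(alert: Alert, plans: List[RetentionPlan], now: datetime,
                       **defaults) -> str:
    """What the daily purge would do with this alert: retain, purge, or archive then purge."""
    days, archive = effective_policy(alert, plans, **defaults)
    if alert_age_days(alert, now) <= days:
        return "retain"
    return "archive-then-purge" if archive else "purge"


# Constructed plans and alerts for a run-through.
PLANS = [
    RetentionPlan("hr-sensor-short", days=10, sensors=frozenset({"sensor-hr"})),
    RetentionPlan("open-tickets-long", days=180, archive=True,
                  ticket_statuses=frozenset({"Open"})),
]
NOW = datetime(2015, 6, 1)


def sample_alerts() -> dict:
    return {
        "a": Alert("u1", "sensor-hr", "soc", "Open", NOW - timedelta(days=60)),
        "b": Alert("u2", "sensor-hr", "soc", "Closed", NOW - timedelta(days=20),
                   resolution="False Positive"),
        "c": Alert("u3", "sensor-dmz", "soc", "Closed", NOW - timedelta(days=50)),
        # Two years old by timestamp, but imported five days ago.
        "d": Alert("u4", "sensor-dmz", "soc", "Closed", NOW - timedelta(days=700),
                   import_date=NOW - timedelta(days=5)),
    }


if __name__ == "__main__":
    for key, alert in sample_alerts().items():
        print(key, effective_policy(alert, PLANS), maintenance_action(alert, PLANS, NOW))
```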

Alert Maintenance Configuration


The Alert Maintenance Configuration enables you to control the master settings of alert
maintenance operations. These controls include the following:

• Execution time can be configured by Daily Execution Time and Maintenance Days. The Alert Purge and database Optimization processes will be executed at the chosen time on the chosen days. Based on this configuration, Purge and Optimization will run at most once per day and at least once per week. The settings do not change the normal hourly optimization of statistics.
• Archive options include the External Archive Directory, the Maximum Archive Attempts, and
the setting for Archival of Recorded Objects. Refer to Retention Archive.
Click Update to save any changes made to the Alert Maintenance Configuration.

Retention Archive
CommandPost appliances contain a local hard drive for storage of alert data. The local storage may not be adequate for your long term storage requirements; therefore, alert archival may be an important feature in your environment.
There are three methods available for archival:
• Automated archiving at routine intervals; refer to Export.
• Manual archiving of alerts; refer to Export.
• Archiving alerts before the alert purge operation associated with Alert Retention.
Archiving alerts before a Purge has the following considerations and controls associated with
retention plans:

• Archive creates a Fidelis-formatted archive file and sends it to an external system. The name
of the external system and login credentials are defined at the Archive page. Refer to Archive.
• When a plan includes the Archive option, the maintenance process creates an archive file and attempts to send it to an external system. If archive fails, no alerts associated with this plan will be purged. If a failure occurs, CommandPost status will indicate the problem. In this case, you should correct the problem and visit the Archive page to test the correction. A successful test will clear the CommandPost status error.
• If there are repeated failures of archive, CommandPost will increase the severity of the status
message. The setting for Maximum Archive Attempts defines the number of days for which
purge will be skipped upon archive failure. If archive fails for this number of days, alerts will be
purged without archive. The Maximum number of attempts can be set between 1 and 7 days.
• A successful archive transfers the archive file to the external system located in the directory
path provided by External Archive Directory. This must be a fully qualified path to the desired
location on the external system. Once the file is stored on the external system, you can move
it to any location required for long term storage. Refer to Archive for information about
importing archive files to CommandPost.
• The Alert Maintenance Configuration for Archive Recorded Object applies to all plans where
Archive is chosen. When this option is selected, the archive file will contain the recorded
objects associated with the alerts.

Alert Storage
Alert storage provides a control to encrypt alert information within the CommandPost database. By
default, alert forensic data and the associated recorded objects are stored in plain text. The
information is only accessible through the CommandPost GUI or API. Access requires an
authenticated user with the proper privileges. Refer to Define User Profiles. Database encryption
can provide another level of protection.
When you change the encryption setting, forensic data and recorded objects already stored by
CommandPost will no longer be available. An encryption change will provide a warning regarding
the availability of current information.
If encryption is important to your organization, Fidelis recommends that you enable this feature
immediately upon receipt of your CommandPost. Fidelis uses AES 128-bit key encryption. For
existing installations, you should archive your alerts before changing encryption status.
To enable encryption:
1. Click System>Components>CommandPost>Config and click the Alert Storage tab.
2. Enter an encryption key in the text box. Retain this key for future use. You will need the
original encryption key to disable encryption or to enter a new key.

Figure 44. CommandPost: DbEncryption

3. Click Encrypt. A dialog box warns that you will lose access to forensic data and recorded
objects.
4. Click OK to proceed.

When enabled, the Database Encrypted icon displays at the top right of the
CommandPost GUI.
To disable encryption:
1. Enter the original encryption key.
2. Click Unencrypt. A dialog box warns that you will lose access to forensic data and recorded
objects.
3. Click OK to proceed.



Archive
Archive enables you to configure a name and login for a remote FTP server. CommandPost will
use the information to export archive files to the remote system. Refer to Export. Fidelis-formatted
archive files are encrypted. These files are decrypted upon import. Archive also enables you to
import files. Refer to Import from a Remote FTP Server.
Note: To see the CommandPost Config>Archive page, users need View privileges for CmdPost Admin, Alerts[33], and Alert Details[34]. With View privileges, the Archive page header will display View Only and buttons will not be active.
To save configuration changes and access buttons, users need Full access to
CmdPost Admin, Alerts, and Alert Details.
Access to System>Export requires Alerts and CommandPost administration
privileges. This access allows you to export alert archives using the process set up
by the CommandPost administrator, as noted above.

Set Up a Remote FTP Server


To set up information for a remote server:
1. Click System>Components>CommandPost>Config and click the Archive tab.

Figure 45. CommandPost: Archive


2. Enter a name for the remote server.
3. Enter a login name and password for the remote server.
Note: Remote login name and password do not support the use of non-ASCII
characters.
4. To use an encrypted transmission channel, click Use Secure FTP. The remote server must have an SSH service.

[33] An alert is the recorded and displayed incidence of at least one event. Alerts are generated only if the alert action for an event is enabled in the violated rule. Alerts are transferred to and stored by CommandPost.
[34] Alert Details is the most granular level for examining alert data.
5. If needed, enter your encryption key to encrypt Fidelis archived alerts or leave this text box
blank to use the default encryption key. You will need the same encryption key to decrypt
Fidelis archived alerts.
6. Click Update Configuration.
After clicking Update Configuration, you may test communication between CommandPost and the
remote server. To test:
1. Click Test Archive Configuration.
Note: No alerts are transmitted during the test process, only test data.
2. Enter a directory name on the remote server where the archive file will be stored. The entry
must be a fully specified path. For example, on a Unix or Linux server: /home/Fidelis/archive.
If the remote directory does not exist, it will be created.
Be sure that the user name provided at the Archive page has permission to write to this
directory.
3. Click Execute Test.
The test process creates a small text file including a timestamp representing the exact time of
creation. This file is sent to the remote server, retrieved from the remote server, and compared to
the original. If the transfers complete and the file comparison passes, then the test succeeds. A failure indicates a configuration problem on CommandPost or your remote server, or a network problem that prevents communication between the systems.
Following a test, the simple test file will reside on your remote server. You may remove it at your
convenience.

Import from a Remote FTP Server


The Archive page is also used to import alert and session data that was previously exported to your
remote server.
To import archive data:
1. Click Import Archive Data.
2. Enter the directory on your remote server that holds the archive files. All files in this directory
will be transferred to CommandPost and imported. If you do not want to import all files, you
will need to manage your remote server storage accordingly.
3. Choose how you would like to handle conflicts between imported alert and object information
and the information currently stored by CommandPost. Your options are:

• Reject duplicate alerts in your import data. The alert UUID is used to determine duplicate
alert information and the Object ID is used to determine duplicate objects. This choice
will ignore the imported data and CommandPost information will remain unchanged.
• Overwrite CommandPost data with information from the import file. Note that CommandPost maintains an alert ID and a UUID for every alert. The alert ID is sequential, but not universal across all CommandPosts. The UUID is a unique ID per alert. If you choose to overwrite CommandPost data, the local alert ID will most likely be changed after import. The UUID will be maintained from the import file.
• Restore Alerts as Original preserves the original insert time and alert ID.
4. Click Execute Import.
This operation can be time consuming, based on the network speed between CommandPost and
the remote server, the number of alerts in the imported file, and the number of duplicates detected.
Upon completion, results will be displayed.
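The three conflict-handling choices, as an added Python model that is not Fidelis code; the record layout, the handling of recorded objects (de-duplicated by Object ID) and the sample archive records are constructed:

```python
# Added example, not Fidelis code: models the three conflict-handling choices
# the guide describes for Import Archive Data. Record layout, object handling
# and sample archive records are constructed.
from datetime import datetime
from typing import Dict, List

REJECT, OVERWRITE, RESTORE_ORIGINAL = "reject", "overwrite", "restore-original"


class AlertStore:
    """Local alert table keyed by UUID. alert_id is sequential and local to
    this CommandPost; the UUID is the identity that survives export/import."""

    def __init__(self) -> None:
        self.by_uuid: Dict[str, Dict] = {}
        self.objects: Dict[str, Dict] = {}   # recorded objects keyed by Object ID
        self.next_alert_id = 1

    def _allocate_id(self) -> int:
        alert_id = self.next_alert_id
        self.next_alert_id += 1
        return alert_id

    def import_record(self, rec: Dict, mode: str, now: datetime) -> str:
        """Import one archived alert; returns 'inserted', 'rejected',
        'overwritten' or 'restored'."""
        uuid = rec["uuid"]
        duplicate = uuid in self.by_uuid
        if mode == REJECT and duplicate:
            return "rejected"              # local alert and its objects untouched
        # Recorded objects are de-duplicated by Object ID (assumption: the
        # archive carries them as a list on the alert record).
        for obj in rec.get("objects", []):
            self.objects.setdefault(obj["object_id"], obj)
        if mode == RESTORE_ORIGINAL:
            # Keep the archived alert_id and insert time exactly as exported,
            # and keep the local counter ahead of any restored id.
            self.by_uuid[uuid] = dict(rec)
            self.next_alert_id = max(self.next_alert_id, rec["alert_id"] + 1)
            return "restored"
        # New alert, or OVERWRITE of a duplicate: a fresh local alert_id is
        # allocated, so it will almost certainly differ from the archive's.
        self.by_uuid[uuid] = dict(rec, alert_id=self._allocate_id(), insert_time=now)
        return "overwritten" if duplicate else "inserted"


def import_archive(store: AlertStore, records: List[Dict], mode: str,
                   now: datetime) -> Dict[str, int]:
    """Import a whole archive file and count the outcomes, as a results page would."""
    counts = {"inserted": 0, "rejected": 0, "overwritten": 0, "restored": 0}
    for rec in records:
        counts[store.import_record(rec, mode, now)] += 1
    return counts


# Constructed archive records: exported from another CommandPost, so their
# alert_ids are that system's local numbers, not ours.
ARCHIVE = [
    {"uuid": "2c7e-0001", "alert_id": 17, "insert_time": datetime(2015, 1, 10, 8, 0),
     "objects": [{"object_id": "obj-17a"}]},
    {"uuid": "2c7e-0002", "alert_id": 18, "insert_time": datetime(2015, 1, 10, 9, 0),
     "objects": [{"object_id": "obj-18a"}, {"object_id": "obj-17a"}]},
]
NOW = datetime(2015, 6, 1, 2, 0)

if __name__ == "__main__":
    store = AlertStore()
    print(import_archive(store, ARCHIVE, REJECT, NOW))            # first import: inserted
    print(import_archive(store, ARCHIVE, REJECT, NOW))            # same file again: rejected
    print(import_archive(store, ARCHIVE, OVERWRITE, NOW))         # new local ids, same UUIDs
    print(import_archive(store, ARCHIVE, RESTORE_ORIGINAL, NOW))  # archived ids and times kept
```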



Configure Audit
The CommandPost audit log tracks all user activity. Access is available to any user whose role
includes the audit privilege. A user that has both Audit and CommandPost privileges may configure
CommandPost to log only the activity of interest.
The CommandPost Audit configuration page enables you to select audit levels for actions on the
CommandPost and any sensors registered to it.
To configure audit:
1. Click System>Components>CommandPost>Config and click the Audit tab.

Figure 46. CommandPost: Audit

2. Enter the amount of time to retain audit records. The default is 190 days. Any audit record older than this number of days will be removed.
Note: The audit log is stored on the CommandPost hard drive. When the allotted
audit space is full, old audits will be removed to make room for new entries to the
log. This event will also generate user notifications and turn the CommandPost
status to red. Adjusting the storage time can help avoid this situation.
3. Audit records can be exported to an external syslog server. To enable audit export, select
Enable and enter the IP address or host name for the syslog server. Audits will be written to
the external syslog as they are written locally to the CommandPost audit log.
4. Select Audit events as needed.
The audit system is broken into ten facilities with six events. By using the available
checkboxes, you can select the events of interest for your log. Checkboxes are available to
select or deselect all events within a facility as well as a checkbox to select or deselect all
events.



Table 15. Events to Audit

Event – Description
Access Events – Logs login and logout events, API access, and access violations. Access violations can be caused when a user attempts to access data forbidden by their role, sensor assignments, or alert management assignments. Access violation events are also logged when users attempt to load invalid licenses, upload invalid files, or attempt other actions to circumvent CommandPost or sensor security.
Addition – Logs an addition to the system, such as a new user or report.
Deletion – Logs a deletion of system data, such as removal of a user or report. For Alerts, a purge is logged as a deletion, as are alerts and audits removed by disk management and database maintenance operations.
Modification – Logs a modification of system data, such as a change of user information or a report change.
Data Extraction – Logs when data is exported from CommandPost. This may be the result of a user action on the CommandPost GUI or the result of scheduled reports and exports that occur in the absence of a GUI.
Page Access – Logs when system information is viewed using the CommandPost GUI. This applies to all pages of the CommandPost GUI.

Note: Not all events are available for each facility.

Table 16. Facility Rows

Facility – Description
Alerts – Items on the Alerts page including Alert Details[35]
Automated Data Access – Items exported, purged, or modified by scheduled events, such as Alert Retention, exports, and feed updates
Reports and Exports – Includes Saved Reports, Summary, and Network Reports[36]
Users[37] – Items on the System>Users page
Device Config – Any component configuration changes including the CommandPost and all sensors
Audit[38] – Items on the System>Audit page
Login, Logout, Access Denied – Includes all login attempts, both valid and invalid, logout, and any attempt to access data not permitted by the user's role
API – Audits API calls from external sources. These sources are any API not accessed by Fidelis XPS Web or regular reporting processes.

[35] Alert Details is the most granular level for examining alert data.
[36] Network Reports display statistical information about the data flow observed by Fidelis XPS sensors.
[37] Users enables you to create and manage users, their roles, and user access.
[38] Audit enables you to search for audit information.
5. Click Update to save your selections.

Backup and Restore


Backup enables you to back up configuration information for a CommandPost and any components registered to it. The backup includes configuration information such as reports and user information but does not include data such as alerts. You can also include a system backup with an automatic export, provided that you select the Fidelis Archive export method. Refer to Export Methods.
Restore enables you to restore configuration information for a CommandPost and any components
registered to it.

Backup
To run backup:
1. Click System>Components>CommandPost>Config and click the Backup and Restore tab.
The System Configuration Backup and Restore page displays.

Figure 47. System Configuration: Backup


2. Click Run Backup. The backup stores configuration information in a file. The name of the backup file and the MD5 hash for it display.
Note: Do not access other items on the page or attempt to navigate away from it while backup is in progress.
3. Click Download. You can open the file or save it to your workstation.
To back up during an automatic export:
1. Click System>Export. A list of available exports displays.
2. Select Fidelis Archive export method at the System>Export page.
3. Click Include Configuration Backup.
4. Select Alerts to export: either All, By Criteria, or None. If None is selected, the Include Configuration Backup checkbox is selected automatically, and the export will only include the configuration backup file. The backup file is created and is exported to the same location as the export. Refer to Define Exports for more information.

Restore
You can restore a CommandPost's configuration directly from the backup file or replicate the same
configuration to multiple CommandPosts. You can also select and restore configuration information
to components registered to the CommandPost.
To restore a CommandPost:
1. Select a backup file and click Upload restore file. The name of the Restore File displays.
2. If the Restore File name is correct, click Verify. The host ID, the version number, backup time, and user information display. If the host IDs match, the license is automatically restored.



Figure 48. System Configuration: CommandPost Restore
3. Choose the restore mode.
Note: Restoring or Replicating from file overwrites any existing configuration
information. Use options 2 or 3 to replicate configuration information to another
CommandPost.
To restore and overwrite all existing CommandPost configuration information, select option 1.
To restore and overwrite configuration information except for sensor definitions, select option
2.
To restore and overwrite configuration information except for sensor definitions and User
information, select option 3.
4. Click Restore CommandPost.
5. Click OK at the dialog box to proceed.
Note: Do not access other items on the page or attempt to navigate away from it while
the restore is in progress.
To restore a sensor:
1. Select the backup for the sensor.
2. Select the target sensor. You can only restore backup files for a sensor to the same sensor.
The sensor must also have the same name.

Figure 49. System Configuration: Sensor Restore


3. Click Restore Sensor.



4. Click OK at the dialog box to proceed.
Note: Do not access other items on the page or attempt to navigate away from it while
the restore is in progress.

Custom GeoIP
Custom GeoIP provides the ability to customize Location information for IP addresses. Location information appears in Dashboard widgets, Alert List, and in Alert Details.
Public IP addresses show the location provided by MaxMind. The names of countries are maintained by ISO 3166 and augmented by special codes provided by MaxMind. Refer to http://www.maxmind.com.
Private IP addresses will show the location as Unknown. You can use Custom GeoIP to change the location information of both public and private IP addresses.
When you define locations, you may associate each with a flag using the ISO 3166 country codes
or one of the seven custom flags provided by Fidelis. Location information displayed on the World
Map and Globe dashboard widgets is based on the ISO 3166 flag. You may enter coordinates to
define a location for Unknown locations or any that use a custom Fidelis flag as the location
identifier.

Create the GeoIP Definition File for Custom GeoIP Ranges
To define GeoIP information for IP addresses, create a file that contains information about the IP addresses that you need to specify. This file must be in text format and must contain tab-delimited fields. The file may contain any IP addresses, private or public. If public IP address ranges are defined, the definition in your file will override the locations that are provided by MaxMind.
• Enter the low end of the IP range.
• Enter the high end of the IP range.
Note: IP address ranges must not overlap. IPv6 addresses are not supported.
• Enter a 3- to 8-letter code used for matching. This code can be used on multiple entries but must always correlate to the same country name. This code is used for Location fingerprints. This code does not display in the GUI.
• Enter a location name for a full display name that will appear as a country name in Alert
Reports and in the Alert Details. This information is also used for search and filter for
source/destination country.
This name must correlate with the country code and can contain up to 32 characters. The
country name, however, cannot be the name of an existing country.
• Secondary Location Name (Optional) You can also specify an optional secondary location
name to further narrow location information in Alert Details. The Secondary Location Name
displays as a city name in Alert Details. Similar to the actual country lookup, there can be
multiple entries that match a given country code.
• Flag (Optional) You can specify a country flag for the IP range at the Alert Details page.
You can use a two letter country code that complies with ISO 3166-1, alpha-2 such as US
or CA. Custom flags are also available as shown below. The Globe and World Map
Dashboard widgets will use the ISO 3166-1 country codes to display alerts on the map. If
you use a custom flag, you may specify a map location. Refer to Specify Map Coordinates
for Unknown and Custom Flags.
Custom flags are: C1, C2, C3, C4, C5, C6, C7.
Below is a sample file:
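A constructed file in this format, with a validator that applies the rules listed above (an added example, not Fidelis code or the guide's own sample; it assumes the six tab-separated columns appear in the order listed and checks a flag only for form, two uppercase letters or C1 through C7, not against the full ISO 3166-1 list):

```python
# Added example, not Fidelis code: validates a constructed Custom GeoIP file
# against the field rules in the guide. Assumes the columns are, in order:
# low IP, high IP, code, location name, secondary location (optional),
# flag (optional). Flag form is checked, not the full ISO 3166-1 list.
import ipaddress
from typing import Dict, List, Tuple

CUSTOM_FLAGS = {f"C{i}" for i in range(1, 8)}
# Stand-in for the real country list that a custom location name must not reuse.
EXISTING_COUNTRY_NAMES = {"United States", "Canada", "Germany"}
MAX_NAME_LEN = 32


def parse_line(line: str, lineno: int) -> Dict:
    fields = line.rstrip("\r\n").split("\t")
    if not 4 <= len(fields) <= 6:
        raise ValueError(f"line {lineno}: expected 4 to 6 tab-separated fields, got {len(fields)}")
    low, high, code, name = fields[:4]
    secondary = fields[4] if len(fields) > 4 else ""
    flag = fields[5] if len(fields) > 5 else ""
    try:
        low_ip, high_ip = ipaddress.ip_address(low), ipaddress.ip_address(high)
    except ValueError as exc:
        raise ValueError(f"line {lineno}: {exc}") from None
    if low_ip.version != 4 or high_ip.version != 4:
        raise ValueError(f"line {lineno}: IPv6 addresses are not supported")
    if low_ip > high_ip:
        raise ValueError(f"line {lineno}: low end {low} is above high end {high}")
    if not (3 <= len(code) <= 8 and code.isalpha()):
        raise ValueError(f"line {lineno}: code {code!r} must be 3 to 8 letters")
    if not 1 <= len(name) <= MAX_NAME_LEN:
        raise ValueError(f"line {lineno}: location name must be 1 to {MAX_NAME_LEN} characters")
    if name in EXISTING_COUNTRY_NAMES:
        raise ValueError(f"line {lineno}: {name!r} is an existing country name")
    if flag and flag not in CUSTOM_FLAGS and not (len(flag) == 2 and flag.isalpha() and flag.isupper()):
        raise ValueError(f"line {lineno}: flag {flag!r} is neither ISO 3166-1 alpha-2 nor C1..C7")
    return {"lineno": lineno, "low": low_ip, "high": high_ip, "code": code,
            "name": name, "secondary": secondary, "flag": flag}


def validate_file(text: str) -> Tuple[List[Dict], List[str]]:
    """Return (entries that parsed, error messages). File-wide rules come last."""
    entries, errors, code_to_name = [], [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        try:
            entry = parse_line(line, lineno)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        # A code may appear on many lines but must always map to the same name.
        first_name = code_to_name.setdefault(entry["code"], entry["name"])
        if first_name != entry["name"]:
            errors.append(f"line {lineno}: code {entry['code']!r} already maps to {first_name!r}")
            continue
        entries.append(entry)
    # Ranges must not overlap: sorted by low end, each low must exceed the previous high.
    entries.sort(key=lambda e: e["low"])
    for prev, cur in zip(entries, entries[1:]):
        if cur["low"] <= prev["high"]:
            errors.append(f"line {cur['lineno']}: range overlaps the range on line {prev['lineno']}")
    return entries, errors


# Constructed sample file; the last three lines each break one rule.
SAMPLE = "\n".join([
    "# low\thigh\tcode\tname\tsecondary\tflag",
    "10.1.0.0\t10.1.255.255\tHQNET\tCorporate HQ\tReston\tC1",
    "10.2.0.0\t10.2.255.255\tBRANCH\tBranch Offices\tDenver\tUS",
    "10.1.128.0\t10.1.200.0\tHQNET\tCorporate HQ",
    "10.3.0.0\t10.3.0.255\tHQNET\tHQ Annex",
    "2001:db8::1\t2001:db8::ff\tVSIX\tIPv6 Lab",
])

if __name__ == "__main__":
    good, bad = validate_file(SAMPLE)
    print(f"{len(good)} entries parsed, {len(bad)} problems:")
    for message in bad:
        print("  ", message)
```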

Specify Map Coordinates for Unknown and Custom Flags


If you have not uploaded a Custom GeoIP file, all private IP addresses will appear as Unknown in
Alerts and Alert Details.
On the Globe and World Map Dashboard widgets, these Unknown alerts will appear in the Atlantic
Ocean. The location of Unknown locations on the Globe and World Map can be changed by
entering a latitude and longitude to map the location. If you have provided a Custom GeoIP file that
uses one of the seven Fidelis flags (C1 through C7), you may use latitude and longitude to define a
map location for each of these locations.
Refer to Dashboard for information about the Globe and World Map widgets.
1. Click System>Components>CommandPost>Config and click the Custom GeoIP tab.

Figure 50. CommandPost: Custom GeoIP: Address Ranges


2. Ensure that Enable is checked.
3. Specify a latitude and longitude location for Unknown locations. You can also keep the
default values to map the location in the United States.
4. Specify a latitude and longitude location for each custom flag used in your Custom GeoIP
file. You can also keep the default values to map the location in the United States.
5. Click Save.

Configure Custom GeoIP Ranges


Upload the configuration file to CommandPost.
1. Click System>Components>CommandPost>Config and click the Custom GeoIP tab.
2. Ensure that Enable is checked.
3. Click Upload New. The Upload Custom GeoIP Ranges displays.

Figure 51. CommandPost: Custom GeoIP


4. Click Browse and navigate to the file on your workstation.
5. Click Upload. This will overwrite earlier configuration files.
6. Click Save.

After uploading the GeoIP file, you can click to download and view the file.
Click OK at the confirmation dialog box.

Diagnostics
CommandPost problems may be caused by corrupt tables within the embedded database.
Diagnostics enables you to check database tables and to repair them if needed.
To check for and fix database corruption:
1. Click System>Components>CommandPost>Config and click the Diagnostics tab.
2. Select the extent of checking you want Diagnostics to perform.
Quick – Checks the integrity of indices on the table and usually executes quickly.
Medium – Performs a Quick check and verifies the checksum value on each row of each
table. A medium check may require several minutes to complete.
Extended – Performs a Medium check and a look up of each row and table index on the table
to verify 100 percent consistency. An extended check may require a long period of time.
Because checks and repairs can be time-consuming, it is recommended that you perform a
Quick Check and Repair first. If the problem is not corrected, attempt the Medium and
Extended Checks.
3. Click Check. A notice displays telling you that this process might take longer than expected.
4. Click OK to proceed. Check indicates the progress of the check and which tables it is
checking within a running dialog box. When complete, Check displays a message indicating
that the Check is complete. A list of files that need repair also displays.
Click + to view the dialog.
Click – to collapse the dialog.
5. Select a Repair option.
The Repair method should correspond to the Check method used. For example, if you
selected a Quick Check, then you should proceed with a Quick Repair.
Quick – Only attempt to fix the index tree.
Medium – Provides the same repairs as Quick.
Extended – Rebuild the index tree by row.
Repair is only available if one or more tables were determined to be corrupt in the preceding
Check operation.
6. Click Repair. A notice displays telling you that this process might take longer than expected. Click OK to proceed. Repair indicates the progress of the repair within a running dialog box.
Click + to view the dialog.
Click – to collapse the dialog.



Email Configuration
Email Config enables you to set email parameters to identify messages sent from CommandPost.
1. Click System>Components>CommandPost>Config and click the Email Config tab.

Figure 52. CommandPost: Email Configuration


2. Enter a name and an email address for CommandPost. The sender’s name is the full name
that will be associated with the sender’s address. If left blank, this will be set automatically to
Fidelis CommandPost.
The sender’s address is the email address from which the reports will be sent. If either field is
left blank, email will not include a From name or address.
Note: If the email address is not a reachable address, some email servers might not
accept the message.
3. Configure Smart Relay by entering an IP address or a host name to specify an email server
on your enterprise's network. Any outgoing email will be forwarded to the specified server.
If the Smart Relay is set to a host name, a DNS lookup will be required and your
CommandPost will require DNS access. If the Smart Relay is set to an IP address, DNS
access is not required.
4. If Smart Relay requires authentication, select Yes at Smart Relay Authentication and enter the
user name and password.
If Smart Relay does not require authentication, select No at Smart Relay Authentication and
leave the user and password fields blank.
5. Click Update.
CommandPost will use these settings for messages from the ticketing system and for reports
delivered by email. Reports include user-generated and scheduled Alerts, Custom, and Summary
reports.



Configure Exchange
Fidelis XPS Vector sensors can inspect encrypted Exchange messages only when presented with
the encryption keys for your domain. Configure Exchange enables you to configure CommandPost
to access and retrieve the necessary authentication information. The retrieved information is
encrypted when stored on CommandPost and sensor as well as the network connections between
CommandPost, Active Directory, and sensor.
Obtain the following information before you configure CommandPost:

• Domain Controller name (For example: DomainController_server)
• Domain Name (yourcompanyname.com)
• Domain Controller IP Address
• User name (Must belong to the Enterprise Admin group.)
• Password
Also ensure that a DNS record for kerberos.[domainname.com] exists on the DNS server and
resolves to a valid IP address of the Kerberos server. This is required for Kerberos
authentication to work: Samba must be able to look up the Kerberos server IP address that it will
use for Kerberos authentication.
To configure Exchange-server Communication:
1. Click System>Components>CommandPost>Config and click the Exchange Config tab.

Figure 53. CommandPost: Exchange


2. Enter the Domain Name, Domain Controller Name, and the Domain Controller IP Address.
3. Enter a user name. The user must belong to the Enterprise Admin group.
4. Click Password to change password and enter a password for authentication by your directory
server in the text box. The name and password will be used by your directory server to allow
CommandPost to retrieve information.
5. Click Update to save your settings.
6. Click Test to verify communication with the server. The Exchange Configuration Test Output
displays the results.

CommandPost Language Configuration
CommandPost Language Configuration is necessary for Content fingerprint testing and generation
which allows these processes to correctly interpret the contents of your files.
Settings made on the CommandPost will not affect settings for the sensors. Sensors must be
configured separately.
Note: Fingerprint test results may not match sensor results on network traffic if
language configuration differs.
To specify language settings on the CommandPost page:
1. Click System>Components>CommandPost>Config and click the Language Config tab.

Figure 54. CommandPost: Language Configuration


2. Choose the appropriate mode:

• ASCII mode will recognize ASCII characters in any file. When applied to a sensor, ASCII
mode provides the optimal performance. If your sensors are running ASCII mode, you
should perform fingerprint testing and generation in ASCII mode.
• International mode will recognize Unicode (UTF-8, UTF-16, and UTF-32) characters as
well as all supported extended ASCII character sets. When International mode is
selected, a list of summarized character sets will appear. The list of supported character
sets is available within each summary.
Many file formats will indicate the character set used within the file, although this
information may not be visible within the file processing or editing application. For these
files, CommandPost will correctly interpret the contents in International Mode.
If the character set is not specified in the file, CommandPost will utilize the character
sets that you specify on this page. For fingerprint generation, including Keyword and
Keyword Sequence generation, Identity Profile training, Exact and Partial Content,
CommandPost will use the first character set in the list. For fingerprint testing,
CommandPost will translate your file using each character set in your list and test it
against your fingerprint.
3. In International Mode, click a character set summary, such as Latin or Cyrillic. Each opens to
display a list of specific character sets. Select one or more and click Add. Your selection
displays in the text box on the right. Use the arrow keys to change the order of the selected
character sets or to remove a selected set. Character set order matters for fingerprint
generation processes.

4. Click Save.

LDAP Configuration
You can configure CommandPost to interface with an LDAP or Active Directory server. After
configuration, CommandPost will be able to authenticate logins via directory authentication and to
associate user information detected within alerts with directory information.
To correctly configure the CommandPost interface with LDAP, you must have thorough
understanding of your local directory server data structure and login access to all user records
stored on your server. You may use your favorite LDAP/AD browser software to gain the required
information for configuration.
Obtain the following information before you configure CommandPost to work with an LDAP server:

• Server name (For example: ldap_server.yourcompanyname.com)
• Server port (usually 389)
• Authentication method used (usually simple). Simple means that the password entered is
sent in plain text to the LDAP server. Digest-MD5 sends a hash of the password.
Note: User name and password can be left blank for anonymous access if your LDAP
server supports this.
• LDAP User name (For example:
cn=Administrator,cn=Users,dc=yourcompanyname,dc=com)
• Password
• LDAP Base (example: dc=example,dc=com or cn=Users,dc=example,dc=com)
• Check the LDAP server before configuring LDAP at the CommandPost.
Fidelis XPS Vector systems that use LDAP request all records for a given base/filter
combination and cache the records locally on the CommandPost with a periodic refresh
functionality built in. By default, LDAP directories limit the number of objects that can be
returned from a single search filter. Please make sure this limit is disabled or at least large
enough to return all the records for the base/filter combination configured at the
CommandPost.
To configure LDAP Server Communication:
1. Click System>Components>CommandPost>Config and click the LDAP Config tab.

Figure 55. CommandPost: LDAP/AD
2. Enter the Server Name or IP address of your LDAP or Active Directory server.
3. Enter the port number for the server or choose the default of port 389. Make sure that there
are no firewall settings between CommandPost and your directory server that will block this
port.
4. Select the authentication method that your directory server requires. CommandPost supports
simple or Digest-MD5 authentication.
5. If your directory server supports TLS, click Use TLS to encrypt communications between
CommandPost and your directory server. If your directory server's host certificate was signed
by a private CA:
a. Copy the CA certificate in PEM format to /etc/openldap/cacerts on CommandPost.
This CA certificate is from the CA that signed your directory server's host certificate.
b. On CommandPost, run the command: /usr/sbin/cacertdir_rehash /etc/openldap/cacerts
6. Enter a user name and password for authentication by your directory server. The name and
password will be used by your directory server to allow CommandPost to retrieve information.
Either field may be left empty if your server allows anonymous access.
Note: Fidelis XPS user names are case-insensitive. LDAP or Active Directory
entries that are case sensitive will not be supported.
7. Enter the server timeout in seconds. CommandPost will stop communication attempts if the
server does not respond within this time. CommandPost will resume communication attempts
at the next refresh interval or login attempt.
8. Specify the refresh interval in hours. The refresh rate refers to the frequency of
CommandPost requests to download directory information. This applies to information used in
policies and alert attributes, but not to user authentication. For user authentication, the
directory is accessed with each user login attempt.

9. Click Test to test communications between CommandPost and the LDAP server. Make sure
that the returned records are what you expected.
All records that match the base/filter combination that are returned from the server display in
the test results, but only records with email or user attributes are cached and used for
matching. Test results display a record count that gives the count of such validated records.
10. Click Update to save your settings.
After you establish communication to a directory server, CommandPost can use the link for
three distinct activities.

• User Authentication. To configure user authentication by your directory server, refer to
LDAP Authentication.
• User Information Retrieval. When an alert is generated, information about the end user
who caused the violation can be extracted from your directory. This information will be
included with any applicable alert. The match information is based on email addresses or
IP-to-ID user mapping information from the A10 Networks server, if configured. To
specify which user attributes you would like to include with your alerts, complete the Alert
Attribute Insertion section on the LDAP Config page:
Note: You can use LDAP browser software on your PC to connect to the LDAP
server to get the correct base, filter, and attribute information.
To use LDAP to retrieve user information, you must first enter LDAP Lookup Parameters to locate
the appropriate user information in your LDAP or AD structure. You can also enter IP2ID User
Match information for an A10 Network Identity Management System or enter extra LDAP attributes
to include in alerts.
To enter LDAP Lookup Parameters:
1. Click Add Parameters to enter Base and Filter information.
Enter a Base to specify the LDAP starting point within your directory server hierarchy. User
information found under this base will be used to extract user information for alerts. For
example: "ou=abcdepartment, dc=mydomain, dc=com"
Enter one or more Filters in the text box, as needed. This enables you to filter search
results from those directory entries found at the Base.
For example, if you enter "cn=Joe*" in the Filter and "ou=abcdepartment, dc=mydomain,
dc=com" for Base, the server will return records for users whose names begin with Joe in
the abc department. Note: The email attribute is configured by default and generated
alerts will match on this attribute.
2. Click Add, then click Update.
In a large enterprise, the LDAP or AD server may not be able to return records for all users
with a single base and filter. If this is the case, you will need to identify multiple base and
filter pairs to extract all user information. There is no limit placed on the number of
parameters that can be added to CommandPost. At the configured refresh interval,
CommandPost will execute all LDAP queries and accumulate the results into its internal
cache of user information.
To edit or remove LDAP Lookup Parameters:

• To edit LDAP Lookup Parameters, click the edit icon next to the Base and Filter entry you
want to change. Text boxes display that enable you to edit the base or filter entries. Enter
your changes and click Update.
• To remove LDAP Lookup Parameters, click the remove icon next to the Base and Filter entry
you wish to remove. Click OK at the dialog box to continue with the deletion.
Enter IP2ID User Match information if you have an A10 Network Identity Management system.
When an alert is generated, the user ID will be matched against the provided LDAP attribute for a
match. If a match is found, user information from LDAP can be added to the alert information.
Extra LDAP Attributes can be defined to extract these fields from LDAP to include in alerts. Note:
If you do not have an A10 Network Management System, LDAP information will be used for all
email-based alerts, when the FROM address of the alerted email matches the email attribute in the
LDAP directory.

Specify Extra LDAP Attributes to extract and display from your directory. You may enter RFC-
defined or user-defined attributes directly into the text box. Your list of attributes will be displayed
as user information within Alerts. Refer to Alert Details.
• Enter attributes into the text box and click the add icon. Use attributes defined in RFC 4519 or
any user-defined attributes.
The attributes name, email address, organization, organization unit, title, and user id are part
of the query to the server and are present by default.
• To remove attributes from the list, select an attribute and click the remove icon.

Logs
Logs enables you to view log files from a sensor or from CommandPost that reside in different
directories, including /FSS/log and /var/log among others. Log files can help in troubleshooting
problems and are a valuable resource when interacting with Fidelis Technical Support. After
retrieving a log file, you can send it via email. Fidelis support is the default email recipient of all log
files.
To retrieve logs:
1. Click System>Components>[sensor name or Vector]>Config and click the Logs tab. You can
view logs for another component by selecting it at the Component list.
2. Select a file from the Log Files list.
3. Click Invert Log to reverse the order of log entries, if needed.
4. Click View Log. The selected log entry displays and the Email Log button is available.

Figure 56. Logs

Create Debug Log
In some circumstances you may need to send a large collection of logs to Fidelis Support for
problem diagnosis. The Debug Log button makes it easy to generate a single archive of many logs
and transfer it to your local workstation.
To do this:
Click Create Debug Log.
A popup message states that creating a system debug log file may require several minutes. Click
OK to continue to generate the debug log.
When the debug log is successfully generated, you can click Download and either open the file or
save it.

Send Logs
You can view the log and send it via email.
To do this:
1. After retrieving a log file, click Email Log. The Send Log dialog box displays.

Figure 57. Email Logs


2. Enter the desired email addresses. The default recipient address is
support@fidelissecurity.com and the default sender email address is defined at the
CommandPost>Email Config page.
3. Enter a subject, if needed.
4. Click Send.
The log file displays in the body of the email message.
The log file is sent as an email attachment.

Proxy Config
If external access from CommandPost goes through a proxy, you need to configure CommandPost
for proxy connectivity.
To configure the proxy server:
1. Click System>Components>CommandPost>Config and click the Proxy Config tab.
2. Ensure that Use Proxy is checked.
3. Enter the host name or the IP address for the proxy server.
4. Enter the port number. Communication between CommandPost and the server usually
occurs on port 80.
5. If the proxy server requires authentication, enter a user name and a password.
6. Click Save Proxy Config.

RADIUS/TACACS+
RADIUS/TACACS+ configuration enables you to configure CommandPost for RADIUS and
TACACS+ authentication support for login access to Fidelis XPS. RADIUS is Remote
Authentication Dial-In User Service and TACACS+ is Terminal Access Controller Access Control
System+.
1. Click System>Components>CommandPost>Config and click RADIUS/TACACS+.
2. Enter the name of the RADIUS or TACACS+ server.
3. Enter the shared secret, a key parameter that needs to be in sync with the RADIUS or
TACACS+ server.
4. Enter a timeout value in seconds.
5. Enter a test user name and password that is already stored on the RADIUS or TACACS+
server. This user name and password are used for testing and are not saved with the rest of
your configuration.
6. Click Test to verify the server name and the shared secret.
7. Click Update to save your changes.
8. Click System>Components>CommandPost>Config>User Authentication to enable
RADIUS or TACACS+ authentication. Refer to User Authentication.

Session Timeout
Session Timeout refers to the amount of time an inactive user account can remain logged into
CommandPost. User inactivity will cause the session to be timed out and the browser will return to
the login page. Inactivity is determined by contact with the server. In many sections of
CommandPost, opening and closing rows in the display does not contact the server, so you may
need to open a new page to avoid a session timeout.
CommandPost Session Timeout can be configured in one of three modes of operation:

• Enable Timeout for All sessions. This is the default mode of operation with a timeout value of
15 minutes. You can change the timeout value to any number of minutes greater than zero.

• Disable Timeout for All sessions. In this mode, session timeout is completely disabled. This
setting is not recommended unless all users are well trained security professionals, diligent
about logging out from CommandPost if they leave their workstation.

• Disable Timeout by IP Address. This mode may be used to disable timeout for a large screen
display or for only those workstations used by properly trained professionals. Enter the IP
addresses for client workstations from which you will disable timeout. Session Timeout
remains enabled for other IP addresses. Enter the number of minutes that these connections
can remain idle before being terminated.
To configure session timeout:
1. Click System>Components>CommandPost>Config and click the Session Timeout tab.

Figure 58. CommandPost: Session Timeout


2. Select either Enable Timeout for All sessions, Disable Timeout for All sessions, or Disable
Timeout by IP Address.
3. Click Update. The new configuration becomes effective with the next login to CommandPost.

System Monitor – CommandPost
System Monitor is used to monitor the activity and health of a CommandPost. It monitors
CommandPost status including disk space, process restarts, and statistics counts. It attempts to
make sure that the system is running smoothly. If not, it can send warnings in a number of different
ways.
By default, System Monitor writes all of its messages to the standard system log file. In addition, it
can be configured to write to a remote system log file, to send an email, and to send an SNMP
message.
From System Monitor, you can also shut down the system.
To access System Monitor:
Click System>Components>CommandPost>Config and click the System Monitor tab.

Notifications
The Notifications page allows the configuration of Fidelis messages or notifications to be sent to
external entities. These notifications are produced by System Monitor as they pertain to the
software and system resources required for Fidelis software.

Figure 59. System Monitor: Notifications settings


You can send messages to a system log, an email address, or to SNMP. You can configure the
types of messages sent to each.
Message types:

• Critical—system functioning is severely impacted
• High—a system function is at risk of a severe impact

The System Log section allows for the entry of a remote system name. This system should be
configured to allow remote hosts to send syslog messages to be recorded in its standard syslog
file. Make sure to allow a remote sysmon message through any firewall in your network.
The Email Address section allows for the configuration of an email address and message types to
be sent to that email address. If one or more email relay hosts are configured, outgoing emails are
sent through the email relay hosts.
The SNMP section allows for the configuration of a remote SNMP monitor and the message types
to be sent. SNMP traps may be sent to an external system which may be specified by a host name
or IP address.
Choose the alert information to include in these traps. To enable Fidelis SNMP traps, a MIB is
available with sample use instructions at www.fidelissecurity.com/support.
Select SNMP version 1 or 3.
• If you select SNMP 1: You can change the entry for the SNMP Community String. The
default value is public.
• If you select SNMP 3: Engine ID, user names, and authentication and privacy tokens for
users should be configured on the remote SNMP server that receives the SNMP trap.
SNMP Engine ID: Enter the ID for the remote SNMP server.
SNMP User Name: Enter a user name associated with the Engine ID.
SNMP Authentication Protocol: Select Authenticated Only or Authentication and
Encrypted.
For Authentication Only: Select MD5 or SHA1 Protocol. Enter the Authentication Token for
the user in the text box.
For Authentication and Encrypted: Select an Authentication Protocol and enter the
Authentication Token. Select either DES or AES Privacy (Encryption) Protocol. Enter the
Privacy (Encryption) token for the user in the text box.

Notification Messages
Listed below are examples of notification messages that can be sent by System Monitor.

Critical:
spool writes stopped when partition < 1GB
if a process is dying repeatedly
invalid license
spool writers dying too fast netspool can't start spool writers
export writers dying too fast exportd can't start exporters
one or more registered sensors lost connection
Unable to make space for alerts, alerts & sessions not being inserted
Unable to make space for sessions, alerts & sessions not being inserted
Insufficient disk space, alerts & sessions not being inserted
Archive failed - alerts deleted anyway, check FTP connection
feed handlers are dying fast
repdcp cannot start feed handler<s> <feed names>

High:
demo mode or license expired or expiring in < 14 days
no sensors registered.
if alerts/sessions/pcaps deleted to make space for new alerts:
<number> alerts, <number> sessions & <number> pcaps deleted to create space
if alerts are being spooled due to db maintenance running:
Database maintenance running, alerts are being spooled
if archiving fails and it will be retried:
Archive failed - alerts not deleted, check FTP connection
Archive failed - alerts deleted after next failure, check FTP connection
problem running db_maint: see /var/log/messages
feed update error:
feed "<feed name>" update error

System Logging (OS)

System Logging of operating system notifications is available on your CommandPost. The
information produced is with regard to the underlying operating system on the appliance. The
information will be written to the system log on CommandPost and can be configured to write the
log to a remote server. Fidelis software notifications are not monitored at this tab.
System logging is performed by syslog-ng. Prior versions of Fidelis XPS used rsyslog, however,
rsyslog is being phased out.
If you previously enabled rsyslog, it will still be used as your operating system logger. However, it is
recommended that you switch to syslog-ng as rsyslog will be removed in a future release. Uncheck
rsyslog and click Save to enable syslog-ng. You will not be able to switch back to rsyslog.

Figure 60. System Monitor: System Logging


1. Enter a remote server to send logs. You can leave this value empty. System logging still
occurs if you do not make an entry for the remote server, but there is no remote logging. If
you do make an entry, ensure that you use a valid host name or IP address. If the host name
or IP address is not correct, syslog-ng stops running and this will be indicated in the status.
A sample entry is:
udp:host<:port> [Use UDP, default port 514]
udp:IPaddress<:port>
2. Click Save.
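Because an invalid remote server entry stops syslog-ng, it is worth checking the entry before saving it. The following is an added example, not Fidelis code: it parses the udp:host<:port> form shown above (default port 514) and rejects a malformed host, address, or port. The sample entries are constructed.

```python
"""Parses and validates a remote System Logging entry in the form
udp:host<:port> with a default port of 514. Added example, not Fidelis code."""
import ipaddress
import re
from typing import NamedTuple

# RFC 1123 host name: labels of letters, digits and hyphens, 253 characters at most.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\.?$",
    re.IGNORECASE,
)


class SyslogDestination(NamedTuple):
    transport: str
    host: str
    port: int


def parse_syslog_destination(entry: str) -> SyslogDestination:
    """Return the parsed destination, or raise ValueError naming the defect."""
    transport, sep, rest = entry.strip().partition(":")
    if not sep or transport.lower() != "udp":  # the guide shows only udp
        raise ValueError(f"transport must be udp: {entry!r}")
    host, sep, port_text = rest.partition(":")
    if sep:
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"port must be 1-65535: {port_text!r}")
        port = int(port_text)
    else:
        port = 514
    if re.fullmatch(r"[0-9.]+", host):
        # Dotted-decimal input must be a real IPv4 address (e.g. 300.1.1.1 is rejected).
        ipaddress.IPv4Address(host)
    elif not HOSTNAME_RE.match(host):
        raise ValueError(f"invalid host name: {host!r}")
    return SyslogDestination("udp", host, port)


def is_valid_syslog_destination(entry: str) -> bool:
    """True when the entry would be accepted, False when syslog-ng would reject it."""
    try:
        parse_syslog_destination(entry)
        return True
    except ValueError:
        return False
```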

Shutdown
This page enables you to restart all Fidelis Services.

Figure 61. System Monitor: Shutdown


You can also shut down the CommandPost or reboot.
Items to consider:

• Clicking Restart, Shutdown, or Reboot on the Console Config logs you out of CommandPost.
• Order does not matter when shutting down or rebooting CommandPost with sensors and
Collectors.
• For Shutdown, you need physical access to the CommandPost to start it again.

User Authentication
CommandPost supports user authentication locally or via LDAP (Active Directory) or
RADIUS/TACACS+. The User Authentication page contains a section for each authentication
method that can be hidden (or expanded) by clicking the title bar of the section.
Using CommandPost configuration, you may choose the authentication method for your
environment and modify configuration options. When a user accesses CommandPost,
authentication is performed as follows:

• First, CommandPost checks the user name to see if it matches against the database of current
users. If it matches a user, then the configured authentication method (local, LDAP,
RADIUS, or TACACS+) is used. Refer to Define User Profiles.
To use LDAP or Active Directory authentication, you must also configure communication
between CommandPost and your directory server. Refer to LDAP Config.
To use RADIUS/TACACS+ authentication, you must also configure communication between
CommandPost and your RADIUS or TACACS+ server. Refer to RADIUS/TACACS+.
• Second, if the user name does not match a current user in the database, CommandPost will
use any other authentication methods that are enabled (LDAP, RADIUS, or TACACS+) with a
configured User Profile. Upon success, user information is downloaded from the
authentication server to CommandPost and a user account is created.
Note: Only one authentication method per unique user name is supported. For
example, if a user has a local account with the name Joe and attempts to log in using
Joe with LDAP, the LDAP log in will fail. To change the authentication method for a
user, the currently configured user must be deleted. Refer to Define User Profiles.
If none of the above steps are successful, the user login is rejected.
Note: You must maintain at least one local CommandPost user that can be used to
create other local users and configure external communications. CommandPost ships
with one default user (admin) for this purpose. You should create another account for
this purpose, and not rely on the default account. The default user cannot be removed,
but should not be used after initial system configuration.
LDAP and other non-local authentication provides access to the CommandPost GUI,
but no permission to directly access CommandPost using protocols such as sftp or
ssh. Therefore, users without local accounts will not be able to transfer files to or from
CommandPost.
To access this page:
Click System>Components>CommandPost>Config and click the User Authentication tab.

Configure Password Requirements for Local Users

Before configuring password requirements for local users, refer to your enterprise's security
practices for password requirements. After you configure CommandPost password strength
requirements, all new passwords must conform to the new settings.
Note: Existing passwords will not be impacted by changes to password strength
requirements until this password is changed. Password age and account lock
settings take effect immediately for all users.
To configure password requirements:
1. Set Password Strength as needed.
Enter values for the minimum length, upper case, lower case, digits, and special characters. A
value of zero is equivalent to disabling the requirement. The default setting has all password
strength values set to zero, or disabled.
Note: The password length must be large enough to accommodate all other
requirements.

Figure 62. CommandPost: Password Requirements


2. Specify age requirements.
Expiration: Click Expiration and enter a number of days for passwords to expire. Users must
reset passwords before passwords expire or they will be locked out of the system.
Warning: If you change the password age requirements and your own password does
not comply, your account will be locked immediately upon saving the password
configuration.
Warn user: If you specify expiration, you may also specify when user warnings start about
the impending expiration. Enter the number of days before the expiration time that you want
warnings to start. If you set the value to the default state of 0, there will be no warnings. The
warning continues on each login until the password is changed or the account is locked
because of the expiration.

Minimum Age: Click and specify a minimum number of days passwords must be in use
before users can change them. Users receive an error message and are prevented from
changing their passwords until the minimum age is met.
3. Specify Account Lock settings.
Inactivity: Select and specify a maximum number of days that an account can remain
inactive. If an account remains inactive beyond this time, the account will be locked.
Failed Login Attempts: Click and specify the maximum number of failed login attempts
allowed.
4. Click Update.
Local passwords are enforced by the Linux Pluggable Authentication Modules (PAM), which
provide dynamic authorization for applications and services in a Linux system. These
modules can be used to enable many password controls that are not exposed in the
CommandPost User Authentication user interface. Administrators with direct access to
CommandPost and knowledge of PAM can apply settings that include password history,
dictionary lookup, and several other attributes. Apply these changes with caution because
a misconfiguration could lock out all users. Contact for more information.
Note: If an account is locked, attempts to log in will be denied. To activate the account,
an administrator must reset the password at the Users>Profiles page.
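The password strength, age, and warning rules above interact (for instance, the minimum length must leave room for every character-class count). The following added example, not Fidelis code, models those settings so an administrator can try a candidate policy against sample passwords before applying it; the policy values and passwords are constructed.

```python
"""Checks candidate passwords against CommandPost-style Password Strength and
age settings. Added example, not Fidelis code; policy values are constructed."""
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    # Strength counts; 0 disables a requirement, as on the Config page.
    min_length: int = 0
    upper: int = 0
    lower: int = 0
    digits: int = 0
    special: int = 0
    # Age settings in days; 0 disables expiration, warnings, or minimum age.
    expiration_days: int = 0
    warn_days: int = 0
    min_age_days: int = 0

    def length_accommodates_requirements(self) -> bool:
        """The guide's note: the minimum length must be large enough for all
        other requirements, otherwise no password can satisfy the policy."""
        needed = self.upper + self.lower + self.digits + self.special
        return self.min_length == 0 or needed <= self.min_length


SPECIAL_CHARS = set(string.punctuation)


def strength_failures(password: str, policy: PasswordPolicy) -> list:
    """Return the unmet strength requirements; an empty list means it conforms."""
    counts = {
        "upper": sum(1 for c in password if c.isupper()),
        "lower": sum(1 for c in password if c.islower()),
        "digits": sum(1 for c in password if c.isdigit()),
        "special": sum(1 for c in password if c in SPECIAL_CHARS),
    }
    required = {"upper": policy.upper, "lower": policy.lower,
                "digits": policy.digits, "special": policy.special}
    failures = []
    if policy.min_length and len(password) < policy.min_length:
        failures.append(f"length {len(password)} < minimum {policy.min_length}")
    for name, need in required.items():
        if need and counts[name] < need:
            failures.append(f"{name} {counts[name]} < required {need}")
    return failures


def age_status(days_since_change: int, policy: PasswordPolicy) -> str:
    """'ok', 'warn' (inside the warning window), or 'locked' (past expiration)."""
    if policy.expiration_days == 0:
        return "ok"
    if days_since_change >= policy.expiration_days:
        return "locked"
    if policy.warn_days and days_since_change >= policy.expiration_days - policy.warn_days:
        return "warn"
    return "ok"


def change_allowed(days_since_change: int, policy: PasswordPolicy) -> bool:
    """Minimum Age: a password cannot be changed until it has been in use this long."""
    return days_since_change >= policy.min_age_days
```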

Enable LDAP Authentication

If you would like to authenticate users via LDAP or Active Directory, you must enable LDAP
authentication and create a profile. To correctly set up authentication, you must have a thorough
understanding of your local directory server data structure. This can be obtained by using your
favorite LDAP/AD browser software.
Note: You also need to configure CommandPost to LDAP communication. Refer to
LDAP Configuration.
To enable LDAP Authentication:
1. Click Enable LDAP authentication and click Update.

Figure 63. CommandPost: Enable LDAP authentication


2. Enter the Login Prepend. The login prepend specifies the name of an attribute whose value
uniquely identifies the user across all profiles' base/filter settings.
For example, if the login prepend is: sAMAccountName=
Profile1 – Sales group
Base: CN=Users,DC=fidelissecurity,DC=com
Filter: memberof=CN=sales,DC=fidelissecurity,DC=com
Profile2 – Engineering group
Base: CN=Users,DC=fidelissecurity,DC=com
Filter: memberof=CN=engineering,DC=fidelissecurity,DC=com
In this example, users from the sales and engineering groups are allowed to log in. If a
user enters joeUser at login, the authentication process goes through all the LDAP profiles
and for each LDAP profile looks for the attribute sAMAccountName=joeUser on the LDAP
server.
The Login prepend setting can therefore be thought of as another filter which is internally
applied by the authentication process for each LDAP profile. In our example, joeUser must
be a unique value for LDAP attribute sAMAccountName for both sales and engineering
groups.

a. Enter the LDAP Base.
Members of a group can be represented using LDAP base/filter settings. In Active
Directory, users may have an attribute: memberof in their Active Directory record to
signify membership of a group. So the following example can retrieve all members of
the sales group.
Base: cn=Users,dc=fidelissecurity,dc=com
Filter: memberof=cn=sales,dc=fidelissecurity,dc=com
In this example, base points to root of all user records, and filter is applied to these
records returned from the base and therefore returns records of members of only the
sales group.
b. Enter the LDAP Filter to further define user attributes. The combination of Base and
Filter are used to define the set of users that fit this profile. You may use these
settings to identify a group of users, such as sales or engineering, or to define a
specific user for this profile. The values entered for Base and Filter depend on the
structure of your directory server.
Filter examples could be:
(|(mail=joe*)(mail=fred*)) This entry would return users with email beginning with joe
or fred.
(&(mail=joe*) (sn=b*)) This entry would return users with an email beginning with joe
and a last name starting with b.
Note: Please see rfc4515 (http://www.rfc-editor.org/rfc/rfc4515.txt) for more
examples of LDAP filter expressions.
3. Select an appropriate role for users identified by the Base and Filter. This determines access
to CommandPost functionality.
4. Select appropriate alert management groups. Users identified by the Base and Filter will be
able to access alerts in the selected groups. Refer to Alert Management Groups.
5. Select appropriate components. Users identified by the Base and Filter will be able to
configure and manage the selected components and access alerts from the selected
components. Refer to Define User Profiles.
6. Click Save.
7. Add other profiles as needed and click Save.
After a profile is defined, it will appear in the list of profiles. You can click a profile to expand it to
view all settings for this role and to access the Edit and Delete buttons which allow you to change
or remove the profile.
Important: Use caution in deleting a profile. Multiple users might use a single profile to
access CommandPost.
Note: The profile is applied when a user logs into CommandPost. Any changes to the system will not change the profile. Therefore, if new groups or components are added by an LDAP user, the user will retain access to the new group or components for the duration of the current session. Unless the user profile is updated, upon the next login the user will no longer have access to the new group or component.
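As an added example (not Fidelis code), the following Python evaluates the two Base/Filter profiles and the RFC 4515 filter examples from this section against a constructed three-user directory, and shows how the login name is AND-ed into each profile's filter as a further condition. The sample records and the case-insensitive matching are assumptions; only the &, |, !, equality, wildcard and hex-escape subset of RFC 4515 is parsed.

```python
"""Evaluate the Base/Filter profiles and the filter examples from this page
against a constructed directory.  Added example, not Fidelis code: the sample
records are made up, and matching is assumed to be case-insensitive as in
Active Directory.  Only the RFC 4515 subset used on this page is parsed:
&, |, !, equality, '*' wildcards and hex escapes."""
import re


def _user(login, mail, sn, groups):
    """Build one constructed directory record with the attributes the guide names."""
    return {"sAMAccountName": login, "mail": mail, "sn": sn,
            "memberof": ["CN=%s,DC=fidelissecurity,DC=com" % g for g in groups]}


BASE = "CN=Users,DC=fidelissecurity,DC=com"
DIRECTORY = {                           # constructed sample data keyed by DN
    "CN=joeUser," + BASE: _user("joeUser", "joe@fidelissecurity.com", "Bloggs", ["sales"]),
    "CN=fredUser," + BASE: _user("fredUser", "fred@fidelissecurity.com", "Adams",
                                 ["engineering"]),
    "CN=janeUser," + BASE: _user("janeUser", "jane@fidelissecurity.com", "Brown",
                                 ["sales", "engineering"]),
}
PROFILES = {                            # the two profiles shown on this page
    "Profile1 - Sales group": (BASE, "memberof=CN=sales,DC=fidelissecurity,DC=com"),
    "Profile2 - Engineering group": (BASE, "memberof=CN=engineering,DC=fidelissecurity,DC=com"),
}
LOGIN_PREPEND = "sAMAccountName"        # attribute the typed login name is matched against


def parse_filter(text):
    """Parse a filter string into ('&'|'|'|'!', children) or ('=', attr, value) nodes."""
    node, pos = _parse(text.strip(), 0)
    if pos != len(text.strip()):
        raise ValueError("trailing characters after filter")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":       # one or more nested filters
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")" or not children or (op == "!" and len(children) != 1):
            raise ValueError("malformed %s filter" % op)
        return (op, children), i + 1
    end = s.find(")", i)
    if end < 0:
        raise ValueError("missing ')'")
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr.strip():
        raise ValueError("bad simple filter item: %r" % s[i:end])
    return ("=", attr.strip(), value.strip()), end + 1


def _unescape(v):
    # RFC 4515 writes a special byte as a backslash and two hex digits.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def escape_value(v):
    """Escape a user-supplied assertion value so it is matched literally, not as a pattern."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in v)


def matches(node, record):
    """True if `record` (attribute -> value or list of values) satisfies the filter tree."""
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(c, record) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], record)
    _, attr, pattern = node
    values = next((v for k, v in record.items() if k.lower() == attr.lower()), [])
    values = values if isinstance(values, list) else [values]
    if pattern == "*":                          # presence filter
        return bool(values)
    # An unescaped '*' is a wildcard; everything else (after hex decoding) is literal.
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)


def search(directory, base, filter_text):
    """Return the DNs under `base` whose records satisfy `filter_text`."""
    tree = parse_filter(filter_text if filter_text.startswith("(") else "(%s)" % filter_text)
    suffix = "," + base.lower()
    return sorted(dn for dn, rec in directory.items()
                  if dn.lower().endswith(suffix) and matches(tree, rec))


def profiles_for_login(login, directory=DIRECTORY, profiles=PROFILES):
    """AND the login prepend into each profile's filter, as the guide describes, and
    report every profile that yields a match; more than one hit means the login
    name is not unique across the profiles."""
    hits = {}
    for name, (base, flt) in profiles.items():
        flt = flt if flt.startswith("(") else "(%s)" % flt
        effective = "(&%s(%s=%s))" % (flt, LOGIN_PREPEND, escape_value(login))
        dns = search(directory, base, effective)
        if dns:
            hits[name] = dns
    return hits
```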

RADIUS/TACACS+ User Profiles
After configuring RADIUS or TACACS+ authentication, you need to configure CommandPost for RADIUS/TACACS+ communication. Refer to RADIUS/TACACS+ Configuration.
1. Click Enable for RADIUS or for TACACS+ authentication and click Update.
2. Click Edit to select a Role, Group Assignments, and Component Assignments.

Figure 64. CommandPost: Enable RADIUS/TACACS+ authentication


3. Select an appropriate role for users. This determines access to CommandPost functionality.
4. Select one or more alert management groups. Refer to Alert Management Groups.
5. Select one or more components. Refer to Define User Profiles.
6. Click Save. Refer to RADIUS/TACACS+.

LDAP and RADIUS/TACACS+ User Expiration Management
By default, user accounts that are not local (such as LDAP or RADIUS) are removed after 45 or
more days of inactivity. All data associated with the user account is also removed. To change this:
Click Delete inactive user and specify a number of days after which the inactive user is deleted.
Uncheck Delete inactive user to prevent inactive users from being deleted.
Click Update.
Fidelis recommends that system configuration for notifications, including reports, should be
maintained from Local accounts and not those that are subject to removal after inactivity.



User Notification
CommandPost can be configured to generate a notification message to a user whose email
triggered an alert. The terms "user” and “end user” in this section refer to someone transmitting
data over the network on which your sensor is installed. In this section, “user” does not refer to an
authorized CommandPost user.
The CommandPost user notification feature is limited to alerts generated over email or webmail protocols. CommandPost can respond to each alert; however, when compression is active or when the violated rule does not include an alert action, CommandPost may not respond to every event.[40]
For end users receiving a notification message, the body of the message contains two sections: a
message that can be configured by a CommandPost administrator and details of the violating
email. The configurable message can be customized to include information appropriate for the
environment. The details section cannot be customized; it will include the From, To, Subject, and
time of the violating email.
To set up email notification:
1. Click System>Components>CommandPost>Config and click User Notification.

Figure 65. CommandPost: User Notification


2. Select the notification email for No, Alerts, Prevented or All.
• No: Disables this feature. No is the default setting.
• Prevented: Alerts with the action of alert and prevent generate email notification.
• Alert: Alerts with the action of alert generate email notification.
• All: All alerts generate email notification.
3. Enter a domain name to control who receives the email notification. You can provide an
unlimited number of domains by clicking Add domain. Only users in the specified domain
receive the notification.
If you do not enter a domain, a notification email is sent for every email alert. This may cause notification messages to leave the local network.
4. Select one or more email protocols from the list. CommandPost will send user notification
email for all alerts generated by the selected protocols. User notification would be generated
for the SMTP protocol if no email protocols are selected from the list.

[40] An event refers to a network violation detected by the sensor.
5. Enter a subject for the notification email. The default value is “You have violated company
protocol....”
6. Enter the body of the email by either entering text into the text box or by uploading a file.
7. Click Update.
Note: Some email systems will not deliver email when the sender cannot be
identified. If you have not properly configured CommandPost email, users may not
receive the notifications.

Add Component
You can add a second Fidelis XPS Vector and control it from your primary Fidelis XPS Vector.
The new Vector must be:
• A Vector appliance.
• Connected to a network and set up. Refer to the Vector Enterprise Setup and Configuration
Guide.
To add a Vector:
1. Click System>Components.
2. Select the embedded sensor and unregister it in your primary Fidelis XPS Vector appliance.
3. Click Add Component.
4. Select Vector from the drop-down list.
5. Enter a name, IP address, and an optional description for the second Fidelis XPS Vector.
The IP address identifies the second Vector to the primary Vector.
6. Click Register. The primary Vector attempts to communicate to the second Vector at the
specified IP address.
After the primary Vector begins to communicate to the second Vector, the status indicator
turns green and the Last Seen value indicates the time of the last communication.
The primary Fidelis XPS Vector appliance will function as a CommandPost to the newly
registered second Vector.
You can now configure the second Vector by clicking Config.
7. If needed, add the second Vector to user profiles.
For local Vector users:
After you add a second Vector, your user profile is automatically updated to include an assignment[41] to the second Vector. The system default user (admin) will also be assigned to the second Vector. Note: No other user will have access to the second Vector until the User Profile is updated. Refer to Define User Profiles.
For LDAP users:
If a second Vector is added by an LDAP user, this Vector will not be accessible to the LDAP
user after logout. To avoid this situation, LDAP users should update the appropriate profile to
set security settings to the second Vector. LDAP users may need to add profiles to establish
this access. If profiles are not updated before logout, only the system admin will have access
to the new Vector. Refer to User Authentication.

[41] In Fidelis XPS, an assignment maps policies to sensors on the CommandPost. Policies have no impact until they are assigned to a sensor and the sensor is updated. Assignment can also refer to user roles and assignments to resources.
Edit a Sensor or Vector
You can change the sensor name or IP address (if unregistered). You can also change the
description as needed.
To edit a local embedded sensor or Vector:
1. Click System>Components.
2. Select the sensor or Vector.
3. Click Edit Sensor.
4. At the Edit Sensor page, enter needed changes.
5. Click Save.
Note: After a sensor (or Vector) is renamed, all alerts associated with that sensor (or
Vector) are automatically associated with the new name.

Configure a Sensor or a Vector
To configure a sensor (or a Vector), click System>Components[42] and click Config for the selected sensor or Vector. You can select a configuration option by clicking the appropriate tab at the left sidebar menu on the Config page.
Note: The Config button only displays if the user permissions are adequate and if
there are no communication problems.

Runtime Information
The table at the top of a sensor (or a Vector) configuration page shows runtime information for the
sensor, the time since last restart, name, and how much activity has occurred. The type of activity
depends on the type. Time since last restart is the time since the last restart of Fidelis XPS
software. The information will automatically refresh every few seconds.

Figure 66. Runtime information


You can switch components from the Config page by choosing a different name in the drop down
box. When you click Go the component changes.

[42] Components enables you to set up licensing and configure Fidelis XPS components. This includes adding and registering Fidelis XPS sensors, setting password strength, configuring e-mail, and setting up user notification and LDAP, among other features.
Config Page
The configuration page provides access to the tabs listed below.
For products that contain an embedded CommandPost and an embedded sensor, the configuration
is located at CommandPost Config. Refer to Components.
License & Time
Sensor (or Vector) configuration
Alert Failover
Email Relayhost
Language Config
Logs
System Monitor

License & Time


License shows the Host ID information, the current license key, and an expiration date. Each
component requires a separate license.
When you initially install and register a Fidelis XPS Vector sensor the License Key field displays
<demo mode>.
To access the License & Time page:
Click System>Components>[sensor name or Vector]>Config and click the License & Time tab.
When you initially install Fidelis XPS Vector on CommandPost, CommandPost will run in demo
mode. A sensor or CommandPost remains in demo mode until a license key is entered.

Figure 67. The License and Time


Clicking Request License or the component's Host ID creates an email to
license@fidelissecurity.com, with the subject line automatically completed with the component’s
Host ID. Include in the body of the email your name, the location name and address, phone
number, and reseller name (if pertinent), and Fidelis Technical Support will respond within one
business day with a license key.
When you receive the license key, paste or type it exactly into the License Key box, and click Save.
If the information was entered correctly and matches the Host ID provided, the key will be
accepted. If there is a problem with the license, you will receive an error and the License Key field
will display <Invalid>.

Expiration
Fidelis XPS Vector begins displaying notices that your license will expire starting 60 days before
the expiration date. If you receive this notice, contact Technical Support to obtain a new license.

Modify a License Key
To make changes to your license key, for example after an entry error, enter a new license number in the License Key text box and click Save. Changes to license keys should be made with great care.

Demo Mode
If no license key is detected, the sensor and the CommandPost will operate in demo mode. The
sensor does not function in demo mode. A CommandPost in demo mode will not accept alerts from
any sensor and will only accept statistics.

Sensor Time
Click Sync time to synchronize sensor and CommandPost times. This can be done for each sensor
that has no access to other time synchronization methods such as NTP. If the sensor is
synchronized with CommandPost, a message displays indicating this and the Sync time button will
not be available. If the sensor and CommandPost are not synchronized, a message indicates this
status and the Sync time button becomes available.

Local Embedded Sensor or Vector
To access the Local Embedded Sensor or a Vector, click System>Components, select Vector and click Config.
Ensure that it is enabled and select active interfaces.

Figure 68. Vector Connectivity in Inline Mode



Figure 69. Vector Connectivity in out-of-band mode

Table 17. Vector Parameters

Parameter: Description

Enable Vector: Click to enable.

Inline Mode/Out-of-Band Mode: Choose the setting that reflects the network configuration of your module. Out-of-Band mode is used for monitoring via a network tap or SPAN port, while inline is used when the component is directly in the network flow. When a component is deployed inline, prevention is performed by dropping packets received on offending sessions.
Note: To activate inline mode, the component must also be operating in full duplex mode.
Inline mode also enables you to use a Bypass NIC, if supported by your appliance. The statement Bypass Card on Sensor: Available indicates that the appliance supports this capability. After clicking the checkboxes for the Bypass NIC interfaces, select the failure mode: either Drop Packets or Fail-to-wire. Refer to chapter 3 in the Vector Enterprise Setup and Configuration Guide for information about connecting and configuring a Bypass NIC.

Throttle Mode: When Inline Mode is chosen, the Throttle Mode checkbox displays if available. Throttle is typically used to identify applications (such as peer-to-peer or instant messenger) that are allowed on the network, but to control their use by throttling activity to an acceptable level. Throttle mode enables the sensor to react to throttle rule actions. If throttle mode is disabled, the component will ignore the throttle action.

Link Failure Propagation: In Inline mode, if one link is down, the sensor cannot forward traffic. When Link propagation is enabled, if one link goes down (link 1) the other link (link 2) will be brought down so that the other device will know that the link is broken. The sensor then starts sending notifications to Vector. If link 1 recovers, it will restore link 2 and the sensor will stop sending error notifications.

Primary TCP Reset: When checked, TCP Resets are enabled to provide prevention, as indicated by the action setting when a rule is violated. When TCP resets are used for prevention in out-of-band mode, you must specify the dedicated Ethernet interface (Prevent /eth1) used for packet injection. Make this choice at the drop-down menu. When used in Inline Mode, the sensor will inject TCP Reset packets (in addition to dropping received packets) to implement prevention. In Inline Mode, the component will choose the correct Active interface for injection of reset packets based on the information flow.

Secondary TCP Reset: When a second reset is enabled, resets will also be sent to the chosen Ethernet interface. This setting should only be used when the sensor is physically connected to a redundant network.

Active Interfaces: Active Interfaces determine which Ethernet adapters the component will monitor. Click the appropriate checkboxes to select interfaces. One adapter, such as Monitor A /eth2, indicates that the component is listening in half duplex mode. Two adapters, such as Monitor A /eth2 and Monitor B /eth3, indicate full duplex mode. Messages in brackets indicate the interface type and whether or not it is available.

Bypass Card on Sensor: Indicates either Available or Not Available. If your appliance supports this capability, the sensor configuration page on CommandPost will indicate: Bypass Card on Sensor: Available.

Select Failure Mode for the Bypass NIC: Configuration of the Bypass NIC includes the operation in case of a power or software failure. If needed, you can also immediately set the NIC into bypass mode. After clicking the checkboxes for the Bypass NIC monitors on your appliance, select the failure mode: either Drop Packets or Fail-to-wire. Refer to chapter 3 in the Vector Enterprise Setup and Configuration Guide for information about connecting and configuring a Bypass NIC.

Alert Failover
When the sensor cannot reach a CommandPost, its default operation is to store data locally until
the connection is restored. If an Alert Failover is configured, the sensor will begin to send data to a
backup CommandPost.
To set up a backup CommandPost:
1. Identify a primary and a backup CommandPost for each sensor.
2. Add the sensor to both the primary and backup CommandPost systems. Refer to Add a Vector. The sensor name should be the same on the primary and the backup CommandPosts. If the sensor names differ, spools from the sensor are rejected by the backup CommandPost.
Note: Do not register the sensor to the backup CommandPost.
3. On the primary CommandPost, register the sensor. Refer to Add a Vector. The registration process identifies the primary CommandPost.
4. On the primary CommandPost: Click System>Components>[sensor name or Vector]>Config and click the Alert Failover tab.


Figure 70. Alert Failover
5. Enter the IP address of the backup CommandPost.
6. Click Save.
When the configuration is saved the sensor will operate normally and send alert
information to the primary CommandPost. The primary CommandPost is identified by the
registration process.
Clicking Reset will revert to the last saved IP address for the backup CommandPost.
Failover operation proceeds as follows:
a. The sensor attempts to connect to the primary CommandPost to transfer alerts but this
attempt fails.
b. The sensor then attempts to connect to the backup CommandPost. If successful, data will
be sent to the backup CommandPost. All alerts will be sent to the backup until the sensor
reconnects to the primary CommandPost. The sensor will repeatedly attempt to reconnect
to the primary CommandPost.
If neither the primary nor the backup CommandPost can be reached, data will be stored on
the sensor.
During failover operations, the sensor will continue to operate under its most recent configuration change. Configuration changes cannot be performed by the backup CommandPost. Failover data refers to all data sent from a sensor to a CommandPost, including alerts and network statistics.

Email Relayhost
Email Relayhost will direct email from System Monitor for each sensor to the email server you
specify. Only one entry is allowed for Relayhost.
To access this page:
Click System>Components>[sensor name or Vector]>Config and click the Email Relayhost tab.

Figure 71. Email Relayhost


Enter an IP address or a host name to specify an email server on your enterprise's network. Any
outgoing email will be forwarded to the specified server.
Clicking Reset will revert to the last saved IP address or host name.



Sensor Language Configuration
Sensor language configuration enables the sensor to recognize content using international
character sets. There are two modes of operation:

• In ASCII mode, the sensor will recognize ASCII characters in any file. This mode provides the
optimal performance of your sensor and works well with most files written in English. Files
written in another language may be interpreted as binary files and the content will not be
decoded.

ASCII mode is the default setting for the sensor.


• In International mode, the sensor will recognize Unicode (UTF-8, UTF-16, and UTF-32)
characters as well as all supported character sets. When International mode is selected, a list
of summarized character sets will appear. The list of supported character sets is available
within each summary.

Many files and Internet protocols will indicate the character set used within the content,
although this information may not be visible within user application. For these files and
protocols, the sensor will correctly interpret the content in International Mode, as long as the
character set is supported.

If the character set is not specified in the file or protocol, the sensor will attempt to translate
the content using the character sets that you specify on this page. If you specify many
character sets, the sensor will use each one, first translating, then decoding, and analyzing.
This process may be time consuming and may impact sensor performance.

To operate in International mode, you must select at least one character set to be used when
the character set cannot be determined from the file or protocol.
Language Config settings are done separately for each sensor since each may need to have
different language settings based on their physical location and the expected content at each site.
Language configuration must also be done separately for CommandPost. Refer to CommandPost
Language Configuration.



To set up sensor language configuration:
1. Click System>Components>[sensor name or Vector]>Config and click the Language Config
tab.

Figure 72. Language Configuration for the Sensor


2. Click International Mode to display the summarized list of all supported character sets. Each
summarized list can be clicked to display specific character sets.
3. Select one or more and click Add. Your selection displays in the text box on the right.
Use the arrow keys to change the order of the selected character sets or to remove a
selected set. The order is used when the sensor attempts to decode a file or protocol whose
character encoding cannot be determined.
4. Click Save.
5. Repeat as needed for each sensor.



Logs
Logs enables you to view log files from a sensor or from CommandPost that reside in different directories, including /FSS/log and /var/log, among others. Log files can help in troubleshooting problems and are a valuable resource when interacting with Fidelis Technical Support. After retrieving a log file, you can send it via email. Fidelis support is the default email recipient of all log files.
To retrieve logs:
1. Click System>Components>[sensor name or Vector]>Config and click the Logs tab. You can
view logs for another component by selecting it at the Component list.
2. Select a file from the Log Files list.
3. Click Invert Log to reverse the order of log entries, if needed.
4. Click View Log. The selected log entry displays and the Email Log button is available.

Figure 73. Logs

Create Debug Log
In some circumstances you may need to send a large collection of logs to Fidelis Support for problem diagnosis. The Debug Log button makes it easy to generate a single archive of many logs and transfer it to your local workstation.
To do this:
Click Create Debug Log.
A popup message states that creating a system debug log file may require several minutes. Click OK to continue to generate the debug log.



When the debug log is successfully generated, you can click Download and either open the file or
save it.

Send Logs
You can view the log and send it via email.
To do this:
1. After retrieving a log file, click Email Log. The Send Log dialog box displays.

Figure 74. Email Logs


2. Enter the desired email addresses. The default recipient address is
support@fidelissecurity.com and the default sender email address is defined at the
CommandPost>Email Config page.
3. Enter a subject, if needed.
4. Click Send.
The log file displays in the body of the email message.
The log file is sent as an email attachment.



System Monitor – Sensor or Collector
System Monitor is used to monitor the activity and health of a sensor. It monitors a component's status including disk space, process restarts, and statistics counts. It attempts to make sure that the system is running smoothly. If not, it can send warnings in a number of different ways.
By default, System Monitor writes all of its messages to the standard system log file. In addition, it
can be configured to write to a remote system log file, to send an email, and to send an SNMP
message.
From System Monitor, you can also shut down the system.
To access System Monitor:
Click System>Components>[sensor name or Vector]>Config and click the System Monitor tab.

System Logging (OS)
System Logging of operating system notifications is available on your CommandPost. The information produced concerns the underlying operating system on the appliance. The information will be written to the system log on CommandPost and can be configured to write the log to a remote server. Fidelis software notifications are not monitored at this tab.
System logging is performed by syslog-ng. Prior versions of Fidelis XPS used rsyslog, however,
rsyslog is being phased out.
If you previously enabled rsyslog, it will still be used as your operating system logger. However, it is
recommended that you switch to syslog-ng as rsyslog will be removed in a future release. Uncheck
rsyslog and click Save to enable syslog-ng. You will not be able to switch back to rsyslog.

Figure 75. System Monitor: System Logging


1. Enter a remote server to send logs. You can leave this value empty. System logging still
occurs if you do not make an entry for the remote server, but there is no remote logging. If
you do make an entry, ensure that you use a valid host name or IP address. If the host name
or IP address is not correct, syslog-ng stops running and this will be indicated in the status.
A sample entry is:
udp:host<:port> [Use UDP, default port 514]
udp:IPaddress<:port>
2. Click Save.
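Because an incorrect host name or address stops syslog-ng, and with it OS logging, it is worth checking the remote server value before clicking Save. As an added example (not Fidelis code), this Python helper parses an entry in the udp:host<:port> form shown above and rejects malformed hosts and ports; the host-name rules it applies (RFC 1123 labels) and the bracketed IPv6 form are assumptions, since the guide does not spell out what the field accepts.

```python
"""Validate a System Logging remote server entry of the form udp:host<:port>
before saving it (added example, not Fidelis code).  The page shows only the
udp: prefix, so that is the only transport accepted; the host-name rules
applied (RFC 1123 labels) are an assumption about what the resolver accepts."""
import ipaddress
import re

DEFAULT_SYSLOG_PORT = 514            # the default port named on the page
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _valid_hostname(name):
    """RFC 1123 host name: dot-separated labels of letters, digits and inner hyphens."""
    if not name or len(name) > 253 or name.endswith(".") or re.fullmatch(r"[\d.]+", name):
        return False                 # all-digit names are treated as a malformed IPv4 address
    return all(_LABEL.match(label) for label in name.split("."))


def parse_remote_entry(entry):
    """Return ('udp', host, port) for a usable entry or raise ValueError.

    Accepted shapes: udp:host, udp:host:port, udp:IPv4, udp:IPv4:port,
    udp:[IPv6] and udp:[IPv6]:port.  A missing port defaults to 514.
    """
    transport, sep, rest = entry.strip().partition(":")
    if not sep or transport.lower() != "udp":
        raise ValueError("entry must start with 'udp:'")
    bracketed = re.fullmatch(r"\[([^\]]+)\](?::(.*))?", rest)
    if bracketed:                    # udp:[2001:db8::1]:514
        host, port = bracketed.group(1), bracketed.group(2) or ""
        ipaddress.IPv6Address(host)  # raises ValueError for a malformed address
    else:
        host, _, port = rest.partition(":")
        if ":" in port:
            raise ValueError("IPv6 addresses must be written in [brackets]")
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            if not _valid_hostname(host):
                raise ValueError("invalid host name or IP address: %r" % host)
    if port == "":
        port_num = DEFAULT_SYSLOG_PORT
    elif port.isdigit() and 1 <= int(port) <= 65535:
        port_num = int(port)
    else:
        raise ValueError("port must be a number from 1 to 65535: %r" % port)
    return ("udp", host, port_num)


def is_valid_entry(entry):
    """Convenience wrapper: True if the entry would be accepted, else False."""
    try:
        parse_remote_entry(entry)
        return True
    except ValueError:
        return False
```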



Shutdown
This page enables you to restart all Fidelis Services.

Figure 76. System Monitor: Shutdown


You can also shut down the component or reboot. Items to consider:
• You can shut down or reboot a sensor.
• Order does not matter when shutting down or rebooting sensors.
• For Shutdown, you need physical access to the component to start it again.



Chapter 12 Malware
From this chapter section, you can enable and configure the following:
Execution Forensics—select file type for automatic submission to Execution Forensics.
Reaction—configure malware action for each alert severity.
Host Activity—configure Host Activity to integrate with the Carbon Black server.
File Check—upload files from your workstation and submit to the MDE for analysis.

Execution Forensics
Execution Forensics uses an external sandbox technology to execute files and determine if the
behavior is malicious. When Execution Forensics is enabled, confirmed hits from the Malware
Detection Engine (MDE) are sent to Execution Forensics for analysis. In addition, highly suspicious
files are sent to Execution Forensics to determine if the behavior is malicious. You can manually
submit any file from the Alert Details page for analysis. You can change the default so that only
specified file types are automatically analyzed. You can select from three options:

• All supported file types (the default) – automatically sends all supported files to Execution
Forensics for analysis. For a list of supported file types, click Selected file types to view.
Note: Java-Class files can be analyzed only if they are contained within a valid JAR
file.

• No files – No files will be automatically sent for analysis. You still have the option of sending
files for analysis at the Alert Details page if execution forensics is enabled and a valid
execution forensics license has been entered.
• Selected file types – Click and select file types from the list. The files you select will be sent
automatically for analysis. You can send other files for analysis at the Alert Details page.
When the Malware Detection Engine on a Fidelis XPS sensor determines that a file is highly
suspicious, but cannot determine if the file is malicious, the file will be sent to Execution Forensics
for determination. The rationale for sending the file and the determination of malicious behavior is
embedded within the MDE. You may disable this function by unchecking the checkbox: Use for
Determination at System>Malware>Malware Detection. This checkbox will only appear if Execution
Forensics is enabled.
Note: Execution Forensics is only performed when a valid Execution Forensics key is
entered. This applies to automatic and manual file submissions.



Reaction
Reaction enables you to select an action and assign an Alert Management Group for malware
alerts detected by the Fidelis XPS sensor. Malware Reaction is configured for each of the four alert
severities. By default, all alerts are assigned to the default alert management group and the
reaction is Alert.
If your sensor is incapable of Malware detection, then detection is performed by CommandPost and
the configuration on this page does not apply. To verify that your sensor is capable of detecting
Malware, check the sensor.

Figure 77. Malware Reaction Configuration

Configure Malware Reaction


1. Select an action: either Alert or Alert and Prevent.
Alert: An alert is generated upon malware detection. All information about the violating
transmission will be sent to CommandPost and can be accessed through the Alert page.
Alert and Prevent: Prevent takes the following actions, based on sensor type and the sensor configuration. Refer to Local Embedded Sensor or Vector for information on sensor configuration.

• A Direct or Internal sensor in out-of-band mode with TCP Reset enabled: the sensor
issues TCP reset packets to kill the session. If TCP Reset is disabled: the prevent
action has no effect.
• A Direct or Internal sensor in inline mode: the sensor drops all incoming packets for
the remainder of the TCP session. If TCP Resets are enabled, the sensor will also
issue reset packets to the appropriate endpoint to more efficiently terminate the
session.
• A Web sensor, including the Web sensor within an Edge sensor, cannot perform
prevention on malware.
2. Select an Alert Management group to associate with any resulting alerts. Refer to Define
Alert Management Groups.
3. Continue for each severity level.
4. Click Save.
The selected alert management group and reaction will apply to all registered sensors. If new
sensors are added at a later date, the configured malware reaction will be applied immediately after
registration.



Host Activity
The Host Activity page enables you to configure the Carbon Black server and the Bit9 server to
integrate with Fidelis XPS.

Carbon Black
By integrating with the Carbon Black server, Host Activity Monitor Configuration can detect if
malware seen on the network actually reaches the endpoint and if it is written to disk or executed.
The Host Activity report from Carbon Black is only available when actual malware (whose MD5 matches the alert MD5) is saved to disk or executed. If, however, the malware is contained in a zip, tar, or other container file, saving the container file will not trigger a Host Activity report. Even when a report is triggered, a delay can occur in receiving a Host Activity report depending on the Carbon Black client.
You need to enable and configure access to the Carbon Black server at CommandPost. To do this:
1. Click the checkbox for Carbon Black Integration.
2. Enter the URL for the Carbon Black server.
3. Enter the token for authentication on the server.
4. Click Use Proxy if the server is outside of your network.
5. Click Verify Certificate if the Carbon Black server uses a verifiable certificate.
6. Click Save.

Bit9
By integrating with the Bit9 server, the Alert Details page will show a link to Bit9 server next to the
MD5 in alerts for exe files. The link will take users to the Bit9 console and search for that MD5.
You need to enable and configure access to the Bit9 server integration at CommandPost. To do
this:
1. Click the checkbox for Bit9 integration.
2. Enter the server name. Server names must start with an alphanumeric character.
Alphanumeric characters and special characters such as _ - . and : are allowed.
3. Click Save.

File Check
This feature enables you to upload any file from your workstation and submit it for malware
analysis. Click Browse or Choose File (depending on your browser) to navigate to a file on your
workstation.
To submit a password-protected ZIP file for analysis, click the checkbox next to Password
protected ZIP? and enter the password into the text box. This unzips the password-protected ZIP
file and enables you to submit it for analysis.
Only traditional PKWARE encryption, also known as standard zip 2.0 encryption or ZipCrypto is
supported for this functionality.
Click Upload.
The file is sent to the Malware Detection Engine (MDE). When MDE completes its analysis, a link
displays stating that the results are available in an alert.
Click the link to open the Alert Details page for that alert.
Files scanned by File Check and found to be malicious are added to the list of files to alert or
prevent for all sensors registered to this CommandPost if Malware Reaction is configured. Refer to
Malware Reaction.
The alert generated by File Check is like any created by Fidelis XPS with the following exceptions:

• The sensor name will be set to [CommandPost]. This name will not appear as a sensor
elsewhere in the system.

• The Target column at the Alert List will display File Upload.
• The Malware Information section will always be present. If Malware was not detected, the
Malware section will state this.
• Files will not be automatically sent for Execution Forensics, regardless of the configuration at
System>Malware>Execution Forensics. All alerts will include a button to submit the file
manually. The execution will determine if the file can be executed and will return an error for
files that cannot be executed.
• One alert will be created for the uploaded file, which will contain results. If the file is an archive
file, such as a zip, rar, or tar file, one alert for each malicious file will be generated. These
alerts will appear as related alerts on the Alert Details page. Note that benign files within the
archive file will not create new alerts.

Chapter 13 Version Control
With Version Control, you can manage the software version of Fidelis XPS Vector components.
• The Install page enables you to install a new version of Fidelis XPS Vector software.
Installations can be done at the click of a button or scheduled for installation at a future
time.
• The Scheduled Installs page provides the ability for you to view and cancel scheduled
software installations.
• The Download Control page enables you to configure and manage automatic notifications
about new versions of Fidelis XPS Vector software.
• The File Management page provides the ability for you to manually upload and manage
installation packages.
The software installation process is performed as follows:
• First an update package is copied to the CommandPost Management Console. This
process can be performed automatically if Download Control is properly configured for
automated download. The package can also be manually uploaded to CommandPost using
File Management.
• Once installation begins, CommandPost will copy the package to the desired component.
This operation is performed as part of the installation process. The time required for this
operation depends upon the network bandwidth available between CommandPost and
registered components.
• When the package reaches the intended component, the component will then be shut
down, installed, and restored to functionality at the new version. For a sensor, this process
typically requires a few minutes. For a CommandPost or Collector, the process requires
more time and depends on the amount of data stored by the device. Refer to the specific
release notes associated with the software version for detailed information about installation
times.
• Update packages can be quite large. Fidelis XPS Vector components can store, at most,
one update package at a time. Therefore, it is not possible to update some components to
one version while updating other components to a different version.
• When you install on CommandPost, the screen will be redirected to a status page. All users
currently logged onto the CommandPost Management Console and any user that attempts
to log on during the installation process, will be directed to the same screen.

Fidelis Release Naming Conventions


Fidelis provides software updates in the following forms:

• Major releases provide new capabilities for Vector. These releases are identified by two-digit
version numbers, for example, versions 7.0, 7.1, and 7.2. Updates must be installed on
systems running the last major release.
Updates should always be applied in sequence from version 7.0 to 7.1 to 7.2 and so on.
Refer to the latest Release Notes for information.
• Minor releases provide minor features and correct known software problems. These releases
are identified by the third number in the version, for example 7.2.1 and 7.2.2. Updates are
usually applied to the last major release, not necessarily the last minor release. For example,
you may install version 7.2.3 on a system running 7.2.1 without installing the 7.2.2 version.
You may also install version 7.2.3 on a system running any version of 7.1. Refer to the
Release Notes for specific instructions as this may not always apply.
• Patch releases provide fixes for known issues, which may be software problems or may be
the result of a change in proprietary network protocols such as webmail, peer-to-peer, instant
messenger, and social networking protocols. Patch releases are given the version number of
the last release followed by a patch date. For example, 7.2.1-20120924. Patch releases must
be installed in a system running the version stated in the version (7.2.1 in the example). Patch
releases do not need to be installed in any order. All patches will become available in a future
release in one of the categories listed above.
Generally, patches are made available on a limited basis to specific customers that
experience a problem that requires an immediate patch. Once the problem is confirmed, the
fixes will be made generally available in the next major or minor release. Generally available
releases will be available for automated download if enabled using Version Control. Patches
will need to be installed using the manual file upload process.

Installing Fidelis XPS Vector Software


Version Control enables you to install software to CommandPost, subordinate CommandPosts, and
any components registered to CommandPost or its subordinate CommandPosts.
Depending on your system load and network bandwidth between CommandPost and sensor,
installing a sensor may take a few minutes to an hour to complete. Installing CommandPost can
take between a few minutes to several hours, depending on the number of alerts in the system and
the specific features added in the new software version. These times can increase significantly if
the network bandwidth between CommandPost and registered components is slow. Refer to the
Release Notes of each release for time estimates.
After a sensor update, it will begin to process traffic immediately. Alerts will not be sent to
CommandPost while it is being updated. In this case, alerts will be stored locally. When the
CommandPost update is complete, all alerts stored on sensors will be sent.
Ideally, all system components are running the same software version. Updates do not need to be
performed in parallel, but all registered components must be upgraded before CommandPost. If
you have a Subordinate CommandPost, you must first update all sensors registered to the
Subordinate, then the Subordinate CommandPost, then sensors registered to the Master
CommandPost, and finally the Master CommandPost. Everything registered to the Master must be
updated before the Master CommandPost.
If you choose all components to Install Now or to schedule an install time, the installation process
will choose the correct order for installation. Each component will be installed in sequential order to
minimize the bandwidth requirements on your network for transfer of install files to each
component.
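The release naming rules (Fidelis Release Naming Conventions) and the install-order rule above, as an added Python example that is not Fidelis code: parse_release reads identifiers such as 7.2.1-20120924, upgrade_allowed checks one install step against the stated sequencing rules, and install_order sequences components so that everything registered to a CommandPost is updated before it. The reading of "last major release" as X.(Y-1), the Component roles, and the sample names are this example's own assumptions; the Release Notes for a version take precedence over these rules.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches 7.2, 7.2.1 and 7.2.1-20120924 (major, minor, optional point, optional patch date).
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d{8}))?$")


@dataclass(frozen=True)
class Release:
    major: int                        # 7 in 7.2.1
    minor: int                        # 2 in 7.2.1; the guide calls X.Y (7.0, 7.1, 7.2) a major release
    point: int = 0                    # third number; 0 means a major release such as 7.2
    patch_date: Optional[str] = None  # YYYYMMDD suffix of a patch release

    @property
    def kind(self) -> str:
        if self.patch_date:
            return "patch"
        return "minor" if self.point else "major"

    @property
    def base(self) -> "Release":
        """The release a patch was built on: 7.2.1 for 7.2.1-20120924."""
        return Release(self.major, self.minor, self.point)

    @property
    def line(self) -> Tuple[int, int]:
        """The major line (7, 2) that all 7.2.x releases belong to."""
        return (self.major, self.minor)

    def __str__(self) -> str:
        text = f"{self.major}.{self.minor}"
        if self.point:
            text += f".{self.point}"
        if self.patch_date:
            text += f"-{self.patch_date}"
        return text


def parse_release(text: str) -> Release:
    match = _RELEASE_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a Fidelis release identifier: {text!r}")
    major, minor, point, date = match.groups()
    return Release(int(major), int(minor), int(point or 0), date)


def upgrade_allowed(installed: Release, target: Release) -> Tuple[bool, str]:
    """Check one install step against the guide's sequencing rules.
    A system running a patch (7.2.1-20120924) counts as running its base
    release (7.2.1). Assumption: the "last major release" before X.Y is
    X.(Y-1); the guide only shows 7.0 -> 7.1 -> 7.2, so a step into a new
    X is reported as not allowed and left to the Release Notes."""
    have = installed.base
    previous_line = (target.major, target.minor - 1)
    if target.kind == "patch":
        # Patches go only onto the release named in their version, in any order.
        if have == target.base:
            return True, f"patch applies to {target.base}"
        return False, f"patch {target} requires a system running {target.base}"
    if have == target:
        return True, "reinstall of the current version (package must be on the local disk)"
    if target.kind == "major":
        # Major releases are installed in sequence on the previous major release.
        if have.line == previous_line:
            return True, f"{have} is the last major release before {target}"
        return False, f"{target} must be installed on {previous_line[0]}.{previous_line[1]}"
    # Minor release: a lower point release of the same line, or any release of the previous line.
    if have.line == target.line and have.point < target.point:
        return True, f"{target} can be applied to {have} without intermediate minor releases"
    if have.line == previous_line:
        return True, f"{target} can be applied to any {previous_line[0]}.{previous_line[1]} release"
    return False, f"{target} cannot be applied to {have}; check the Release Notes"


@dataclass(frozen=True)
class Component:
    name: str
    role: str                            # "sensor", "subordinate" or "master"
    registered_to: Optional[str] = None  # CommandPost a sensor is registered to


def install_order(components: List[Component]) -> List[str]:
    """Sequence an install: sensors on a Subordinate, the Subordinate, sensors
    on the Master, then the Master. Names break ties so the order is stable."""
    subordinates = {c.name for c in components if c.role == "subordinate"}

    def rank(c: Component) -> int:
        if c.role == "master":
            return 3
        if c.role == "subordinate":
            return 1
        return 0 if c.registered_to in subordinates else 2

    return [c.name for c in sorted(components, key=lambda c: (rank(c), c.name))]
```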

Prepare to Install
Before proceeding with the installation, refer to the Release Notes associated with the software
version. Release Notes contain information specific to the software version and describe any
procedures you might need to follow before installing.
To prepare for the installation:
If you plan to manually download installation files:
• Download the Fidelis XPS Vector update installation file from:
www.fidelissecurity.com/support to a folder on your local workstation. Refer to File
Management.
To use automatic downloads:
• Set up credentials and configure automatic downloads at Download Control.
Log into the CommandPost as a system administrator. Your role must provide access to Version
Control [43] to proceed.
The installation process automatically saves configuration data stored in the database such as
users, and sensors. If the update fails, the automatic rollback procedure restores configuration data
and returns the system to its previous working version.

[43] Version Control enables you to update the CommandPost and Fidelis XPS sensors.
Install
The Install page enables you to install software that is available. If you have enabled automated
notifications at Download Control, available software will include all applicable software versions
listed on the Download Center. If you have not enabled automated notifications, available versions
are relative to the file uploaded at File Management.
The Release Notes for all available versions are available by clicking the button on the bottom left
of the page. If no new versions are available, there will not be a Release Notes button. Click the
button to view a list of all available versions and release notes. Click Download Release Notes to
download the PDF of the release notes to your workstation. For the version available on the local
disk, the release notes will be extracted from the package and provided to you. For all other
versions, the release notes will be downloaded from the Download Center.
For each component, the following information is displayed:

• A checkbox to select a component for installation. The checkbox is disabled if no new
software versions are available for this component or if the component is down. The checkbox
will also be disabled if there are ongoing installations or scheduled installations on this
component.
• The component name, IP address, and current version installed on the component.
• The software versions available to be installed on the system. If there are no versions
available, the associated checkbox will be disabled and a message of No Updates Available
displays. If you choose the component for installation, select from the available versions for
installation.
• Clicking a row displays Component Details that list applied patches, the OS version, and
when the last installation occurred. Clicking the View Log button enables you to see a log file
that provides the history of installations on the component. The log is provided in reverse
chronological order, displaying the most recent installation at the top. Each installation
includes a header that indicates what time the install started and a footer to indicate when the
install finished. Note: the install header and footer were added in version 7.7; any installation up
to and including the installation to version 7.7 will only indicate the completion time of the
install.
Clicking the Email Log button enables you to send the log file as an email attachment. At the
Email Log popup, the To address is Support, From is the address defined at the
CommandPost>Email Config page, and Subject is the component name and the results of
the last install.

If Available Version displays: Not Operational, this indicates that the component is not
available for software installation. Check the component status by hovering the cursor over
the System Status and then hovering over the component health diamond.

Figure 78. Install

Install Now
To perform an installation:
1. Select the components you wish to install by using the checkbox next to each component.
2. Select the version to install for each selected component. The same selection must be made
for all components.
Note: It is possible to reinstall the current version if the update package for the
version is currently stored on the local disk.
3. Click Install Now to proceed with the install.
4. Click Install at the confirmation dialog box to proceed or Cancel to stop.
5. After the Install completes, information about the last installation will appear in place of the
status. A pop up message will tell you that the install is complete.
6. Click OK at the popup to reload the Install page. Click View Log to see details.

Schedule an Install
Software installation can be scheduled for a date and time in the future.
To schedule an install:
1. Click System>Version Control>Install.
2. Select the appropriate components.
3. Select an available version for each component.
4. Click Schedule Install.

Figure 79. Schedule Install


5. Enter a date and time into the text box or select from the calendar. The entry must be at least
10 minutes in the future.
Note: You might want to schedule an update during off peak hours, especially for
CommandPost.
6. Click Done when you finish selecting the date and time.
You can view or, if needed, delete scheduled installs at Scheduled Installs. When the scheduled
time arrives, status is available as described in Install Now.

Update Progress
Status screens display for all components and these screens vary for each.

CommandPost Management Console


When an update is in progress for the CommandPost Management Console, a status screen
displays that provides messages about the status of the update. All users attempting to use
CommandPost will see this screen. You cannot access CommandPost until the Install completes.

Figure 80. Update in Progress: CommandPost


When complete, a message indicates if the update was successful.
Click Return to Login to access CommandPost. You will need to either clear the browser cache or
restart your browser for proper operation of the new version of CommandPost.

Vectors
Update status for Vector. Click Return to Login to access Vector.

Figure 81. Update in Progress: Vector

Scheduled Installs
Click to see a list of scheduled installs.

Cancel Scheduled Installs


You must cancel a scheduled install before scheduling another one for the same component.
To cancel a scheduled install:
1. Click Scheduled Installs. A list displays of all scheduled installs.
2. Click Delete next to the appropriate install.
3. Click OK at the confirmation dialog box. Clicking Cancel stops the procedure.
You can now perform an Install or schedule another job.

Download Control
At Download Control, you can enable CommandPost to automatically check for and download the
latest update packages. When configured, CommandPost will periodically access the Download
Center to check for new updates. If a new update is detected, an icon will appear on the top right of
every CommandPost page.
If you do not want to set up automatic downloads, ensure that Never is selected at Check for
Updates. Never is the default setting. You can manually download updates from Technical Support
and save them to your workstation. Refer to File Management.
Before configuring downloads, you must set up credentials.
To configure downloads:
1. Determine when you want to check for updates. You can select daily, weekly, or monthly.
For daily, select a time. For weekly, select a day of the week and a time. For monthly,
specify the day of the month (1 through 31) and a time. Simply checking for updates does
not impact the system in any way. However, if you choose to download new packages, you
should configure the operation for off-peak times.
2. Select an action when a new download is available either: Notify Only or Notify and
Download the Update Package.
If you select Notify Only, an email will be sent when a new software version is detected and
the icon on the top right of CommandPost will change to reflect the new version availability.
When you choose to install this version, the package will first be downloaded to
CommandPost which may extend the installation time depending on network bandwidth
between CommandPost and the Download Center.
If you have a slow network connection to the Download Center, the recommendation is to
download the package automatically when detected at off-peak times.
3. Enter the email address for notifications. This is the email address that will receive a notice
when a new version is available.
4. Enter Download Credentials. This is necessary to download the update package, either at
the time of detection or at the time of installation. These credentials are the same as those
used to log into: http://www.fidelissecurity.com/support/login. If you do not enter Download
Credentials, you may be notified of new software availability, but you must use the manual
download process. Refer to File Management.
To change download credentials:
Click the box next to Click to change credentials. Two text boxes display.

Figure 82. Download Control: Credentials


To verify that CommandPost can access the Download Center:
Click Check Now. A list of new versions and release notes displays. If it does not, check your proxy
settings at Proxy Config and verify your network and firewall settings.

Select from the list and click Download. Download will only be operational if Download Credentials
are entered.

File Management
File Management enables you to manually upload software installation packages and manage the
packages stored on the local disk. CommandPost can only support one file on disk at a time, which
may be the result of an automated download from the Download Center or a manual upload. If
multiple files are detected, you will need to remove all but one to perform installations.
To manually upload the installation package:
1. Download the Fidelis XPS Vector installation file from the Download Center at:
www.fidelissecurity.com/support to your local workstation. Contact Technical Support if you
cannot access this address or are not sure which file to download. Release Notes are
available from the Download Center.
Files available on your workstation can be uploaded at File Management.
2. Click Upload New File and a dialog box will appear.
3. Enter the file from your workstation and click Upload. A progress message will appear.
The time to upload the file will depend on the level of activity on CommandPost and the
network bandwidth between your workstation and CommandPost. Once the file has been
completely transferred to CommandPost, the progress message will be updated.
Your internal network likely has a timeout for HTTP transfers. If the upload time exceeds
the network timeout, your browser will not complete the file transfer. If this occurs, you
have two options: a) increase the gateway timeout setting of your network, b) manually
copy the package to CommandPost. In most cases, the latter is the only viable option.
Refer to Manual Transfer of Installation Packages for information on the manual transfer
process.
4. After the upload and verification process is complete, a log file is available to view any
errors that may have been detected. If the upload was successful, information about the file
is displayed, release notes can be extracted, and the package will appear as an available
version on the Install page for any applicable component.

Figure 83. File Management

Chapter 14 Configure Exports
Export enables you to integrate with a third-party system by transferring alert and recorded object
data from CommandPost to a remote system. You can also export data in a Fidelis Archive format
which can later be imported to CommandPost (either the original CommandPost or another). The
following export methods are available. For more specific information about each, refer to Export
Methods.

• ArcSight
• Email HTML table
• Email user-defined
• Email Excel File (TSV attachment)
• Fidelis Archive
• SNMP traps
• Syslog
• Syslog LEEF
• Syslog Splunk
• McAfee ESM
• Verdasys Digital Guardian
Refer to Define Exports for instructions on setting up a new export.

Export Methods
This topic provides specific information for each of the export methods. For general instructions
about creating an export, refer to Define Exports.

Fidelis Archive
For this export method, the remote server name, login, and directory information need to be set up
at the System>Components>CommandPost Config>Archive page. Refer to Archive.
Specify the remote directory for export at Destination.
Select Include Sessions or Include PCAPs to include in the export, if desired.
Select Include Configuration Backup to add a configuration backup. A separate backup file will be
created and exported to the same directory as the archive file. Refer to Backup and Restore for
more information.
When exported, a file named archive.<extension> will be created and sent to your remote system
and placed into the directory specified in the Destination field. Notes about Fidelis Archive exports:

• An <extension> is a number created based on the time of the export.


• If the remote directory does not exist, it will be created.
• Fidelis uses FTP to transmit archive files to the remote system.
If you encounter errors, check your Archive configuration, your network settings, and the
configuration of your remote system.

Email User-Defined, Syslog, and Syslog Splunk
Syslog, Syslog Splunk, and email exports can be freely formatted by selecting keywords and
clicking Add Keyword. You can use the text box to create a comma-separated list of values, a link
to the alert on CommandPost, and any other required format for your external system.
To create a link to the alert [44] on CommandPost, enter:

https://<commandpost>/j/alert.html?%ALERTUUID%

The destination for email is provided by a single or comma-separated list of email addresses. The
destination for Syslog or Syslog Splunk is the name or IP address of your external Syslog server.
For Syslog and Syslog Splunk, you can also specify a port, for example 10.0.1.3:::1800.
Syslog Splunk has a preformatted key=value message format that is parsed by Splunk server. You
can also modify this format if needed.

Table 18. Alert Export keywords

Keyword | Description | Type (values)
%ACTION% | The action taken by the sensor in response to the violation. | String: Can be alert, prevent, or throttle. Can also include valid combinations of actions.
%ALERTUUID% | Displays a unique UUID belonging to an alert. If you selected ArcSight, this will send a link back to the CommandPost Alert Details [45] page. | Link
%COMPR% | Indicates the number of additional events represented by an alert. | Numeric
%DSTADDR% | The IP address of the recipient of the data. When available, both the IP address and the resolved host name are provided. | IP address
%DSTPORT% | Destination port number | Numeric
%FILENAME% | File name that caused the alert | String
%FROM% | Email address source | String
%GROUP% | The alert management group to which the alert belongs. | String
%HOSTIP% | The host IP address | String
%MALWARE_NAME% | Malware name | String
%MALWARE_TYPE% | Type of malware | String
%MD5% | MD5 hash of file | String
%PROTO% | The application protocol on which the violating transfer occurred. | String
%SENIP% | Sensor IP address | String
%SENSOR% | Sensor name | String
%SEVERITY% | Severity level | String: Can be low, medium, high, or critical
%SRCADDR% | The IP address of the sender of the data. When available, both the IP address and the resolved host name are provided. | String
%SRCPORT% | Source port number | Numeric
%SUBJECT% | Email subject line | String
%SUMMARY% | Displays summary text associated with the rule. | String
%TIME% | Time when the alert was detected. | String in the format: YYYY-MM-DD hh:mm:ss
%TO% | Email address destination | String
%USER% | Protocol user | String

[44] An alert is the recorded and displayed incidence of at least one event.
[45] Alert Details is the most granular level for examining alert data.
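The keyword substitution used by user-defined Syslog and email exports, and the host:::port Destination syntax used by the Syslog, Syslog LEEF, McAfee ESM and ArcSight methods, as an added Python example that is not Fidelis code: render_export expands the Table 18 placeholders and rejects unknown ones, destination_error applies the three-colon and ASCII-only rules stated in this chapter, and splunk_key_value shows key=value quoting. The sample alert values, the key=value field layout, and the function names are this example's own assumptions, not the product's preformatted templates.

```python
import re
from typing import Dict, Optional, Tuple

# Keywords from Table 18 (Alert Export keywords).
ALERT_KEYWORDS = frozenset({
    "ACTION", "ALERTUUID", "COMPR", "DSTADDR", "DSTPORT", "FILENAME", "FROM",
    "GROUP", "HOSTIP", "MALWARE_NAME", "MALWARE_TYPE", "MD5", "PROTO", "SENIP",
    "SENSOR", "SEVERITY", "SRCADDR", "SRCPORT", "SUBJECT", "SUMMARY", "TIME",
    "TO", "USER",
})
_KEYWORD_RE = re.compile(r"%([A-Z_]+)%")

# Constructed sample alert (not real data), keyed by Table 18 keyword names.
SAMPLE_ALERT: Dict[str, str] = {
    "ACTION": "alert",
    "ALERTUUID": "0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b",
    "SENSOR": "sensor-dc1",
    "SEVERITY": "high",
    "SRCADDR": "10.0.0.5",
    "SRCPORT": "49152",
    "DSTADDR": "203.0.113.10",
    "DSTPORT": "443",
    "PROTO": "HTTP",
    "MD5": "0123456789abcdef0123456789abcdef",
    "TIME": "2015-03-02 14:05:17",
    "SUMMARY": 'Malware "dropper.exe" seen on the wire',
}


def unknown_keywords(template: str) -> list:
    """Placeholders in a user-defined template that are not in Table 18."""
    return sorted({k for k in _KEYWORD_RE.findall(template) if k not in ALERT_KEYWORDS})


def render_export(template: str, alert: Dict[str, str]) -> str:
    """Expand every %KEYWORD% in a user-defined Syslog/email template.
    A keyword the alert carries no value for expands to an empty string;
    an unknown keyword raises, so a typo is caught before the export is saved."""
    bad = unknown_keywords(template)
    if bad:
        raise KeyError(f"unknown export keywords: {', '.join(bad)}")
    return _KEYWORD_RE.sub(lambda m: alert.get(m.group(1), ""), template)


def splunk_key_value(alert: Dict[str, str], fields: Tuple[str, ...] = (
        "TIME", "SENSOR", "SEVERITY", "ACTION", "SRCADDR", "SRCPORT",
        "DSTADDR", "DSTPORT", "PROTO", "MD5", "SUMMARY")) -> str:
    """Build a key=value line of the kind a Splunk server parses. The field
    set and quoting are this example's choice, not the product's preformatted
    Syslog Splunk template; backslashes and quotes inside values are escaped."""
    parts = []
    for field in fields:
        value = alert.get(field, "").replace("\\", "\\\\").replace('"', '\\"')
        parts.append(f'{field.lower()}="{value}"')
    return " ".join(parts)


def destination_error(dest: str) -> Optional[str]:
    """Why a Destination value would be rejected, or None if it is acceptable:
    non-ASCII is not supported, and a port must follow three colons (host:::port)."""
    if not dest or not dest.isascii():
        return "destination must be a non-empty ASCII host name or IP address"
    if ":::" in dest:
        host, _, port = dest.partition(":::")
        if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
            return "port must be 1-65535 after ':::'"
        return None
    if ":" in dest:
        return "a single ':' does not work; write host:::port"
    return None


def parse_destination(dest: str) -> Tuple[str, Optional[int]]:
    """Split 'host' or 'host:::port' into (host, port); port is None when omitted."""
    error = destination_error(dest)
    if error:
        raise ValueError(f"{dest!r}: {error}")
    host, sep, port = dest.partition(":::")
    return host, (int(port) if sep else None)
```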

Email HTML Table and Email Excel File (TSV attachment)
The items in the column list determine which alert information is included for each alert and the
order in which they are sent.
The destination for email is provided by a single or comma-separated list of email addresses.

Figure 84. Export: Email Excel File


You can use the default column list or select columns from the Column Choices box and click the
add button to move them to the column list. At the column list, you can order choices using the
move up and move down buttons. Remove a column from the Column List by selecting it and
clicking the remove button.

Syslog LEEF
Similar to Syslog, but in LEEF (Log Event Enhanced Format). When this export method is selected,
you do not need to enter keywords as in Syslog, but need to specify destination, event criteria for
alerts and malware events, and export frequency.
The destination for Syslog LEEF is the name or IP address of your external Syslog LEEF server,
and an optional port number for example: 10.1.1.3 or 10.0.1.3:::1800.

McAfee ESM
McAfee Enterprise Security Manager (ESM) is a predefined Syslog format designed for use with
the McAfee server. For McAfee ESM, you do not need to enter keywords as in Syslog, but need to
specify destination, event criteria for alerts and malware events, and export frequency.
The destination for McAfee ESM is the name or IP address of your external McAfee ESM server.
For McAfee ESM, you can also specify a port, for example: 10.0.1.3:::1800.

SNMP Trap and ArcSight


You may choose the information to export by SNMP or ArcSight. The items in the column list
determine which alert information is included for each alert and the order in which they are sent.
SNMP traps may be sent to an external system specified by a host name or IP address entered at
Destination. To enable Fidelis SNMP traps, an MIB is available with sample use instructions at
www.fidelissecurity.com/support.
Select SNMP version 1 or 3.
• If you select SNMP 1: You can change the entry for the SNMP Community String. The
default value is public.
• If you select SNMP 3: Engine ID, user names, and authentication and privacy tokens for
users should be configured on the remote SNMP server that runs the SNMP trap.
SNMP Engine ID: Enter the ID for the remote SNMP server.
SNMP User Name: Enter a user name associated with the Engine ID.
SNMP Authentication Protocol: Select Authenticated Only or Authentication and
Encrypted.
For Authentication Only:
Select MD5 or SHA1 Protocol. Enter the Authentication Token for the user in the text box.
For Authentication and Encrypted:
Select an Authentication Protocol and enter the Authentication Token.
Select either DES or AES Privacy (Encryption) Protocol. Enter the Privacy (Encryption)
token for the user in the text box.
ArcSight may be selected if you desire to export alert information to an ArcSight event
management system. The ArcSight export uses an (unencrypted) CEF connector over UDP.
Identify your ArcSight system by entering an IP address or host name at Destination.
Destination also enables you to specify a port number, for example: 10.0.1.3:::1800. Use three
colons ::: between the IP address and port number as shown in the example; a single colon
between the IP address and port number will not work.

Figure 85. Export: SNMP trap and ArcSight
You can use the default column list or select columns from the Column Choices box and click the
add button to move them to the column list. At the column list, you can order choices using the
move up and move down buttons. Remove a column from the Column List by selecting it and
clicking the remove button.

Verdasys Digital Guardian


Verdasys Digital Guardian may be selected if you desire to export alert [46] information to the
Verdasys Digital Guardian product.
To configure this output, enter the URL for your Digital Guardian at Destination. All alert information
will be exported to the appropriate fields within Digital Guardian.
For more information, contact Fidelis Technical Support or your Verdasys representative.

Define Exports
This topic provides instructions on setting up an export. Refer to Export Methods for information
specific to each export delivery method.
1. Click System>Export. A list of available exports displays. The first time Exports is accessed,
the list is empty.

Figure 86. Export page

[46] An alert is the recorded and displayed incidence of at least one event.
2. Click New to create a new export or click the edit icon next to the appropriate export. The Export
Editor displays. (Click the delete icon to delete an existing Export.)

Figure 87. Export Editor


3. Select an export delivery method. The Export Editor changes to reflect your choice. Refer to
Export Methods.
If you select Fidelis Archive, you can select Include Configuration Backup to back up during
an automatic export. Refer to Backup and Restore.
4. Enter a Destination. This can be an email address, directory name, IP address, or port
depending on the export method.
Note: Destination does not support the use of non-ASCII characters.
5. Select to export either All alerts, alerts By Criteria, or None.

• All–enables you to select all available alerts. Exporting all alerts in your database can
take time. With this option, you might want to limit this export by selecting a maximum
number of alerts.
• By Criteria–enables you to select alerts based on multiple search criteria. These criteria
vary depending on the export method.
• None–No alerts will be exported.
6. Select alert criteria as needed to determine the alerts you want to export. You can select
multiple entries.
For sensors, no selection means all sensors are selected. If user permissions or sensor
assignments change, assignments for the export will not change.
For Time Range, you can select a specific time such as 24 hours or 7 days or enter a date or
date range. Refer to Time Range. You can also select Oldest Alerts to include alerts older
than a specified amount of time (1 - 99 days). If you enter 99, you get alerts older than 99
days.
Other export criteria include severity, rules, labels, and actions associated with the alert.
Refer to Filters for specific information about these criteria.
7. Select the Export Frequency.

• Manually–exports only when you run the export by clicking the Run Now button. This
method is useful to test communication with the external system and for Fidelis Archive.
It is less useful for other export methods.
• Every Alert–exports all new alerts that meet selected criteria. Exporting for each new
alert is guaranteed to export each alert exactly once. The Export occurs immediately
when the alert is received from the sensor. This method is recommended for integration
with external systems. It is not available for Fidelis Archive.
• Periodically–enables you to specify a time and day to run the export. This method is
recommended only for Fidelis Archive, email, and Syslog exports. All other types of
exports should be performed on Every Alert to provide synchronization between the
Fidelis system and the external system.
ArcSight and Syslog export methods support using transport protocols for message delivery.
If you select an Export Frequency of Manual or Periodically the UDP protocol is available. If
you select Every Alert, then UDP, TCP, and TLS are available.
To use TLS with Fidelis XPS, you need to upload certificates (in PEM format) into the
appropriate directory: /usr/local/syslog-ng/3.5.6/etc/ca.d/
You also need to run the following command:

/usr/sbin/cacertdir_rehash /usr/local/syslog-ng/3.5.6/etc/ca.d/

8. Select the maximum number of alerts to be sent. This option is very useful when testing
communication to external systems and is not recommended in any other case. When you
choose this option, the selected alerts will be random, based on your criteria. You should not
depend on the exact alerts exported when this option is selected.
9. Enter a name for the export in Save As. You must save the Export before you can run it.
Clicking Reset restores settings to what was last saved.
10. Click Run Now to export.

Available Export Buttons


• Save will save the export as currently configured. You must save before you can Run.
• Run Now is used to test communication. This button is not available until you save any
changes made to the Export. Run Now is also not available if you select Every Alert for Export
Frequency.
• Reset will restore the export to the last saved state. This will enable the Run Now button if you
have made changes that you do not wish to save.
• Cancel will return you to the list of Exports.

Testing Export Communication


The Run Now button is provided as a mechanism to test communication with the external system
provided by the Export Method and Destination. When clicked, alerts are exported immediately
regardless of the chosen Export Frequency.

• If the Export Frequency is set to Every Alert, Run Now will export exactly one alert, if one can
be found that matches the criteria of the Export. This alert will be transported to the external
system and handled accordingly.
• If the Export Frequency is set to Manual or Periodic, all alerts that match your criteria will be
exported to the external system. Note that this can be millions of alerts and can take a very
long time to execute. You can use the maximum number of alerts to limit the size of the
export for testing purposes.
Run Now can only be performed after the Export is saved. If you make any changes on the Export
page, the Run Now button will be disabled until you either Reset or Save.



Delete Exports
To delete an export:
1. Click System>Export.
2. Click Delete next to the appropriate export.
3. Click OK at the confirmation dialog box. The Export is removed from the Exports page.



Chapter 15 Audit
The CommandPost audit trail is used to monitor user activities throughout Vector. User actions
that modify system configuration or system data, or that export information, result in an audit entry.
Auditable actions include:

• CommandPost user login (successful or not)

• CommandPost user actions that change system configuration, including sensor and
CommandPost configuration, sensor registration.

• CommandPost user actions to remove or export data from the system. This includes alert
purge, alert export, and user-generated reports.


• CommandPost user actions to add, modify, or delete system components such as users,
groups, etc. [47]

[47] Components enables you to set up licensing and configure Fidelis XPS components. This
includes adding and registering Fidelis XPS sensors, setting password strength, configuring e-mail,
and setting up user notification and LDAP among other features.

You can access the Audit Log from the CommandPost GUI to find audit entries.
Note: Fidelis recommends that you restrict audit log access to system administrators
and network security personnel. A user with Audit access can see all auditable actions.

Access Audit
Click System>Audit at the main menu. The Audit Log displays.

Figure 88. Audit Log


Clicking on a column heading sorts all rows by that column. By default, the Audit Log displays
content in descending order of time. To change this sort order, click the header of any column. If
the column header is clicked multiple times, the order alternates between descending and
ascending order.

Table 19. Audit Log columns

Column      Description

ID          The audit log ID number.

Timestamp   The date and time when the action occurred.

User        The user who performed the action.

Category    The general type of action that occurred. For example, roles, users, and audit.

Action      The specific action that occurred. Most actions relate to the section of the
            CommandPost used to trigger the action. For example, Alerts and Reports.
            The Action column may also include information about what occurred,
            such as a login.
Click a row to display more detailed information about an audit log entry. Expand all displays more
details about all rows. Detailed information includes the effect and a description of the action.

Figure 89. Audit Log details

Search for Audit Entries


Searching for audit entries can be done by entering criteria at the Search bar. If the searching
options are not visible, click in the upper right corner of the Audit Log to open it.
You can search for specific audit entries by entering terms into the Find: text box. This enables you
to focus the search on specific areas of the audit entry.

Search Terms
Entering an ID number returns one and only one row. For example, entering 21 matches only 21 and
not 211. Ranges are not supported for ID searches.
Enter specific terms in the Find: text box. Searching for term will match any audit entry containing
term in the chosen field. This will match audit entries with words such as term, terminate, and
exterminate.
Entering multiple words such as term1 term2 matches any audit entry containing both term1 and
term2. The terms can be found in any order and with any amount of separation between them.
The use of quotes around a phrase will be treated as a single search term. The phrase “term1
term2” will match any audit entry containing the exact phrase within the quotes. Any spaces in the
phrase will match any space characters in the audit entry, including a space, a tab, a new line, etc.
Matching is done on the character boundaries, not word boundaries. Therefore, a phrase of “top
secret” will match an audit entry containing a phrase such as “stop secrets.”
Multiple phrases such as a “literal phrase 1” and a “literal phrase 2” can be included in the Find
field. This will match any audit entries containing all of the phrases listed.
You can combine word-terms and phrase-terms. Any combination is allowed, such as “literal
phrase 1” word word1 word2 “literal phrase 2”



Matching does not consider the order of the terms, only that all are found within the search field.

Notes about Search Options


All searches are case insensitive.
There is a limit of 40 terms (words or literal phrases) in the search bar. If more terms are entered,
the 41st and beyond will be ignored.
Clicking Search without entering a search term, results in the Audit Log list redisplaying.
You can change the time frame by selecting any value at the During Last list and clicking Search,
without making any other entries.
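The matching rules above (exact ID match, case-insensitive substring matching on character boundaries, quoted phrases whose spaces match any whitespace, all terms required in any order, and the 40-term limit) are precise enough to implement. The following is an added example written for this guide, not Fidelis code and not the CommandPost's own search implementation. It assumes that an all-digit Find: entry is treated as an ID search, that a space inside a phrase matches one or more whitespace characters, and it runs against a small set of constructed audit entries.

```python
import re
from dataclasses import dataclass
from typing import List

MAX_TERMS = 40  # terms beyond the 40th are ignored (see "Notes about Search Options")


@dataclass
class AuditEntry:
    id: int
    timestamp: str
    user: str
    category: str
    action: str


# Constructed sample audit entries; values are illustrative, not from a real CommandPost.
SAMPLE_LOG = [
    AuditEntry(21, "2015-03-02 09:14:05", "admin", "users", "Login successful"),
    AuditEntry(22, "2015-03-02 09:20:41", "jdoe", "alerts", "Alert export 'Syslog export' run now"),
    AuditEntry(211, "2015-03-02 10:02:17", "admin", "alerts", "Alert purge: 5000 alerts removed"),
    AuditEntry(212, "2015-03-02 10:30:00", "jdoe", "reports", "Report run: stop\tsecrets summary"),
]

# A token is either a quoted phrase (straight or curly quotes) or a run of non-space characters.
_TOKEN_RE = re.compile(r'["\u201c]([^"\u201d]*)["\u201d]|(\S+)')


def parse_terms(query: str) -> List[str]:
    """Split the Find: text into word-terms and phrase-terms, keeping at most MAX_TERMS."""
    terms = []
    for m in _TOKEN_RE.finditer(query):
        phrase, word = m.group(1), m.group(2)
        if phrase is not None:
            if phrase.strip():          # an empty quoted phrase is skipped
                terms.append(phrase.strip())
        else:
            terms.append(word)
    return terms[:MAX_TERMS]


def term_pattern(term: str) -> "re.Pattern":
    """Regex for one term: plain substring match on character boundaries ("term" also
    matches "exterminate"), case insensitive; each space inside a phrase matches any
    run of whitespace (space, tab, newline) in the entry text (assumption)."""
    parts = [re.escape(p) for p in term.split()]
    return re.compile(r"\s+".join(parts), re.IGNORECASE)


def entry_matches(entry: AuditEntry, field: str, terms: List[str]) -> bool:
    """All terms must be found in the chosen field, in any order and at any separation."""
    text = getattr(entry, field)
    return all(term_pattern(t).search(text) for t in terms)


def search_audit(entries, query: str, field: str = "action") -> List[AuditEntry]:
    """Apply the guide's search rules to a list of entries.

    - empty query: every entry is returned (the list simply redisplays)
    - all-digit query: ID search, exact match only (21 does not match 211); assumption
    - otherwise: word- and phrase-terms that must all be present in `field`
    """
    q = query.strip()
    if not q:
        return list(entries)
    if q.isdigit():
        wanted = int(q)
        return [e for e in entries if e.id == wanted]
    terms = parse_terms(q)
    return [e for e in entries if entry_matches(e, field, terms)]


if __name__ == "__main__":
    for query in ("21", "alert", "export alert", '"top secret"'):
        hits = [e.id for e in search_audit(SAMPLE_LOG, query)]
        print(f"{query!r:16} -> {hits}")
```

Note that the phrase "top secret" finds entry 212 even though its text reads "stop<tab>secrets": that is the character-boundary behaviour the guide describes, and it is why a narrow phrase can still return more rows than expected when reviewing the log.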

Time Periods
To specify a new time period, select a value from the During Last list, select hours or days, and
click Search. Options range from 1 hour to 96 days and also include the default value of all.



Appendix A: Manual Transfer of Installation Files
CommandPost offers an interface to upload software installation packages by using the UI
available at Version Control>File Management. However, in many enterprise settings, the use of a
browser-based HTTP interface is not sufficient to transfer large files such as the installation
package. If you are unable to perform this task without a network timeout, you will need to find an
alternate method to transfer the package. Use of the automated download capability from the
Download Center is recommended whenever possible. If neither the automated download nor the
CommandPost interface is acceptable, you can follow these instructions:
1. Create an SSH command-line session to CommandPost and log in using the fidelis account.
Note: You must use the fidelis account and password for the first four steps in
this process.
2. Once logged in, change directory to /FSS/jail/TARUPDATE.
3. Remove all files located in this directory.
Note: The system does not support multiple update packages at one time. If
old packages are not removed, GUI operations and installations will not
function properly.
4. Transfer the installation package to /FSS/jail/TARUPDATE. The name of the file must be
the same as the file found at the Download Center, for example,
fidelis_xps_update-7.3.x86_64.tar.
5. Make sure that the copied file is owned by the fidelis account with read and write permissions
for owner and group. Use the Linux chown and chmod commands to modify file ownership and
permissions if necessary.
6. Access CommandPost Version Control>File Management. CommandPost access for this
step can use your personal CommandPost account. If steps 3 through 5 were executed
properly, the UI will perform verification of the file found at /FSS/jail/TARUPDATE. If
there are no problems, the file version, MD5, and usage will be updated on the screen
within a few minutes. If there is a problem with the file, the error will be shown at the bottom
of the page.
Contact Fidelis Technical Support if you experience any problems with this process.
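Steps 3 to 5 are easy to get slightly wrong (a stale package left behind, a renamed file, a missing group write bit), and the guide warns that a wrong state breaks the File Management page. The script below is an added example written for this guide, not a Fidelis tool; it is a pre-flight check an administrator can run as the fidelis user before step 6. It uses the directory, account and file name the guide gives, and assumes the administrator has the package's MD5 from the Download Center to compare against (the `expected_md5` parameter is optional). The `stage_and_check` fixture builds a throwaway directory with constructed dummy packages so the check can be exercised off the appliance.

```python
import hashlib
import os
import pwd
import stat
import tempfile
from pathlib import Path
from typing import List, Optional

UPDATE_DIR = Path("/FSS/jail/TARUPDATE")   # staging directory named in the guide
REQUIRED_OWNER = "fidelis"                  # account the guide says must own the package
# rw for owner and group (step 5)
REQUIRED_MODE = stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IWGRP


def md5_of(path: Path) -> str:
    """Hex MD5 of a file, read in chunks so a large package need not fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def owner_name(st: os.stat_result) -> str:
    try:
        return pwd.getpwuid(st.st_uid).pw_name
    except KeyError:                 # uid without a passwd entry: report the number
        return str(st.st_uid)


def check_update_dir(update_dir, expected_name: str, expected_md5: Optional[str] = None,
                     required_owner: str = REQUIRED_OWNER) -> List[str]:
    """Return a list of problems; an empty list means the directory is ready for step 6."""
    update_dir = Path(update_dir)
    problems: List[str] = []
    if not update_dir.is_dir():
        return [f"{update_dir} does not exist or is not a directory"]
    entries = sorted(update_dir.iterdir())
    if len(entries) != 1:           # step 3: old packages must be gone, only one package allowed
        names = [p.name for p in entries]
        problems.append(f"{update_dir} must hold exactly one package, found {len(entries)}: {names}")
        return problems
    pkg = entries[0]
    if pkg.name != expected_name:   # step 4: name must match the Download Center file name
        problems.append(f"file is named {pkg.name!r}, Download Center name is {expected_name!r}")
    st = pkg.stat()
    if owner_name(st) != required_owner:
        problems.append(f"owner is {owner_name(st)!r}, expected {required_owner!r} (use chown)")
    mode = stat.S_IMODE(st.st_mode)
    if mode & REQUIRED_MODE != REQUIRED_MODE:
        problems.append(f"mode {oct(mode)} lacks read/write for owner and group (use chmod)")
    if expected_md5 is not None:    # assumption: admin compares against the Download Center MD5
        actual = md5_of(pkg)
        if actual != expected_md5.lower():
            problems.append(f"MD5 {actual} does not match expected value {expected_md5.lower()}")
    return problems


def stage_and_check(file_names: List[str], expected_name: str, tamper_md5: bool = False) -> List[str]:
    """Self-test fixture: stage constructed dummy packages in a temporary directory and
    run the check; the owner requirement is relaxed to whoever runs this script."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in file_names:
            p = Path(tmp) / name
            p.write_bytes(b"constructed dummy package contents for " + name.encode())
            p.chmod(0o660)          # step 5: rw for owner and group
        me = owner_name(os.stat(tmp))
        good_md5 = md5_of(Path(tmp) / expected_name) if expected_name in file_names else None
        expected_md5 = "0" * 32 if tamper_md5 else good_md5
        return check_update_dir(tmp, expected_name, expected_md5, required_owner=me)


if __name__ == "__main__":
    # On the CommandPost: pass expected_md5=<value from Download Center> to verify the transfer.
    for problem in check_update_dir(UPDATE_DIR, "fidelis_xps_update-7.3.x86_64.tar"):
        print("PROBLEM:", problem)
```

If the MD5 reported by File Management after step 6 differs from the value you computed here, the file was altered in transit and should be transferred again rather than installed.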
