NetWitness Endpoint Role-Based Access Control

Document created by Nick Merante (Employee) on Dec 9, 2016. Last modified by Nick Merante (Employee) on Dec 23, 2016. Version 3.

Role-based access control in NetWitness Endpoint allows NetWitness Endpoint Administrators to more precisely control what information each user can access and manipulate by assigning a specifically configured role to each NetWitness Endpoint user.

 

Two static primary RBAC roles are defined within the NetWitness Endpoint UI.  These static roles cannot be changed.

  • ReadOnly – Restricted access to the NetWitness Endpoint UI in a limited, read-only mode
  • Admin – Full administrative access with read/write/execute and the ability to create and manage additional roles

 

Additional user-defined roles may be created and granted any of the following 18 permissions:

  • Agent Maintenance – Update or uninstall agents, reset driver
  • Analyse – Analyse with Security Analytics / NetWitness, Analyse a module
  • Basic Scan – Request or cancel a scan
  • Certificates – Flag a certificate vendor as trusted, remove trusted flags, edit trusted status, edit trusted domains
  • Configure – Configure connection, timezones, internet search engines, monitoring & external components, global parameters, administrative status, machine groups, update certificates
  • Edit Module Status – Edit Blacklist/Whitelist status, edit trusted domains, modify status, modify comments, modify modules to block
  • Forensics – Request files, request MFT, request full memory dump, reboot endpoint
  • IIOC – Modify IIOCs: Clone, delete, edit, create new
  • Import/Export – Export to Excel, standalone scan - export scan configuration, standalone scan - import scan data, import/export blacklist/whitelist file, RSA Live
  • Module Related Tools – Module Analyser, MFT Viewer, Search with File Advisor, Google & VirusTotal, Open in new module view, View certificates
  • Modules Actions – Add to trusted domains, download to server, save a local copy, assign module, add to custom hashset
  • Remediation – Reboot, remediate, show diagnostics, remove selection from database, module blocking
  • Scan Groups – Configure groups, add machine to group, remove machine from a group
  • Scan with External – Scan with YARA or OPSWAT
  • Schedule Time Spec – Local to client, local to server, UTC
  • Server Configuration – Commission new server, change DNS or IP, Decommission server, configure cloud
  • Server Configuration Discovery – Start or pause discovery
  • UI Related – Copy data, copy data with header, access dashboard, configure skins

 

Two default customizable roles are created upon UI installation and serve as a recommended starting point.  Permissions appearing in strikethrough are absent from these default roles.

 

NetWitness Endpoint L1 Analyst

  • Agent Maintenance
  • Analyse
  • Basic Scan
  • Certificates
  • Configure
  • Edit Module Status
  • Forensics
  • IIOC
  • Import/Export
  • Module Related Tools
  • Modules Actions
  • Remediation
  • Scan Groups
  • Scan with External
  • Schedule Time Spec
  • Server Configuration
  • Server Configuration Discovery
  • UI Related

NetWitness Endpoint L2 Analyst

  • Agent Maintenance
  • Analyse
  • Basic Scan
  • Certificates
  • Configure
  • Edit Module Status
  • Forensics
  • IIOC
  • Import/Export
  • Module Related Tools
  • Modules Actions
  • Remediation
  • Scan Groups
  • Scan with External
  • Schedule Time Spec
  • Server Configuration
  • Server Configuration Discovery
  • UI Related