Investigation: Roles and Permissions for Malware Analysts

Document created by RSA Information Design and Development on Mar 23, 2017. Last modified by RSA Information Design and Development on Apr 10, 2017.
Version 2

This topic identifies the user roles and permissions required for a user to conduct malware analysis in Security Analytics. If you cannot perform an analysis task or see a view, the administrator may need to adjust the roles and permissions configured for you.

Required Roles and Permissions

RSA Security Analytics manages security by providing access to views and functions using both system permissions and permissions on individual services.

On the system level, the user needs to be assigned a system role, in the Administration > System view, that provides access to specific views and functions. The default Malware_Analysts role in Security Analytics 10.5 is assigned all of the permissions listed below. If necessary, an Administrator can create a custom role with some combination of the following permissions:

  • Access Investigation Module (required)
  • Investigation - Navigate Events
  • Investigation - Navigate Values
  • Access Incident Module
  • View and Manage Incidents
  • View Malware Events (to view events)
  • File Download (to download files from the Malware Analysis service)
  • Initiate Malware Scan (to initiate a one-time service scan or one-time file upload)
  • Dashlet permissions for convenience: Dashlet - Investigate Top Values Dashlet, Dashlet - Investigate Service List Dashlet, Dashlet - Investigate Jobs Dashlet, Dashlet - Investigate Shortcuts Dashlet.

Note: When upgrading from Security Analytics 10.4 to Security Analytics 10.5, the Security Analytics 10.4 default MalwareAnalysts role is renamed to Malware_Analysts with no changes to the assigned permissions.
When upgrading from Security Analytics 10.3 and earlier, the Malware Analyst role includes a subset of these permissions. The default Malware Analyst role is renamed to MalwareAnalysts if it exists and the new permissions are added. If the Malware Analyst role did not exist, the new MalwareAnalysts role is created.

A use case for creating a custom role would be a Junior Malware Analyst role, with limited permissions that do not include the File Download permission.

On specific services, a malware analyst needs to be a member of the Analysts group, or of a group that has the two default permissions assigned to the Analysts group: sdk.meta and sdk.content. Users who have these permissions can use specific applications, run queries, and view content for purposes of analysis on the service.
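
One way to review a custom role such as the Junior Malware Analyst against the permissions listed above, as an added example that is not RSA's code. The role dictionary format, the role and service names, and the unlisted permission are constructed for illustration; Security Analytics does not necessarily export roles in this form.

```python
# Permission names are copied from this page; the role format is an assumption.
REQUIRED = {"Access Investigation Module"}
MALWARE_ANALYSTS = REQUIRED | {
    "Investigation - Navigate Events",
    "Investigation - Navigate Values",
    "Access Incident Module",
    "View and Manage Incidents",
    "View Malware Events",
    "File Download",
    "Initiate Malware Scan",
    "Dashlet - Investigate Top Values Dashlet",
    "Dashlet - Investigate Service List Dashlet",
    "Dashlet - Investigate Jobs Dashlet",
    "Dashlet - Investigate Shortcuts Dashlet",
}
SERVICE_PERMS = {"sdk.meta", "sdk.content"}  # Analysts group defaults


def audit_role(role, denied=frozenset()):
    """Return a sorted list of findings for one custom role definition."""
    system = set(role.get("system_permissions", []))
    findings = []
    for p in REQUIRED - system:
        findings.append(f"missing required permission: {p}")
    for p in system - MALWARE_ANALYSTS:
        findings.append(f"outside Malware_Analysts set: {p}")
    for p in system & set(denied):
        findings.append(f"denied for this role but granted: {p}")
    for service, perms in role.get("service_permissions", {}).items():
        for p in SERVICE_PERMS - set(perms):
            findings.append(f"{service}: missing {p}")
    return sorted(findings)


# Constructed sample: a junior role that must not hold File Download.
junior = {
    "name": "Junior_Malware_Analyst",  # hypothetical role name
    "system_permissions": [
        "Investigation - Navigate Events",
        "View Malware Events",
        "File Download",
        "Constructed - Unlisted Permission",  # not a real permission name
    ],
    "service_permissions": {"malware-analysis-1": ["sdk.meta"]},  # hypothetical
}

if __name__ == "__main__":
    for finding in audit_role(junior, denied={"File Download"}):
        print(finding)
```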
