Existing Netwitness Endpoint Roles
- It helps to start with the existing ECAT roles. The main roles are Admin, who has every permission; L1 Analyst, the most basic type of user; and L2 Analyst. The roles we are most interested in are L1 and L2 Analyst.
- L1 Analyst - Used for basic-level analysis. The default permissions are Basic Scan, Edit Module Status, Forensics, Import/Export, Modules Actions, Scan Groups, and UI Related.
- L2 Analyst - Used for higher-level analysis and for most features of the product. It includes Analyse, Basic Scan, Certificates, Configure, Edit Module Status, Forensics, IIOC, Import/Export, Modules Actions, Remediation, Scan Groups, Scan with External, Schedule Time Spec, Server Configuration Discovery, and UI Related.
Custom roles are used when the default roles are insufficient for an organization. The UI allows organizations to create their own roles under Users and Roles: select the Roles tab and right-click Create Role to bring up the menu. When deciding which permissions to grant, the following definitions will help organizations determine what their users will need:
- Agent Maintenance – Update or uninstall agents
  - This permission grants the user the ability to update the deployed endpoint agents to a newer version or remove the deployed agent from the endpoint.
- ReadOnly - Give general read access inside the UI
  - Notably, this permission is also required by any user who wishes to use the MFT Viewer.
- Analyse – Analyse with Security Analytics / NetWitness, Analyse a module
  - Allows the analyst access to the Analyze Module detail window for a selected module. If NetWitness/Security Analytics integrations are configured, the user will be permitted to access the Analysis functionality with those tools.
- Basic Scan – Request or cancel a scan
  - Allows the user to request a scan of a single endpoint or group of endpoints. Any of the available scan types (Full, Basic, or Quick) will be allowed. This user may also cancel a previously requested scan of an endpoint.
- Certificates – Flag a certificate vendor as trusted, remove trusted flags, edit trusted status, edit trusted domains
  - This permission allows the user to modify the trusted state of module certificates and domains.
- Configure – Configure connection, timezones, internet search engines, monitoring & external components, global parameters, administrative status, machine groups, update certificates
  - Grants the user the ability to configure various global settings applicable to the Console Server. This is traditionally a permission reserved for the NetWitness Endpoint administrator.
- Edit Module Status – Edit Blacklist/Whitelist status, edit trusted domains, modify status, modify comments, modify modules to block
  - With this permission, users will be able to access the Edit Blacklist/Whitelist status dialog found when right-clicking on a module. From here, users may modify its whitelist & blacklist status, attach comments to a module, or adjust blocking settings for that module.
- Forensics – Request files, request MFT, request full memory dump, reboot endpoint
  - This permission allows a user to perform more invasive tasks upon an endpoint. The user will be able to request arbitrary files & directories by path, or request a Master File Table (MFT) from the endpoint, which contains the layout of the entire filesystem and a list of its contents. This user will also be able to request a snapshot of the current state of the endpoint's RAM and reboot the endpoint.
- IIOC – Modify IIOCs: Clone, delete, edit, create new
  - This permission allows for the maintenance and management of the defined IIOCs. The user may clone an IIOC to use it as the basis for a new one, delete or edit an existing IIOC, or create a new IIOC. This management setting is typically reserved for an administrator, high-level analyst, or threat intelligence specialist.
- Import/Export – Export to Excel, standalone scan - export scan configuration, standalone scan – import scan data, import/export blacklist/whitelist file, RSA Live
  - This permission grants the user the ability to import or export various configuration and data via the UI. RSA Live information can also be obtained and imported through the offline Console Server Sync tool.
- Module Related Tools – Module Analyser, MFT Viewer, Search with File Advisor, Google & Virus Total, Open in new module view, View certificates
  - This permission allows a user to gain additional visibility into various modules. With this permission, the module analyzer may be opened, the MFT viewer may be used to request files from an endpoint, various external searches may be performed against the modules (e.g. Google & Virus Total), and certificates associated with the module may be viewed.
- Modules Actions – Add to trusted domains, download to server, save a local copy, assign module
  - This permission allows the user to request that a module be downloaded to the console server or, for a module already downloaded, to save a copy of the module to the local system. With this permission, floating code can be assigned to a particular module within the scan data tab.
- Remediation – Reboot, remediate, show diagnostics, remove selection from database, module blocking
  - This permission provides access to the endpoint management and diagnostic tasks found in the Advanced menu after right-clicking on an endpoint.
The MFT Viewer will not be accessible to users who are granted Module Related Tools here without also having ECAT_ROLE_READONLY. They additionally need the ReadOnly field assigned, which is hidden within the database options set. The user in the database should have ECAT_ROLE_READONLY enabled; otherwise the user will either fail to log in or be unable to use the MFT Viewer, which reports the error "Read Only Permissions are required". In the UI this permission is enforced on all users, but it can be manually changed in the database itself.
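Because custom roles are hand-built in the UI, it is easy to grant Module Related Tools without ReadOnly, or to hand an analyst permissions the descriptions above reserve for administrators. The following linter is an added example (not NetWitness Endpoint code and not an API of the product): it takes the permission names and the L1/L2 default sets from the descriptions above, checks each custom role for the ReadOnly dependency, reports permissions that exceed a chosen baseline role, and flags the permissions the text calls invasive or administrator-reserved for explicit review. The role definitions in `CUSTOM_ROLES` are constructed for this example.

```python
"""Lint custom NetWitness Endpoint role definitions (added example).

Permission and role names are taken from the role descriptions in this
document; the custom roles below are constructed sample input.
"""

# Default permission sets of the built-in analyst roles, as listed above.
L1_ANALYST = frozenset({
    "Basic Scan", "Edit Module Status", "Forensics", "Import/Export",
    "Modules Actions", "Scan Groups", "UI Related",
})
L2_ANALYST = frozenset({
    "Analyse", "Basic Scan", "Certificates", "Configure", "Edit Module Status",
    "Forensics", "IIOC", "Import/Export", "Modules Actions", "Remediation",
    "Scan Groups", "Scan with External", "Schedule Time Spec",
    "Server Configuration Discovery", "UI Related",
})

# Dependency described in the text: the MFT Viewer (part of Module Related
# Tools) only works when the user also has ReadOnly (ECAT_ROLE_READONLY).
REQUIRES = {"Module Related Tools": frozenset({"ReadOnly"})}

# Permissions the text describes as invasive or normally reserved for an
# administrator / senior analyst; granting them in a custom role gets a
# review flag so the decision is deliberate.
SENSITIVE = {
    "Forensics": "requests arbitrary files, the MFT and full memory dumps",
    "Configure": "changes global Console Server settings (administrator permission)",
    "IIOC": "creates, edits and deletes IIOCs (administrator / senior analyst)",
}


def lint_role(name, permissions, baseline=L2_ANALYST):
    """Return a list of (severity, message) findings for one custom role.

    error   - a dependency is missing, so the feature fails at runtime
    warning - the permission goes beyond the chosen baseline role
    review  - a sensitive permission that should be explicitly approved
    """
    perms = frozenset(permissions)
    findings = []
    for perm, deps in REQUIRES.items():
        missing = deps - perms
        if perm in perms and missing:
            findings.append(("error",
                             f"{name}: '{perm}' granted without "
                             f"{', '.join(sorted(missing))}; the MFT Viewer will "
                             "report 'Read Only Permissions are required'"))
    for perm in sorted(perms - baseline):
        findings.append(("warning", f"{name}: '{perm}' is not in the baseline role"))
    for perm in sorted(perms & set(SENSITIVE)):
        findings.append(("review", f"{name}: '{perm}' {SENSITIVE[perm]}"))
    return findings


def lint_roles(roles, baseline=L2_ANALYST):
    """Lint a mapping of role name -> permission set; returns name -> findings."""
    return {name: lint_role(name, perms, baseline) for name, perms in roles.items()}


# Constructed sample roles: "Triage" has the classic ReadOnly mistake,
# "Hunter" is valid but carries Forensics, which deserves a review flag.
CUSTOM_ROLES = {
    "Triage": {"Basic Scan", "Module Related Tools", "UI Related"},
    "Hunter": {"Basic Scan", "ReadOnly", "Module Related Tools",
               "Forensics", "UI Related"},
}

if __name__ == "__main__":
    # Compare the custom roles against the L1 Analyst baseline.
    for role, findings in lint_roles(CUSTOM_ROLES, baseline=L1_ANALYST).items():
        for severity, message in findings:
            print(f"[{severity:7}] {message}")
```

Run it against the L1 baseline and the "Triage" role produces an error (Module Related Tools without ReadOnly) plus a warning that Module Related Tools is outside the L1 defaults; "Hunter" produces only warnings and a review flag for Forensics. Passing `baseline=L2_ANALYST` instead suppresses warnings for anything an L2 Analyst already has.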