Respond Config: Step 2. Assign Respond View Permissions

Document created by RSA Information Design and Development on Sep 13, 2017. Last modified by RSA Information Design and Development on Sep 11, 2018.
Version 14

Add users with the required permissions to investigate incidents and alerts in NetWitness Respond. Users with access to the Respond view need both Incidents and Respond-server permissions. Users with access to configure Respond notification settings need additional Integration-server permissions.

The following pre-configured roles have permissions in the Respond view:

  • Analysts: The Security Operations Center (SOC) Analysts have access to Alerting, NetWitness Respond, Investigate, and Reporting, but not system configurations.
  • Malware Analysts: Malware Analysts have access to investigations and malware events.
  • Operators: Operators have access to configurations, but not to Investigate, ESA, Alerting, Reporting, or NetWitness Respond.
  • SOC_Managers: The SOC Managers have the same access as Analysts plus additional permissions to handle incidents and configure NetWitness Respond.
  • Data_Privacy_Officers: Data Privacy Officers (DPOs) are like Administrators with additional focus on configuration options that manage obfuscation and viewing of sensitive data within the system. See the Data Privacy Management Guide for additional information.
  • Respond_Administrator: The Respond Administrator has full access to NetWitness Respond.
  • Administrators: The Administrator has full system access to NetWitness Platform and has all permissions by default.

The NetWitness Respond default permissions are shown in the following tables. You need to assign user permissions from both the Incidents and Respond-server tabs; these are the names of Permissions tabs in the Add or Edit Roles dialogs of the ADMIN > Security view. You may also want to add user permissions for Alerting, Context Hub, Investigate, Investigate-server, and Reports.

Caution: It is very important that you assign equivalent user permissions from BOTH the Respond-server tab AND the Incidents tab.

Users who configure Respond notification settings also need permissions in the Integration-server tab.

Respond-server

                                                                                                                                                                                                                  

| Permissions | Analysts | SOC Mgrs | DPOs | Respond Admin | Operators | MAs |
|---|---|---|---|---|---|---|
| respond-server.alert.delete | | | Yes* | Yes* | | |
| respond-server.alert.manage | Yes | Yes | Yes* | Yes* | | Yes |
| respond-server.alert.read | Yes | Yes | Yes* | Yes* | | Yes |
| respond-server.alertrule.manage | | Yes | Yes* | Yes* | | |
| respond-server.alertrule.read | | Yes | Yes* | Yes* | | |
| respond-server.configuration.manage | | | Yes* | Yes* | | |
| respond-server.health.read | | | Yes* | Yes* | | |
| respond-server.incident.delete | | | Yes* | Yes* | | |
| respond-server.incident.manage | Yes | Yes | Yes* | Yes* | | Yes |
| respond-server.incident.read | Yes | Yes | Yes* | Yes* | | Yes |
| respond-server.journal.manage | Yes | Yes | Yes* | Yes* | | Yes |
| respond-server.journal.read | Yes | Yes | Yes* | Yes* | | Yes |
| respond-server.logs.manage | | | Yes* | Yes* | | |
| respond-server.metrics.read | | | Yes* | Yes* | | |
| respond-server.notification.manage (Available in 11.1 and later) | | Yes | Yes* | Yes* | | |
| respond-server.notification.read (Available in 11.1 and later) | | Yes | Yes* | Yes* | | |
| respond-server.process.manage | | | Yes* | Yes* | | |
| respond-server.remediation.manage | Yes | Yes | Yes* | Yes* | | Yes |
| respond-server.remediation.read | Yes | Yes | Yes* | Yes* | | Yes |
| respond-server.security.manage | | | Yes* | Yes* | | |
| respond-server.security.read | | | Yes* | Yes* | | |

* Data Privacy Officers and Respond Administrators have the respond-server.* permission, which gives them all of the Respond-server permissions.

Incidents

                                                                  

| Permissions | Analysts | SOC Mgrs | DPOs | Respond Admin | Operators | MAs |
|---|---|---|---|---|---|---|
| Access Incident Module | Yes | Yes | Yes | Yes | | Yes |
| Configure Incident Management Integration | | Yes | Yes | Yes | | |
| Delete Alerts and Incidents | | | Yes | Yes | | |
| Manage Alert Handling Rules | | Yes | Yes | Yes | | |
| View and Manage Incidents | Yes | Yes | Yes | Yes | | Yes |

The Respond Administrator has all of the Respond-server and Incidents permissions.

Integration-server

Note: The Integration-server permissions are available in NetWitness Platform version 11.1 and later.

Users who configure Respond Notifications also need Integration-server permissions. The following table lists the Respond Notification setting permissions in the Integration-server tab assigned to each role.

                                       

| Permissions | Analysts | SOC Mgrs | DPOs | Respond Admin | Operators | MAs |
|---|---|---|---|---|---|---|
| integration-server.notification.read | | Yes | Yes | Yes | | |
| integration-server.notification.manage | | Yes | Yes | Yes | | |

Investigate-server

Users who view Event Analysis in Respond also need Investigate-server permissions. The following table lists the Respond Event Analysis permissions required in the Investigate-server tab and the permissions assigned to each role.

                                                

| Permissions | Analysts | SOC Mgrs | DPOs | Respond Admin | Operators | MAs |
|---|---|---|---|---|---|---|
| investigate-server.event.read | Yes | Yes | Yes | Yes | | Yes |
| investigate-server.content.reconstruct | Yes | Yes | Yes | Yes | | Yes |
| investigate-server.content.export | Yes | Yes | Yes | Yes | | Yes |

Respond Notification Settings Permissions

Note: The Respond notification setting permissions are available in NetWitness Platform version 11.1 and later.
If you are updating from NetWitness Platform version 11.0 to 11.1 or later, you will need to add additional permissions to your existing built-in NetWitness Platform user roles. For all upgrades to 11.1 or later, you will need to add additional permissions to custom roles.

The following permissions are required for Respond Administrators, Data Privacy Officers, and SOC Managers to access Respond Notification Settings (CONFIGURE > Respond Notifications).

Incidents tab:

  • Configure Incident Management Integration

Respond-server tab:

  • respond-server.notification.manage
  • respond-server.notification.read

Integration-server tab:

  • integration-server.notification.read
  • integration-server.notification.manage

Respond Event Analysis Permissions

Note: The Event Analysis panel in the Respond view is available in NetWitness Platform version 11.2 and later.

The Event Analysis panel in the Respond view shows the Event Analysis view from Investigate for specific indicator events. The following Investigate Server permissions are required to view Event Analysis in the Respond view:

Investigate-server tab:

  • investigate-server.event.read
  • investigate-server.content.reconstruct
  • investigate-server.content.export

Note: Migrated incidents from NetWitness Platform versions before 11.2 will not show the Event Analysis panel in the Respond Incident Details view Indicators panel. Likewise, if you use alerts that were migrated from versions before 11.2 to create incidents in 11.2, you will also not be able to view the Event Analysis panel in the Respond view for those incidents.
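
The permission lists above for Respond Notification Settings and Respond Event Analysis can be turned into a gap check for custom roles after an upgrade. The following is an added example, not RSA code: the role dictionaries are constructed sample data (not a NetWitness export format), and treating any `<service>.*` grant as covering all of that service's permissions is an assumption extended from the `respond-server.*` footnote.

```python
# Required permissions per feature and Permissions tab, copied from the lists above.
REQUIRED = {
    "Respond Notification Settings": {
        "Incidents": {"Configure Incident Management Integration"},
        "Respond-server": {"respond-server.notification.manage",
                           "respond-server.notification.read"},
        "Integration-server": {"integration-server.notification.read",
                               "integration-server.notification.manage"},
    },
    "Respond Event Analysis": {
        "Investigate-server": {"investigate-server.event.read",
                               "investigate-server.content.reconstruct",
                               "investigate-server.content.export"},
    },
}

def is_granted(permission, granted):
    """True if listed explicitly or covered by a '<service>.*' grant (assumed semantics)."""
    return permission in granted or any(
        g.endswith(".*") and permission.startswith(g[:-1]) for g in granted)

def missing_permissions(role):
    """Map feature -> tab -> sorted missing permissions for a {tab: set} role."""
    report = {}
    for feature, tabs in REQUIRED.items():
        gaps = {}
        for tab, needed in tabs.items():
            absent = sorted(p for p in needed if not is_granted(p, role.get(tab, set())))
            if absent:
                gaps[tab] = absent
        if gaps:
            report[feature] = gaps
    return report

# Constructed sample: a custom role carried over from 11.0, only partly updated.
CUSTOM_ROLE = {
    "Incidents": {"Access Incident Module", "View and Manage Incidents",
                  "Configure Incident Management Integration"},
    "Respond-server": {"respond-server.incident.read", "respond-server.notification.read"},
    "Investigate-server": {"investigate-server.event.read",
                           "investigate-server.content.reconstruct"},
}
# Constructed sample: a role holding respond-server.* plus the full lists on other tabs.
WILDCARD_ROLE = {**REQUIRED["Respond Notification Settings"],
                 **REQUIRED["Respond Event Analysis"]}
WILDCARD_ROLE["Respond-server"] = {"respond-server.*"}

if __name__ == "__main__":
    for name, role in (("custom", CUSTOM_ROLE), ("wildcard", WILDCARD_ROLE)):
        print(name, missing_permissions(role) or "all required permissions present")
```
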

Respond Role Permission Examples

The following figure shows Respond-server permissions for the default Respond Administrator role. The Respond Administrator role contains all of the NetWitness Respond permissions.

Edit Role dialog for Respond Administrator role

The following figure shows the Incidents permissions for the default Analysts role:

Edit Role dialog for the Analysts role

For more information, see "Role Permissions" and "Manage Users with Roles and Permissions" in the System Security and User Management guide.
