This topic identifies the user roles and permissions required for a user to conduct malware analysis in Security Analytics. If you cannot perform an analysis task or see a view, the administrator may need to adjust the roles and permissions configured for you.
Required Roles and Permissions
RSA Security Analytics manages security by providing access to views and functions using both system permissions and permissions on individual services.
On the system level, the user needs to be assigned a system role, in the Administration > System view, that provides access to specific views and functions. The default Malware_Analysts role in Security Analytics 10.5 is assigned all of the permissions listed below. If necessary, an Administrator can create a custom role with some combination of the following permissions:
Access Investigation Module (required)
Investigation - Navigate Events
Investigation - Navigate Values
Access Incident Module
View and Manage Incidents
View Malware Events (to view events)
File Download (to download files from the Malware Analysis service)
Initiate Malware Scan (to initiate a one-time service scan or one-time file upload)
Dashlet permissions for convenience: Dashlet - Investigate Top Values Dashlet, Dashlet - Investigate Service List Dashlet, Dashlet - Investigate Jobs Dashlet, Dashlet - Investage Shortcuts Dashlet.
Note: When upgrading from Security Analytics 10.4 to Security Analytics 10.5, the Security Analytics 10.4 default MalwareAnalysts role is renamed to Malware_Analysts with no changes to the assigned permissions. When upgrading from Security Analytics 10.3 and earlier, the Malware Analyst role includes a subset of these permissions. The default Malware Analyst role is renamed to MalwareAnalysts if it exists and the new permissions are added. If the Malware Analyst role did not exist, the new MalwareAnalysts role is created.
A use case for creating a custom role would be a Junior Malware Analyst role, with limited permissions that do not include the File Download permission.
On specific services, a malware analyst needs to be a member of the Analysts group, or to a group that has the two default permissions assigned to the Analyst group: sdk.meta and sdk.content. Users who have these permissions can use specific applications, run queries, and view content for purposes of analysis on the service.