Onboard Users
You can onboard users to Respond (CFTR) and assign them to the relevant user groups to define their permissions to various features in CFTR. User Group Management enables administrators to configure Role-Based Access Control (RBAC) for CFTR. Based on various roles in the organization, you can create multiple user groups and configure the permissions for each feature in Respond. You can also add users to the user groups and in turn, define the permissions for each user.
For example, you can create an Admin user group and provide the required administrator permissions to the user group. Now, the users added to the Admin group are automatically assigned the permissions defined for the user group. For more information, see Configure Role-Based Access Control (RBAC) in CFTR.
User groups also help security analysts assign the Threat Response modules, such as Incidents, Actions, Enhancements, PIRs, and Campaigns, to the specific user group that is responsible for responding to a specific type of threat. A user from the assigned user group can then assign the module to a user from the same user group. This ensures that a Threat Response module is assigned to the right user who has permission to respond to a threat.
User Group Management also enables administrators to define:
The rate of the users, which is used to calculate the cost of an incident and action.
Allowed Orchestrate tags to restrict access to certain Orchestrate Playbooks.
In a user group, you can configure the following types of permissions for the features:
No Access: The users of a user group do not have permission to view or modify a module/functionality.
View: The users of a user group have view-only access to a module/functionality.
Create/Update: The users of a user group have access to modify the data of a module/functionality.
By default, Respond provides the following default user groups:
SOC Manager
Sr. Management
Threat Intel Analyst
IR Manager
Forensic Investigator
Incident Responder
SOC Analyst
CFTR Admin
Read Only User
Note
You cannot deactivate the default user groups.
Read-Only User Group
Notice
This feature is available in Respond (CFTR) version 3.3 and later.
Read-Only is a default user group that includes view-only access to specific features. Administrators can add read-only users over and above the license quota assigned for adding users. Providing read-only access to users improves collaboration among the security teams and ensures that every team member has access to the same information.
Note
By default, the Read-Only user group is disabled.
The Read-Only user group has the following characteristics:
You can enable or disable the View permission for the features, but you cannot enable the Create/Update permission for any feature except reports. For example, read-only users can view incidents, knowledge-base articles, enhancements, and ATT&CK Navigator, but cannot modify them.
Incidents, actions, enhancements, or PIRs cannot be assigned to the Read-Only user group.
Read-only users cannot be added to other user groups.
Note
If you add a user to the Read-Only user group, the user will be removed from all other groups.
To add read-only users to another group, you must remove the users from the Read-Only user group and then add them to another user group.
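For a periodic access review, the Read-Only user group characteristics listed above can be checked against a snapshot of the group configuration. The following is an added example, not code or an export format provided by Respond (CFTR): the data structure, the feature name "Reports", the user names, and the item IDs are constructed for illustration.

```python
# Permission types described on this page.
NO_ACCESS, VIEW, CREATE_UPDATE = "No Access", "View", "Create/Update"
READ_ONLY = "Read Only User"

# Constructed sample snapshot (assumed structure, not a CFTR export format).
GROUPS = {
    "SOC Analyst": {
        "members": {"alice", "bob"},
        "permissions": {"Incidents": CREATE_UPDATE, "Reports": VIEW},
    },
    "Read Only User": {
        "members": {"bob", "carol"},
        "permissions": {"Incidents": VIEW, "Reports": CREATE_UPDATE,
                        "Enhancements": CREATE_UPDATE},
    },
}
# (module type, item id, assigned user group) - constructed values.
ASSIGNMENTS = [("Incident", "INC-1", "SOC Analyst"),
               ("PIR", "PIR-7", "Read Only User")]


def audit_read_only(groups, assignments, read_only=READ_ONLY):
    """Return sorted (rule, subject) findings for the Read-Only group rules."""
    ro = groups.get(read_only)
    if ro is None:
        return []
    findings = set()
    # Rule 1: Create/Update may be enabled only for reports.
    for feature, level in ro["permissions"].items():
        if level == CREATE_UPDATE and feature != "Reports":
            findings.add(("write-permission", feature))
    # Rule 2: incidents, actions, enhancements, or PIRs cannot be
    # assigned to the Read-Only user group.
    for _module, item_id, group in assignments:
        if group == read_only:
            findings.add(("module-assigned", item_id))
    # Rule 3: read-only users cannot be members of any other user group.
    for name, group in groups.items():
        if name != read_only:
            for user in group["members"] & ro["members"]:
                findings.add(("multi-group-member", user))
    return sorted(findings)


if __name__ == "__main__":
    for rule, subject in audit_read_only(GROUPS, ASSIGNMENTS):
        print(f"{rule}: {subject}")
```

Any finding indicates that the snapshot differs from the behavior documented for the Read-Only user group and should be reviewed by an administrator.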