Default User Groups and Permissions
Respond provides four default user groups: CFTR Admin, SOC Manager, SOC Analyst, and Read-Only. You can also create custom user groups and assign permissions for various features. To view the default user groups and their permissions, go to Admin > User Group Management.
Every Module/Functionality has the following permissions:
View: User groups with this permission can view the module/functionality. If view permission is not enabled, the whole feature is hidden in the application user interface and won't be visible to the user group.
Create/Update: User groups with this permission can view, create or update the details of a module/functionality.
Modules/Functionalities
Respond includes the following modules/functionalities:
Action Library: Allows users to access the Action Library module in the Admin panel. In this module, users can create and manage action templates that are used to map actions with various phases of incident workflows. For more information, see Manage Action Templates for Incidents.
Actions: Allows users to access the Actions module from the Menu. In this module, users can view, create, and manage actions. For more information, see Actions.
Activity Logs: Allows users to view the activity logs of modules in Admin > Audit Logs > Activity Logs. To view the activity of a module, go to Menu, select a module, and click Activity Logs. For more information, see Manage Activity Logs.
API Request Logs: Allows users to view the API request logs of all users in Admin > Audit Logs > API Request Logs. For more information, see View Audit Logs.
Applications: Allows users to access the Applications module from the Menu. In this module, users can view, create, and manage applications. For more information, see Applications.
ATT&CK Navigator: Allows users to access the ATT&CK Navigator from the Menu. In this module, users can view tactics, techniques, and sub-techniques. They can also create custom layers with a tailored list of tactics and techniques based on the organization's requirements. For more information, see ATT&CK Navigator.
Business Units: Allows users to access Business Units in Admin > Settings. In this module, users can view, create, and manage business units. For more information, see Manage Business Units.
Campaigns: Allows users to access the Campaigns module from the Menu. In this module, users can view, create, and manage campaigns. For more information, see Campaigns.
Configurations: Allows users to access the Configurations module in the Admin panel. In this module, users can view and update the configurations for Incidents, Authentication methods, Actions, Integrations, and more. For more information, see Configure General Settings.
Cost Tracking: Allows users to view the cost tracking details of incidents in Menu > Incidents. Users with this permission can view the total cost incurred by the organization due to the incident. For more information, see Cost Tracking.
Dashboards: Allows users to access the Dashboards module from the Menu. In this module, users can view, create, edit, and manage dashboards. Users can also create custom dashboards and widgets. For more information, see Dashboards.
Note
While filtering dashboards by selecting locations and business units, users can only view and select from the locations or business units assigned to them.
Delete Untriaged Incidents: Allows users to delete incidents that are in the untriaged status in Menu > Incidents. For more information, see Delete Untriaged Incident.
Devices: Allows users to access the Devices module from Menu. In this module, users can view, create, and manage devices. For more information, see Devices.
Email Customization: Allows users to access the Email Customization module in the Admin panel. In this module, users can enable or disable email notifications and customize the email templates. For more information, see Customize Emails.
Enhancements: Allows users to access the Enhancements module from Menu. In this module, users can view, create, and manage enhancements. For more information, see Enhancements.
Fang-Defang: Allows users to access the Fang-Defang module from Menu. In this module, users can modify IP addresses, URLs, and domain names to make them non-functional. For more information, see Fang-Defang.
Form Management: Allows users to access the Form Management module in the Admin panel. In this module, users can view and configure forms for Incidents, Action, PIR, Malware, and more. For more information, see Configure Forms.
Incidents: Allows users to access the Incidents module from Menu. In this module, users can view, create, and manage incidents. For more information, see Incidents.
Note
Users can only view and update incidents associated with business units and locations assigned to them.
Knowledge Base: Allows users to access the Knowledge Base module from Menu. In this module, users can view, create, and manage Knowledge Base articles. For more information, see Knowledge Base.
Labels: Allows users to access Labels in Admin > Settings. In this module, users can view, create, and manage labels. For more information, see Manage Labels.
Locations: Allows users to access locations in Admin > Settings. In this module, users can view, create, and manage locations. For more information, see Manage Locations.
Malware: Allows users to access the Malware module from Menu. In this module, users can view, create, and manage malware. For more information, see Malware.
Manufacturers: Allows users to access manufacturers in Admin > Settings. In this module, users can view, create, and manage manufacturers. For more information, see Manage Manufacturers.
Merge Incidents: Allows users to merge incidents in Menu > Incidents. Users can merge incidents that have similar details and require the same response. For more information, see Mission Control.
MSSP Dashboard: Allows users to access the MSSP Dashboard in Menu > Dashboards. Users with this permission can view and export the MSSP dashboard. For more information, see Dashboards.
Network Utility: Allows users to access the Network Utility module from the Admin panel. In this module, users can retrieve network-related data of IP addresses and domains from the threat intel applications that are integrated with Respond. For more information, see Network Utility.
Open API: Allows users to access the Open API module in the Admin panel. In this module, users can view and create open API credentials. For more information, see Configure Open API.
OS Types: Allows users to access OS Types in Admin > Settings. In this module, users can view, create, and manage OS types. For more information, see Manage OS Types.
Pause Incident: Allows users to pause incidents while responding to them in Menu > Incidents. For more information, see Pause Incident.
PIRs: Allows users to access the PIRs module from the Menu. In this module, users can view, create, and manage PIRs. For more information, see PIRs.
Playbooks: Allows users to access Playbooks from Orchestrate while responding to incidents in Menu > Incidents. For more information, see Run Playbooks.
Protected Incidents: Allows users to view and edit protected incidents in Menu > Incidents. For more information, see Protect Incidents.
Reports: Allows users to access the Reports module from Menu > Governance. In this module, users can view, add, and manage reports. For more information, see Reports.
Roster Management: Allows users to access the Roster Management module of the Admin panel. In this module, users can create and manage rosters and shifts. For more information, see Configure Rosters.
Rule Engine: Allows users to access the Rule Engine module of the Admin panel. In this module, users can configure rules to execute specific actions, such as pause incidents, enable Slack notifications, and run a playbook automatically for incident response. For more information, see Configure Automation Rules.
SLA: Allows users to access the SLA module in the Admin panel. In this module, users can configure assignment SLA and resolution SLA for incidents, actions, and incident notifications. For more information, see Configure SLA for Incidents, Configure SLA for Actions, and Configure Incident Notification Process.
Software: Allows users to access the Software module from Menu. In this module, users can view, add, and manage software. For more information, see Software.
Sources: Allows users to access Sources in Admin > Settings. In this module, users can view, add, and manage sources. For more information, see Manage Sources.
Template Management: Allows users to access the Template Management module in the Admin panel. In this module, users can configure export and merge templates for incidents, actions, devices, and users. For more information, see Configure Templates for Incidents, Configure Templates for Actions, and Create Export Template for Devices.
Terminal: Allows users to access the Terminal tab of all the modules. Go to Menu, select a module, and select a record. Users can use the terminal to interact with the integrated applications and Orchestrate Playbooks to perform specific tasks. For more information, see Mission Control.
Threat Actors: Allows users to access the Threat Actors module from Menu. In this module, users can view, create, and manage threat actors. For more information, see Threat Actors.
Threat Briefings: Allows users to access the Threat Briefings module from Menu. In this module, users can view, create, and manage threat briefings. For more information, see Threat Briefings.
Threat Intel: Allows users to access the Threat Intel module from Menu. In this module, users can view the threat intel added to Respond. For more information, see Threat Intel.
User Group Management: Allows users to access the User Group Management module in the Admin panel. In this module, users can view and create user groups and assign permissions to user groups. For more information, see Create User Group.
User Management: Allows users to access the User Management module in the Admin panel. In this module, users can view, add, and manage user accounts. For more information, see Create User.
Users: Allows users to access the Users module from Menu. In this module, users can view, add, and manage users. For more information, see Users.
Version and License: Allows users to access the License Management module in the Admin panel. In this module, users can view the license details, expiration date, application version, and more. For more information, see Manage License.
Vulnerabilities: Allows users to access the Vulnerabilities module from Menu. In this module, users can view, create, and manage vulnerabilities. For more information, see Vulnerabilities.
CFTR Admin Group Permissions
The following table shows the permissions mapped to features of Respond:
Module/Functionality | View Permission | Create/Update Permission |
---|---|---|
Action Library | Yes | Yes |
Actions | Yes | Yes |
Activity Logs | Yes | Yes |
API Request Logs | Yes | Yes |
Applications | Yes | Yes |
ATT&CK Navigator | Yes | No |
Business Units | Yes | Yes |
Campaigns | Yes | Yes |
Configurations | Yes | Yes |
Cost Tracking | Yes | Yes |
Dashboards | Yes | Yes |
Delete Untriaged Incidents | Yes | Yes |
Devices | Yes | Yes |
Email Customization | Yes | Yes |
Enhancements | Yes | Yes |
Fang-Defang | Yes | No |
Form Management | Yes | Yes |
Incidents | Yes | Yes |
Knowledge Base | Yes | Yes |
Labels | Yes | Yes |
Locations | Yes | Yes |
Malware | Yes | Yes |
Manufacturers | Yes | Yes |
Merge Incidents | Yes | Yes |
MSSP Dashboard | No | No |
Network Utility | Yes | No |
Open API | Yes | Yes |
OS Types | Yes | Yes |
Pause Incident | Yes | Yes |
PIRs | Yes | Yes |
Playbooks | Yes | Yes |
Protected Incidents | Yes | No |
Reports | Yes | Yes |
Roster Management | Yes | Yes |
Rule Engine | Yes | Yes |
SLA | Yes | Yes |
Software | Yes | Yes |
Sources | Yes | Yes |
Template Management | Yes | Yes |
Terminal | Yes | Yes |
Threat Actors | Yes | Yes |
Threat Briefings | Yes | Yes |
Threat Intel | Yes | Yes |
User Group Management | Yes | Yes |
User Management | Yes | Yes |
Users | Yes | Yes |
Version and License | Yes | Yes |
Vulnerabilities | Yes | Yes |
SOC Manager Group Permissions
Module/Functionality | View Permission | Create/Update Permission |
---|---|---|
Action Library | No | No |
Actions | Yes | Yes |
Activity Logs | No | No |
API Request Logs | No | No |
Applications | Yes | Yes |
ATT&CK Navigator | No | No |
Business Units | Yes | Yes |
Campaigns | Yes | Yes |
Configurations | No | No |
Cost Tracking | No | No |
Dashboards | Yes | Yes |
Delete Untriaged Incidents | Yes | No |
Devices | Yes | Yes |
Email Customization | No | No |
Enhancements | Yes | Yes |
Fang-Defang | Yes | No |
Form Management | No | No |
Incidents | Yes | Yes |
Knowledge Base | Yes | Yes |
Labels | Yes | No |
Locations | Yes | Yes |
Malware | Yes | Yes |
Manufacturers | Yes | No |
Merge Incidents | Yes | No |
MSSP Dashboard | No | No |
Network Utility | Yes | No |
Open API | No | No |
OS Types | Yes | No |
Pause Incident | Yes | No |
PIRs | Yes | Yes |
Playbooks | Yes | Yes |
Protected Incidents | No | No |
Reports | Yes | Yes |
Roster Management | No | No |
Rule Engine | No | No |
SLA | Yes | Yes |
Software | Yes | Yes |
Sources | Yes | No |
Template Management | No | No |
Terminal | Yes | Yes |
Threat Actors | Yes | Yes |
Threat Briefings | Yes | Yes |
Threat Intel | Yes | Yes |
User Group Management | Yes | No |
User Management | Yes | No |
Users | Yes | Yes |
Version and License | No | No |
Vulnerabilities | Yes | Yes |
SOC Analyst Group Permissions
The following table shows the module/functionality permissions mapped to the user group:
Module/Functionality | View Permission | Create/Update Permission |
---|---|---|
Action Library | No | No |
Actions | Yes | Yes |
Activity Logs | No | No |
API Request Logs | No | No |
Applications | Yes | Yes |
ATT&CK Navigator | No | No |
Business Units | Yes | No |
Campaigns | Yes | Yes |
Configurations | No | No |
Cost Tracking | No | No |
Dashboards | Yes | No |
Delete Untriaged Incidents | Yes | No |
Devices | Yes | Yes |
Email Customization | No | No |
Enhancements | Yes | No |
Fang-Defang | Yes | No |
Form Management | No | No |
Incidents | Yes | Yes |
Knowledge Base | Yes | No |
Labels | Yes | No |
Locations | Yes | No |
Malware | Yes | Yes |
Manufacturers | Yes | No |
Merge Incidents | Yes | No |
MSSP Dashboard | No | No |
Network Utility | Yes | No |
Open API | No | No |
OS Types | Yes | No |
Pause Incident | Yes | Yes |
PIRs | Yes | Yes |
Playbooks | No | No |
Protected Incidents | No | No |
Reports | Yes | Yes |
Roster Management | No | No |
Rule Engine | No | No |
SLA | No | No |
Software | Yes | Yes |
Sources | Yes | No |
Template Management | No | No |
Terminal | No | No |
Threat Actors | Yes | Yes |
Threat Briefings | Yes | Yes |
Threat Intel | Yes | Yes |
User Group Management | Yes | No |
User Management | Yes | No |
Users | Yes | Yes |
Version and License | No | No |
Vulnerabilities | Yes | Yes |
Read-Only Group Permissions
Module/Functionality | View Permission | Create/Update Permission |
---|---|---|
Action Library | Yes | No |
Actions | Yes | No |
Activity Logs | Yes | No |
API Request Logs | Yes | No |
Applications | Yes | No |
ATT&CK Navigator | Yes | No |
Business Units | Yes | No |
Campaigns | Yes | No |
Configurations | Yes | No |
Cost Tracking | Yes | No |
Custom Mode | No | No |
Dashboards | Yes | No |
Delete Untriaged Incidents | Yes | No |
Devices | Yes | No |
Email Customization | Yes | No |
Enhancements | Yes | No |
Fang-Defang | Yes | No |
Form Management | Yes | No |
Incidents | Yes | No |
Knowledge Base | Yes | No |
Labels | Yes | No |
Locations | Yes | No |
Malware | Yes | No |
Manufacturers | Yes | No |
Merge Incidents | Yes | No |
MSSP Dashboard | No | No |
Network Utility | Yes | No |
Open API | Yes | No |
OS Types | Yes | No |
Pause Incident | Yes | No |
PIRs | Yes | No |
Playbooks | Yes | No |
Protected Incidents | Yes | No |
Reports | Yes | Yes |
Roster Management | Yes | No |
Rule Engine | Yes | No |
SLA | Yes | No |
Software | Yes | No |
Sources | Yes | No |
Template Management | Yes | No |
Terminal | Yes | No |
Threat Actors | Yes | No |
Threat Briefings | Yes | No |
Threat Intel | Yes | Yes |
User Group Management | Yes | No |
User Management | Yes | No |
Users | Yes | No |
Version and License | Yes | No |
Vulnerabilities | Yes | No |