Configure System-Level Security Settings

Most global security settings, such as the maximum number of failed login attempts to allow, apply to all NetWitness users and sessions. Settings related to passwords in the Password Strength section, such as password expiration period and the default number of days before user passwords expire, apply to internal NetWitness users, but not external users.

Configure Security Settings

  1. Go to (Admin) > Security.

    The Security view is displayed with the Users tab open.

  2. Click the Settings tab.

  3. In the Security Settings section, specify values for the fields as described in the following table.

    Field | Description
    Lockout Period | Number of minutes to lock a user out of NetWitness after the configured number of failed logins is exceeded. The default value is 20 minutes.
    Max Login Failures | The maximum number of unsuccessful login attempts before a user is locked out. The default value is 5.
    Session Timeout | The maximum duration of a user session, in minutes, before it times out. The default value is 480. The session times out when the configured time has elapsed, after which the user must log in again. The maximum allowed value is 30,000. Note: If you migrated to NetWitness 11.x from version 10.6.x and previously used a value of 0 for an unlimited session timeout, the value was reset automatically to 30,000 minutes, as a value of 0 is no longer supported.
    Idle Period | Number of minutes of inactivity before a session times out. The default value is 10. The maximum allowed value is 30,000. Note: If you migrated to NetWitness 11.x from version 10.6.x and previously used a value of 0 for an unlimited idle period, the value was reset automatically to the default value of 10, as a value of 0 is no longer supported.
    Usernames are case sensitive | Select this option if you want the Username field on the NetWitness login to be case sensitive. For example, if usernames are case sensitive, you could use admin to log on to NetWitness, but you could not use Admin.
  4. Click Apply. The Security Settings take effect immediately. If a password expires, the user receives a prompt to change the password when they log on to NetWitness.
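
The following Python example is added here and is not NetWitness code. It models how Session Timeout and Idle Period interact, applies the 10.6.x to 11.x migration rule for the value 0, and reviews proposed values before you enter them. It assumes Session Timeout is counted from login, that any activity resets the idle timer, and that 1 is the smallest accepted value; the class and function names are hypothetical.

```python
from dataclasses import dataclass

MAX_MINUTES = 30_000   # maximum allowed value stated in the table above
DEFAULT_IDLE = 10      # default Idle Period, in minutes


@dataclass
class SessionSettings:             # hypothetical container, not a NetWitness API
    session_timeout: int = 480     # default Session Timeout, in minutes
    idle_period: int = DEFAULT_IDLE


def migrate_from_10_6(session_timeout, idle_period):
    """Apply the documented reset of the unsupported value 0 on migration."""
    if session_timeout == 0:
        session_timeout = MAX_MINUTES   # unlimited session becomes 30,000 minutes
    if idle_period == 0:
        idle_period = DEFAULT_IDLE      # unlimited idle becomes the default of 10
    return session_timeout, idle_period


def review(settings):
    """Return findings for proposed values (lower bound of 1 is an assumption)."""
    findings = []
    for name in ("session_timeout", "idle_period"):
        value = getattr(settings, name)
        if value == 0:
            findings.append(f"{name}: 0 (unlimited) is no longer supported")
        elif not 1 <= value <= MAX_MINUTES:
            findings.append(f"{name}: {value} is outside 1..{MAX_MINUTES}")
    if 0 < settings.session_timeout <= settings.idle_period:
        findings.append("idle_period: has no effect, session_timeout expires first")
    return findings


def session_ends_at(settings, login, activity):
    """Minute at which a session ends, given the login minute and activity minutes."""
    hard_stop = login + settings.session_timeout   # absolute limit from login
    last = login
    for t in sorted(activity):
        if t >= hard_stop or t - last >= settings.idle_period:
            break                                  # session had already ended
        last = t
    return min(last + settings.idle_period, hard_stop)
```

With the defaults, a user who stays continuously active is still logged out 480 minutes after login, while a user who stops working is logged out 10 minutes after the last action.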

Restrict Access to Incidents

By default, analysts can view all of the incidents, alerts, and tasks in the Respond view. If you have sensitive or restricted information that should not be shared, you can restrict what analysts and other users can see in the Respond view.

If you restrict access to incidents:

  • Analysts can only see incidents assigned to them as well as the alerts and tasks associated with those incidents. Likewise, they can only change the status of and add journal entries (notes) to their own incidents.
  • Analysts cannot see the Alerts and Tasks tabs in the Respond view (Respond > Tasks and Respond > Alerts are hidden), so they cannot view all alerts and tasks.
  • Analysts cannot see the Assignee button or change the assignee of an incident.
  • Analysts cannot see the Related Indicators (alerts) panel (Incident Details view > Find Related tab in the left-side panel).
  • When adding events to incidents from the Investigate views, users can only add events to incidents to which they have access. The list of incidents to which users can add events only shows incidents that the user can access.
  • When creating incidents from the Investigate views, users must have access to those incidents to view them in the Respond view. For example, when creating incidents from the Investigate view, Analysts must assign the incidents to themselves to view them in the Respond view.

Caution: These restrictions apply to all NetWitness users, except users with the Administrators, Respond_Administrator, and SOC_Managers roles. However, you can adjust the list of user roles whose access to incidents should not be restricted.

To restrict access to incidents:

  1. Go to (Admin) > Security and click the Settings tab.
  2. In the Restrict Access to Incidents section, select Restrict access to incidents for all users, except for users with the roles listed below.
  3. In the list, add the user roles whose access to incidents should not be restricted.
  4. Click Apply.
    Changes take effect on the next login to NetWitness.