Step 2. Assign Respond View Permissions
Add users with the required permissions to investigate incidents and alerts in NetWitness Respond. Users with access to the Respond view need both Incidents and Respond-server permissions. Users with access to configure incident email notification settings need additional Integration-server permissions.
The following pre-configured roles have permissions in the Respond view:
- Analysts: The Security Operations Center (SOC) Analysts have access to Alerting, NetWitness Respond, Investigate, and Reporting, but not system configurations.
- Malware Analysts: Malware Analysts have access to investigations and malware events.
- Operators: Operators have access to configurations, but not Investigate, ESA, Alerting, Reporting and NetWitness Respond.
- SOC_Managers: The SOC Managers have the same access as Analysts plus additional permissions to handle incidents and configure NetWitness Respond.
- Data_Privacy_Officers: Data Privacy Officers (DPOs) are like Administrators with additional focus on configuration options that manage obfuscation and viewing of sensitive data within the system. See the Data Privacy Management Guide for additional information. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.
- Respond_Administrator: The Respond Administrator has full access to NetWitness Respond.
- Administrators: The Administrator has full system access to NetWitness and has all permissions by default.
The NetWitness Respond default permissions are shown in the following tables. You need to assign user permissions from both the Incidents and Respond-server tabs, which are the Permissions tab names in the (Admin) > Security view Add or Edit Roles dialogs. You may want to add additional user permissions for Alerting, Context Hub, Investigate, Investigate-server, and Reports.
Caution: It is very important that you assign equivalent user permissions from BOTH the Respond-server tab AND the Incidents tab.
Users who configure incident email notification settings also need permissions in the Integration-server tab.
Respond-server

| Permissions | Analysts | SOC Managers | DPOs | Respond Admin | Operators | Malware Analysts |
|---|---|---|---|---|---|---|
| respond-server.alert.delete | | | Yes* | Yes* | | |
| respond-server.alert.manage | Yes | Yes | Yes* | Yes* | | Yes |
| respond-server.alert.read | Yes | Yes | Yes* | Yes* | | Yes |
| respond-server.alertrule.manage | | Yes | Yes* | Yes* | | |
| respond-server.alertrule.read | | Yes | Yes* | Yes* | | |
| respond-server.configuration.manage | | | Yes* | Yes* | | |
| respond-server.health.read | | | Yes* | Yes* | | |
| respond-server.incident.delete | | | Yes* | Yes* | | |
| respond-server.incident.manage | Yes | Yes | Yes* | Yes* | | Yes |
| respond-server.incident.read | Yes | Yes | Yes* | Yes* | | Yes |
| respond-server.journal.manage | Yes | Yes | Yes* | Yes* | | Yes |
| respond-server.journal.read | Yes | Yes | Yes* | Yes* | | Yes |
| respond-server.logs.manage | | | Yes* | Yes* | | |
| respond-server.metrics.read | | | Yes* | Yes* | | |
| respond-server.notification.manage (Available in 11.1 and later) | | Yes | Yes* | Yes* | | |
| respond-server.notification.read (Available in 11.1 and later) | | Yes | Yes* | Yes* | | |
| respond-server.process.manage | | | Yes* | Yes* | | |
| respond-server.remediation.manage | Yes | Yes | Yes* | Yes* | | Yes |
| respond-server.remediation.read | Yes | Yes | Yes* | Yes* | | Yes |
| respond-server.risk.manage | | Yes | Yes* | Yes* | | |
| respond-server.risk.read | | Yes | Yes* | Yes* | | |
| respond-server.security.manage | | | Yes* | Yes* | | |
| respond-server.security.read | | | Yes* | Yes* | | |

* Data Privacy Officers and Respond Administrators have the respond-server.* permission, which gives them all of the Respond-server permissions.
Incidents

| Permissions | Analysts | SOC Managers | DPOs | Respond Admin | Operators | Malware Analysts |
|---|---|---|---|---|---|---|
| Access Incident Module | Yes | Yes | Yes | Yes | | Yes |
| Configure Incident Management Integration | | Yes | Yes | Yes | | |
| Delete Alerts and Incidents | | | Yes | Yes | | |
| Manage Alert Handling Rules | | Yes | Yes | Yes | | |
| View and Manage Incidents | Yes | Yes | Yes | Yes | | Yes |

The Respond Administrator has all of the Respond-server and Incidents permissions.
Integration-server
Note: The Integration-server permissions are available in NetWitness version 11.1 and later.
Users who configure incident email notification settings also need Integration-server permissions. The following table lists the incident notification permissions in the Integration-server tab assigned to each role.

| Permissions | Analysts | SOC Managers | DPOs | Respond Admin | Operators | Malware Analysts |
|---|---|---|---|---|---|---|
| integration-server.notification.read | | Yes | Yes | Yes | | |
| integration-server.notification.manage | | Yes | Yes | Yes | | |

Investigate-server
Users who view Event Analysis in Respond also need Investigate-server permissions. The following table lists the Respond Event Analysis permissions required in the Investigate-server tab and the permissions assigned to each role.

| Permissions | Analysts | SOC Managers | DPOs | Respond Admin | Operators | Malware Analysts |
|---|---|---|---|---|---|---|
| investigate-server.event.read | Yes | Yes | Yes | Yes | | Yes |
| investigate-server.content.reconstruct | Yes | Yes | Yes | Yes | | Yes |
| investigate-server.content.export | Yes | Yes | Yes | Yes | | Yes |

Incident Email Notification Settings Permissions
Note: Incident email notification setting permissions are available in NetWitness version 11.1 and later.
If you are updating from NetWitness version 11.0 to 11.1 or later, you will need to add additional permissions to your existing built-in NetWitness user roles. For all upgrades to 11.1 or later, you will need to add additional permissions to custom roles.
The following permissions are required for Respond Administrators, Data Privacy Officers, and SOC Managers to access incident email notification settings [(Configure) > Incident Notifications].
Incidents tab:
- Configure Incident Management Integration
Respond-server tab:
- respond-server.notification.manage
- respond-server.notification.read
Integration-server tab:
- integration-server.notification.read
- integration-server.notification.manage
Respond Event Analysis Permissions
Note: The Event Analysis panel in the Respond view is available in NetWitness version 11.2 and later.
The Events panel in the Respond view, formerly known as the Event Analysis panel, shows the Events view from Investigate for specific indicator events. The following permissions are required to view the Events panel in the Respond view. These permissions are provided by default for users with the Analysts role.
Investigate-server tab:
- investigate-server.event.read
- investigate-server.content.reconstruct
- investigate-server.content.export
Administration tab:
- Access Administration Module
Note: Migrated incidents from NetWitness versions before 11.2 will not show the Events panel in the Respond Incident Details view Indicators panel. Likewise, if you use alerts that were migrated from versions before 11.2 to create incidents in 11.2, you will also not be able to view the Events panel in the Respond view for those incidents.
Respond Saved Filter Permissions
Note: Saved filters for the incidents and alerts lists in Respond are available in NetWitness version 11.5 and later.
The following permissions are required for the incidents and alerts filters (Respond > Incidents and Respond > Alerts). The Analysts role has the required Respond filter permissions by default.
Respond-server tab:
- respond-server.incident.manage
- respond-server.incident.read
- respond-server.alert.manage
- respond-server.alert.read
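
As an added example (not NetWitness code), the following Python check compares a role's permissions against the three feature-specific permission sets listed above (incident email notification settings, the Events panel, and saved filters), honoring the `respond-server.*` wildcard. Supplying a role as a plain set of strings and the sample role itself are assumptions; the page does not describe an export format.

```python
from fnmatch import fnmatchcase

# Permission sets copied from this page, keyed by the feature they unlock.
FEATURE_REQUIREMENTS = {
    "incident email notification settings (11.1+)": {
        "Configure Incident Management Integration",  # Incidents tab
        "respond-server.notification.manage",
        "respond-server.notification.read",
        "integration-server.notification.read",
        "integration-server.notification.manage",
    },
    "Events panel in Respond (11.2+)": {
        "investigate-server.event.read",
        "investigate-server.content.reconstruct",
        "investigate-server.content.export",
        "Access Administration Module",  # Administration tab
    },
    "saved incident and alert filters (11.5+)": {
        "respond-server.incident.manage",
        "respond-server.incident.read",
        "respond-server.alert.manage",
        "respond-server.alert.read",
    },
}

def is_granted(required, granted):
    """True if a granted entry equals `required` or is a wildcard
    (such as respond-server.*) that covers it."""
    return any(fnmatchcase(required, pattern) for pattern in granted)

def missing_permissions(granted):
    """Map each feature to the sorted permissions the role still lacks."""
    return {
        feature: sorted(p for p in required if not is_granted(p, granted))
        for feature, required in FEATURE_REQUIREMENTS.items()
    }

# Constructed sample: a hypothetical custom role carried over from 11.0 that
# was never given the Integration-server permissions introduced in 11.1.
CUSTOM_ROLE = {
    "Access Incident Module", "View and Manage Incidents",
    "Configure Incident Management Integration",
    "respond-server.*", "Access Administration Module",
    "investigate-server.event.read", "investigate-server.content.reconstruct",
}

if __name__ == "__main__":
    for feature, gaps in missing_permissions(CUSTOM_ROLE).items():
        print(f"{feature}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```
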
Respond Role Permission Examples
The following figure shows Respond-server permissions for the default Respond Administrator role. The Respond Administrator role contains all of the NetWitness Respond permissions.
The following figure shows the Incidents permissions for the default Analysts role:
For more information, see "Role Permissions" and "Manage Users with Roles and Permissions" in the System Security and User Management Guide. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.
Restrict Access to Incidents
By default, analysts can view all of the incidents, alerts, and tasks in the Respond view. If you have sensitive or restricted information that should not be shared, you can restrict what analysts and other users can see in the Respond view.
If you restrict access to incidents:
- Analysts can only see incidents assigned to them as well as the alerts and tasks associated with those incidents. Likewise, they can only change the status of and add journal entries (notes) to their own incidents.
- Analysts cannot see the Alerts and Tasks tabs in the Respond view (Respond > Tasks and Respond > Alerts are hidden), so they cannot view all alerts and tasks.
- Analysts cannot see the Assignee button or change the assignee of an incident.
- Analysts cannot see the Related Indicators (alerts) panel (Incident Details view > Find Related tab in the left-side panel).
- When adding events to incidents from the Investigate views, users can only add events to incidents to which they have access. The list of incidents to which users can add events only shows incidents that the user can access.
- When creating incidents from the Investigate views, users must have access to those incidents to view them in the Respond view. For example, when creating incidents from the Investigate view, Analysts must assign the incidents to themselves to view them in the Respond view.
Caution: These restrictions apply to all NetWitness users, except users with the Administrators, Respond_Administrator, and SOC_Managers roles. However, you can adjust the list of user roles whose access to incidents should not be restricted.
To restrict access to incidents:
- Go to (Admin) > Security and click the Settings tab.
- In the Restrict Access to Incidents section, select Restrict access to incidents for all users, except for users with the roles listed below.
- In the list, add the user roles whose access to incidents should not be restricted.
- Click Apply.
Changes take effect on the next log in to NetWitness.