Manage User Accounts

A user account consists of multiple pieces of information that are generated when you create the account:

• Account login email address: Identifies the user who accesses the console.

• Account password: Allows or prevents access to the analysis console.

• Assigned role: Determines which computers the account user can manage and the actions they can take.

• Client: Determines the analyst visibility of the workstations and servers managed by the MSSP/SOC.

Create the First User Account

The procedure to create the first user account is different from the steps to create subsequent accounts. The first user account always has the Full Control role assigned. This role enables the analyst to perform any action through the console. You cannot delete or modify this account.

Receive the Welcome Email

• After you purchase Cytomic Orion, you receive an email message from Cytomic.

• Click the Click here link in the message to access the website from which you can create the first user account.

Complete the Create Your Cytomic Account Form

• Enter your email address and click Create. You will receive a new email message at the email address you specified in the form to activate the account you created.

Activate the User Account

• Click the activation button in the message you received to verify the email address you provided when you created the user account. If the button does not work, copy and paste the link included in the message into your browser. The Cytomic Account page opens.

• Enter the password for the account. The password length must be at least 8 characters. The password must contain at least one number and at least one letter.

• Choose the country. Click Activate account. The One second and you are done page opens.

• Enter your first and last name, date of birth, phone number, and address. Click Save. You can skip this step by clicking Not now. The Cytomic Central end-user license agreement opens.

• Click Accept and continue. The Cytomic Central page opens, from which you can access all services purchased from Cytomic.

• To access the Cytomic Orion console, click the Cytomic Orion tile in My services. The first time you access the console, a wizard opens that prompts you to accept the license and data processing agreements.

  • On the License agreement page, click the Accept and continue button.

  • On the Data processing agreement page, click Go to data processing agreement.

  • On the Data processing agreement page, click Accept. The Cytomic Orion console opens.

Create Subsequent User Accounts

After you create the first user account, you can access the Cytomic Orion console, from which you can create all other user accounts you might need.

• Make sure you have the Manage users, permissions, and clients permission assigned. See Understanding Permissions.

• From the top menu, select Settings. From the side menu, select Users.

• Select the Users tab. A page opens that shows a list of all users created in the management console.

• Click Add user (1). The Add user page opens.

• In the Email field, enter the console user email address. Enter a description if needed.

• Choose a role for the user account. See Understanding Permissions.

• To specify the clients that are visible to the user account:

  • Under Clients the user has permission on, click the icon. The Choose client groups dialog box opens.

  • Select the checkboxes next to the client groups the analyst will have access to.

  • Click OK.

For more information about visibility for a user account, see Client Visibility Settings.

• Click Save. Cytomic Orion sends an email to the specified email address so that the user can create an access password and accept the terms of the license and data processing agreements.

For MSSPs/SOCs with multiple Cytomic products, if the email account already exists in the Cytomic systems, the activation email is not sent. The account can access Cytomic Orion with the credentials used for other products.

Edit the Personal Details for a User Account

• In the management console, click the icon in the upper-right corner of the page. A drop-down menu appears.

• Select Set up my profile.

Cytomic Central

• The Cytomic Account page opens.

• In the left menu, select Profile. Fill the form with the personal details for the account.

• Click Save. The changes are stored on the Cytomic server.

Edit the Email Address or Password for a User Account

• In the management console, click the icon in the upper-right corner of the page. A drop-down menu appears.

• Select Set up my profile.

Cytomic Central

• The Cytomic Account page opens.

• In the left menu, select Login. Click the Change email address or Change password links. A page opens that prompts you to validate the old data and enter the new one.

• Click Change.

Access the Users List

• From the top menu, select Settings. From the side menu, select Users.

• Select the Users tab. A list appears that shows all user accounts created in Cytomic Orion, along with this information:

Field	Description
Email	The email address associated with the user.
Role	Set of permissions associated with the user account.
Client groups	Client groups to which the account has visibility.
Fields in the Users list

Delete User Accounts

• Make sure you have the Manage users, permissions, and clients permission assigned. See Understanding Permissions.

• From the top menu, select Settings. From the side menu, select Users.

• Select the Users tab. A page opens that shows a list of all users created in the analysis console.

• Select the checkboxes (3) next to the users you want to delete.

• In the toolbar, click the icon. A confirmation dialog box opens.

• Click OK. Deleted users cannot access the web console or the threat hunting library, nor do they receive email notifications. However, investigations, notebooks, and audit information generated by deleted users remain on the system. You can continue using deleted users in investigation search filters provided they have created an investigation or have investigations assigned.

Reactivate Users

You can register a deleted user again by following the normal process for creating a new user. In that case, all the information previously generated by the user is reassigned to the account.

Export the Users List

To download the Users list as an Excel file, click the icon (4) in the upper-right corner of the page.

Search for Users

Type a search term in the text box (5) to search in any of the list fields. You can type only a partial string.

Enable Two-factor Authentication

Cytomic Orion supports the two-factor authentication (2FA) standard to add an additional layer of security beyond that provided by the ‘user-password’ basic pair. This way, when you try to access the web console, you are prompted to enter an additional authentication item: a code that only the account owner has. This is a random code that is generated on a specific device, typically the Cytomic Orion administrator personal smartphone or tablet.

Requirements for Enabling 2FA

• Access to a personal smartphone or tablet with a built-in camera.

• Download the WatchGuard AuthPoint free app (or similar) from:

  • iOS: https://apps.apple.com/app/watchguard-authpoint/id1335115425

  • Android: https://play.google.com/store/apps/details?id=com.watchguard.authpoint

Enable 2FA

• In the analysis console, click the icon in the upper-right corner of the page. A drop-down menu appears.

• Select Set up my profile.

Cytomic Central

• The Cytomic Account page opens.

• From the side menu, select Login. In section Two-step verification, click the Enable link The Synchronization using an authentication app dialog box opens.

• The first time that you use the WatchGuard AuthPoint app on your mobile device, tap Activate. If you have used it before, tap the QR code icon in the upper-right corner of the page. The mobile device camera opens.

  

  Scan the QR code with WatchGuard AuthPoint

• Point the camera at the QR code in the Cytomic Orion console. A new entry is added to WatchGuard AuthPoint and a token is generated every 30 seconds.

• Enter the code generated by WatchGuard AuthPoint in the Cytomic Orion console to link the device to the user account. Click Verify. A dialog box opens that shows the message Two-factor authentication is enabled.

• Click OK.

Access the Web Console from Cytomic Central Using an Account with 2FA Enabled

• Go to https://central.cytomic.ai/Login. Enter your user name and password. Click Log in.

• Enter the verification code generated by WatchGuard AuthPoint on your mobile device. Click Verify. The Cytomic Central page opens.

Force all Console Users to Use 2FA

The user account with which you enforce the use of 2FA must have the Manage users, permissions, and clients permission assigned and full visibility into the IT network. See Understanding Permissions.

• From the top menu, select Settings. From the side menu, select Users. Select the Security tab.

• Select the option Require users to have two-factor authentication enabled to access this account.

• If the user account with which you force all console users to use 2FA does not have two-factor authentication enabled, a warning message is shown prompting you to access your Cytomic Account and enable the feature. See Enable 2FA.