Understanding Permissions

Access to advanced queries

  • Enabled: The account user has access to the Investigations area and can select the Advanced SQL query tab to create SQL statements and search the data lake collected by Cytomic Orion for suspicious operations.

  • Disabled: The account user has access to the Investigations area but cannot select the Advanced SQL query tab.

Access to OSQuery

  • Enabled: The account user has access to the Investigations area and can select the OSQuery query tab to create a notebook used in the analysis of the SOC clients' IT infrastructure.

  • Disabled: The account user has access to the Investigations area but cannot select the OSQuery query tab.

Access to the query wizard

  • Enabled: The account user has access to the Investigations area and can select the Wizard-guided queries tab to create simple searches to explore the data lake collected by Cytomic Orion for suspicious operations.

  • Disabled: The account user has access to the Investigations area but cannot select the Wizard-guided queries tab.

Isolate/deisolate computers

  • Enabled: The account user can restrict communications from SOC clients’ computers to isolate them if they are compromised or to contain the effects of an attack.

  • Disabled: The account user cannot restrict communications from SOC clients’ computers to isolate them if they are compromised or to contain the effects of an attack.

Delete IOCs for all clients

  • Enabled: The account user can execute calls to the Cytomic Orion API to delete IOCs previously loaded on the platform.

  • Disabled: The account user cannot execute calls to the Cytomic Orion API to delete IOCs previously loaded on the platform.

Search for IOCs

  • Enabled: The account user can execute calls to the Cytomic Orion API to search clients’ computers for IOCs previously loaded on the platform.

  • Disabled: The account user cannot execute calls to the Cytomic Orion API to search clients’ computers for IOCs previously loaded on the platform.

Create hunting rules and notification rules for all clients

  • Enabled: The account user can create hunting rules and notification rules that affect all clients regardless of the client visibility settings associated with the account.

  • Disabled: The account user cannot create hunting rules or notification rules that affect all clients.

Create notebooks for manual investigation

  • Enabled: The account user can create, edit, and delete notebooks to automate investigations.

  • Disabled: The account user cannot create, edit or delete notebooks.

Create notebooks from automated investigation templates

  • Enabled: The account user has access to the Automated investigation option in the tab bar of an investigation to create a notebook using a template previously created in Cytomic Orion.

  • Disabled: The account user does not have access to the Automated investigation option and cannot create notebooks using templates.

Create quick answers

  • Enabled: The account user can create and delete small code snippets (quick answers) to speed up investigations.

  • Disabled: The account user cannot create or delete small code snippets (quick answers) to speed up investigations.

Create indicator notification rules

  • Enabled: The account user can create, edit, and delete notification rules for indicators generated by hunting rules for all clients the account user has visibility to.

  • Disabled: The account user cannot create, edit, or delete notification rules for indicators generated by hunting rules.

Delete indicators and manage automatic indicator deletion rules

  • Enabled: The account user can delete indicators and create, edit, and delete rules for deleting indicators.

  • Disabled: The account user cannot delete indicators or create, edit, or delete rules for deleting indicators, although they can see the existing rules and the indicators deleted by each rule.

Manage investigation notebook templates

  • Enabled: The account user can access the Automated investigations side panel in the Settings section to create, edit, publish, and delete notebook templates.

  • Disabled: The account user cannot access the Automated investigations side panel in the Settings section.

Manage hunting rules

  • Enabled: The account user can create, delete, edit, enable, and disable hunting rules.

  • Disabled: The account user cannot create, edit, delete, enable, or disable hunting rules, although they can see the existing rules and their definitions if they were created by a SOC account.

Manage automatic indicator assignment rules

  • Enabled: The account user can access the Assignment rules side panel in the Settings section to view, create, edit, and delete rules that automatically assign indicators to investigations.

  • Disabled: The account user cannot access the Assignment rules side panel in the Settings section.

Manage users, permissions, and clients

  • Enabled: The account user can create new users and roles, assign permissions based on the analyst profile and the service level assigned to them within the SOC, and configure client visibility. This permission is commonly assigned to SOC managers.

  • Disabled: The account user cannot access the Users or Clients side panels in the Settings section.

Import IOCs for all clients

  • Enabled: The account user can execute calls to the Cytomic Orion API to load new IOCs on the platform.

  • Disabled: The account user cannot execute calls to the Cytomic Orion API to load new IOCs on the platform.

Restart computers

  • Enabled: The account user can invoke the reboot sequence on the SOC clients’ computers.

  • Disabled: The account user cannot invoke the reboot sequence on the SOC clients’ computers.

Remote shell and view executed commands

  • Enabled: The account user can remotely open a command line on the SOC clients’ computers.

  • Disabled: The account user cannot remotely open a command line on the SOC clients’ computers.

View the data usage dashboard

  • Enabled: The account user can open the data usage dashboard by selecting Data usage in the side panel.

  • Disabled: The account user cannot open the data usage dashboard.

View client names

  • Enabled: The console shows the names of clients that computers belong to, and not just ID numbers.

  • Disabled: The console does not show the names of clients, just ID numbers. This way, analysts cannot link the data shown in Cytomic Orion to specific clients, thereby respecting any confidentiality agreements signed and data protection regulations (GDPR and other laws).

View computer names

  • Enabled: The console shows the names of computers, not just ID numbers.

  • Disabled: The console does not show the names of computers, just ID numbers. This way, analysts cannot link the data shown in Cytomic Orion to specific computers, thereby respecting any confidentiality agreements signed and data protection regulations (GDPR and other laws).

View the organization activity log

  • Enabled: The account user can access the Activity log section from the Settings top menu to view a list of the actions performed by user accounts outside the context of an investigation.

  • Disabled: The account user cannot access the Activity log section.

View graphs

  • Enabled: The account user can access the Graphs option, accessible from an investigation or from an event shown in the investigation console, to view graph-type notebooks.

  • Disabled: The account user cannot access the Graphs option.