
09-10-2019 02:19 PM
hi all,
We have some security incident tasks assigned to some other teams who might need read-only access to the incident ticket and also the assigned task.
I tried assigning sn_si.external and sn_si.special_access but the users are still unable to see the task.
Ravish

09-10-2019 03:38 PM
Hey Ravish,
To confirm -> it sounds like you want to have a user that is not a Security Analyst (or a traditional SIR user), to have limited access to certain SIR records? Are you potentially re-assigning these SIR records to these "external" folks, or creating Security Response Tasks (SITs)?
I don't believe using <sn_si.external> will solve that for you, however <sn_si.special_access> might partially get you there.
sn_si.external
Using <sn_si.external>, you would need to assign this <role> to SN Groups that you anticipate creating / assigning Security Incident Response Tasks to. So if you have an SIR, you can create multiple SITs (Response Tasks) to External Teams (e.g. Task to block an IP addr, or disable an account, etc).
You would not be assigning an SIR record to these Groups; you would be creating Response Tasks from the SIR, and assigning those to these Teams.
The baseline SIR functionality, is that you must assign the SIT to an actual Assignment group AND Assigned to {user}. Also, these users would not be able to navigate to the SIR record, that the SIT (Response Task) was created for.
There is an ACL entry on Response Tasks for users with <sn_si.external> -> which only allows them to see Response Tasks that are assigned to them at the {user} layer.
They will nav to "My work"... to see their relevant SITs (Response Tasks).
sn_si.special_access
Using <sn_si.special_access>, there is no need to explicitly assign this <role> to a Group or User.
When you navigate to an SIR record, and look at the "special permissions" fields such as `Read access` and `Privileged access` -> by putting a user into these fields, the system will automatically grant them this role. Then, when that user logs into SN, they have a limited view into the SIR app (even without having any sn_si.* <roles>).
These users will only be able to either 'read' or 'edit' explicit SIR records, where they have been granted access to -> i.e. `Read access` and `Privileged access`.
They will nav to "Security Incident" -> "Incidents" -> "Visible to me"... to see their relevant SIRs.
Reference - sn_si.special_access
Reference - sn_si.external
09-10-2019 02:33 PM
Did you add those users to the tickets as well? There is a field Read Access and Privileged access where you may need to add them

09-23-2019 12:32 PM
Is it not true that the "response_task" Type is required in order to be able to assign a group a Response Task of a SIR?

09-23-2019 03:04 PM
Hi Andy, thanks for the detailed response. It's very helpful.
The use case that I have is to reset mobile device information when the mobile is lost. We have a response task generated via the workflow to the mobile device admin team (non-security team) who need to do the wipe.
Correct me if I am wrong, I think granting both sn_si.external and sn_si.special_access to the mobile device admin group would be ideal. This way they see the response task information and if they need to, the security analyst can add them in the privileged or read access list in the parent ticket.
Or should we just grant them sn_si.external if they just need to work on response tasks?
Ravish