Required Roles Per Endpoint

Each API request requires a different role. Ensure that you assign those users the appropriate roles based on the tasks they need to perform.

For the File Search APIs, required roles differ:

• For Cybereason version prior to 21.1.182, you must contact Technical Support to enable the necessary permissions.

• For Cybereason versions 21.1.182 and later, you must purchase and enable the DFIR package and assign the Responder L1/L2 role to use the file search.

The Threat Intel API request do not require Cybereason user permissions, as you send the requests to the Cybereason Global Threat Intel server, not your individual Cybereason server.

We recommend that you do not use the API User role for anyone performing API requests as it has limited permissions. Instead, it is recommended to use the Super user role, as this role has permission to send all API requests.

Request	L1 Analyst	L2 Analyst	L3 Analyst	System Admin	Sensor Admin L1	Sensor Viewer	Executive	API User	Responder (L1/L2)	System Viewer
Abort a file download operation		✓	✓	✓			✓
Abort a remediation operation			✓				✓
Abort a sensor action				✓
Add a Malop comment	✓	✓	✓				✓
Add sensor tags				✓			✓	✓
Add a sensor to a group					✓
Archive a sensor				✓	✓
Check remediation progress	✓	✓	✓				✓
Create a custom detection rule			✓
Create an isolation exception rule			✓	✓
Create a sensor group				✓	✓
Delete a machine isolation rule			✓	✓
Delete sensors from the sensor list				✓
Delete an IR tool package									✓
Download a CSV list of sensors				✓	✓	✓
Download a file		✓	✓	✓			✓
Download sensor logs				✓	✓
Edit a sensor group				✓	✓
Export file search results to a CSV file									✓
Get a list of actions queued on Sensors				✓
Get a count of malware	✓	✓	✓				✓
Get a Download Batch Number		✓	✓	✓			✓
Get the list of custom reputations	✓	✓	✓	✓	✓
Get a list of all sensors				✓
Get Malop details for EPP Malops	✓	✓	✓
Get remediation status for a specific Malop	✓	✓	✓				✓
Get results from a specific file search operation									✓
Get sensor logs				✓	✓
Get sensors tags on a machine				✓	✓		✓	✓
Get a sensor list				✓
Isolate a machine in a Malop			✓
Monitor IR tool deployment on endpoints									✓
Monitor IR tool execution									✓
Perform a file search operation									✓
Query malware types	✓	✓	✓				✓
Remediate an item			✓				✓
Remove a machine in a Malop from isolation			✓				✓
Remove a sensor from a group					✓
Restart a Sensor				✓	✓
Retrieve a list of active custom rules			✓					✓
Retrieve a list of disabled custom rules			✓
Retrieve a list of Malop activity types for custom rules			✓
Retrieve a list of Malop detection types for custom rules			✓
Retrieve a list of root causes for custom rules			✓
Retrieve a list of uploaded IR tool packages									✓
Retrieve credentials for a GCP bucket with IR tool results									✓
Retrieve Malops	✓	✓	✓				✓	✓
Retrieve all machine isolation exception rules			✓	✓	✓
Retrieve the update history for a custom rule			✓
Retrieve results from an IR tool execution									✓
Return a list of previous file search operations									✓
Return a list of previous file search operations for all users									✓
Run investigative queries	✓	✓	✓				✓	✓
Run an IR tool on selected endpoint machines									✓
Set sensor Anti-Ransomware mode				✓
Set sensor Application Control mode				✓
Set sensor Anti-Malware mode				✓
Set sensor PowerShell protection mode				✓
Start a file download operation from the Element Details screen		✓	✓				✓
Start collection on a sensor				✓
Stop collection on a sensor				✓
Start or end a full or quick scan				✓
Unarchive a sensor				✓	✓
Update a custom detection rule			✓
Update a custom reputation			✓	✓
Update a machine isolation exception rule			✓	✓
Update Malop status	✓	✓	✓				✓
Upgrade a sensor				✓	✓
Upload an IR tool package									✓