Required Roles Per Endpoint

Each API request requires a different role. Ensure that you assign those users the appropriate roles based on the tasks they need to perform.

For the File Search APIs, required roles differ:

  • For Cybereason version prior to 21.1.182, you must contact Technical Support to enable the necessary permissions.

  • For Cybereason versions 21.1.182 and later, you must purchase and enable the DFIR package and assign the Responder L1/L2 role to use the file search.

The Threat Intel API request do not require Cybereason user permissions, as you send the requests to the Cybereason Global Threat Intel server, not your individual Cybereason server.

We recommend that you do not use the API User role for anyone performing API requests as it has limited permissions. Instead, it is recommended to use the Super user role, as this role has permission to send all API requests.


L1 Analyst

L2 Analyst

L3 Analyst

System Admin

Sensor Admin L1

Sensor Viewer


API User

Responder (L1/L2)

System Viewer

Abort a file download operation

Abort a remediation operation

Abort a sensor action

Add a Malop comment

Add sensor tags

Add a sensor to a group

Archive a sensor

Check remediation progress

Create a custom detection rule

Create an isolation exception rule

Create a sensor group

Delete a machine isolation rule

Delete sensors from the sensor list

Delete an IR tool package

Download a CSV list of sensors

Download a file

Download sensor logs

Edit a sensor group

Export file search results to a CSV file

Get a list of actions queued on Sensors

Get a count of malware

Get a Download Batch Number

Get the list of custom reputations

Get a list of all sensors

Get Malop details for EPP Malops

Get remediation status for a specific Malop

Get results from a specific file search operation

Get sensor logs

Get sensors tags on a machine

Get a sensor list

Isolate a machine in a Malop

Monitor IR tool deployment on endpoints

Monitor IR tool execution

Perform a file search operation

Query malware types

Remediate an item

Remove a machine in a Malop from isolation

Remove a sensor from a group

Restart a Sensor

Retrieve a list of active custom rules

Retrieve a list of disabled custom rules

Retrieve a list of Malop activity types for custom rules

Retrieve a list of Malop detection types for custom rules

Retrieve a list of root causes for custom rules

Retrieve a list of uploaded IR tool packages

Retrieve credentials for a GCP bucket with IR tool results

Retrieve Malops

Retrieve all machine isolation exception rules

Retrieve the update history for a custom rule

Retrieve results from an IR tool execution

Return a list of previous file search operations

Return a list of previous file search operations for all users

Run investigative queries

Run an IR tool on selected endpoint machines

Set sensor Anti-Ransomware mode

Set sensor Application Control mode

Set sensor Anti-Malware mode

Set sensor PowerShell protection mode

Start a file download operation from the Element Details screen

Start collection on a sensor

Stop collection on a sensor

Start or end a full or quick scan

Unarchive a sensor

Update a custom detection rule

Update a custom reputation

Update a machine isolation exception rule

Update Malop status

Upgrade a sensor

Upload an IR tool package