Endpoint Detection and Response User Roles and Permissions
The Endpoint Detection and Response has 3 OOTB (Out-of-the-box) roles for users:
- EDR Manager: The manager role has all the default permissions of the EDR except to create and delete any exception rule, and can grant permissions to other users.
- EDR Analyst: The analyst role has all the permissions except to delete EDR any malware profile, EDR rule, EDR blockhash, EDR Quarantine application, and alerting permission. The analyst also cannot quarantine the host.
- EDR User: The reader role has view-only permissions for the Endpoint Detection and Response application.
The Endpoint Detection and Response module has several permission groups related to specific permission categories. The following are the categories of permissions with each of the related permissions groups for this module:
| Permission Categories | Description | Default Roles | ||
|---|---|---|---|---|
| EDR Manager | EDR Analyst | EDR User | ||
|
EDR Sandbox-RFC Permissions |
Sandbox View |  |
|
|
| Sandbox Submit File | |
|
N | |
| RFC View | |
|
|
|
| RFC Collect File | |
|
N | |
| Asset Exclusions View | |
|
|
|
| Response Action Permissions | Recover File | |
|
N |
| UnQuarantine Host | |
N | N | |
| Quarantine Host | |
N | N | |
| Kill Process | |
|
N | |
| Quarantine File | |
|
N | |
| UnQuarantine File | |
|
N | |
| Delete File | |
|
N | |
|
Exception Permissions |
Create, Delete any Exception rule | |
|
N |
| EDR exception rule view access | |
|
|
|
| EDR Antimalware Profile Permissions | EDR Antimalware Profile Create | |
|
N |
| EDR Antimalware Profile Delete | |
N | N | |
| EDR Antimalware Profile View | |
|
|
|
| EDR Antimalware Set up | |
|
N | |
| EDR Antimalware Custom Scan | |
|
N | |
| EDR Rule Permissions | EDR Rule View | |
|
|
| EDR Rule Create | |
|
N | |
| EDR Rule Delete | |
N | N | |
| EDR Blockhash Permissions | EDR Blockhash View | |
|
|
| EDR Blockhash Create | |
|
N | |
| EDR Blockhash Delete | |
N | N | |
| Remediated asset configuration, Forensics Permissions | EDR quarantine View | |
|
|
| EDR Quarantine Add Update Application | |
|
N | |
| EDR Quarantine Delete Application | |
N | N | |
| EDR Forensics View | |
|
|
|
| EDR Permissions | EDR UI Access | |
|
|
| Saved Searches View | |
|
|
|
| EDR Incident Permissions | EDR Incident Update | |
N | N |
| EDR Incident View | |
|
|
|
| Alerting Permissions | Alerting Access | |
|
|
| Create, Edit, Delete your own Action | |
|
N | |
| Edit any Action | |
|
N | |
| Delete any Action | |
N | N | |
| Create, Edit, Delete your own Rule | |
|
N | |
| Edit any Rule | |
|
N | |
| Delete any Rule | |
N | N | |
| Actions View | |
|
|
|
| Advanced Hunting Permissions | Advanced Hunting View | |
|
|
| Advanced Update | |
|
N | |
| Advanced Delete | |
N | N | |
| Remediation Permissions | Remediation View | |
|
|
| Notification Permissions | Notifications View | |
|
|
| Notifications Edit | |
|
N | |