User and Role Management

As a security tool, the Arista NDR platform manages a tremendous amount of potentially sensitive data. Ensuring that data is accessed appropriately is critical and the platform provides tools to manage the available users and each user's permissions.

Awake manages permissions by means of Roles. Each role has a defined set of capabilities, and each user belongs to a single role. This chapter will show you how to manage users and roles.

Log in to Awake Console

The Awake Security Platform is accessed by means of a web-based application, the Awake Console. You can obtain the URL of the Console application and the login credentials from your network administrator.

Log in to the Nucleus Cluster Directly

  1. Open this URL with the Chrome browser.
    Figure 1. Awake Log in

    Note:
    • In this release, the Console requires that you use one of the most recent versions of Chrome. We support the last two major versions of Google Chrome including versions 104.x and 105.x.
    • If you have Global Identity enabled, see Global Identity. If not, you will see the Awake Security Platform sign-in dialog box.
  2. Enter your username and password.
    Note: Ask your system administrator for the login credentials.
  3. Click on the Sign In button.
    The browser logs you in and places you in the Awake Console’s Platform Dashboard. For an overview and instructions for Dashboard use and customizations, see the section, Managing Platform Dashboards.
    Note: You can open multiple browser tabs, each with an instance of the Awake Console. If you are already logged in, new tabs open already logged in. Logging out on one tab ends your authenticated session and logs you out of the others.

    Allow for a 24-Hour Baseline Data Accumulation Period After the Initial System Installation.

    After the Awake Security Platform is installed, it begins collecting and analyzing packet data from your network. Good analytics require sufficient data, so Arista recommends waiting at least 24 hours before trying your first query. You can use the Awake Security Platform right away, but bear in mind that the results may not be optimal until enough data has been collected to build a baseline profile of your traffic. With a good baseline, the network analysis ensures that entities are correctly profiled, so that a given entity is recognized consistently even if it uses multiple IP addresses. See Understanding the Device Entity and the Entity Tracker for details.

Log in through the Analyst Portal

 

  1. Go to https://app.awake.cloud to access the Analyst Portal console, then log in with your corporate login credentials or with a username and password.
    Figure 2. Awake Log in
  2. After a successful login, select the deployment that you wish to view from the list or search for a specific one using the search bar.

  3. Selecting a deployment in the previous step takes you to a deployment dashboard screen where you can access the metrics and other information. To switch to another deployment, use the dropdown at the top left of the screen and choose from the list.

Global Identity

Global Identity is a single sign-on solution that is hosted in the cloud. This provides your SOC staff with Single Sign-On (SSO), so there is no need to sign in repeatedly on multiple Nucleus nodes.

This feature is available to users who allow their Arista NDR Platform installation to connect to the associated Amazon Web Services (AWS) account, but is disabled by default. To enable it, please contact Arista support.

Global Identity also works with any identity provider that supports the OpenID Connect version 1.0 or SAML version 2.0 protocols. Multifactor or two-factor authentication (MFA or 2FA) is supported by Arista’s managed SSO solution. If the user has configured their own third party identity provider, MFA/2FA is handled by that provider. The Arista NDR Platform also supports on-premises identity providers, as long as they use SAML.

Without Global Identity

If Global Identity is not enabled, the standard Awake Security Platform sign-in dialog asks for a username and password.

Figure 3. Arista NDR Platform Sign-in Page (No Global Identity)

With Global Identity

When Global Identity is enabled, your user administrator(s) must ensure that every user who needs access to the Arista NDR Platform has a local NDR user account configured in the System Management, Users page for the deployment with an email address that matches that user’s Global Identity credentials in either Arista’s SSO provider or the customer’s connected identity provider.

In this case, you will simply see a button reading Sign In. Click this button to be directed to Arista’s SSO solution.

Figure 4. Arista NDR Platform Sign-in Page (Global Identity)

If you are not already logged in with Global Identity, you will see a dialog box with two options: on the left, sign in with your corporate ID, and on the right, sign on with your Arista NDR Platform login credentials.
Figure 5. Arista NDR Platform Login

If you wish to use a third-party identity provider such as Okta, OneLogin, etc., click the button on the left side of the page. This example illustrates sign-on with OneLogin.
Figure 6. OneLogin Corporate-ID Account Sign In

For more information or assistance, contact the Arista support team or visit arista.com/en/support/customer-support.

Role-Based Access Control

Role-Based Access Control is the Arista NDR Platform system for managing users and the actions they are permitted. Each user is assigned a Role.

Each Role has levels of access to a set of ten Capabilities. An administrator can create, edit, or delete any Role, and reassign any user to a different Role. There are four Roles predefined:
  • Admin
  • Tier 3 Analyst
  • Tier 1 Analyst
  • Integrations

To manage users and roles, click on the System Management icon.

Figure 7. System Management Screen

  • To manage user accounts and their roles:
    1. Click the Users icon.
    2. Proceed to Managing User Accounts.
  • To manage roles and specify permissions:
    1. Click the Roles icon.
    2. Proceed to Managing Roles.
  • To manage action rules which produce email notifications:
    1. Click the Action Rules icon.
    2. Proceed to Managing Action Rules.

Roles and Responsibilities of Users

Each user of the Arista NDR Platform is assigned a role.

Four roles are predefined:

  • Admin

  • Tier 1 Analyst

  • Integrations

  • Tier 3 Analyst

You can create and edit additional roles, as well as edit or delete these default ones. Each role can use up to ten capabilities:
  • Dashboards: Overview and summary statistics about threats, internal environment, and the Awake deployment.
  • Situations: The main tool for investigating, tracking and acting on suspicious activity.
  • AML Query: Search for and process any data in the system using the Adversarial Modeling Language (AML).
  • EntityIQ Override: Provides corrections to inferred entity attributes such as names and device types.
  • Full Packet Data: Retrieve, display, and download contents of the forensic packet log associated with activity captured by the system.
  • AML Management: Manages the skill definitions available to the system, creates new skills, and enables or disables adversarial models.
  • IOC Management: Manages the available Indicators of Compromise (IOCs).
  • Action Rules Management: Manages rules for generating email notifications of adversarial model matches and periodic PDF snapshots of dashboard visualizations.
  • User Management: Manages the users present in the system and their access.
  • Role Management: Manages the roles and capabilities a user can be assigned.

Note: Statistics for all capabilities except Dashboards can be downloaded as PDF reports.
For each role, you can define the capabilities as either NONE, VIEW ONLY, or FULL ACCESS:
  • The NONE level denies all functions for the selected capability.

  • The VIEW ONLY level allows data for the capability to be viewed but not modified.

    Note: In some cases, configuration options that expose data for the user to view, such as notifications to the user themselves, can be configured when the user has a View only capability level.
  • The FULL ACCESS level allows complete access to the selected capability.

The following table shows the four default roles and which permissions each role has:

Table 1. Default Roles
| Capability        | Admin       | Tier 3 Analyst | Integrations | Tier 1 Analyst |
|-------------------|-------------|----------------|--------------|----------------|
| Dashboards        | FULL ACCESS | FULL ACCESS    | FULL ACCESS  | FULL ACCESS    |
| Situations        | FULL ACCESS | FULL ACCESS    | FULL ACCESS  | FULL ACCESS    |
| AML Query         | FULL ACCESS | FULL ACCESS    | VIEW ONLY    | VIEW ONLY      |
| EntityIQ Override | FULL ACCESS | FULL ACCESS    | VIEW ONLY    | VIEW ONLY      |
| Full Packet Data  | FULL ACCESS | VIEW ONLY      | VIEW ONLY    | VIEW ONLY      |
| AML Mgmt          | FULL ACCESS | FULL ACCESS    | VIEW ONLY    | VIEW ONLY      |
| IOC Mgmt          | FULL ACCESS | FULL ACCESS    | VIEW ONLY    | VIEW ONLY      |
| Action Rules Mgmt | FULL ACCESS | FULL ACCESS    | VIEW ONLY    | VIEW ONLY      |
| User Mgmt         | FULL ACCESS | NONE           | NONE         | NONE           |
| Role Mgmt         | FULL ACCESS | NONE           | NONE         | NONE           |

Configuring Awake Using System Management Tools

System Management tools provide you with access to a variety of system-wide tools.

To open the System Management tools:
  1. Click the System Management icon in the left column of the screen.
From here, you can add, edit, and delete users, configure their roles and privileges, and set action rules. Start by adding a new user.
  1. Click the System Management icon.
  2. Then click the Users icon.
  3. Finally, click Add New User, as shown in the following screenshot.
    Figure 8. System Management

    The New User dialog box appears:
    Figure 9. New User

  4. Here, define general information about the user (Username, Display Name, Email, and Initial Password).

    Note that editing existing users is done in the same fashion, except that you can Enable/Disable an individual user, and change that user's password.

Next, define the user's Roles & Capabilities. There are several default roles, each with predefined capabilities ranging from complete and full access to all aspects of the system, to view-only access, to no access. Awake has predefined the default role capabilities and privileges, but the person with the Admin role can create and define additional roles.

Roles and Capabilities of Users

Default roles:

  • Admin

  • Tier 1 Analyst

  • Tier 3 Analyst

  • Integrations

  • Dashboard Master

Remember that all roles can be redefined, renamed, removed and replaced.

Predefined Capabilities:

In every case, the capabilities can be defined as NONE, VIEW ONLY, or FULL ACCESS.
  • Dashboards: Summary statistics about threats, the internal environment, and the Awake deployment, downloadable as PDF reports.
  • Situations: The primary method of organizing the explanation of malicious or unauthorized activity in your environment and the resulting response.
  • AML Query: Search for and process any data in the system using our advanced Adversarial Modeling Language (AML) and sophisticated skills definitions.
  • EntityIQ Override: Provides corrections to the system-inferred entity attributes such as names, device types, and so on.
  • Full Packet Data: Retrieve, display, and download contents of the forensic packet log associated with activity captured by the system.
  • AML Management: Manages the skill definitions available to the system, creates new skills, and enables or disables adversarial models.
  • IOC Management: Manages the Indicators of Compromise (IOCs) imported and active in the system.
  • Action Rules Management: Manages rules for generating email notifications of adversarial model matches and periodic PDF snapshots of dashboard visualizations.
  • User Management: Manages the users present in the system and the access they are granted.
  • Role Management: Manages the Role-Based Access Control (RBAC) roles governing the capabilities a user can be assigned in the system.

See the Roles and Responsibilities of Users, which follows, for more details. Enter any changes you wish to make, including changing your own password.
Note: Changing a password for yourself or for an existing user requires that you supply the existing password first. Changing/updating a password is subject to a 12-character minimum password length.

When you are done, either click Save to save your settings, or click Cancel to discard your changes.

Managing User Accounts

To create, manage, and delete user accounts, click on the Users icon. This opens the Users screen, which is a table of Arista NDR Platform users and their details.

Figure 10. Users Screen

Creating a User Account

  1. Click the + Add New User button to open the New User dialog box.
  2. In the General Information tab, type the required details in the corresponding fields. All four fields are required:
    • Username
    • Display name
    • Email address
    • Password
    Note:
    • The password must be at least 12 characters long.
    • If you use Global Identity or a third-party identity provider, the email address configured for the user must match the email address configured in the identity provider's system.
    Figure 11. New User Dialog Box - General Information Tab

  3. Click Next to open the Roles and Capabilities tab.
    Figure 12. New User Dialog Box - Roles and Capabilities Tab

  4. On the left you will see the available Roles. Select the Role you wish to assign to the new user.
  5. On the right, the list of capabilities now shows this Role's default permissions for each capability. To change the permission for any capability, click on the appropriate button: NONE, VIEW ONLY, or FULL ACCESS. This will add a new Role with an annotation saying "(Modified)" appended to the name of the Role. For example, if you chose Tier 1 Analyst and then changed a capability, the new role will be called Tier 1 Analyst (Modified). You can edit this name in the Roles screen as shown in Managing Roles.
  6. Save the New User by clicking Save.
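
Because changing a capability while creating a user silently adds a "(Modified)" role, role definitions can drift away from the defaults in Table 1. The following audit is an added example, not Arista code: it diffs each role against its Table 1 baseline and flags any capability raised above it. The dictionary layout, the SAMPLE_ROLES data, and the "Contractor" role are constructed for illustration; the page documents no role export format or API.

```python
# Constructed model of role definitions; the page documents no export
# format or API, so these dictionaries are an assumption for illustration.
LEVELS = {"NONE": 0, "VIEW ONLY": 1, "FULL ACCESS": 2}
CAPABILITIES = [
    "Dashboards", "Situations", "AML Query", "EntityIQ Override",
    "Full Packet Data", "AML Mgmt", "IOC Mgmt", "Action Rules Mgmt",
    "User Mgmt", "Role Mgmt",
]
F, V, N = "FULL ACCESS", "VIEW ONLY", "NONE"

def _role(*levels):
    return dict(zip(CAPABILITIES, levels))

# Table 1 from the page, one column per role, rows in CAPABILITIES order.
DEFAULT_ROLES = {
    "Admin":          _role(F, F, F, F, F, F, F, F, F, F),
    "Tier 3 Analyst": _role(F, F, F, F, V, F, F, F, N, N),
    "Integrations":   _role(F, F, V, V, V, V, V, V, N, N),
    "Tier 1 Analyst": _role(F, F, V, V, V, V, V, V, N, N),
}
# Capabilities that let the holder change who is allowed to do what.
ADMIN_CAPS = {"User Mgmt", "Role Mgmt"}
SUFFIX = " (Modified)"

def audit_roles(roles):
    """Return (role, capability, baseline, actual, severity) for every
    capability held above the Table 1 baseline, plus any User/Role Mgmt
    grant on a role that has no baseline to compare against."""
    findings = []
    for name, caps in roles.items():
        # Heuristic: the suffix is lost if an admin later renames the role.
        base_name = name[: -len(SUFFIX)] if name.endswith(SUFFIX) else name
        baseline = DEFAULT_ROLES.get(base_name)
        for cap in CAPABILITIES:
            actual = caps.get(cap, N)  # a missing capability counts as NONE
            expected = baseline[cap] if baseline else None
            escalated = expected is not None and LEVELS[actual] > LEVELS[expected]
            # No baseline to diff against: still surface admin-type grants.
            unbaselined = expected is None and cap in ADMIN_CAPS and actual != N
            if escalated or unbaselined:
                severity = "high" if cap in ADMIN_CAPS else "review"
                findings.append((name, cap, expected, actual, severity))
    return findings

# Constructed sample: the defaults, one auto-created role, one custom role.
SAMPLE_ROLES = {
    **DEFAULT_ROLES,
    "Tier 1 Analyst (Modified)": {**DEFAULT_ROLES["Tier 1 Analyst"],
                                  "Full Packet Data": F, "User Mgmt": V},
    "Contractor": _role(V, V, N, N, N, N, N, N, N, F),
}

if __name__ == "__main__":
    for finding in audit_roles(SAMPLE_ROLES):
        print(finding)
```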

Editing a User Account

  1. Click the Pencil icon to open the Edit User dialog box.
  2. Update the basic details in the General Information tab.
  3. To change the password, click the Password field. The password must be at least 12 characters long.
  4. If you are changing your own password, type your old password in the Current Password field.
  5. To change another user's password, you must have full access permissions for the User Management capabilities group and enter your own password in the Current Password field.
  6. Enter the new password.
  7. Click Save to return to the Edit User dialog.
  8. Click the Next button to update role and capabilities.
    Figure 13. Edit User Dialog Box - General Information Tab

    Figure 14. Change Password Dialog Box

  9. In the Roles and Capabilities tab, make desired changes to the permission level of each capability.
  10. Then click Save to save your changes.
    Figure 15. Edit User Dialog Box - Roles and Capabilities Tab

Deleting a User Account

  1. Click the Delete icon to open the Delete User dialog box.
  2. Click Delete to confirm the deletion.
    Note: Usernames are disabled but not fully deleted. A username that has been disabled cannot be used again.
    Figure 16. Delete User Dialog Box

Sorting Order and Filtering Columns

  1. Click a column title or Filter icon to open a dialog box to sort and filter the list of user accounts.
  2. Click the Reset Column Filters link to reset the column filter settings to their defaults. This picture shows an example for the Email column:
    Figure 17. Sorting and Filtering (Email)

  3. Click on the column title again to close the dialog box.

Configuring the Table View

  1. Click the Table Settings icon to open a dialog box to select the columns to display, reset or save filters, or reset to system default.
  2. Click the Table Settings icon again to close the dialog box.
    Figure 18. Configuring Table View

Managing Roles

The Roles screen is a table showing the Arista NDR Platform roles and their permissions. This allows you to create, manage, and delete roles.

Figure 19. Roles Screen

Adding New Roles

  1. Click the + Add New Role button to open the New Role dialog box.
  2. Enter the name and description, and click Next.
    Figure 20. New Role Dialog Box

  3. Next, configure the required permission levels for each capability and click Save.
    Figure 21. New Role Dialog Box - Configuring Capabilities

Sorting and Filtering Columns

  1. Click the column title or the Filter icon of a column to open a dialog box to sort and filter that column.
  2. Click Reset Column Filters to revert to the default settings.
    Figure 22. Role Name Filter

  3. Clicking the column filter of other elements opens the dialog box to sort the table and filter it by permission levels.
    Figure 23. Filter for Other Role Elements

Managing the Table View

  1. Click the Table View icon to open the Table View dialog box.
  2. Select the columns to display.
  3. To undo your changes, click Reset Filters.
  4. To save your changes, click Save Filters.
  5. To return to the default settings, click Reset to System Default.
    Figure 24. Managing the Table View

Editing a Role

  1. Click the Pencil icon to open the Edit Role dialog box.
  2. Update the name and description.
  3. Click Next.
    Figure 25. Edit Role Dialog Box

  4. Update the permission levels of the listed capabilities.
  5. Click Save.
    Figure 26. Edit Role Dialog Box - Verify Capabilities

Deleting a Role

  1. Click the Delete icon to open the Delete Role: Role Name dialog box. If there are no users with this role, you will be asked to confirm deletion.
  2. Click Delete to confirm and delete.
  3. If there are users with this role, you will be shown the number of users and asked to select a replacement role.
  4. If you want to assign users to different new roles, you must:
    1. Cancel the Delete Role task.
    2. Open the Users screen.
    3. Edit the users individually.
    Then you can safely delete this role.
  5. To reassign all users to a single new role, click Next.
    Figure 27. Delete Role Dialog Box - General Information Tab

  6. In the Replacement Role tab, select a new role assignment.
  7. Verify permission levels on the right-hand side.
    Figure 28. Delete Role Dialog Box - Replacement Role Tab

  8. Click Delete.