Users and user groups
Users can access the ExtraHop system in three ways: through a set of pre-configured user accounts, through local user accounts configured on the appliance, or through remote user accounts configured on existing authentication servers, such as LDAP, SAML, Radius, and TACACS+.
Video: | See the related trainings: |
Local users
This topic is about default and local accounts. See Remote Authentication to learn how to configure remote accounts.
- setup
- This account provides full system read and write privileges to the browser-based user interface and to the ExtraHop command-line interface (CLI). On physical sensors, the default password for this account is the service tag number on the front of the appliance. On virtual sensors, the default password is default.
- shell
- The shell account, by default, has access to non-administrative shell commands in the ExtraHop CLI. On physical sensors, the default password for this account is the service tag number on the front of the appliance. On virtual sensors, the default password is default.
Note: | The default ExtraHop password for either account when deployed in Amazon Web Services (AWS) and Google Cloud Platform (GCP) is the instance ID of the virtual machine. |
Next steps
Remote Authentication
The ExtraHop system supports remote authentication for user access. Remote authentication enables organizations that have authentication systems such as LDAP (OpenLDAP or Active Directory, for example) to enable all or a subset of their users to log in to the system with their existing credentials.
Centralized authentication provides the following benefits:
- User password synchronization.
- Automatic creation of ExtraHop accounts for users without administrator intervention.
- Management of ExtraHop privileges based on user groups.
- Administrators can grant access to all known users or restrict access by applying LDAP filters.
Remote users
If your ExtraHop system is configured for SAML or LDAP remote authentication, you can create an account for those remote users. Preconfiguring accounts on the ExtraHop system for remote users enables you to share system customizations with those users before they log in.
If you choose to auto-provision users when you configure SAML authentication, then the user is automatically added to the list of local users when they log in for the first time. However, you can create a remote SAML user account on the ExtraHop system when you want to provision a remote user before that user has logged in to the system. Privileges are assigned to the user by the provider. After the user is created, you can add them to local user groups.
Next steps
User groups
User groups enable you to manage access to shared content by group instead of by individual user. Customized objects such as activity maps can be shared with a user group, and any user who is added to the group automatically has access. You can create a local user group—which can include remote and local users. Alternatively, if your ExtraHop system is configured for remote authentication through LDAP, you can configure settings to import your LDAP user groups.
- Click Create User Group to create a local group. The user group appears in the list. Then, select the checkbox next to the user group name and select users from the Filter users... drop-down list. Click Add Users to Group.
- (LDAP only) Click Refresh All User Groups or select multiple LDAP user groups and click Refresh Users in Groups.
- Click Reset User Group to remove all shared content from a selected user group. If the group no longer exists on the remote LDAP server, the group is removed from the user group list.
- Click Enable User Group or Disable User Group to control whether any group member can access shared content for the selected user group.
- Click Delete User Group to remove the selected user group from the system.
- View the following properties for listed user groups:
- Group Name
- Displays the name of the group. To view the members in the group, click the group name.
- Type
- Displays Local or Remote as the type of user group.
- Members
- Displays the number of users in the group.
- Shared Content
- Displays the number of user-created objects that are shared with the group.
- Status
- Displays whether the group is enabled or disabled on the system. When the status is Disabled, the user group is considered empty when performing membership checks; however, the user group can still be specified when sharing content.
- Members Refreshed (LDAP only)
- Displays the amount of time elapsed since the group membership was refreshed. User
groups are refreshed under the following conditions:
- Once per hour, by default. The refresh interval setting can be modified on the page.
- An administrator refreshes a group by clicking Refresh All User Groups or Refresh Users in Group, or programmatically through the REST API. You can refresh a group from the User Group page or from within the Member List page.
- A remote user logs in to the ExtraHop system for the first time.
- A user attempts to load a shared dashboard that they do not have access to.
User privileges
Administrators determine the module access level for users in the ExtraHop system.
For information about user privileges for the REST API, see the REST API Guide.
For information about remote user privileges, see the configuration guides for LDAP, RADIUS, SAML, and TACACS+.
Privilege Levels
Set the privilege level for your user to determine which areas of the ExtraHop system they can access.
Module Access privileges
- NDR Module Access
- Allows the user to access security features such as attack detections, investigations, and threat briefings.
- NPM Module Access
- Allows the user to access performance features such as operations detections and the ability to create custom dashboards.
- Packet and Session Key Access
- Allows the user to view and download packets and session keys, packets only, or packet slices only. Also allows the user to extract files associated with packets.
System Access privileges
These privileges determine the level of functionality users have within the modules where they have been granted access.
For RevealX Enterprise, users with system access and administration privileges can access all features, packets, and session keys for their licensed modules.
For RevealX 360, system access and administration privileges, access to licensed modules, packets, and session keys must be assigned separately. RevealX 360 also offers an additional System Administration account that grants full system privileges except for the ability to manage users and API access.
The following table contains ExtraHop features and their required privileges. If no module requirement is noted, the feature is available in both the NDR and NDM modules.
System and Access Administration | System Administration (RevealX 360 only) | Full Write | Limited Write | Personal Write | Full Read-Only | Restricted Read-Only | |
---|---|---|---|---|---|---|---|
Activity Maps | |||||||
Create, view, and load shared activity maps | Y | Y | Y | Y | Y | Y | N |
Save activity maps | Y | Y | Y | Y | Y | N | N |
Share activity maps | Y | Y | Y | Y | N | N | N |
Alerts | NPM module license and access required. | ||||||
View alerts | Y | Y | Y | Y | Y | Y | Y |
Create and modify alerts | Y | Y | Y | N | N | N | N |
Analysis Priorities | |||||||
View Analysis Priorities page | Y | Y | Y | Y | Y | Y | N |
Add and modify analysis levels for groups | Y | Y | Y | N | N | N | N |
Add devices to a watchlist | Y | Y | Y | N | N | N | N |
Transfer priorities management | Y | Y | Y | N | N | N | N |
Bundles | |||||||
Create a bundle | Y | Y | Y | N | N | N | N |
Upload and apply a bundle | Y | Y | Y | N | N | N | N |
Download a bundle | Y | Y | Y | Y | Y | N | N |
View list of bundles | Y | Y | Y | Y | Y | Y | N |
Dashboards | NPM module license and access required to create and modify dashboards. | ||||||
View and organize dashboards | Y | Y | Y | Y | Y | Y | Y |
Create and modify dashboards | Y | Y | Y | Y | Y | N | N |
Share dashboards | Y | Y | Y | Y | N | N | N |
Detections | NDR module license and access required
to view and tune security detections and create
investigations. NPM module license and access required to view and tune performance detections. |
||||||
View detections | Y | Y | Y | Y | Y | Y | Y |
Acknowledge Detections | Y | Y | Y | Y | Y | N | N |
Modify detection status and notes | Y | Y | Y | Y | N | N | N |
Create and modify investigations | Y | Y | Y | Y | N | N | N |
Create and modify tuning rules | Y | Y | Y | N | N | N | N |
Device Groups | Administrators can configure the Device Group Edit Control global policy to specify whether users with limited write privileges can create and edit device groups. | ||||||
Create and modify device groups | Y | Y | Y | Y (If the global privilege policy is enabled) | N | N | N |
Metrics | |||||||
View metrics | Y | Y | Y | Y | Y | Y | N |
Notification Rules | NDR module license and access required
to create and modify notifications for security detections and
threat briefings. NPM module license and access required to create and modify notifications for performance detections. |
||||||
Create and modify detection notification rules | Y | Y | Y | N | N | N | N |
Create and modify threat briefing notification rules | Y | Y | Y | N | N | N | N |
Create and modify system notification rules (RevealX only) | Y | Y | N | N | N | N | N |
Records | Recordstore required. | ||||||
View record queries | Y | Y | Y | Y | Y | Y | N |
View record formats | Y | Y | Y | Y | Y | Y | N |
Create, modify, and save record queries | Y | Y | Y | N | N | N | N |
Create, modify, and save record formats | Y | Y | Y | N | N | N | N |
Scheduled Reports | Console required. | ||||||
Create, view, and manage scheduled reports | Y | Y | Y | Y | N | N | N |
Threat Intelligence | NDR module license and access required. | ||||||
Configure file hashing filters | Y | Y | N | N | N | N | N |
Manage threat collections | Y | Y | N | N | N | N | N |
Manage TAXII feeds | Y | Y | N | N | N | N | N |
View threat intelligence information | Y | Y | Y | Y | Y | Y | N |
Triggers | |||||||
Create and modify triggers | Y | Y | Y | N | N | N | N |
Administrative Privileges | |||||||
Access the ExtraHop Administration settings | Y | Y | N | N | N | N | N |
Connect to other appliances | Y | Y | N | N | N | N | N |
Manage other appliances (Console) | Y | Y | N | N | N | N | N |
Manage users and API access | Y | N | N | N | N | N | N |
Thank you for your feedback. Can we contact you to ask follow up questions?