This guide explains how Users and Clients work in the Qevlar Investigation Platform.
Overview
The platform organizes your security operations with two main concepts:
- Users - People who access the platform
- Clients - Workspaces for organizing investigations
Users
A User is an individual person who can log into the Qevlar platform.
What is a User?
- A person with login credentials to access the Qevlar platform
- Someone who can view investigations, analyze alerts, and manage settings
User Roles
| Role | Description |
| Admin | Full access to platform settings, user management, and all investigations |
| Analyst | Access to view and work on investigations, but limited administrative capabilities |
Authentication Methods
Users can authenticate using:
- Email & Password - Traditional login with credentials
- SSO (Single Sign-On) - Federated authentication through your identity provider (when configured)
Managing Users
Navigate to Settings > User Management to:
- View all users in your organization
- Create new users (Admin only)
- Modify user roles and permissions
- Remove users from the platform
Clients
A Client is an investigation workspace that helps you organize your security operations.
What is a Client?
- A logical grouping for investigations and data sources
- A way to separate different security contexts (teams, projects)
- Each client has its own API tokens for SIEM/EDR integrations
Why Use Multiple Clients?
Clients help you organize investigations by:
| Use Case | Example |
| By Team | SOC Team A, SOC Team B |
| By Alert Source | CrowdStrike Alerts, Microsoft Sentinel |
| By Business Unit | Finance, Engineering, HR |
| By Customer | For MSSPs managing multiple end-customers |
Client Features
Each client has:
- API Tokens - Unique tokens for integrating with your security tools (SIEM, EDR)
- Sources - Configure which threat intelligence and enrichment sources are enabled
- Investigations - All alerts and investigations are associated with a specific client
Managing Clients
Navigate to Settings > Client Management to:
- View all clients in your organization
- Create new clients
- Modify client names
- Delete clients
The Client Management table shows:
| Column | Description |
| Name | The client name |
| Added By | The user who created this client |
| Date Added | When the client was created |
How They Work Together
┌─────────────────────────────────────────────┐
│              YOUR ORGANIZATION              │
│                                             │
│  ┌──────────────┐      ┌──────────────┐     │
│  │     USER     │      │     USER     │     │
│  │   (Admin)    │      │  (Analyst)   │     │
│  └──────────────┘      └──────────────┘     │
│                                             │
│  ┌──────────────┐      ┌──────────────┐     │
│  │    CLIENT    │      │    CLIENT    │     │
│  │ "SOC Team A" │      │ "SOC Team B" │     │
│  │              │      │              │     │
│  │ - API Token  │      │ - API Token  │     │
│  │ - Sources    │      │ - Sources    │     │
│  │ - Alerts     │      │ - Alerts     │     │
│  └──────────────┘      └──────────────┘     │
└─────────────────────────────────────────────┘
Practical Example
Scenario: ABC Corporation uses Qevlar for security investigations.
Users:
- Sarah (Admin) - Manages the platform and team
- John (Analyst) - Investigates security alerts
- Maria (Analyst) - Investigates security alerts
Clients:
- SOC Team A - Alerts handled by the first SOC team
- SOC Team B - Alerts handled by the second SOC team
Important:
- Each client can receive alerts from different sources
- All users can work on investigations across clients
Common Questions
What happens when I delete a client?
The client and its associated data (investigations, alerts, tokens) will no longer be accessible. This action cannot be undone.
Who can create new users and clients?
Users with the Admin role can create and manage users and clients.
How do API tokens relate to clients?
Each client has its own API tokens. When you integrate Qevlar with your SIEM or EDR, you use a client's token to route alerts to that specific client.
Can I move an investigation to a different client?
No. Investigations are tied to the client they were created in.
Summary
| Entity | Purpose | Where to Manage |
| User | Individual platform access with role-based permissions | Settings > User Management |
| Client | Investigation workspace with API tokens and data sources | Settings > Client Management |