Manage access to saved queries - Learn more about managing access to saved queries in Cortex XDR. - Administrator Guide - Cortex XSIAM - Cortex XDR - Cortex

Manage access to saved queries - Learn more about managing access to saved queries in Cortex XDR. - Administrator Guide - Cortex XSIAM - Cortex XDR - Cortex - Security Operations

Cortex XDR 5.x Documentation

Product

Cortex XDR

License

XDR + Cloud

Creation date

2025-07-13

Last date published

2026-06-04

Prerequisite

Configure tenant-level settings: An administrator must first establish the sharing framework under Settings → Configurations → Access Management → Objects.

The configuration of these settings defines the authorized sharing workflows for saved queries in the Query Library, including the options that appear to users when clicking the three dot, vertical ellipsis (⋮) for a query in the Query Library:

Enable "Owners can Share objects they created": Grants owners the ability to share saved queries with specific users, user groups, and API keys to the query's access list. In the Query Library, this enables the Share option.
Disable "Owners can Share objects they created": Restricts owners to managing only General access (Public vs. Restricted). In the Query Library, this replaces the Share option with the Manage Access option.

For more information on these tenant-level configurations, see Manage access to objects.

The permissions assigned to your role, combined with the ownership of specific objects, directly change the tools available to you while working in the Query Builder:

Restricted versus Public visibility: Your Query Library view is personalized. You will only see queries where you are the Owner, queries that have been explicitly shared with you (or your user group or API key), or queries marked as Public.
Context-sensitive functionality: The permissions assigned to your role, combined with the ownership of specific objects, directly change the tools available to you while working in the Query Builder and the Query Library. UI elements like the Save as menu or the Share action only appear if you have the required functional capabilities.

Setting up access involves a two-part process: enabling the user interface (UI) elements in the role settings, and then defining the audience for individual saved query objects.

Role-level permissions act as the "master switch" for Query Builder functionality and determine what actions a user can take.

Select Settings → Configurations → Access Management → Roles.
Right-click the relevant user role, and select Edit Role.
Under Components, expand Investigation & Response.
Ensure Query Library is set to Enabled.
Define functional capabilities to control the UI:
- Create Queries: Selecting this enables the Save as drop-down menu in the Query Builder. This allows users to select Save as → Query to Library or Save as → Widget to Library. The user who performs this action becomes the Owner of the object and is granted the inherent right to edit, delete, and manage sharing for that specific object..
- Edit Public Queries: This allows a user to modify queries marked as Public by others.
  Note
  If the role of a user is set to Edit Public Queries but not Create Queries, they can update existing public queries, but the Save as drop-down menu will be hidden, preventing them from creating new Query Library entries.
Keep in mind the following:
- If a custom query does not have an assigned Owner, an Administrator can use the Change Owner action to assign one.

Once a query exists in the Query Library, the Owner (or an authorized Editor) can define who has permission to view (and run) or edit it.

Select Investigation & Response → Search → Query Builder → XQL.
Under the Query Library tab, locate the query that you want to share in the table.
Click the three dot, vertical ellipsis (⋮) and select the available action:
- Share: This option appears when Owners can Share objects they created is enabled in tenant-level settings. It allows you to manage both General access and specific principals (users, user groups, and API keys).
- Manage Access: This option appears when Owners can Share objects they created is disabled. It only allows you to change the General access state.
(If sharing is enabled) To share with specific entities (for Restricted queries):
- Search for the User, User Group, or API Key.
- Assign the access level: Viewer (can run/view) or Editor (can modify and, if permitted by tenant-level settings, share).
Set the General access drop-down menu (if authorized by tenant-level settings):
- Restricted: The query is private. It is only visible to the Owner and the specific principals added to the list.
- Public: The query is visible to every user who has the Query Library enabled in their role.
Note
When the tenant-level setting Owners and editors can change the general access is unselected, the drop-down is disabled and only an administrator can configure this option.
Click Save.

Prerequisite

Note

Note