Learn more about the Cortex XDR predefined user role called Investigator.
The Investigator role is used to view and triage alerts and incidents.

| Components | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Dashboards | — | — | ✓ | — |
| Ingestion Monitoring | ✓ | — | N/A | — |
| Reports | — | — | ✓ | — |

| Components | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Alerts & incidents | — | — | ✓ | — |

| Components | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Query Center | — | — | ✓ | — |
| Personal Query Library | — | — | ✓ | — |
| Forensics | — | ✓ | — | — |
| Host Insights | ✓ | — | — | — |

| Components | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Action Center | ✓ | — | — | ✓ |
| ↳ Isolate | | | | — |
| ↳ Terminate Process | | | | — |
| ↳ Quarantine | | | | — |
| ↳ File Retrieval | | | | — |
| ↳ File Search | | | | — |
| ↳ Destroy Files | | | | — |
| ↳ Allow List/Block List | | | | — |
| ↳ Disable Response Actions | | | | — |
| ↳ Remediation | | | | — |
| ↳ Delete Quarantined files | | | | — |
| EDL | ✓ | N/A | — | — |
| Agent Scripts Library | ✓ | — | — | ✓ |
| ↳ Run Standard Script | | | | — |
| ↳ Run High-Risk Script | | | | — |
| ↳ Script Configurations | | | | — |
| Live Terminal | ✓ | N/A | — | — |
| Automation Rules | ✓ | — | — | — |

| Components | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Rules | ✓ | — | — | ✓ |
| ↳ Prevention Rules | | | | — |
| ↳ Request WildFire Verdict Change | | | | — |

| Components | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Network Configuration | — | ✓ | — | — |
| Compliance | — | ✓ | N/A | — |
| Asset Inventory | — | ✓ | — | — |
| Asset Roles Configuration | ✓ | — | — | — |

| Components | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Endpoint Administrations | ✓ | — | — | ✓ |
| ↳ Endpoint Management | | | | — |
| ↳ Retrieve Endpoint Data | | | | — |
| ↳ Endpoint Scan | | | | — |
| ↳ Change Managing Server | | | | — |
| ↳ Pause Protection | | | | — |
| ↳ Endpoint Token Management | | | | — |
| Endpoint Groups | ✓ | — | — | — |
| Endpoint Prevention Policies | ✓ | — | — | — |
| Global Exceptions | ✓ | — | — | — |
| Endpoint Profiles | ✓ | — | — | — |
| Endpoint Extension Policies | ✓ | — | — | — |
| Endpoint Installations | ✓ | — | — | — |
| Host Firewall | ✓ | — | — | — |
| Device Control | ✓ | — | — | ✓ |
| ↳ Device Control Rules | | | | — |
| ↳ Device Control Exceptions | | | | — |

| Components | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Auditing | ✓ | — | N/A | — |
| Alert Notifications | ✓ | — | — | — |
| General Configuration | ✓ | — | — | — |

| Components | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| On-demand Analytics | ✓ | — | — | — |

| Components | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Broker Services | ✓ | — | — | ✓ |
| ↳ Pathfinder Applet | | | | — |
| Pathfinder Data Collection | ✓ | — | — | — |

| Components | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Data Management | ✓ | N/A | — | — |

| Components | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Public API | ✓ | — | — | — |
| Threat Intelligence | ✓ | — | — | — |
| Long Running HTTP Integrations configuration | ✓ | — | — | — |

| Components | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Support | — | N/A | ✓ | — |