You can assign users to the investigation for them to view and manage the investigation.
The Permissions table appears only when Scope-Based Access Control (SBAC) is enabled. Go to → to enable investigation permissions.
Users with account administrator or instance administrator roles have access to investigations and can't be cleared from the Permissions table. They can view and edit all Investigations, including adding/removing users, creating/deleting collections, closing the Investigation. This prevents investigation lockout in the event of a user leaving before the Investigation is complete.
When SBAC is enabled, you can limit access to selected users with other assigned roles, and assign them permissions to the investigation.
If SBAC is disabled, the permissions is limited to role-based access (RBAC), so anyone with forensic investigator or forensics viewer access will be able to see the investigations.
Note
Even if a user does not have access to view an investigation via the Forensics Investigations page, they can still query the results of the collections via an XQL event.
The Permissions fields describe the following information:
Field | Description |
---|---|
User Name | Name of the user as logged in the → → . |
The user's email as logged in the → → . | |
User Type | Indicates whether the user was defined in Cortex XDR using the CSP (Customer Support Portal), SSO (single sign-on) using your organization’s IdP, or both CSP/SSO. |
Role | Name of the role assigned specifically to the user that is not inherited from somewhere else, such as a User Group. When the user does not have any Cortex XDR access permissions that are assigned specifically to them, the field displays No-Role. |
Permissions | Options are None, View, View/Edit |