Action Center permissions

Cortex XSIAM 3.x Documentation

Product: Cortex XSIAM
Creation date: 2025-07-15
Last date published: 2026-06-04
Category: Administrator Guide

Abstract

Configure Action Center permissions, such as Isolate, quarantine, and terminate process.

In the Action Center, you can initiate and monitor actions on your endpoints. You can limit access to the Action Center (Investigation & Response > Response > Action Center) and to response actions outside the Action Center. When you select View/Edit, you can set additional, per-action permissions.

For more information, see Overview of the Action Center.

Each entry below lists the permission, its description, and a roles example.

Permission: None
Description: No access to the Action Center, and response action buttons are hidden.
Roles example: SOC Tier-1 Analysts: View action history, isolation status, and quarantine lists, but cannot execute any actions.

Permission: View
Description: Read-only access. You can see the action history and results, but cannot initiate any actions. All action buttons are hidden.
Roles example: IT Admin: Response actions (isolate, terminate process, quarantine, file retrieval, file search, destroy files) are security response functions. Granting IT Admins access to these actions creates significant risk; they could isolate endpoints or destroy files.

Permission: View/Edit
Description: Full control to initiate, retry, or cancel actions. This is a high-privilege permission that enables the Response side of Endpoint Detection and Response (EDR). Unchecked actions remain view-only.

When Action Center is set to View/Edit, the following action checkboxes become available. Each checkbox controls whether the user can execute that specific action type.

Roles example: SOC Tier 2 and 3 Analysts, Threat Hunters, and Security Engineers have full access with granular controls.

Warning

  • High-risk/destructive actions: The Destroy Files and Delete Quarantine Files actions are irreversible and permanently delete data from endpoints. Disable Response Actions temporarily pauses endpoint protection, leaving the system vulnerable. Live Terminal allows arbitrary command execution and file manipulation. These features should be strictly restricted to Security Engineers and Admins.

  • Checkbox dependencies: Certain actions rely on others to function. To grant File Retrieval or Destroy Files, you must also enable the File Search checkbox. To grant Delete Quarantine Files, you must also enable the Quarantine checkbox.

  • Master switch: Setting the primary Action Center permission to View/Edit acts as a master switch that reveals granular execution checkboxes (such as Isolate or Run Standard Scripts). Leaving these checkboxes unchecked allows the user to view the action history without the ability to execute the action.
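To make the master switch and checkbox dependency rules above concrete, here is an added example (not Cortex XSIAM code and not the product's API) that lints a role definition against those rules before it is applied in the console. The role names, the RoleDefinition shape and the finding messages are assumptions; the dependency and high-risk tables are taken from this page.

```python
from dataclasses import dataclass, field

# Added example, not Cortex XSIAM code: a lint for a role definition that
# models the rules on this page (master switch, checkbox dependencies,
# high-risk actions). Role names and the RoleDefinition shape are assumed.
ACTIONS = {"Isolate", "Terminate Process", "Quarantine", "File Retrieval",
           "File Search", "Destroy Files", "Allow List/Block List",
           "Disable Response Actions", "Remediation", "Delete Quarantine Files"}
# Checkbox dependencies from the Warning box.
REQUIRES = {"File Retrieval": {"File Search"},
            "Destroy Files": {"File Search"},
            "Delete Quarantine Files": {"Quarantine"}}
# High-risk actions and the roles the Roles Example column names for them.
HIGH_RISK = {"Destroy Files": {"SOC Tier-3 Analyst", "Security Admin"},
             "Delete Quarantine Files": {"SOC Tier-3 Analyst", "Security Engineer"},
             "Disable Response Actions": {"Security Admin"}}

@dataclass
class RoleDefinition:
    name: str
    action_center: str                      # "None", "View" or "View/Edit"
    checked: set = field(default_factory=set)

def effective_actions(role):
    """Actions the role can execute. Checkboxes only take effect under
    View/Edit (the master switch); under None or View nothing is executable."""
    if role.action_center != "View/Edit":
        return set()
    return role.checked & ACTIONS

def lint_role(role):
    """Return findings as strings; an empty list means the role is consistent."""
    findings = []
    if role.action_center not in ("None", "View", "View/Edit"):
        findings.append(f"unknown Action Center permission {role.action_center!r}")
    for box in sorted(role.checked - ACTIONS):
        findings.append(f"unknown checkbox {box!r}")
    if role.action_center != "View/Edit" and role.checked:
        findings.append("checkboxes are ignored unless Action Center is View/Edit")
    granted = effective_actions(role)
    for action, deps in REQUIRES.items():
        missing = deps - granted
        if action in granted and missing:   # dependency left unchecked
            findings.append(f"{action} also needs {', '.join(sorted(missing))}")
    for action, roles in HIGH_RISK.items():
        if action in granted and role.name not in roles:
            findings.append(f"{action} is reserved for {', '.join(sorted(roles))}")
    return findings
```

Run lint_role over each role you intend to create; a non-empty result means the role either cannot execute what it appears to grant or grants a destructive action outside the roles this page recommends.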

Action Center sub-permissions

Each entry below lists the sub-permission, its description, and a roles example.

Isolate

Isolates an endpoint from the network while maintaining communication with the Cortex XSIAM tenant.

  • Checked: Full access to Isolate in all menus, such as Isolate when defining an action in the Action Center and isolating endpoints on the Vulnerability Assessment page. Initiate, cancel, and edit isolation with comments.

  • Unchecked: Users can view isolation history and status in the Action Center, but cannot initiate or cancel isolation.

All Responders/Admins. The SOC Tier-1 Analyst should escalate isolation decisions to Tier 2, but can monitor isolation status.

Terminate Process

Terminates running processes on endpoints. Can terminate individual processes by process ID or entire causality chains (all processes from a malicious parent). This stops active malicious activity without requiring full endpoint isolation.

The Causality View is available from the Cases or Issues pages, or from the Query Results page (Investigation & Response > Query Builder > Build an XQL Query) after running a query on the related data. From both of these places, you can pivot (right-click) to the causality chain view.

  • Checked: Full access to the Terminate Process option in the Causality View. Users can initiate termination from remediation suggestions.

  • Unchecked: Users can view process termination history in Action Center, but can't initiate termination.

Tip

Consider adding the Remediation permission. Terminate Process appears in the Remediation Suggestions panel. Enabling both provides a complete response workflow.

All Responders/Admins. The SOC Tier-1 Analyst should escalate process termination to Tier 2, but can view termination history.

Quarantine

Moves malicious or suspicious files to a secure quarantine folder on the endpoint, preventing execution while preserving the file for analysis. Quarantined files can be restored if determined to be false positives.

  • Checked: Full access to quarantine files in the Action Center and in the Causality View. Users can restore quarantined files, can add a hash to the allow list during restore, and can view quarantine details per endpoint.

  • Unchecked: User can view the File Quarantine tab in the Action Center and view quarantine files in the Causality View, but can't quarantine or restore files.

All Responders/Admins. SOC Tier-1 Analysts and Threat Hunters need to hand off to SOC Tier 2 and 3 Analysts for containment.

File Retrieval

Retrieves files from endpoints for forensic analysis. Files are uploaded to Cortex XSIAM where they can be downloaded for examination, malware analysis, or evidence preservation.

  • Checked: Users can retrieve files from an endpoint in Action Center, from file search results, and view/download files from Action Center and from Cases.

  • Unchecked: Users can view retrieval history in Action Center, but can't download retrieved files.

Tip

Consider adding File Search. File Retrieval is typically initiated from File Search results. Without File Search, retrieval options are limited.

All Responders/Admins. SOC Tier-1 and 2 Analysts and Threat Hunters need to hand off to SOC Tier 3 Analysts or the Forensics Team for containment.

File Search

Searches for files across all managed endpoints by hash (SHA256, MD5), file path, or file name patterns. Used to determine file prevalence, locate IOCs, and identify affected endpoints.

Notice

Requires the Host Insights add-on, which is included in Cortex XSIAM Enterprise and Premium licenses.

  • Checked: Full access to File Search when defining an action in the Action Center. Users can search files by hash, path, or pattern.

  • Unchecked: Users can view search history in Action Center, but can't rerun file searches.

Tip

Consider adding File Retrieval. After finding files, users often need to retrieve them for analysis.

All Responders/Admins. The SOC Tier-1 Analyst should escalate to the SOC Tier 2 Analyst.

Destroy Files

High risk. Permanently and irreversibly deletes files from endpoints. This is a destructive action that cannot be undone. Used to remove persistent malware or malicious files that cannot be quarantined.

  • Checked: Full access to take action to destroy files in the Action Center. Users can destroy files from file search results and permanently delete files from endpoints.

  • Unchecked: Users can view the destroyed file history in the Action Center, but can't permanently delete files.

SOC Tier-3 Analysts and Security Admins. This is a high-risk action that permanently deletes files and cannot be reversed.

Allow List/Block List

Exempt or block files matching specified hashes across the environment.

  • Checked: Full access to take action on the Allow List or Block List, such as adding hashes to the allow/block list when defining an action in the Action Center, editing list entries, and moving hashes between lists.

  • Unchecked: Users can view the Allow List and Block List tabs in Action Center, see hash entries and status, but can't add, edit, or delete allow/block lists.

SOC Tier-3 Analysts, Threat Hunters, Security Engineers, and Security Admins who manage hash-based prevention policies.

Disable Response Actions

High risk. Temporarily disables or pauses endpoint protection and response capabilities. This weakens endpoint security and should be used only for troubleshooting or specific operational requirements.

You can view disabled response actions by going to Inventory > Endpoints > All Endpoints. If you have View/Edit permissions, pivot (right-click) an endpoint that isn't an iOS endpoint, and select Endpoint Control > Disable Capabilities.

  • Checked: Users can disable specific response actions on endpoints, pause endpoint protection temporarily, and can re-enable disabled actions.

  • Unchecked: Users can view current response action status, see which actions are disabled, but can't modify response action settings or pause endpoint protection.

Security Admins only. Disabling response actions reduces security posture and should require proper change management approval.

Remediation

Execute automated actions to reverse malicious system changes (registry, files, processes).

  • Checked: Full access to Remediation Suggestions from Case View. Users can initiate remediation from Causality View and can execute file restore, registry restore, and process termination.

  • Unchecked: Users can view remediation history in Action Center, see remediation results and status, but can't initiate remediation actions.

All Responders/Admins. The SOC Tier-1 Analyst should escalate to Tier 2 Analysts.

Delete Quarantine Files

High risk. Permanently deletes files from the quarantine folder on endpoints. Unlike restoring quarantined files, this action removes the files entirely and cannot be undone.

  • Checked: Full access to delete files from the File Quarantine page, enabling a user to permanently remove quarantined files from endpoints.

    The delete option only appears in the Aggregated by SHA256 tab in File Quarantine.

  • Unchecked: Users can view the quarantined files list in the Action Center, including file details and status, but can't permanently delete quarantined files.

Tip

Consider adding Quarantine. Delete Quarantine Files operates on the quarantine list. Without the Quarantine checkbox, users can still see the list, but the Delete option is only meaningful together with the quarantine view.

  • SOC Tier-3 Analyst: May need to permanently remove confirmed malware after thorough analysis. Has experience for informed deletion decisions.

  • Security Engineer: Manages quarantine storage, cleans up confirmed malware, and maintains endpoint health. Understands implications of permanent deletion.