Alert Notifications permissions - Configure Alert Notifications (under Configurations). - Administrator Guide - Cortex XSIAM - Cortex

Alert Notifications permissions - Configure Alert Notifications (under Configurations). - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM 3.x Documentation

Product

Cortex XSIAM

Creation date

2025-07-15

Last date published

2026-06-11

Caution

Configuring alert notifications requires underlying infrastructure. If forwarding notifications via Syslog, users need access to the Broker Service. For Slack or Email, users need access to the Integrations permissions.

Permission	Description	Roles Example
None	No access to notification configuration.	SOC Tier-1 or SOC Tier-2 Analyst: Typically don't need to configure notifications or check notification forwarding destinations. Threat Hunter: Notification configuration is not typically part of threat hunting.
View	Read-only access to notification settings.	SOC Tier-3 Analyst: May review notification forwarding.
View/Edit	Full access to create, modify, and delete notification forwarding.	Security Engineer: Often responsible for configuring notification integrations.

Consider adding the following permissions:

Permission	Permission Level	Reason
Cases & Issues	View	Notifications can be configured for case-related events; understanding case workflow is essential. Strongly recommended.
Broker Service	View or View/Edit	View: Required if using Broker VM for Syslog forwarding of notifications. View/Edit: Configure Broker-based Syslog notification channels.
Integrations	View	Provides visibility into integration health. Consider View/Edit to configure new integration instances used by notification channels. Strongly recommended.
Query Center	View	Query notification-related data and troubleshoot notification delivery. Recommended.
Auditing	View	Track changes to notification configurations for compliance. Recommended.
Dashboards	Enabled	View notification-related dashboards and delivery metrics. Recommended.