Script permissions - Configure Script permissions. - Administrator Guide - Cortex XSIAM - Cortex

Script permissions - Configure Script permissions. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM 3.x Documentation

Product

Cortex XSIAM

Creation date

2025-07-15

Last date published

2026-06-04

Caution

Scripts are a prerequisite for Playbooks. You cannot set Playbooks to Enabled unless Scripts is Enabled.

By enabling the Scripts component and selecting Create scripts that will run with super user, users gain unrestricted access to sensitive system resources. Because these scripts bypass standard security controls, this permission must be strictly limited to Security Engineers and Administrators.

Cortex XSIAM enforces least-privileged per-object access by allowing you to manage access for custom (user-defined) scripts. For more information, see Manage access to objects.

Component	Description	Roles Example
Enabled	Can access the Scripts page, view script code and configurations, script execution results, and export script definitions. Users can create, modify, and delete scripts depending on their per-object access and sub-permissions explained below. This can include the ability to import scripts from the Marketplace or upload custom Python code. This also allows a user to manually run a script from the CLI (War Room) or within a case. When set to Enabled, you can grant the following additional permissions: Create Scripts: Enables all methods for adding scripts to Cortex XSIAM. This includes the New Script button, as well as the ability to Attach, Duplicate, or Detach scripts. The user who performs these actions is automatically designated as the Owner. Edit Public Scripts: Allows the user to modify custom scripts set to Public, even if they are not the Owner. Create scripts that will run with super user: Create scripts that will run with super user, which enables users to create scripts with elevated privileges, and users can mark scripts as high risk. Scripts that run with superuser can access all system resources. If unchecked, users can only create standard scripts. Note Users can also view and edit Lists (under Settings → Configurations → Object Setup → Lists) provided they have Cases & Issues permissions.	SOC Tier 1, 2, and 3 Analysts and Threat Hunters: Should not do script editing, but need visibility into automation workflows. Security Engineer: Security Engineers need full script capabilities for advanced development.
Disabled	Cannot access the Scripts page, view any script configurations, see script execution results, or access any automation scripts in any context. Note Scripts can only be Disabled after first setting Playbooks to Disabled and Playground to None.

Component

Description

Roles Example

Enabled

Can access the Scripts page, view script code and configurations, script execution results, and export script definitions.

Users can create, modify, and delete scripts depending on their per-object access and sub-permissions explained below. This can include the ability to import scripts from the Marketplace or upload custom Python code. This also allows a user to manually run a script from the CLI (War Room) or within a case.

When set to Enabled, you can grant the following additional permissions:

Create Scripts: Enables all methods for adding scripts to Cortex XSIAM. This includes the New Script button, as well as the ability to Attach, Duplicate, or Detach scripts. The user who performs these actions is automatically designated as the Owner.
Edit Public Scripts: Allows the user to modify custom scripts set to Public, even if they are not the Owner.
Create scripts that will run with super user: Create scripts that will run with super user, which enables users to create scripts with elevated privileges, and users can mark scripts as high risk. Scripts that run with superuser can access all system resources. If unchecked, users can only create standard scripts.

Note

Users can also view and edit Lists (under Settings → Configurations → Object Setup → Lists) provided they have Cases & Issues permissions.

SOC Tier 1, 2, and 3 Analysts and Threat Hunters: Should not do script editing, but need visibility into automation workflows.
Security Engineer: Security Engineers need full script capabilities for advanced development.

Disabled

Cannot access the Scripts page, view any script configurations, see script execution results, or access any automation scripts in any context.

Note

Scripts can only be Disabled after first setting Playbooks to Disabled and Playground to None.

Consider adding the following permissions:

Permission	Permission Level	Reason
Playbooks	Enabled	Strongly recommended, as scripts are almost always the building blocks inside a playbook. To build an automated workflow, you need both.
Cases and Issues	View	Strongly recommended, as script execution results are tied to cases.
Action Center	View or View/Edit	View: Strongly recommended to view script execution history in the Action Center. View/Edit: Strongly recommended, as many scripts trigger response actions (like Isolate); the Action Center tracks these executions.
Playground	View/Edit	View/Edit: Recommended to test scripts before deploying (especially Super User scripts).
Credentials	View	View: Recommended for scripts that require API keys or tokens to talk to external 3rd-party integrations (e.g., VirusTotal, ServiceNow).
Query Center	View	Recommended for scripts designed to pull and parse XQL data for custom reporting.