You can assign users to the investigation for them to view and manage the investigation.
By default, investigation permissions utilize the role-based access control (RBAC) settings configured in the system. Users must have a role with the Forensic permissions set to View in order to view forensic investigations. In order to create investigations or collections, a user must have a role where the Forensics permissions is set to View/Edit. Without either role, a user cannot interact with the forensics interface.
If Scope-Based Access Control (SBAC) is enabled on your system, from the Permissions table, you can select the users from which to assign permissions to the investigation.
Users with account administrator or instance administrator roles have access to investigations and can't be cleared from the Permissions table. They can view and edit all Investigations, including adding/removing users, creating/deleting collections, closing the Investigation. This prevents investigation lockout in the event of a user leaving before the Investigation is complete.
Note
Even if a user does not have access to view an investigation via the Forensics Investigations page, they can still query the results of the collections using an XQL query.
The Permissions fields describe the following information:
Field | Description |
---|---|
User Name | Name of the user as logged in the → → . |
The user's email as logged in the → → . | |
User Type | Indicates whether the user was defined in Cortex XSIAM using the CSP (Customer Support Portal), SSO (single sign-on) using your organization’s IdP, or both CSP/SSO. |
Role | Name of the role assigned specifically to the user that is not inherited from somewhere else, such as a User Group. When the user does not have any Cortex XSIAM access permissions that are assigned specifically to them, the field displays No-Role. |
Permissions | Options are None, View, View/Edit |