Learn more about the Cortex XSIAM predefined user role called Investigation Admin.
The Investigation Admin role is used to view and triage alerts and incidents, configure rules, and view endpoint profiles, endpoint policies, and the Analytics management screens. In the tables below, ✓ marks a permission the role has, — a permission it does not have, and N/A a permission level that does not exist for that component. Where a component has additional action permissions, each action is listed beneath it with its Edit (✓) or None (—) setting.
| Component | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Dashboards | — | — | ✓ | — |
| Command Center Dashboards | — | ✓ | N/A | — |
| Ingestion Monitoring | ✓ | — | N/A | — |
| Reports | — | — | ✓ | — |

| Component | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Alerts & Incidents | — | — | ✓ | ✓ |
| ↳ Add Trigger Playbook | | | | — |
| ↳ Create Incident | | | | — |

| Component | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Query Center | — | — | ✓ | — |
| Personal Query Library | — | — | ✓ | — |
| Forensics | — | — | ✓ | — |
| Host Insights | — | — | ✓ | — |

| Component | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Action Center | — | — | ✓ | ✓ |
| ↳ Isolate | | | | — |
| ↳ Terminate Process | | | | — |
| ↳ Quarantine | | | | — |
| ↳ File Retrieval | | | | — |
| ↳ File Search | | | | — |
| ↳ Destroy Files | | | | — |
| ↳ Allow List/Block List | | | | — |
| ↳ Disable Response Actions | | | | — |
| ↳ Remediation | | | | — |
| ↳ Delete Quarantined Files | | | | — |
| EDL | — | N/A | ✓ | — |
| Agent Scripts Library | ✓ | — | — | ✓ |
| ↳ Run Standard Script | | | | — |
| ↳ Run High-Risk Script | | | | — |
| ↳ Script Configurations | | | | — |
| Live Terminal | ✓ | N/A | — | — |

| Component | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Playbooks | N/A | — | ✓ | — |
| Scripts | N/A | — | ✓ | ✓ |
| ↳ Create scripts that will run with super user | | | | ✓ |
| Playground | — | N/A | ✓ | — |

| Component | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Vulnerability Testing | — | ✓ | — | — |

| Component | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Rules | — | — | ✓ | ✓ |
| ↳ Prevention Rules | | | | — |
| ↳ Request WildFire Verdict Change | | | | — |
| Attack Surface Rules | — | — | ✓ | — |

| Component | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Threat Intel | — | — | ✓ | — |

| Component | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Jupyter | ✓ | N/A | — | — |
| Observability | ✓ | N/A | — | — |

| Component | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Network Configuration | ✓ | — | — | — |
| Compliance | ✓ | — | N/A | — |
| Asset Inventory | ✓ | — | — | — |
| Asset Roles Configuration | ✓ | — | — | — |

| Component | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Endpoint Administration | ✓ | — | — | ✓ |
| ↳ Endpoint Management | | | | — |
| ↳ Retrieve Endpoint Data | | | | — |
| ↳ Endpoint Scan | | | | — |
| ↳ Change Managing Server | | | | — |
| ↳ Pause Protection | | | | — |
| ↳ Endpoint Token Management | | | | — |
| Endpoint Groups | ✓ | — | — | — |
| Endpoint Prevention Policies | — | ✓ | — | — |
| Global Exceptions | ✓ | — | — | — |
| Endpoint Profiles | — | ✓ | — | — |
| Endpoint Extension Policies | — | ✓ | — | — |
| Endpoint Installations | ✓ | — | — | — |
| Host Firewall | — | — | ✓ | — |
| Device Control | — | — | ✓ | ✓ |
| ↳ Device Control Rules | | | | ✓ |
| ↳ Device Control Exceptions | | | | ✓ |

| Component | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Browse | — | ✓ | — | — |

| Component | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Auditing | ✓ | — | N/A | — |
| Alert Notifications | ✓ | — | — | — |
| General Configuration | ✓ | — | — | — |

| Component | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| On-demand Analytics | ✓ | — | — | — |

| Component | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Broker Services | ✓ | — | — | ✓ |
| ↳ Pathfinder Applet | | | | — |
| Pathfinder Data Collection | ✓ | — | — | — |

| Component | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Log Collections | ✓ | — | — | — |
| Data Sources | ✓ | — | — | — |
| External Alerts Mapping | ✓ | — | — | — |
| Integrations | — | ✓ | — | — |

| Component | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Data Management | ✓ | N/A | — | — |

| Component | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Public API | ✓ | — | — | — |
| Threat Intelligence | ✓ | — | — | — |
| Long Running HTTP Integrations Configuration | — | — | ✓ | — |
| Credentials | N/A | ✓ | — | — |
| Apps | ✓ | — | — | — |

| Component | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Incident Properties | ✓ | — | — | — |
| Exclusion List | — | — | ✓ | — |
| Fields and Types | — | — | ✓ | — |
| Layouts | — | — | ✓ | — |

| Component | None | View | View/Edit | Additional Action Permissions (Edit/None) |
|---|---|---|---|---|
| Support | — | N/A | ✓ | — |