Learn more about the Cortex XSIAM predefined user role called Investigation Admin.
View and triage issues and cases, configure rules, view endpoint profiles and policies, and manage analytics. A senior investigation role focused on rule configuration, full investigation, response actions (action center, device control, host firewall), but no Live Terminal and no agent management.
Tip
Assign to detection engineers, SOC leads, or threat intelligence managers who focus on tuning detection rules, managing playbooks, and overseeing investigation workflows, but who delegate hands-on response actions to Responder roles. This role is about building and maintaining the detection and investigation infrastructure rather than performing incident response.
To quickly see exactly which pages and actions a role allows, click on the role name, which opens a read-only view of all checked permissions. For more information about the permissions, see Role permissions by components.