Learn more about the Cortex XSIAM predefined user role called Privileged Responder.
Can view and triage incidents and alerts, and combines full response (including Live Terminal), rule editing, endpoint policy management, and playbook/script editing. No access management, alert notifications, broker management, or data sources management.
A Privileged Responder is primarily about advanced remediation and administrative control.
Tip
Assign to SOC Tier-3 analysts or senior case responders who handle complex incidents end-to-end, from deep investigation through containment, remediation, and rule tuning. They need Live Terminal for hands-on endpoint investigation, script execution for custom response actions, and the ability to update detection rules based on findings.
To quickly see exactly which pages and actions a role allows, click on the role name, which opens a read-only view of all checked permissions. For more information about the permissions, see Role permissions by components.