Learn how to manage role permissions in Cortex XSIAM.
You can manage role permissions in Cortex XSIAM. The permissions are listed by component, grouped according to the sidebar navigation in Cortex XSIAM; dataset permissions are also included for custom roles. Some components include additional action permissions, such as pivot (right-click) options, which you can grant only after giving the role View/Edit permissions on the applicable component. Whenever you create a new role or edit an existing one, these permissions are configured for all Cortex XSIAM apps and services in the Components tab of the Create Role window on the Roles page. For more information, see Manage user roles.
Note
Cortex XSIAM provides predefined Palo Alto Networks roles, which have set role permissions. For more information, see Default PANW roles.
The following tables list, for each Cortex XSIAM component and its additional action permissions (grouped by sidebar navigation heading), the pages the permission grants access to, the detailed View/Edit actions available on each page, and any additional information you should know about the permission. A ✓ in the second column of a component row means the component has additional action permissions; the rows that follow it (also marked ✓) name those actions, each of which requires View/Edit on the component. A — means the component has no additional action permissions.
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Dashboards | — | | Dashboards & Reports → Customize → Widget Library is displayed when the user role permissions are set to at least one of the following: |
Command Center Dashboards | — | Dashboards & Reports → Dashboard → Data Ingestion Dashboard → XSIAM Command Center | Dashboards & Reports → Dashboard → Data Ingestion Dashboard → XSIAM Command Center is displayed when the user role permissions are set to the following: |
Ingestion Monitoring | — | Dashboards & Reports → Dashboard → Data Ingestion Dashboard | |
Reports | — | | Customize → Widget Library is displayed when the user role permissions are set to at least one of the following: |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Alerts & Incidents | ✓ | | |
Add Trigger Playbook | ✓ | Incident Response → Incidents → Alerts Table → Alerts | When SBAC is set to Restrictive mode, users who don't have all the tags of the parent incident cannot read or edit the parent incident (fields or context). For more information on setting Restrictive mode, see Configure server settings. However, users who have all the tags on the child alert and View/Edit permissions on Alerts & Incidents can trigger a playbook that changes the parent incident, which SBAC would otherwise prevent. Granting Add Trigger Playbook makes that bypass an explicit decision: users with this permission can trigger playbooks that bypass SBAC on the parent incident's fields and context data, so grant it only to roles that genuinely need to run playbooks against incidents outside their scope. For more information about updating fields in a playbook, see Update incident fields. |
Create Incident | ✓ | Incident Response → Incidents → New Incident | This permission is required to create an incident manually. To add a playbook to the manually created incident, the Add Trigger Playbook permission (above) must also be selected. |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Query Center | — | | Editing BIOC and Correlation Rules requires View/Edit permissions for both Incident Response → Investigation → Query Center and Detections & Threat Intel → Detections → Rules (see below). |
Personal Query Library | — | Incident Response → Investigation → Query Builder → XQL, to access your personal queries in the Query Library tab. | |
Forensics | — | Incident Response → Investigation → Forensics, where all Forensics pages are accessible and all actions can be performed. | |
Host Insights | — | | |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Action Center | ✓ | Incident Response → Response → Action Center | |
Isolate | ✓ | | |
Terminate Process | ✓ | The causality chain view is available from the Alerts table (Incident Response → Incidents → Alerts Table) or from the Query Results after running a query on the related data. From either place, pivot (right-click) to the causality chain view from any row in the table and select: | |
Quarantine | ✓ | As for Terminate Process: pivot (right-click) to the causality chain view from any row of the Alerts table or the Query Results and select: | |
File Retrieval | ✓ | | |
File Search | ✓ | Incident Response → Incidents → Key Assets & Artifacts tab, and search for a file. | |
Destroy Files | ✓ | Incident Response → Response → Action Center → All Actions → New Action, and on the Define an Action page select Destroy file. | |
Allow List/Block List | ✓ | | |
Disable Response Actions | ✓ | Endpoints → All Endpoints, pivot (right-click) an endpoint that isn't an iOS endpoint, and select Endpoint Control → Disable Capabilities. | |
Remediation | ✓ | | |
Delete Quarantined Files | ✓ | Incident Response → Response → Action Center → Currently Applied Actions → File Quarantine | |
EDL | — | Incident Response → Response → EDL | |
Agent Scripts Library | ✓ | Incident Response → Response → Action Center → Agent Script Library | |
Run Standard Script | ✓ | | |
Run High-Risk Script | ✓ | Incident Response → Response → Action Center → Agent Script Library; for any script in the Scripts Library table whose Outcome column is set to High Risk, you can select: | |
Script Configurations | ✓ | Incident Response → Response → Action Center → Agent Script Library | |
Live Terminal | — | | |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Playbooks | — | | User role permissions are set to View playbooks by default. It is not possible to set up a role without any access to playbooks. |
Scripts | ✓ | Incident Response → Automation → Scripts | User role permissions are set to View scripts by default. It is not possible to set up a role without any access to scripts. |
Create scripts that will run with super user | ✓ | | |
Playground | — | Incident Response → Automation → Playground | |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Vulnerability Testing | — | Detections & Threat Intel → Attack Surface → Attack Surface Testing | This feature requires the Cortex XSIAM Attack Surface Management (ASM) add-on; without it, the feature isn't displayed in Cortex XSIAM. |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Rules | ✓ | | Editing BIOC and Correlation Rules requires View/Edit permissions for both Incident Response → Investigation → Query Center (see above) and Detections & Threat Intel → Detections → Rules. |
Prevention Rules | ✓ | | |
Request WildFire Verdict Change | ✓ | From a WildFire report, click Report Verdict as Incorrect and, under Suggested Verdict, suggest a new verdict. Open a WildFire report from: | |
Attack Surface Rules | — | | |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Threat Intel | — | | |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Jupyter | — | Settings → Configurations → Integrations → Apps → Jupyter Notebooks Instance | |
Observability | — | | |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Network Configuration | — | | |
Compliance | — | | |
Asset Inventory | — | | |
Asset Roles Configuration | — | Assets → Asset Roles Configuration | |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Endpoint Administrations | ✓ | Endpoints → All Endpoints | |
Endpoint Management | ✓ | Endpoints → All Endpoints. Locate one or more endpoints, right-click, and select: | |
Retrieve Endpoint Data | ✓ | | |
Endpoint Scan | ✓ | Endpoints → All Endpoints. Locate one or more endpoints, right-click, and select: | |
Change Managing Server | ✓ | Endpoints → All Endpoints | |
Pause Protection | ✓ | Endpoints → All Endpoints | |
Endpoint Token Management | ✓ | Endpoints → All Endpoints. The Tokens and Passwords icon is displayed in the top right corner of the screen; click it and select: | |
Endpoint Groups | — | Endpoints → Endpoint Groups | |
Endpoint Prevention Policies | — | Endpoints → Policy Management → Prevention → Policy Rules | |
Global Exceptions | — | Endpoints → Policy Management → Prevention → Global Exceptions | |
Endpoint Profiles | — | Endpoints → Policy Management → Extensions → Profiles | |
Endpoint Extension Policies | — | Endpoints → Policy Management → Extensions | |
Endpoint Installations | — | Endpoints → Agent Installations | |
Host Firewall | — | | Users can still view Extensions profiles when the type is set to host firewall. |
Device Control | ✓ | | |
Device Control Rules | ✓ | Endpoints → Device Control Violations | |
Device Control Exceptions | ✓ | Endpoints → Disk Encryption Visibility | |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Browse | — | Marketplace → Browse tab | |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Auditing | — | | |
Alert Notification | — | Notifications | |
General Configuration | — | Settings → Configurations → General → Server Settings | |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
On-demand Analytics | — | Settings → Configurations → Cortex XSIAM - Analytics | |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Broker Service | ✓ | Settings → Configurations → Data Broker → Broker VMs | |
Pathfinder Applet | ✓ | Settings → Configurations → Data Broker → Broker VMs; the Pathfinder applet is displayed in the APPS column of the Broker VMs page. | |
Pathfinder Data Collection | — | Settings → Configurations → Data Collection → Pathfinder Collection Center | To use the Pathfinder Collection Center page, you need View/Edit permission for both the Broker Service and the Pathfinder Applet (see above). |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Log Collections | — | | |
Data Sources | — | Settings → Data Sources, or Settings → Configurations → Data Collection → Data Sources | |
External Alerts Mapping | — | Settings → Configurations → Data Collection → External Alert Mapping | |
Integrations | — | Settings → Configurations → Data Broker → Engines | |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Data Management | — | | To set permissions for Compute Unit Usage, use Integrations → Public API (see the table below). |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Public API | — | | |
Threat Intelligence | — | Settings → Configurations → Integrations → Threat intelligence | |
Long Running HTTP Integrations configuration | — | | |
Credentials | — | Settings → Configurations → Integrations → Credentials | |
Apps | — | Settings → Configurations → Integrations → Apps | |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Incident Properties | — | Settings → Configurations → Object Setup → Incidents | |
Exclusion List | — | Settings → Configurations → Object Setup → Indicators → Exclusion List tab | |
Fields and Types | — | | Applies to Alert and Indicator fields, and to Indicator types. |
Layouts | — | | You need Alerts & Incidents View permissions to edit Layout Rules. |
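The dependency notes scattered through the tables above (an action permission only on top of View/Edit for its component; Query Center plus Rules for BIOC and Correlation rule editing; Create Incident plus Add Trigger Playbook for playbooks on manually created incidents; Broker Service plus the Pathfinder Applet for the Pathfinder Collection Center; Alerts & Incidents View for editing Layout Rules; Playbooks and Scripts never below View) are easy to miss when drafting a custom role. The script below is an added example, not code from this page or from Palo Alto Networks: it lints a role definition against those rules and separately surfaces the grants that widen a role's blast radius (Add Trigger Playbook's SBAC bypass, high-risk and super-user scripts, Destroy Files, and so on) so they are granted deliberately. The role schema (component name mapped to none/view/view_edit, plus a set of action names) and both sample roles are assumptions constructed for the example; the page does not describe Cortex XSIAM's own role export format.

```python
"""Lint a Cortex XSIAM custom role against the permission dependencies
described in the tables on this page. Added example; the role schema
(component -> none/view/view_edit plus a set of action names) is an
assumption, not the product's export format."""
from dataclasses import dataclass, field

LEVELS = ("none", "view", "view_edit")

# Action permission -> the component it hangs off. An action can only be
# granted on top of View/Edit for that component. Subset of the tables above.
ACTION_PARENT = {
    "Add Trigger Playbook": "Alerts & Incidents",
    "Create Incident": "Alerts & Incidents",
    "Isolate": "Action Center",
    "Destroy Files": "Action Center",
    "Disable Response Actions": "Action Center",
    "Run Standard Script": "Agent Scripts Library",
    "Run High-Risk Script": "Agent Scripts Library",
    "Create scripts that will run with super user": "Scripts",
    "Request WildFire Verdict Change": "Rules",
    "Endpoint Token Management": "Endpoint Administrations",
    "Pause Protection": "Endpoint Administrations",
    "Pathfinder Applet": "Broker Service",
}

# Grants that widen a role's blast radius; surfaced for deliberate review.
PRIVILEGED = {
    "Add Trigger Playbook": "playbooks may bypass SBAC on the parent incident",
    "Run High-Risk Script": "runs High Risk scripts on endpoints",
    "Create scripts that will run with super user": "scripts run as super user",
    "Destroy Files": "destroys files on endpoints",
    "Disable Response Actions": "disables agent capabilities on an endpoint",
    "Endpoint Token Management": "exposes agent tokens and passwords",
    "Pause Protection": "pauses endpoint protection",
}


@dataclass
class Role:
    name: str
    components: dict  # component name -> "none" | "view" | "view_edit"
    actions: set = field(default_factory=set)

    def level(self, component):
        return self.components.get(component, "none")

    def can_edit(self, component):
        return self.level(component) == "view_edit"


def lint_role(role):
    """Return (severity, message) pairs. 'error': the role cannot do what it
    appears to grant; 'warn': a gap the tables call out; 'review': privileged."""
    out = []
    for comp, lvl in role.components.items():
        if lvl not in LEVELS:
            out.append(("error", f"{comp}: unknown level {lvl!r}"))
    for comp in ("Playbooks", "Scripts"):  # always at least View
        if role.level(comp) == "none":
            out.append(("error", f"{comp}: cannot be set below View"))
    for action in sorted(role.actions):
        parent = ACTION_PARENT.get(action)
        if parent is None:
            out.append(("error", f"{action}: not a known action permission"))
        elif not role.can_edit(parent):
            out.append(("error", f"{action}: needs View/Edit on {parent} "
                                 f"(currently {role.level(parent)})"))
    if role.can_edit("Rules") and not role.can_edit("Query Center"):
        out.append(("error", "BIOC/Correlation rule editing needs View/Edit on "
                             "Query Center as well as Rules"))
    if role.level("Pathfinder Data Collection") != "none" and not (
            role.can_edit("Broker Service") and "Pathfinder Applet" in role.actions):
        out.append(("error", "Pathfinder Collection Center needs Broker Service "
                             "View/Edit plus the Pathfinder Applet action"))
    if role.can_edit("Layouts") and role.level("Alerts & Incidents") == "none":
        out.append(("error", "editing Layout Rules needs Alerts & Incidents View"))
    if "Create Incident" in role.actions and "Add Trigger Playbook" not in role.actions:
        out.append(("warn", "Create Incident without Add Trigger Playbook: no "
                            "playbook can be attached to manually created incidents"))
    for action in sorted(role.actions & set(PRIVILEGED)):
        out.append(("review", f"{action}: {PRIVILEGED[action]}"))
    return out


def errors(role):
    return [msg for sev, msg in lint_role(role) if sev == "error"]


# Constructed sample (names from the tables, grants invented): a tier-1
# responder role drafted without checking the dependencies.
TIER1_DRAFT = Role("tier1-responder", {
    "Alerts & Incidents": "view_edit", "Query Center": "view", "Rules": "view_edit",
    "Action Center": "view", "Agent Scripts Library": "view_edit",
    "Playbooks": "none", "Scripts": "view", "Layouts": "view_edit",
}, {"Create Incident", "Isolate", "Run High-Risk Script"})

# The same role with the errors fixed; the review items remain by design.
TIER1_FIXED = Role("tier1-responder", {
    **TIER1_DRAFT.components, "Query Center": "view_edit",
    "Action Center": "view_edit", "Playbooks": "view",
}, TIER1_DRAFT.actions | {"Add Trigger Playbook"})

if __name__ == "__main__":
    for role in (TIER1_DRAFT, TIER1_FIXED):
        print(f"== {role.name}")
        for sev, msg in lint_role(role):
            print(f"  [{sev}] {msg}")
```

Running it on the draft role reports three errors (Playbooks below View, Isolate without Action Center View/Edit, Rules View/Edit without Query Center View/Edit), one warning (Create Incident without Add Trigger Playbook) and one review item (Run High-Risk Script); the fixed role reports no errors but still lists Add Trigger Playbook and Run High-Risk Script for review, which is the intended workflow: the linter clears the mistakes and leaves the privileged grants as a conscious sign-off.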
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Support | — | Help → Submit a Support Case | |