Role-based Permission Levels for Cortex XDR/XSIAM

Cortex Gateway Administrator Guide

Product: Cortex
Creation date: 2023-03-23
Last date published: 2024-02-26
Category: Cortex Gateway Admin Guide
Abstract

RBAC permission levels for Cortex XDR/XSIAM components, including investigations, detection, response, endpoints and settings.

When editing or creating a role, you set a permission level (RBAC) for each component, such as incident response, assets, endpoints, detections and threat intel, and more.

Note

You can only create, edit, copy, or delete a role if you have administration (Instance/Account) permissions. You cannot change the Instance Administrator role permission.

Component / Description

Dashboards & Reports

You can set the permission levels for the following:

  • Dashboards

  • Ingestion Monitoring

  • Reports

Incident Response

You can set the permission level according to the following:

  • Incidents & Alerts

    • Alerts & Incidents

      • Trigger Playbook: Only enabled when Alerts & Incidents is set to View/Edit. Enables a user with this role to edit a playbook trigger.

  • Investigation

    • Query Center

    • Personal Query Library

    • Forensics

    • Host Insights

  • Response

    • Action Center: When set to View/Edit, you have view and edit permissions to the following options in the Action Center:

      • Isolate

      • Terminate Process

      • Quarantine

      • File Retrieval

      • File Search

      • Destroy Files

      • Allow List/Block List

      • Disable Response Actions

      • Remediation

      • Delete Quarantined Files

    • EDL: When set to View/Edit, you can view and make changes to the IP addresses and domain name lists.

    • Agent Scripts Library: When set to View/Edit, you have view and edit permissions to the following options:

      • Run Standard Script

      • Run High-Risk Script

      • Script Configurations

    • Live Terminal: Enables you to initiate a remote connection to an endpoint where you can manage, investigate, and perform response actions on the endpoint.

    • Automation Rules: Enables you to add or edit automation rules.

  • Automations

    • Playbooks: When set to View/Edit, you have permissions to create, edit and delete playbooks.

    • Scripts: When set to View/Edit, you have permissions to create, edit and delete scripts. You have the option to select the following:

      • Create scripts that will run with super user

    • Playground: When set to View/Edit, you have permissions to create, edit and delete scripts, APIs, commands and more.
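The Incident Response component carries two things a reviewer checks when a role is created or widened: the dependency stated above (Trigger Playbook is only usable when Alerts & Incidents is View/Edit) and the handful of response and script permissions that directly change endpoints (Action Center, Run High-Risk Script, super-user scripts, Live Terminal). The following Python is an added example, not Palo Alto Networks code and not a Cortex API: it models a role as a plain mapping from the component names on this page to a permission level, assumes the three levels None, View and View/Edit, and treats a sub-option such as Trigger Playbook as View/Edit when enabled. The sample roles are constructed.

```python
"""Least-privilege review of a Cortex role definition (added example).

Not product code. A role is modelled as {component: level}. Component names
come from this page; the dependency table encodes the one rule the page
states, and the high-impact set is an audit choice made here, not a product
rule.
"""
from __future__ import annotations

# Assumed permission levels, lowest to highest. The page names View/Edit;
# None and View are assumptions.
LEVELS = ("None", "View", "View/Edit")

# Page: Trigger Playbook is only enabled when Alerts & Incidents is View/Edit.
DEPENDENCIES: dict[str, tuple[str, str]] = {
    "Trigger Playbook": ("Alerts & Incidents", "View/Edit"),
}

# Permissions the page describes as response or high-risk capabilities.
# Flagging them for sign-off is this reviewer's choice.
HIGH_IMPACT = {
    "Action Center",
    "Run High-Risk Script",
    "Create scripts that will run with super user",
    "Live Terminal",
}


def validate_role(role: dict[str, str]) -> list[str]:
    """Return findings for unknown levels and unmet dependencies (empty = consistent)."""
    findings: list[str] = []
    for component, level in role.items():
        if level not in LEVELS:
            findings.append(f"{component}: unknown level {level!r}")
    for dependent, (parent, required) in DEPENDENCIES.items():
        granted = role.get(dependent, "None") != "None"
        parent_level = role.get(parent, "None")
        if granted and parent_level != required:
            findings.append(
                f"{dependent} is granted but {parent} is {parent_level}; "
                f"it requires {parent} = {required}"
            )
    return findings


def high_impact_grants(role: dict[str, str]) -> list[str]:
    """High-impact components the role grants at View/Edit, for explicit sign-off."""
    return sorted(c for c in HIGH_IMPACT if role.get(c) == "View/Edit")


def diff_roles(base: dict[str, str], candidate: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Components whose level differs between two role definitions, as (old, new)."""
    keys = sorted(set(base) | set(candidate))
    return {
        k: (base.get(k, "None"), candidate.get(k, "None"))
        for k in keys
        if base.get(k, "None") != candidate.get(k, "None")
    }


# Constructed sample: a tier-1 analyst role, and the same role after someone
# widened it during an incident without recording why.
ANALYST_ROLE = {
    "Alerts & Incidents": "View",
    "Trigger Playbook": "View/Edit",   # enabled, but the parent is only View
    "Query Center": "View/Edit",
    "Action Center": "View",
    "Live Terminal": "None",
}
WIDENED_ROLE = dict(ANALYST_ROLE, **{"Action Center": "View/Edit", "Live Terminal": "View/Edit"})

if __name__ == "__main__":
    for finding in validate_role(ANALYST_ROLE):
        print("finding:", finding)
    print("high-impact grants after widening:", high_impact_grants(WIDENED_ROLE))
    for component, (old, new) in diff_roles(ANALYST_ROLE, WIDENED_ROLE).items():
        print(f"changed: {component}: {old} -> {new}")
```

Run against a role export (or a role definition kept under version control), the dependency finding catches the inconsistent state the page describes, and the diff plus high-impact list is what a change-control reviewer needs to see before approving a widened role.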

Detections & Threat Intel

You can set the permission level according to the following:

  • Rules: When set to View/Edit, select any of the following options:

    • Prevention Rules

    • Request WildFire Verdict Change

  • Attack Surface Rules: When set to View/Edit, you have permissions to change the severity or disable the Attack Surface Rules.

  • Threat Intel

Assets

You can set the permission level for:

  • Assets

    • Network Configuration

    • Compliance

    • Asset Inventory

    • Asset Roles Configuration

Endpoints

You can set the permission level for each of the following:

  • Endpoint Administration: When set to View/Edit, select any of the following options:

    • Endpoint Management

    • Retrieve Endpoint Data

    • Endpoint Scan

    • Change Managing Server

    • Pause Protection

    • Endpoint Token Management

  • Endpoint Groups

  • Endpoint Prevention Policies

  • Global Exceptions

  • Endpoint Profiles

  • Endpoint Extension Policies

  • Endpoint Installations

  • Host Firewall

  • Device Control: When set to View/Edit, select any of the following options:

    • Device Control Rules

    • Device Control Exceptions

Marketplace

  • Browse: When set to View/Edit, you have permissions to install, upgrade, downgrade, and delete content packs in the Marketplace.

Settings

You can set the permission level for each of the following:

  • General Settings

    • Auditing

    • Alert Notifications

    • General Configurations

  • Cortex XDR - Analytics

    • On-demand Analytics

  • Broker VMs

    • Broker Service

    • Pathfinder Data Collection

  • Data Collection

    • Log Collections

    • Data Sources

    • External Alerts Mapping

    • Integrations

  • Integrations

    • Public API

    • Threat Intelligence

    • EDL Configuration

    • Credentials

  • Object Setup

    • Exclusion List

    • Fields and Types

    • Layouts