Application Security - Generic Collector permissions

The Generic Collector is a data source integration type within the Application Security module that allows ingestion of code scan data from external third-party security tools into Cortex XSIAM. Access the 3rd party AppSec Collector data source by going to SettingsData Sources & Integrations

Unlike built-in VCS integrations (GitHub, GitLab, etc.) and CI/CD integrations (Jenkins, CircleCI, etc.), the Generic Collector provides a flexible API endpoint for receiving scan results in supported formats (e.g., SARIF). Each collector instance is assigned a unique API URL and API key for external tool authentication.

Notice

Scan results ingested by the collector flow into Cortex XSIAM require a Cloud Posture Security, Cloud Runtime Security, or Cortex XSIAM Premium license plus the Application Security add-on.

Permission

Description

Roles Example

None

No access to the 3rd Party AppSec Collector on the Data Sources page.

SOC Tier-1, 2, and 3 Analysts, and Threat Hunters: They do not need to create/modify collectors. None is appropriate.

View/Edit

Full access to create, configure, view, enable/disable, and delete the 3rd Party AppSec Collector instances, provided users also have Data Sources View/Edit permission.

Note

If users have View permission for Data Sources, they can view the 3rd Party AppSec Collector, but cannot create or edit.

Security Engineers: Responsible for configuring and maintaining the security tooling pipeline. They need to create new collectors, configure detection methods, manage API keys, and troubleshoot ingestion issues.

Required and recommended permissions

The following permissions are needed alongside the Generic Collector permission for effective use. These apply generally regardless of role.

Permission

Permission Level

Reason

Data Sources

View or View/Edit

  • View: The Data Sources page is the only path to access collector management. Without this permission, the user cannot reach the collector management interface, even if they have Generic Collector View/Edit. Required.

  • View/Edit: Creating, editing, enabling/disabling, and deleting collectors requires the Data Sources action permission. Without it, the user can only view collectors in read-only mode. Required.

Asset Inventory

View or View/Edit

  • View: To view the AppSec issues generated from collector-ingested data. Without this, the user can manage collectors but cannot see the resulting security findings. Strongly recommended.

  • View/Edit: To manage and remediate issues that originate from collector-ingested data (e.g., change issue status, assign issues, create exclusions). Strongly recommended.

Integrations

View/Edit

  • View: View integration status and health for connected tools on the Data Sources & Integrations page. Recommended.

  • View/Edit: The Data Sources & Integrations page is shared between data sources and integrations. Having integration permissions provides a complete view of all connected tools. Strongly recommended

Query Center

View & View/Edit

  • View: Run XQL queries on data ingested through collectors for investigation purposes. Recommended.

  • View/Edit: Execute advanced queries on collector-ingested scan data. Recommended.

Cases & Issues

View/Edit

Correlate collector-sourced AppSec issues with cases and issues. Recommended.