Auditing permissions

Abstract

Configure auditing permissions (under Configurations)

Provides access to view audit logs that track all administrative and operational activities within Cortex XSIAM:

  • Management Audit Logs: Track user actions, role modifications, and administrative operations. Go to SettingsManagement Audit Logs.

  • Agent Audit Logs: Track endpoint agent activities and related activities. Go to SettingsAgent Audit Logs.

  • XDR Collector Audit Logs: Track XDR collector activities and data collection events. Go to Settings XDR Collector Audit Logs.

Caution

The Auditing module is intentionally restricted to View-only access. Audit logs are immutable records designed to maintain compliance and forensic integrity. They cannot be modified or deleted by any user.

Permission

Description

Roles Example

None

No access to any audit logs.

SOC Tier-1 Analyst: No Need for visibility into system activities, unless context is required.

View

Read-only access to all audit log data.

Auditing is intentionally view-only. Audit logs are immutable records that cannot be modified or deleted to maintain compliance and forensic integrity.

  • SOC Tier-2 and 3 Analysts, and Threat Hunters: Required for case investigation and understanding event timelines.

  • Security Engineer: Required for troubleshooting and validating configuration changes.