External Issues Mapping permissions

Abstract

Configure External Issues Mapping permissions (under Data Collection).

Configure how alerts from third-party systems are translated into Cases through SettingsConfigurationsData CollectionExternal Issues Mapping.

For more information, see External alerts using External Issue Mapping.

Permission

Description

Roles Example

None

Users cannot access the External Issue Mapping page.

SOC Tier-1 Analyst: External mapping configuration is not within Tier-1 scope.

View

Users can access the External Issue Mapping page and view all configured issue mappings and parsers. They can review how external alerts from third-party systems (such as Splunk, QRadar, or other SIEMs) are being mapped to issue fields. They can examine parser configurations, field mappings, and transformation rules.

  • SOC Tier 2 and 3 Analysts: Can review mappings for investigation purposes.

  • Threat Hunter: Understanding issue sources is valuable for threat hunting.

View/Edit

Users have full control over external issue mapping configurations. They can create new parsers and mapping rules, modify existing field mappings and transformation logic, enable or disable specific mappings, configure how external issue fields map to issue properties, and delete mapping configurations.

Security Engineer: Responsible for configuring alert mappings and parsers.