Exclusion List permissions ↗
Configure Exclusion Lists permissions under Objects.
Controls access to the indicator exclusion list configuration under → → → → . This governs the permanent exclusion of indicators such as IP addresses, domains, URLs, file hashes, and email addresses. It is primarily used for:
Allowing known-good or trusted infrastructure.
Suppressing false-positive indicators identified during investigations.
Filtering noisy vendor feeds that generate high volumes of low-value alerts.
Note
When managing Indicators (located under → → ), users who lack View/Edit permissions for the Exclusion List will find that exclusion-related features (such as the Exclusion reason field and Do not add to exclusion list checkbox) are automatically hidden by the system.
Access to the Indicators page itself requires a Threat Intelligence Management (TIM) add-on or a Cortex XSIAM Premium license.
Permission | Description | Roles Example |
|---|---|---|
None | Users cannot view excluded indicators, add new ones, or perform imports/exports. | |
View | Read-only access to the full table of excluded indicators, including values, types, and comments. Users can search, filter, and export the list. | SOC Tier-1 and 2 Analysts: Should be able to see what is excluded to understand why certain indicators are not flagged, but should not modify the list without approval. |
View/Edit | Full read/write access. Users can manually add or remove indicators, perform bulk CSV imports/exports, and execute bulk operations. |
|