Exclusion List permissions

Abstract

Configure Exclusion Lists permissions under Objects.

Controls access to the indicator exclusion list configuration under SettingsConfigurationsObject SetupIndicatorsExclusion List. This governs the permanent exclusion of indicators such as IP addresses, domains, URLs, file hashes, and email addresses. It is primarily used for:

  • Allowing known-good or trusted infrastructure.

  • Suppressing false-positive indicators identified during investigations.

  • Filtering noisy vendor feeds that generate high volumes of low-value alerts.

Note

When managing Indicators (located under Threat ManagementThreat IntelligenceIndicators), users who lack View/Edit permissions for the Exclusion List will find that exclusion-related features (such as the Exclusion reason field and Do not add to exclusion list checkbox) are automatically hidden by the system.

Access to the Indicators page itself requires a Threat Intelligence Management (TIM) add-on or a Cortex XSIAM Premium license.

Permission

Description

Roles Example

None

Users cannot view excluded indicators, add new ones, or perform imports/exports.

View

Read-only access to the full table of excluded indicators, including values, types, and comments. Users can search, filter, and export the list.

SOC Tier-1 and 2 Analysts: Should be able to see what is excluded to understand why certain indicators are not flagged, but should not modify the list without approval.

View/Edit

Full read/write access. Users can manually add or remove indicators, perform bulk CSV imports/exports, and execute bulk operations.

  • SOC Tier 3 Analyst: Can manage exclusions based on advanced threat analysis findings; trusted to add/remove indicators from the exclusion list.

  • Threat Hunter: Critical for managing false positive indicators and tuning detection; threat hunters frequently need to exclude known-good indicators.

  • Security Engineer: Manages exclusion lists as part of TI pipeline tuning and false positive reduction.