Issue Exclusions permissions

Issue Exclusions controls access to the All Issue Exclusions and Exceptions page under SettingsIssue Exception & Exclusion, which includes the following:

  • Exclusion Rules: Defines conditions (based on issue attributes, such as severity, source, category, etc.) that automatically suppress the creation or surfacing of matching issues. This is the primary mechanism for tuning out false positives and reducing issue noise.

  • Exception Rules: Defines conditions under which issues are flagged as exceptions that may require approval before being acted upon, rather than being silently suppressed.

Note

This permission controls access to the All Issue Exclusions and Exceptions page. If users require access to Exception Rules, they also need Exception Approver Admin View or View/Edit permission.

Permission

Description

Roles Example

None

No access to the All Issue Exception & Exclusion Rules page.

SOC Tier-1 Analyst: Should escalate false positives rather than create exclusions.

View

Read-only access to the All Issue Exception & Exclusion Rules page. Users can browse both Exclusion Rules and Exception Rules tabs, view rule details (name, description, indicator conditions, BIOC indicators, status, modification time), search and filter rules, and export data, but cannot create new rules, edit existing rules, delete rules, or enable/disable rules on either tab.

SOC Tier-2 Analyst and Threat Hunter: Should reference existing exclusions during investigations or understand filtered activity.

View/Edit

Read and write access to theAll Issue Exception & Exclusion Rules page, including creating, editing, deleting, enabling, importing, and duplicating Exclusion Rules and Exception Rules.

  • SOC Tier-3 Analyst: Create exclusions for validated false positives.

  • Security Engineer: Manage exclusion rules as part of tuning.

Required and recommended permissions

Consider adding the following permissions:

Permission

Permission Level

Reason

Cases & Issues

View or View/Edit

  • View: Exclusion rules are based on issue attributes. Without issue visibility, users cannot understand the context of what is being excluded.

  • View/Edit: Users manage issues and create exclusions directly from issue context menus. Analysts typically create issue exclusions directly when investigating an issue. To right-click and exclude an issue, the user must have View/Edit permissions. Strongly recommended.

Exception Management Admin

View/Edit

Users who manage exclusion rules typically also need to manage exception rules to complete the exception management workflow. Strongly recommended.

Detection Rules

View

Recommended to view related IOC/BIOC detection rules to understand what triggers the issues being excluded.

Agent Profiles

View

Recommended to view endpoint profiles for scoping exclusions to specific endpoint groups.

Global Exceptions

View

Strongly recommended to view global exception policies to understand the full exclusion landscape and avoid conflicts.

Query Center

View

Recommended to run XQL queries to validate exclusion impact and verify suppressed issues.