Issue Exclusions permissions ↗
Issue Exclusions controls access to the All Issue Exclusions and Exceptions page under → , which includes the following:
Exclusion Rules: Defines conditions (based on issue attributes, such as severity, source, category, etc.) that automatically suppress the creation or surfacing of matching issues. This is the primary mechanism for tuning out false positives and reducing issue noise.
Exception Rules: Defines conditions under which issues are flagged as exceptions that may require approval before being acted upon, rather than being silently suppressed.
Note
This permission controls access to the All Issue Exclusions and Exceptions page. If users require access to Exception Rules, they also need Exception Approver Admin View or View/Edit permission.
Permission | Description | Roles Example |
|---|---|---|
None | No access to the All Issue Exception & Exclusion Rules page. | SOC Tier-1 Analyst: Should escalate false positives rather than create exclusions. |
View | Read-only access to the All Issue Exception & Exclusion Rules page. Users can browse both Exclusion Rules and Exception Rules tabs, view rule details (name, description, indicator conditions, BIOC indicators, status, modification time), search and filter rules, and export data, but cannot create new rules, edit existing rules, delete rules, or enable/disable rules on either tab. | SOC Tier-2 Analyst and Threat Hunter: Should reference existing exclusions during investigations or understand filtered activity. |
View/Edit | Read and write access to theAll Issue Exception & Exclusion Rules page, including creating, editing, deleting, enabling, importing, and duplicating Exclusion Rules and Exception Rules. |
|
Required and recommended permissions
Consider adding the following permissions:
Permission | Permission Level | Reason |
|---|---|---|
Cases & Issues | View or View/Edit |
|
Exception Management Admin | View/Edit | Users who manage exclusion rules typically also need to manage exception rules to complete the exception management workflow. Strongly recommended. |
Detection Rules | View | Recommended to view related IOC/BIOC detection rules to understand what triggers the issues being excluded. |
Agent Profiles | View | Recommended to view endpoint profiles for scoping exclusions to specific endpoint groups. |
Global Exceptions | View | Strongly recommended to view global exception policies to understand the full exclusion landscape and avoid conflicts. |
Query Center | View | Recommended to run XQL queries to validate exclusion impact and verify suppressed issues. |