Attack Surface permissions

Abstract

Set permissions for Attack Surface Management rules and Vulnerability permissions.

Attack Surface Management (ASM) identifies exposed assets, misconfigurations, and vulnerabilities on your organization's external-facing attack surface. This permission covers the following:

  • Attack Surface Rules: Detection rules that generate issues when specific external exposures are found (e.g., exposed RDP, insecure SSH).

  • Vulnerability Testing: An active scanning module that performs non-intrusive and intrusive tests against discovered services to validate CVEs and exposures, generating CVSS/EPSS scores.

Attack Surface Rules

Attack Surface Rules permission controls access to:

  • ModulesAttack SurfacePoliciesAttack Surface Rules.

  • ModulesAttack SurfaceGlobal Lookup

  • Posture ManagementRules & PoliciesPoliciesAttack Surface Rules

Note

Requires an ASM, Exposure Management, or Cortex XSIAM Premium license.

If your organization does not have a Cortex XSIAM Premium license, users can only access Attack Surface features through the Modules menu. The Posture Management menu paths are not available.

For more information, see Attack Surface Rules.

Permission

Description

Roles Example

None

No access to the Attack Surface Rules and Global Lookup pages.

View

Read-only access to view all attack surface rules, their status, priority, and details.

The Global Lookup page is read-only.

  • SOC Tier 1 and 2 Analysts: Needs visibility into exposures and vulnerabilities for initial triage; should not modify rules or policies.

  • Threat Hunter: Needs read access for threat research and correlation; typically does not modify rules or policies.

View/Edit

Full edit access to all view permissions, including enable/disable rules, update priority, and bulk-update policies.

  • SOC Tier 3 Analyst: Senior analysts who can tune attack surface rules.

  • Security Engineer: Configures and tunes attack surface rules.

Vulnerability Testing

Vulnerability Testing permission controls access to:

  • ModulesAttack SurfacePoliciesAttack Surface Tests

  • SettingsConfigurationsAttack SurfaceAttack Surface TestingAttack Surface Testing Configuration.

Note

Requires the Attack Surface Management or Cortex XSIAM Premium license.

For more information, see Attack surface tests.

Permission

Description

Roles Example

None

No access to the Attack Surface Tests and Attack Surface Testing Configuration pages.

View

The test results table is visible and read-only. Can view CVE details, CVSS scores, EPSS scores, and affected software.

Can see the Attack Surface Testing Configuration page from SettingsConfigurationsAttack SurfaceAttack Surface Testing.

  • SOC Tier 1 and 2 Analysts: Needs visibility into exposures and vulnerabilities for initial triage; should not modify rules or policies.

  • Threat Hunter: Needs read access for threat research and correlation; typically does not modify rules or policies.

View/Edit

Full access to the Attack Surface Tests page, including enable/disable tests, trigger manual scans.

Users have full access to the Attack Surface Testing Configuration page.

  • SOC Tier 3 Analyst: Senior analysts who can tune attack surface testing.

  • Security Engineer: Configures and tunes attack surface testing.

Required and recommended permissions

To effectively configure attack surface rules and active tests, administrators and analysts require deep visibility into the underlying asset inventory and the resulting security issues. Consider adding the following permissions:

Permission

Permission Level

Reason

Asset Management

View

Required for Attack Surface Rules and Vulnerability Management to access the asset inventory where tested services and rules reside.

Cases & Issues

View or View/Edit

  • View: Strongly recommended for Attack Surface Rules and Vulnerability Testing to view cases/issues generated from attack surface rules and vulnerability test findings.

  • View/Edit: Recommended for Attack Surface Rules and Vulnerability Testing if required to triage/respond to issues from attack surface rules/vulnerability test findings.

Attack Surface Rules

View

Strongly recommended for Vulnerability Testing. Provides visibility into the attack surface rules that define what is being tested. Helps users understand the context of vulnerability test results.

Vulnerability Testing

View

Strongly recommended for Attack Surface Rules. Provides visibility into vulnerability test results that are related to attack surface findings. Useful for understanding the full context of an exposure.

Vulnerability Management

View

Recommended for Vulnerability Management. Provides access to the broader vulnerability management dashboards where test findings are aggregated into vulnerability issues. Useful for understanding the full lifecycle of a finding.