Agent Scripts Library permissions

Abstract

Configure Agent Script Library permissions.

The Agents Script Library in the Action Center (Investigation & ResponseResponseAction CenterAgent Script Library) enables security teams to create, manage, and execute Python scripts on endpoints for response actions, forensic collection, and custom automation.

Permission

Description

Roles Example

None

No access to the Agent Script Library. Users cannot run scripts on endpoints, access script execution history, create, edit, or delete scripts.

View

Users can access the Agent Script Library and view the script list, details, and code. Download the script code and definitions file and view the script history and results.

SOC Analyst Tier-1: Should have visibility into scripts and execution history, but no execution capabilities.

View/Edit

When set to View/Edit, the following action checkboxes become available:

  • Run Standard Script

  • Run High Risk Script

  • Script Configurations

For more information, see Run agent scripts on an endpoint

SOC Tier 2 and 3 Analysts, Threat Hunters, and Security Engineers should have full access with granular controls.

Agent Script Sub-permissions

Sub-permission

Description

Roles Example

Run Standard Scripts

Enables execution of standard scripts, which are lower-risk operations that don't make significant system changes, such as data collection, log retrieval, or read-only queries.

  • Checked: Full access to run standard scripts in the Action Center (where the Outcome column is set to Standard), when defining an action (select Run Endpoint Script), Agent Management, and can rerun standard script executions and use interactive script mode for standard scripts.

  • Unchecked: Can view standard scripts in the Agent Script Library, but cannot execute standard scripts.

SOC Tier 2 and 3 Analysts, Security Engineers, Threat Hunters.

Run High-Risk Scripts

Enables execution of scripts marked as High-Risk, which can make significant system changes, including file modifications, process termination, registry changes, or system configuration alterations. These scripts require elevated permissions due to their potential impact.

  • Checked: Full access to run high-risk scripts in the Action Center (where the Outcome column is set to High-Risk), when defining an action (select Run Endpoint Script), Agent Management, and can rerun High-Risk script executions and use interactive script mode for standard scripts.

  • Unchecked: Can view high-risk scripts in the Agent Script Library, but cannot execute standard scripts.

Tip

Consider adding Run Standard Scripts. High-risk scripts permission is typically granted alongside standard scripts.

SOC Tier-3 Analysts, Security Engineers, and Threat Hunters.

Script Configurations

Controls the ability to create, edit, clone, and delete scripts in the Agents Script Library. This is separate from the ability to run scripts.

  • Checked: Full script management capabilities, including creating, editing, deleting, and saving a script

    Note

    Only local scripts (created in the tenant) can be edited or deleted. Scripts from content packs can only be viewed or copied.

  • Unchecked: Can only view and download scripts.

Security Engineer