Forensics permissions

Abstract

Configure access for Forensics.

Controls access to Forensics (Investigation & ResponseForensics). Forensic investigations streamline your case response, data collection, threat hunting, and analysis of your endpoints.

Notice

You need the Forensics add-on to view Forensic investigations.

For more information, see Forensic investigations.

Permission

Description

Roles Example

None

Users cannot see forensic artifacts or trigger new collections.

View

Read-only access to forensics investigations

  • SOC Tier-1 Analyst: View forensics data for context, but cannot initiate collections.

  • SOC Tier-2 Analyst: View forensics data and escalate to Tier-3 for collections.

  • Security Engineer: View forensics for understanding data as not the primary function.

View/Edit

Full read and write access, including create, edit, and delete investigations, start, pause, and delete threat hunts.

  • SOC Tier-3 Analyst: Full forensics capabilities, including triage and hunt.

  • Threat Hunter: Full forensics for deep-dive investigations.