Query Center permissions

Abstract

Configure access to the Query Center XQL query execution and management.

Controls access to the Query Center (under Investigation & ResponseSearch), which is the primary interface for writing, executing, and managing XQL queries in Cortex XSIAM. It is the core investigation tool that enables security analysts to search across all ingested data using a powerful query language. Key capabilities:

  • Write and execute XQL queries against any ingested dataset.

  • View query execution history and results.

  • Schedule recurring queries

  • Export query results

Caution

Access to the Query Center is strictly governed by Scope-Based Access Control (SBAC). Even if users have View/Edit permissions, they will only see data returned from the endpoint groups or log sources defined in their specific role scope.

For more information, see Overview of the Query Center.

Permission

Description

Roles Example

None

The entire Investigation section is hidden: Query Center, Query Builder, and Scheduled Queries are all inaccessible.

View

Read-only access to the Query Center. Users can view query history, view scheduled queries, view active queries, and view individual execution results, but cannot run new queries.

Most viewer-type roles.

View/Edit

Full read and write access, including scheduling, canceling, running queries, deleting execution data, and deleting executions.

Most roles require query execution, scheduling, and management.