Query Center permissions ↗
Configure access to the Query Center XQL query execution and management.
Controls access to the Query Center (under → ), which is the primary interface for writing, executing, and managing XQL queries in Cortex XSIAM. It is the core investigation tool that enables security analysts to search across all ingested data using a powerful query language. Key capabilities:
Write and execute XQL queries against any ingested dataset.
View query execution history and results.
Schedule recurring queries
Export query results
Caution
Access to the Query Center is strictly governed by Scope-Based Access Control (SBAC). Even if users have View/Edit permissions, they will only see data returned from the endpoint groups or log sources defined in their specific role scope.
For more information, see Overview of the Query Center.
Permission | Description | Roles Example |
|---|---|---|
None | The entire Investigation section is hidden: Query Center, Query Builder, and Scheduled Queries are all inaccessible. | |
View | Read-only access to the Query Center. Users can view query history, view scheduled queries, view active queries, and view individual execution results, but cannot run new queries. | Most viewer-type roles. |
View/Edit | Full read and write access, including scheduling, canceling, running queries, deleting execution data, and deleting executions. | Most roles require query execution, scheduling, and management. |