Detection Rules permissions ↗
Configure Threat Intel Detection Rules.
You can limit permissions for Detection rules ( → ), which include the following:
IOC Rules: Indicator of Compromise rules that detect known malicious artifacts such as file hashes, IP addresses, domains, and URLs based on threat intelligence feeds.
BIOC rules: Behavioral Indicator of Compromise rules that detect suspicious activity patterns using XQL queries to identify threats based on behavior rather than static indicators.
Analytic rules: Machine learning and statistical analysis rules that detect anomalies and threats using the Analytics Engine for advanced behavioral detection.
Correlations: Correlation rules that combine multiple events or conditions to detect complex attack patterns spanning multiple data sources or time periods.
Indicator rules: Rules that automatically create IOC detection or prevention rules based on threat intelligence indicators matching specific criteria.
Caution
Users must have View/Edit access to the Query Center if they are expected to create or edit BIOC and Correlation rules.
Component | Description | Roles Example |
|---|---|---|
None | No access to Detection Rules. | |
View | Read-only access to IOC, BIOC, Correlations, and Exceptions pages. | SOC Tier-1 analysts: Understand what rules are triggering issues. |
View/Edit | Full access to Detection rules, including creating, editing, deleting, and enabling rules. When Rules is set to View/Edit, you can grant the following additional permissions:
|
|