Detection Rules permissions

Abstract

Configure Threat Intel Detection Rules.

You can limit permissions for Detection rules (Threat ManagementDetection Rules), which include the following:

  • IOC Rules: Indicator of Compromise rules that detect known malicious artifacts such as file hashes, IP addresses, domains, and URLs based on threat intelligence feeds.

  • BIOC rules: Behavioral Indicator of Compromise rules that detect suspicious activity patterns using XQL queries to identify threats based on behavior rather than static indicators.

  • Analytic rules: Machine learning and statistical analysis rules that detect anomalies and threats using the Analytics Engine for advanced behavioral detection.

  • Correlations: Correlation rules that combine multiple events or conditions to detect complex attack patterns spanning multiple data sources or time periods.

  • Indicator rules: Rules that automatically create IOC detection or prevention rules based on threat intelligence indicators matching specific criteria.

Caution

Users must have View/Edit access to the Query Center if they are expected to create or edit BIOC and Correlation rules.

Component

Description

Roles Example

None

No access to Detection Rules.

View

Read-only access to IOC, BIOC, Correlations, and Exceptions pages.

SOC Tier-1 analysts: Understand what rules are triggering issues.

View/Edit

Full access to Detection rules, including creating, editing, deleting, and enabling rules.

When Rules is set to View/Edit, you can grant the following additional permissions:

  • Prevention Rules: Blocks or stops suspicious or malicious processes on an endpoint.

  • Request WildFire Verdict Change: Report a file’s WildFire verdict as incorrect and suggest a corrected classification.

  • SOC Tier 2 Analyst: Investigate cases and may need to create or modify detection rules based on findings. Should not manage prevention rules or request WildFire Verdict Change.

  • SOC Tier-3 Analyst: Handles complex incidents and has the authority to manage prevention rules and request WildFire Verdict Change.

  • Threat Hunter: Proactive threat detection specialists who search for hidden threats and create detection rules based on hunting findings. Should not manage prevention rules, but can Request WildFire Verdict Change.

  • Security Engineer: Full access to build and optimize detection/prevention capabilities, including WildFire verdict change requests.