Threat Intelligence permissions

Abstract

Configure Threat Intelligence permissions.

Located under Threat ManagementThreat IntelligenceIndicators, these permissions govern how your organization interacts with indicators (IPs, URLs, Domains, Hashes) and intelligence feeds. It allows you to transform raw data from sources like Unit 42 or AlienVault into actionable security logic.

Notice

This feature requires the Threat Intelligence Management (TIM) license or the Cortex XSIAM Premium license.

For more information, see Threat Intel Management.

Component

Description

Roles Example

None

No access to the Indicators page.

View

Users can search the indicator database and view reputation scores.

SOC Tier-1 analysts: View threat intelligence context for investigations.

View/Edit

Full control to manage indicator rules, manually override reputation scores, and configure intelligence feeds.

  • SOC Tier-2 and 3 Analysts: Enables creating and editing indicators discovered during investigations, adding context to IOCs, and enriching case artifacts with threat intelligence data.

  • Threat Hunter: Enables researching threat actors and campaigns, creating indicators from hunting discoveries, enriching IOCs with contextual data, and documenting threat intelligence findings.

  • Security Engineer: Enables integrating threat intel into detection rules, testing indicator-based detections, managing IOC feeds for rule development, and validating threat intel data quality.