This article contains 3 sections:
Create & Manage Console Users
SentinelOne Console User Management can be found under Security Controls > Endpoint Security > SentinelOne > Console Access
Console Access empowers Guardz admins with control over who has direct access to their SentinelOne console. This includes the ability to:
Add new console users
Remove existing users
Reset user passwords
Regenerate passwords for new accounts (onboarding emails)
Console Users are created from the MSP (All Customers) view in the Security Controls and let's the admin choose the access scope to:
Account Scope = access to All Customers
Site Scope = access to one or more Sites/Customers.
Console Users may require direct access to the SentinelOne console for various functions that are not available in the Guardz platform as of April 2025:
Investigate a threat with process details and storyline visualization
Manually create and manage hashes in the blocklist
Manage S1 predefined exclusions
Remove a file from Quarantine (after issue is closed in Guardz)
Create & manage SMTP, Syslog and SSO
Generate S1 reports and schedules
Vulnerability Management (apps with known CVEs and outdated software)
Network Discovery
Modify firewall control settings
Configure email notifications
Important:
Once access is granted, the user will receive an email invitation to log in and set their password.
The invitation link is valid for 72 hours.
Create & Manage Service Users
SentinelOne Service User Management can be found under Security Controls > Endpoint Security > SentinelOne > Service Users
Use SentinelOne Service Users to create API tokens NOT tied to specific Console Users or email addresses. They can be managed like Console Users but cannot log into the Console and are for API use only.
Guardz functionality includes the ability to:
Add new Service Users (with unique API Tokens)
Set an expiration date
Remove existing service access
Service Users are created from the MSP (All Customers) view in the Security Controls and let's the admin choose the access scope to:
Account Scope = access to All Customers
Site Scope = access to one or more Sites/Customers.
When a Service User is created, an API token will be displayed one-time and must be stored securely before closing the window.
Important:
The API Token will only be visible one time and cannot be reopened.
There is no way to refresh an API token, it must be deleted and recreated.
Console & Service User Role Permissions
The following permissions are defined by default for all console & service users created from the Guardz platform for SentinelOne access.
Page | Permission | Description | Included |
Endpoints Permissions | View | See endpoints in the Sentinels window | Yes |
Endpoints Permissions | View Threats | See all threats on selected endpoints | Yes |
Endpoints Permissions | Update Software | Upgrade Agents to a newer version | Yes |
Endpoints Permissions | Unprotect | Remove Anti-Tampering protection from Agents | Yes |
Endpoints Permissions | Uninstall | Uninstall the Agent from endpoints | Yes |
Endpoints Permissions | Shut Down | Shut down endpoints | Yes |
Endpoints Permissions | Show Passphrase | See the passphrase of an Agent required to run some Agent features from the CLI | Yes |
Endpoints Permissions | Show Applications | See all applications installed on endpoints | Yes |
Endpoints Permissions | Set Customer Identifier | Add a Customer Identifier string to identify endpoints | Yes |
Endpoints Permissions | Send Message | Send messages to users through the Management Console | Yes |
Endpoints Permissions | Search On Deep Visibility | Pivot on an endpoint to search for it in Event Search | Yes |
Endpoints Permissions | Revoke Token | Revoke the token that an Agent uses to communicate with the Management | No |
Endpoints Permissions | Restart Services | Restart Agent services on endpoints | Yes |
Endpoints Permissions | Reset Local Configuration | Revert the local configuration of an endpoint to its defaults | Yes |
Endpoints Permissions | Remote Shell | Run Remote Shell on endpoints | Yes |
Endpoints Permissions | Remote Profiling | Collect Agent operational data for advanced diagnostics | Yes |
Endpoints Permissions | Reload | Reload the Agent | Yes |
Endpoints Permissions | Reject Uninstall | Reject requests to uninstall an Agent | No |
Endpoints Permissions | Reconnect To Network | Undo the Disconnect from Network action | Yes |
Endpoints Permissions | Reboot | Reboot the endpoint | Yes |
Endpoints Permissions | Randomize Uuid | Reset the Agent UUID to handle duplicates | No |
Endpoints Permissions | Purge Research Data | Clean logs from your Management after Research experts resolve an issue | No |
Endpoints Permissions | Purge Db | Delete SST files from C\ProgramData\Sentinel\data\prdb\ to free disk space | No |
Endpoints Permissions | Purge Crash Dumps | Clean logs from your Management after Support resolves an issue that required a crash dump | No |
Endpoints Permissions | Protect | Turn on Anti-Tampering | Yes |
Endpoints Permissions | Move To Another Site | Move Agents from one Site to a different Site | Yes |
Endpoints Permissions | Migrate Agent | Move the Agent to a different Management Console | Yes |
Endpoints Permissions | Mark As Up To Date | Mark this endpoint Up To Date if the Agent version is the latest but the endpoint is shown as Out of date | Yes |
Endpoints Permissions | Manage Endpoint Tags | Add remove edit and override endpoint tags on endpoints | Yes |
Endpoints Permissions | Initiate Scan | Run Full Disk Scan | Yes |
Endpoints Permissions | Flush Events Queue | Delete all notifications waiting to be sent | No |
Endpoints Permissions | File Fetch | Download threat files and Agent logs | Yes |
Endpoints Permissions | Events Throttling | Stop Agents from sending events to the Management for a specific time | No |
Endpoints Permissions | Enable Ranger | Enable an Agent to be selected as an active scanner for Ranger | Yes |
Endpoints Permissions | Enable Agent Content Update | Accept automatic live security updates to SentinelOne Agents | Yes |
Endpoints Permissions | Enable Agent | Enable a Disabled Agent | Yes |
Endpoints Permissions | Edit | Run Agent actions that change the configuration of an endpoint or Agent | Yes |
Endpoints Permissions | Disconnect From Network | Break communication between the endpoint and other network components | Yes |
Endpoints Permissions | Disable Ranger | Stop an Agent from being an active scanner for Ranger | Yes |
Endpoints Permissions | Disable Agent | Identify interoperability issues related to the Agent | Yes |
Endpoints Permissions | Decommission | Remove the endpoint from the Console | Yes |
Endpoints Permissions | Control Research Data | Control if Agents upload verbose detection data to your instance in the Cloud | Yes |
Endpoints Permissions | Control Crash Dumps | Control if Agents upload verbose detection data to your instance in the Cloud | Yes |
Endpoints Permissions | Configure Firewall Logging | Set if Firewall blocked traffic events are logged | Yes |
Endpoints Permissions | Configuration | Edit the JSON configuration of an Agent | No |
Endpoints Permissions | Clear Remote Shell Session | Manually force a Remote Shell session to close | Yes |
Endpoints Permissions | Cancel Upgrade | Stop an upgrade action | No |
Endpoints Permissions | Cancel Agent Content Updates | Stop automatic live security updates to SentinelOne Agents | No |
Endpoints Permissions | Approve Uninstall | Approve a request to uninstall an Agent from an endpoint | Yes |
Endpoints Permissions | Abort Scan | Stop a Full Disk Scan | Yes |
Endpoints Permissions | Fetch Logs | Download logs of Agent operations to send to Support | Yes |
Endpoints Permissions | Download Remote Shell Transcript | Download Remote Shell transcript results from the Activity Log | Yes |
Endpoints Permissions | Enable Live Update | Accept automatic live security updates to SentinelOne Agents | Yes |
Endpoints Permissions | Account Uninstall Password View Uninstall Password | See the password to bulk uninstall all Windows and Linux Agents of an Account | Yes |
Endpoints Permissions | Account Uninstall Password Modify Uninstall Password | Change the password to bulk uninstall all Windows Agents of an Account | Yes |
Endpoint Threats Permissions | View | See all threats and their details | Yes |
Endpoint Threats Permissions | Xdr Actions | Run XDR actions from Marketplace Apps | No |
Endpoint Threats Permissions | Update Incident Status | Change the Incident Status of threats | Yes |
Endpoint Threats Permissions | Update External Ticket Id | Change the External Ticket Id of a threat | Yes |
Endpoint Threats Permissions | Update Analyst Verdict | Change the Analyst Verdict of threats | Yes |
Endpoint Threats Permissions | Unquarantine | Run the Unquarantine action on threats | Yes |
Endpoint Threats Permissions | Mark Threat | Mark benign activity as a threat from Deep Visibility or Skylight | Yes |
Endpoint Threats Permissions | Mark Suspicious | Mark benign activity as suspicious from Deep Visibility or Skylight | Yes |
Endpoint Threats Permissions | Fetch Threat File | Download the file or files that are the root of a threat | Yes |
Endpoint Threats Permissions | Create Slim Threat | Create a threat alert from minimal data of a file or process that was not detected as malicious | Yes |
Endpoint Threats Permissions | Threat Actions Rollback | Run the Rollback mitigation action on threats | Yes |
Endpoint Threats Permissions | Threat Actions Restore Macro | Restore removed macros to Office files | Yes |
Endpoint Threats Permissions | Threat Actions Remove Macro | Remove malicious macros from Office files without quarantining the files | Yes |
Endpoint Threats Permissions | Threat Actions Remediate | Run the Remediate mitigation action on threats | Yes |
Endpoint Threats Permissions | Threat Actions Quarantine | Run the Quarantine mitigation action on threats | Yes |
Endpoint Threats Permissions | Threat Actions Kill | Run the Kill mitigation action on threats | Yes |
Access Settings Permissions | View | See configuration settings in Settings Configuration | Yes |
Access Settings Permissions | Edit | Edit configuration settings in Settings Configuration | No |
Accounts Permissions | View | See Account information | Yes |
Accounts Permissions | Edit | Edit Account information | No |
Accounts Permissions | Delete | Delete an Account | No |
Accounts Permissions | Create | Create an Account | No |
Activity Permissions | View | See all activities that occurred in your environment | Yes |
Agent Artifacts Permissions | View | See Integrations Token Management to create and manage public repo tokens for CWS Agents | Yes |
Agent Artifacts Permissions | Delete | Delete tokens for CWS Agents | Yes |
Agent Artifacts Permissions | Create | Create tokens for CWS Agents | Yes |
Agent Artifacts Permissions | List Access Tokens | See all tokens generated for CWS Agents | Yes |
Agent Packages Permissions | View | See the Packages page | Yes |
Agent Packages Permissions | Edit | Change the build number scope and other properties of a package | No |
Agent Packages Permissions | Delete | Remove a package from the Packages page | No |
Agent Packages Permissions | Create | Upload a package | No |
Applications Permissions | View | See all applications on your endpoints | Yes |
Applications Permissions | View Risks | See all applications by threat assessment and endpoint installation | Yes |
Applications Permissions | Scan Vulnerabilities | Scan applications for vulnerabilities also needed to run the Extensive Vulnerability Scan | Yes |
Applications Permissions | Application Fp Fn Actions | Report a detected CVE as a false positive or a false negative | Yes |
Applications Permissions | Set Statuses | Give a status to endpoints that have applications with detected CVEs to reflect their state during the remediation flow | Yes |
Applications Permissions | Create External Ticket | Create a Jira ticket for applications and endpoints that require patching | Yes |
Applications Permissions | Change Vulnerabilities Scan Policy | Change the Scan Policy or Extensive Scan configuration settings | No |
Auto-Upgrade Policy Permissions | View | View the details of an Auto Upgrade policy | Yes |
Auto-Upgrade Policy Permissions | Policy Action | Change Auto-Upgrade Policy order activate deactivate or delete | No |
Auto-Upgrade Policy Permissions | Edit | Edit an Auto Upgrade policy | Yes |
Auto-Upgrade Policy Permissions | Disable All Policies | Disable all Auto Upgrade policies in this scope and all lower scopes | No |
Auto-Upgrade Policy Permissions | Create | Add a new Auto Upgrade Policy | Yes |
Benchmarks Permissions | View | See Benchmark results and export results | Yes |
Benchmarks Permissions | Run Benchmarks | Run Benchmark templates | Yes |
Benchmarks Permissions | Manage Skip Control | Allows Users to Skip a Control | Yes |
Benchmarks Permissions | Modify Settings | Edit CIS Benchmark configuration | Yes |
Blocklist Permissions | View | See the hashes in the blacklist | Yes |
Blocklist Permissions | Edit | Change the hash of a blacklist item | Yes |
Blocklist Permissions | Delete | Delete a hash from the list | Yes |
Blocklist Permissions | Create | Add a hash to the blacklist | Yes |
Cloud Permissions | View | See the Cloud page | Yes |
Cloud Account Permissions | View | See Cloud Account | Yes |
Cloud Account Permissions | Enable Cloud Account | Enable Cloud Account | Yes |
Cloud Account Permissions | Edit | Edit Cloud Account configuration | Yes |
Cloud Account Permissions | Disable Cloud Account | Disable Cloud Account | Yes |
Cloud Account Permissions | Delete | Delete Cloud Account | Yes |
Cloud Account Permissions | Create | Create Cloud Account | Yes |
Cloud Funnel Permissions | View | See the Cloud Funnel page | Yes |
Cloud Funnel Permissions | Edit | Edit Cloud Funnel configuration | Yes |
Cloud Funnel Permissions | Delete | Delete Cloud Funnel configuration | Yes |
Cloud Funnel Permissions | Create | Create Cloud Funnel configuration | Yes |
Cloud Policies Permissions | View | See Cloud policies | Yes |
Cloud Policies Permissions | Manage | Add new delete existing and edit Cloud policies | Yes |
Cloud Rogues Permissions | View | See Cloud Rogues | Yes |
Cloud Rogues Permissions | Edit | Change Cloud Rogues configuration | Yes |
Cloud Scanners Configuration Permissions | View | Read-only access to cloud scanner configuration | Yes |
Cloud Scanners Configuration Permissions | Manage | Full access to deploy edit and delete cloud scanners | Yes |
Compromised Credentials Protection Permissions | View | See how Compromised Credentials Protection is set up | Yes |
Compromised Credentials Protection Permissions | Edit | Enable or disable options and change the settings for Compromised Credentials Protection | Yes |
Console Integrations Permissions | View | See Settings Integrations | Yes |
Console Integrations Permissions | Edit | Edit settings for SMTP Syslog and SSO | Yes |
Console Integrations Permissions | Delete | Delete integration for SMTP Syslog and SSO | Yes |
Console Integrations Permissions | Create | Set up integration for SMTP Syslog and SSO | Yes |
Cloud Native Security Permissions | View | Read-only access to Cloud Native Security | Yes |
Cloud Native Security Permissions | Triage | Limited actions permitted in Cloud Native Security | Yes |
Cloud Native Security Permissions | Manage | Full access to complete actions in Cloud Native Security | Yes |
Cloud Native Security Permissions | Publish CNS CLI Findings | Publish findings from the Cloud Native Security CLI tool to the Management console | Yes |
Cloud Native Security Permissions | Get CNS CLI Scan Rules | Retrieve scan rules used by the Cloud Native Security CLI tool | Yes |
Console Users Permissions | View | See the Users page | Yes |
Console Users Permissions | Edit | Edit the properties and requirements of a user account delete or reset 2FA for other users | No |
Console Users Permissions | Delete | Delete a user account | Yes |
Console Users Permissions | Create | Add a user | No |
Console Users Permissions | Can Revoke API Tokens for Others | Revoke API Tokens for other users | Yes |
Console Users Permissions | Can Enable Generate API Token Setting for Self and Others | Enable Allow API Token Generation for other users | No |
Console Users Permissions | Can Enable 2FA Configuration for Other Users | Reset delete and enroll 2FA for other users | No |
Device Control Permissions | View | See the current list of devices in the controlled list | Yes |
Device Control Permissions | Edit | Edit a rule for a device in the list name action class and vendor ID and select events to send to Activity | Yes |
Device Control Permissions | Delete | Delete a rule from the list | Yes |
Device Control Permissions | Create | Create a new rule | Yes |
Endpoint Policy Permissions | View | See the Policy page | Yes |
Endpoint Policy Permissions | Edit | Edit the policy settings and inheritance | No |
Unified Tags Permissions | View | View the Tags page | Yes |
Unified Tags Permissions | Edit | Edit tags | Yes |
Unified Tags Permissions | Delete | Delete tags | Yes |
Unified Tags Permissions | Create | Create tags | Yes |
Exclusions Permissions | View | See the Exclusions page | Yes |
Exclusions Permissions | Edit | Edit an exclusion | Yes |
Exclusions Permissions | Delete | Delete an exclusion | Yes |
Exclusions Permissions | Create | Create a new exclusion by Hash Path Signer Identity File Type or Browser | Yes |
Extended Security Posture Management Permissions | View | View discovered vulnerabilities and misconfigurations | Yes |
Extended Security Posture Management Permissions | Vulnerabilities View | View discovered vulnerabilities | Yes |
Extended Security Posture Management Permissions | Misconfigurations View | View discovered misconfigurations | Yes |
Extended Security Posture Management Permissions | Vulnerabilities Manage | Perform actions on vulnerabilities change the vulnerability status assign it to a Console user for investigation and set a verdict | Yes |
Extended Security Posture Management Permissions | Misconfigurations Manage | Perform actions on misconfigurations change the misconfiguration status assign it to a Console user for investigation and set a verdict | Yes |
Extended Security Posture Management Permissions | Vulnerabilities View Singularity Vulnerability Management Vulnerabilities | View vulnerabilities discovered by Vulnerability Management | Yes |
Extended Security Posture Management Permissions | Misconfigurations View Identity Security Posture Management Misconfigurations | View misconfigurations discovered by ISPM | Yes |
Extended Security Posture Management Permissions | Vulnerabilities View Generic Vulnerabilities | View vulnerabilities discovered by third party tools | Yes |
Extended Security Posture Management Permissions | Misconfigurations View Generic Misconfigurations | View misconfigurations discovered by third party tools | Yes |
Extended Security Posture Management Permissions | Vulnerabilities Manage Singularity Vulnerability Management Vulnerabilities | Perform actions on vulnerabilities discovered by Vulnerability Management | Yes |
Extended Security Posture Management Permissions | Misconfigurations Manage Identity Security Posture Management Misconfigurations | Perform actions on misconfigurations discovered by ISPM | Yes |
Extended Security Posture Management Permissions | Vulnerabilities Manage Generic Vulnerabilities | Perform actions on vulnerabilities discovered by third party tools | Yes |
Extended Security Posture Management Permissions | Misconfigurations Manage Generic Misconfigurations | Perform actions on misconfigurations discovered by third party tools | Yes |
Extended Security Posture Management Permissions | Vulnerabilities View CNS Vulnerabilities | View vulnerabilities discovered by CNS | Yes |
Extended Security Posture Management Permissions | Misconfigurations View CNS Misconfigurations | View misconfigurations discovered by CNS | Yes |
Extended Security Posture Management Permissions | Vulnerabilities Manage CNS Vulnerabilities | Perform actions on vulnerabilities discovered by CNS | Yes |
Extended Security Posture Management Permissions | Misconfigurations Manage CNS Misconfigurations | Perform actions on misconfigurations discovered by CNS | Yes |
Firewall Permissions | View | See Firewall Control Rules and Settings | Yes |
Firewall Permissions | Manage Rules And Tags | Change Firewall Control Rules and Tags | Yes |
Firewall Permissions | Modify Settings | Change Firewall Control Settings | Yes |
Groups Permissions | View | See the group names and number of groups listed for a specific site | Yes |
Groups Permissions | Edit | Edit the Group policy change Dynamic Group filters or Group Ranking and get a new Group token | Yes |
Groups Permissions | Delete | Delete a group of endpoints | Yes |
Groups Permissions | Create | Create a new group of endpoints | Yes |
Groups Permissions | Move To Group | Move endpoint between groups required from version S 24.2.4 | Yes |
Hyperautomation Permissions | View | See the Hyperautomation page | Yes |
Hyperautomation Permissions | Edit | Change Hyperautomation configuration | Yes |
Local Upgrade Authorization Permissions | View | See the Site level authorization for local upgrades | Yes |
Local Upgrade Authorization Permissions | Edit | Edit the Site level authorization for local upgrades | Yes |
Locations Permissions | View | See configured endpoint Locations | Yes |
Locations Permissions | Edit | Edit configured endpoint Locations | Yes |
Locations Permissions | Delete | Delete configured endpoint Locations | Yes |
Locations Permissions | Create | Create endpoint Locations | Yes |
Metering Reports Permissions | View | See the Usage Metering dashboard and access the raw data via the powerQuery API | Yes |
Mobile Alerts Permissions | View | See alerts for mobile endpoints | Yes |
Mobile Alerts Permissions | Manage | Respond to alerts for mobile endpoints | Yes |
Mobile Endpoints Permissions | View | See mobile endpoint details |
|
Mobile Endpoints Permissions | Manage | Create and send invitations for mobile users |
|
Mobile Integrations Permissions | View | See the MBM integrations menu | Yes |
Mobile Integrations Permissions | Manage | Create and add an MDM integration | Yes |
Mobile Policies Permissions | View | See the overall mobile endpoint policy | Yes |
Mobile Policies Permissions | Manage | Change the options for the mobile endpoint policy | Yes |
Mobile Risks Permissions | View | See risks for mobile endpoints | Yes |
Mobile Risks Permissions | Manage | Mitigate and respond to risks for mobile endpoints | Yes |
Network Quarantine Permissions | View | See Configurable Network Quarantine Rules and Settings | Yes |
Network Quarantine Permissions | Manage Rules And Tags | Change Configurable Network Quarantine Rules and Tags | Yes |
Network Quarantine Permissions | Modify Settings | Change Configurable Network Quarantine Settings | Yes |
Unprotected Endpoints Discovery Permissions | View | See the Unprotected Endpoints page | Yes |
Unprotected Endpoints Discovery Permissions | Edit | Change Unprotected Endpoints Discovery configuration | Yes |
Unprotected Endpoints Discovery Permissions | View Cloud | See Cloud Rogues | Yes |
Network Discovery Permissions | View | See the Network Discovery Previously Ranger page | Yes |
Network Discovery Permissions | Manage Credentials | Create change and delete Sentinel Deploy Credentials | No |
Network Discovery Permissions | Edit | Edit a network to scan or change Network Discovery Previously Ranger settings | Yes |
Network Discovery Permissions | Deploy | Deploy Agents on remote unsecured endpoints in your network | Yes |
Notification Settings Permissions | View | See Settings Notifications | Yes |
Notification Settings Permissions | Edit | Change the settings of notifications | Yes |
Notification Settings Permissions | Delete | Remove email or syslog settings for notifications | Yes |
Notification Settings Permissions | Create | Add email or syslog settings for notifications | Yes |
Policy Enforcement Status Permissions | View | See the status of the enforced Identity Endpoint Protection Policies | Yes |
Policy Enforcement Status Permissions | Edit | Change the Identity Policy Enforcement Status | Yes |
Policy Override Permissions | View | See the Policy Override page | Yes |
Policy Override Permissions | Edit | Edit a policy override | Yes |
Policy Override Permissions | Delete | Remove as policy override | Yes |
Policy Override Permissions | Create | Add a policy override | Yes |
Purple AI Notebooks Permissions | View | Required to view shared Notebooks | Yes |
Purple AI Notebooks Permissions | Manage | Required to create and share Notebooks | Yes |
RemoteOps Permissions | View | See the Remote Ops page | Yes |
RemoteOps Permissions | View Output | See the Remote Ops output | Yes |
RemoteOps Permissions | Upload | Upload a custom script | Yes |
RemoteOps Permissions | Edit | Edit Custom script configuration | Yes |
RemoteOps Permissions | Delete | Delete a custom script | Yes |
RemoteOps Permissions | View Scheduled Tasks | See RemoteOps and RemoteOps Forensics scheduled tasks | Yes |
RemoteOps Permissions | Data Export Configuration View Destination Results | View RemoteOps script and forensics results in Skylight | Yes |
RemoteOps Permissions | Data Export Configuration View Destination Credentials | View the list of created Data Export profiles | Yes |
RemoteOps Permissions | Data Export Configuration Manage Destination Credentials | Create edit and delete Data Export profiles | Yes |
RemoteOps Permissions | Run Scripts Run Data Collection Script | Run Data Collection scripts | Yes |
RemoteOps Permissions | Run Scripts Run Artifact Collection Script | Run Artifact Collection Scripts | Yes |
RemoteOps Permissions | Run Scripts Run Action Script | Run Action Scripts | Yes |
RemoteOps Permissions | Run Scripts Review Pending Executions | View approve or decline pending scripts | Yes |
RemoteOps Permissions | Run Scripts Manage Guardrails | Configure Remote Ops Guardrails | Yes |
RemoteOps Permissions | Schedule Actions Update Scheduled Tasks | Edit when RemoteOps scripts and RemoteOps Forensics collections are scheduled to run | Yes |
RemoteOps Permissions | Schedule Actions Delete Scheduled Tasks | Remove RemoteOps and RemoteOps Forensics scheduled tasks | Yes |
RemoteOps Permissions | Schedule Actions Create Scheduled Tasks | Add new RemoteOps and RemoteOps Forensics scheduled tasks | Yes |
RemoteOps Permissions | Cancel Scripts Cancel Data Collection Script | Stop a Data Collection Script | Yes |
RemoteOps Permissions | Cancel Scripts Cancel Artifact Collection Script | Stop an Artifact Collection Script | Yes |
RemoteOps Permissions | Cancel Scripts Cancel Action Script | Stop an Action Script | Yes |
RemoteOps Permissions | Schedule Actions View Scheduled Tasks | See RemoteOps and RemoteOps Forensics scheduled tasks | Yes |
Remote Ops Forensics Permissions | View | View all RemoteOps Forensics profiles | Yes |
Remote Ops Forensics Permissions | Run Forensics Collection | Run RemoteOps Forensics Profiles and view Data Export Profiles | Yes |
Remote Ops Forensics Permissions | View Output | View the output after a RemoteOps Forensics Profile is run | Yes |
Remote Ops Forensics Permissions | Manage Destinations | View create or edit Data Export Configuration Profiles or set one as the default | Yes |
Remote Ops Forensics Permissions | Edit | Change the properties of Forensics Profiles | Yes |
Remote Ops Forensics Permissions | Delete | Delete Forensics Profiles | Yes |
Remote Ops Forensics Permissions | Create | Create Forensics Profiles | Yes |
Remote Ops Forensics Permissions | Cancel Collection Task | Cancel a forensic data collection task Can only be done if the status of the task is Pending | Yes |
Remote Ops Settings Permissions | View | View RemoteOps Settings | Yes |
Remote Ops Settings Permissions | View Remote Ops Password | View the default password | Yes |
Remote Ops Settings Permissions | Edit Remote Ops Password | Reset revert and configure a default password | Yes |
Reports Permissions | View | See the Reports page | Yes |
Reports Permissions | Edit | Edit a report | Yes |
Reports Permissions | Delete | Delete a report | Yes |
Reports Permissions | Create | Generate a report or report schedule | Yes |
Roles Permissions | View | See the Roles page | Yes |
Roles Permissions | Edit | Edit Role permissions | No |
Roles Permissions | Delete | Delete a Role | No |
Roles Permissions | Create | Create a custom Role | No |
STAR Custom Rules Permissions | View | See the STAR Custom Rules page | Yes |
STAR Custom Rules Permissions | Manage | Change STAR Custom Rules | Yes |
STAR Rule Alerts Permissions | View | See the Custom Alerts page | Yes |
STAR Rule Alerts Permissions | Update Incident Status | Change the Incident Status of Alerts | Yes |
STAR Rule Alerts Permissions | Update Analyst Verdict | Change the Analyst Verdict of Alerts | Yes |
Service Users Permissions | View | See Service Users | Yes |
Service Users Permissions | Edit | Edit Service Users | No |
Service Users Permissions | Delete | Delete Service Users | No |
Service Users Permissions | Create | Create Service Users | No |
Singularity Marketplace Permissions | View | See the Singularity Marketplace page | No |
Singularity Marketplace Permissions | Manage | Change Singularity Marketplace integrations | No |
Sites Permissions | View | See the Sites page | Yes |
Sites Permissions | Edit | Edit the properties of a site | No |
Sites Permissions | Delete | Delete a site | No |
Sites Permissions | Create | Add a site | No |
SDL Alerts Permissions | View | View Alerts in the console | Yes |
SDL Alerts Permissions | Manage | Create edit and delete Alerts in the console | Yes |
SDL API Keys Permissions | View | View API keys | Yes |
SDL API Keys Permissions | Manage | Add and delete API keys User must have Global or Account scope of access | Yes |
SDL Configuration Files Permissions | View | See configuration files of SDL objects such as alerts dashboards saved searches and automatic lookups Users with a Site scope have limited access | Yes |
SDL Configuration Files Permissions | Manage | Save edit and delete configuration files Users with a Site scope have limited access | Yes |
SDL Cost Management Permissions | View | This feature is coming soon | Yes |
SDL Cost Management Permissions | Manage | This feature is coming soon | Yes |
SDL Dashboards Permissions | View | View Dashboards | Yes |
SDL Dashboards Permissions | Manage | Create edit and delete Dashboards | Yes |
SDL Data Permissions | View | Prerequisite to use Event Search for EDR or XDR | Yes |
SDL Data Permissions | View Xdr | Use the XDR view of Event Search | Yes |
SDL Data Permissions | View Edr | Use the EDR view of Event Search | Yes |
SDL Ingestion API Permissions | View | User must have both View and Manage permissions to ingest events using APIs | Yes |
SDL Ingestion API Permissions | Manage | User must have both View and Manage permissions to ingest events using APIs User must have Global or Account scope of access | Yes |
SDL Long Range Query Permissions | View | Users with this permission can run long term queries for over one year in Event Search This requires a separate license | Yes |
SDL Log Processing Permissions | View | View Log Processing Filters | Yes |
SDL Log Processing Permissions | Manage | Create edit and delete Log Processing Filters | Yes |
SDL Monitors Permissions | View | View Monitor files User must have Global or Account scope of access and select an Account scope | Yes |
SDL Monitors Permissions | Manage | Create edit and delete Monitor files User must have Global or Account scope of access | Yes |
SDL Parsers Permissions | View | View Log Parsers The Manage Logs permission is required to enable this permission | Yes |
SDL Parsers Permissions | Manage | Create edit and delete Log Parsers User must have Global or Account scope of access The Manage Logs permission is required | Yes |
SDL Query API Permissions | View | Query data using the Query APIs User must have Global or Account scope of access This permission automatically enables RemoteOps View Activity View | Yes |
SDL Secrets Permissions | View | View the Secrets page | Yes |
SDL Secrets Permissions | Manage | View and create Secrets for use in SDL monitors and alert webhooks | Yes |
SDL Search Permissions | View | Access to all Deep Visibility pages A prerequisite to access to all Skylight pages Skylight EDR and XDR event search require the SDL Data permission | Yes |
SDL Search Permissions | File Fetch | Get files from Deep Visibility or Skylight | Yes |
SDL Search Permissions | Edit | Edit shared and saved queries | Yes |
SDL Search Permissions | Delete | Delete shared and saved queries | Yes |
SDL Search Permissions | Create | Create shared and saved queries | Yes |
SDL Usage Permissions | View | View the Usage page User must have Global or Account scope of access | Yes |
Task Management Permissions | View | See upgrade tasks | Yes |
Threat Intelligence Permissions | View | See IoCs connected to an account | Yes |
Threat Intelligence Permissions | Manage | Create edit see or delete IoCs connected to an account | Yes |
Threat Services Integrations Permissions | View | See the Threat Services Integrations page | Yes |
Threat Services Integrations Permissions | Manage | Configure selected third party Applications and authorize MDR Response Actions taken via these integrations | Yes |
Threat Services Permissions | View | See the Overview and Escalation Contacts pages of Threat Services | Yes |
Threat Services Permissions | Manage | Edit escalation contact information | Yes |
Unified Alerts Permissions | STAR Alerts View | See STAR alerts | Yes |
Unified Alerts Permissions | STAR Alerts Manage | Run actions on STAR alerts | Yes |
Unified Alerts Permissions | Mobile Alerts View | See Mobile alerts | Yes |
Unified Alerts Permissions | Mobile Alerts Manage | Run actions on Mobile alerts | Yes |
Unified Alerts Permissions | Identity Alerts View | See Identity alerts | Yes |
Unified Alerts Permissions | Identity Alerts Manage | Run actions on Identity alerts | Yes |
Unified Alerts Permissions | Generic Alerts View | See all alerts ingested via Singularity Marketplace | Yes |
Unified Alerts Permissions | Generic Alerts Manage | Run actions on alerts ingested via Singularity Marketplace | Yes |
Unified Alerts Permissions | Endpoint Alerts View | See Endpoint alerts | Yes |
Unified Alerts Permissions | Endpoint Alerts Manage | Run actions on Endpoint alerts | Yes |
Unified Alerts Permissions | Enrich | View third-party enrichment data for alerts Coming soon | Yes |
Unified Asset Inventory Permissions | View | See and use the Asset Inventory view and Graph Explorer | Yes |
Unified Asset Inventory Permissions | Edit | Run actions on assets permissions for the specific surface or activity are also required | Yes |
Unified Asset Inventory Permissions | Delete | Run actions on assets permissions for the specific surface or activity are also required | Yes |
Unified Asset Inventory Permissions | Create | Run actions on assets permissions for the specific surface or activity are also required | Yes |
Unified Asset Inventory Permissions | Assign Tags | Assign tags from the Inventory | Yes |
Unified Asset Inventory Permissions | View Network Discovery Assets | See Assets found by Network Discovery in the Asset Inventory | Yes |
Unified Asset Inventory Permissions | View Identity Assets | See Identity Assets in the Asset Inventory | Yes |
Unified Asset Inventory Permissions | View Endpoint Assets | See endpoint Assets in the Asset Inventory | Yes |
Unified Asset Inventory Permissions | View Cloud Assets | See Cloud Assets in the Asset Inventory | Yes |
Unprotected Endpoints Permissions | View | See the Unprotected Endpoints page | Yes |
Unprotected Endpoints Permissions | Edit | Change Unprotected Endpoints configuration | Yes |
Upgrade Policy Permissions | View | See the Upgrade Policy view | Yes |
Upgrade Policy Permissions | Edit | Edit an upgrade policy | No |