https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/xsiam-api-get-correlation-rules-least-priviledge/m-p/1251876#M390 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/150470069">@J.MuozTriguero</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <DIV class="flex flex-col text-sm pb-25"> <SECTION class="text-token-text-primary w-full focus:outline-none [--shadow-height:45px] has-data-writing-block:pointer-events-none has-data-writing-block:-mt-(--shadow-height) has-data-writing-block:pt-(--shadow-height) [&amp;:has([data-writing-block])&gt;*]:pointer-events-auto scroll-mt-[calc(var(--header-height)+min(200px,max(70px,20svh)))]" dir="auto" data-turn="assistant" data-scroll-anchor="true" data-testid="conversation-turn-4" data-turn-id="request-WEB:017d91c7-dad3-439e-8b53-b1dcd19ec90c-1"> <DIV class="text-base my-auto mx-auto pb-10 [--thread-content-margin:var(--thread-content-margin-xs,calc(var(--spacing)*4))] @w-sm/main:[--thread-content-margin:var(--thread-content-margin-sm,calc(var(--spacing)*6))] @w-lg/main:[--thread-content-margin:var(--thread-content-margin-lg,calc(var(--spacing)*16))] px-(--thread-content-margin)"> <DIV class="[--thread-content-max-width:40rem] @w-lg/main:[--thread-content-max-width:48rem] mx-auto max-w-(--thread-content-max-width) flex-1 group/turn-messages focus-visible:outline-hidden relative flex w-full min-w-0 flex-col agent-turn"> <DIV class="flex max-w-full flex-col gap-4 grow"> <DIV class="min-h-8 text-message relative flex w-full flex-col items-end gap-2 text-start break-words whitespace-normal outline-none keyboard-focused:focus-ring [.text-message+&amp;]:mt-1" dir="auto" tabindex="0" data-turn-start-message="true" data-message-model-slug="gpt-5-3" data-message-id="a4ec2bb3-e4e9-4018-a352-ebf3e1ad344b" data-message-author-role="assistant"> <DIV class="flex w-full flex-col gap-1 empty:hidden"> <DIV class="markdown prose dark:prose-invert w-full wrap-break-word light markdown-new-styling"> <H3 data-section-id="1irqvfe" data-end="35" data-start="0">Custom Role for Correlation API</H3> <P data-end="304" data-start="37">No, it is currently not possible to create a custom role with sufficient permissions to execute the <CODE data-end="170" data-start="137">/public_api/v1/correlations/get</CODE> endpoint. This function is hard-coded by design to require either the built-in <STRONG data-end="276" data-start="250">Instance Administrator</STRONG> or <STRONG data-end="297" data-start="280">Account Admin</STRONG> roles.</P> <P data-end="304" data-start="37">&nbsp;</P> <P data-end="708" data-start="306">Attempts to use custom roles—even those granted the highest visible permissions (such as "View/Edit" for "Rules" or "Public API")—will result in a <STRONG data-end="470" data-start="453">403 Forbidden</STRONG> error with the message <EM data-end="535" data-start="494">“Insufficient permissions for api key.”</EM> This is a known product limitation, and feature requests (such as CXDR-I-2505) have been raised to enable more granular RBAC for administrative API endpoints in the future.</P> <P data-end="708" data-start="306">&nbsp;</P> <H4 data-end="757" data-start="715" data-section-id="137gkkz">Alternative Ways to Retrieve the Query</H4> <P data-end="904" data-start="759">If you cannot use the Instance Administrator role for an API key, here are alternative methods to retrieve the XQL query from a correlation rule:</P> <H4 data-end="934" data-start="906">Management Console (UI)</H4> <P data-end="1120" data-start="935">Users with sufficient RBAC permissions (typically <STRONG data-end="1035" data-start="985">Detections &amp; Threat Intel &gt; Detections &gt; Rules</STRONG> set to <EM data-end="1049" data-start="1043">View</EM> or <EM data-end="1064" data-start="1053">View/Edit</EM>) can manually retrieve the query via the web interface:</P> <UL data-end="1360" data-start="1122"> <LI data-end="1198" data-start="1122" data-section-id="1ncew8j">Navigate to <STRONG data-end="1198" data-start="1136">Detections &amp; Threat Intel → Detection Rules → Correlations</STRONG></LI> <LI data-end="1308" data-start="1199" data-section-id="ijkhe6">Right-click the specific rule and select <STRONG data-end="1257" data-start="1242">Open in XQL</STRONG> to view the underlying query in the Query Center</LI> <LI data-end="1360" data-start="1309" data-section-id="e1sx5c">Or select <STRONG data-end="1329" data-start="1321">Edit</STRONG> to view the rule configuration</LI> </UL> <P data-end="1636" data-start="1362"><STRONG data-end="1371" data-start="1362">Note:</STRONG><BR data-end="1374" data-start="1371" />If a rule uses a dataset that does not exist in the tenant (for example, a rule imported from the Marketplace for a source not yet ingested), it will be hidden from non-admin users. Only <STRONG data-end="1588" data-start="1561">Instance Administrators</STRONG> can view rules linked to non-existent datasets.</P> <H4 data-end="1681" data-start="1643"><BR />Scripting with Instance Admin Key</H4> <P data-end="1779" data-start="1682">If your goal is automation, you must use an API key assigned the <STRONG data-end="1773" data-start="1747">Instance Administrator</STRONG> role.</P> <P data-end="1779" data-start="1682">&nbsp;</P> <P data-end="1840" data-start="1781">You can verify connectivity by testing a standard endpoint:</P> <P data-end="1840" data-start="1781">&nbsp;</P> <DIV class="relative w-full mt-4 mb-1"> <DIV class=""> <DIV class="relative"> <DIV class="h-full min-h-0 min-w-0"> <DIV class="h-full min-h-0 min-w-0"> <DIV class="border border-token-border-light border-radius-3xl corner-superellipse/1.1 rounded-3xl"> <DIV class="h-full w-full border-radius-3xl bg-token-bg-elevated-secondary corner-superellipse/1.1 overflow-clip rounded-3xl lxnfua_clipPathFallback"> <DIV class="w-full overflow-x-hidden overflow-y-auto pe-11 pt-3"> <DIV class="relative z-0 flex max-w-full"> <DIV id="code-block-viewer" class="q9tKkq_viewer cm-editor z-10 light:cm-light dark:cm-light flex h-full w-full flex-col items-stretch ͼ5 ͼj" dir="ltr"> <DIV class="cm-scroller"> <DIV class="cm-content q9tKkq_readonly"><SPAN>curl -X POST <A href="https://api-[TENANT_FQDN]/public_api/v1/endpoints/get_endpoints" target="_blank">https://api-[TENANT_FQDN]/public_api/v1/endpoints/get_endpoints</A> \</SPAN><BR /><SPAN> -H "x-xdr-auth-id:[KEY_ID]" \</SPAN><BR /><SPAN> -H "Authorization:[API_KEY]" \</SPAN><BR /><SPAN> -H "Content-Type:application/json" \</SPAN><BR /><SPAN> -d '{"request_data": {}}'</SPAN></DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <DIV class=""> <DIV class="">&nbsp;</DIV> <H4><SPAN>Additional Requirement:</SPAN></H4> </DIV> </DIV> </DIV> </DIV> <P data-is-only-node="" data-is-last-node="" data-end="2392" data-start="2095">The <CODE data-end="2132" data-start="2099">/public_api/v1/correlations/get</CODE> endpoint is often disabled by default for new tenants. If you are an Instance Administrator and still receive errors indicating the resource is unavailable, you may need to contact support to have the internal server-side feature flag enabled for your tenant.</P> </DIV> </DIV> </DIV> </DIV> <DIV class="z-0 flex min-h-[46px] justify-start">&nbsp;</DIV> </DIV> </DIV> </SECTION> </DIV> <P>If you feel this has answered your query, please let us know by clicking&nbsp;<STRONG>like</STRONG>&nbsp;and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Wed, 08 Apr 2026 15:11:17 GMT susekar 2026-04-08T15:11:17Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/xsiam-api-get-correlation-rules-least-priviledge/m-p/1251719#M386 <DIV> <P>In the API reference, it states that you must have <STRONG>Instance Administrator</STRONG> permissions to run the endpoint <CODE>/public_api/v1/correlations/get</CODE>.</P> <P>Is it possible to create a custom role for the API key that has sufficient permissions to execute this endpoint?</P> <P>Do you know any other way to retrieve the query from a specific correlation rule?</P> </DIV> <P>&nbsp;</P> <P><SPAN><LI-PRODUCT title="Cortex XSIAM" id="Cortex_XSIAM"></LI-PRODUCT>&nbsp;<LI-PRODUCT title="Cortex XSOAR" id="Cortex_XSOAR"></LI-PRODUCT>&nbsp;<LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</SPAN></P> Tue, 07 Apr 2026 06:50:38 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/xsiam-api-get-correlation-rules-least-priviledge/m-p/1251719#M386 J.MuozTriguero 2026-04-07T06:50:38Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/xsiam-api-get-correlation-rules-least-priviledge/m-p/1251876#M390 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/150470069">@J.MuozTriguero</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <DIV class="flex flex-col text-sm pb-25"> <SECTION class="text-token-text-primary w-full focus:outline-none [--shadow-height:45px] has-data-writing-block:pointer-events-none has-data-writing-block:-mt-(--shadow-height) has-data-writing-block:pt-(--shadow-height) [&amp;:has([data-writing-block])&gt;*]:pointer-events-auto scroll-mt-[calc(var(--header-height)+min(200px,max(70px,20svh)))]" dir="auto" data-turn="assistant" data-scroll-anchor="true" data-testid="conversation-turn-4" data-turn-id="request-WEB:017d91c7-dad3-439e-8b53-b1dcd19ec90c-1"> <DIV class="text-base my-auto mx-auto pb-10 [--thread-content-margin:var(--thread-content-margin-xs,calc(var(--spacing)*4))] @w-sm/main:[--thread-content-margin:var(--thread-content-margin-sm,calc(var(--spacing)*6))] @w-lg/main:[--thread-content-margin:var(--thread-content-margin-lg,calc(var(--spacing)*16))] px-(--thread-content-margin)"> <DIV class="[--thread-content-max-width:40rem] @w-lg/main:[--thread-content-max-width:48rem] mx-auto max-w-(--thread-content-max-width) flex-1 group/turn-messages focus-visible:outline-hidden relative flex w-full min-w-0 flex-col agent-turn"> <DIV class="flex max-w-full flex-col gap-4 grow"> <DIV class="min-h-8 text-message relative flex w-full flex-col items-end gap-2 text-start break-words whitespace-normal outline-none keyboard-focused:focus-ring [.text-message+&amp;]:mt-1" dir="auto" tabindex="0" data-turn-start-message="true" data-message-model-slug="gpt-5-3" data-message-id="a4ec2bb3-e4e9-4018-a352-ebf3e1ad344b" data-message-author-role="assistant"> <DIV class="flex w-full flex-col gap-1 empty:hidden"> <DIV class="markdown prose dark:prose-invert w-full wrap-break-word light markdown-new-styling"> <H3 data-section-id="1irqvfe" data-end="35" data-start="0">Custom Role for Correlation API</H3> <P data-end="304" data-start="37">No, it is currently not possible to create a custom role with sufficient permissions to execute the <CODE data-end="170" data-start="137">/public_api/v1/correlations/get</CODE> endpoint. This function is hard-coded by design to require either the built-in <STRONG data-end="276" data-start="250">Instance Administrator</STRONG> or <STRONG data-end="297" data-start="280">Account Admin</STRONG> roles.</P> <P data-end="304" data-start="37">&nbsp;</P> <P data-end="708" data-start="306">Attempts to use custom roles—even those granted the highest visible permissions (such as "View/Edit" for "Rules" or "Public API")—will result in a <STRONG data-end="470" data-start="453">403 Forbidden</STRONG> error with the message <EM data-end="535" data-start="494">“Insufficient permissions for api key.”</EM> This is a known product limitation, and feature requests (such as CXDR-I-2505) have been raised to enable more granular RBAC for administrative API endpoints in the future.</P> <P data-end="708" data-start="306">&nbsp;</P> <H4 data-end="757" data-start="715" data-section-id="137gkkz">Alternative Ways to Retrieve the Query</H4> <P data-end="904" data-start="759">If you cannot use the Instance Administrator role for an API key, here are alternative methods to retrieve the XQL query from a correlation rule:</P> <H4 data-end="934" data-start="906">Management Console (UI)</H4> <P data-end="1120" data-start="935">Users with sufficient RBAC permissions (typically <STRONG data-end="1035" data-start="985">Detections &amp; Threat Intel &gt; Detections &gt; Rules</STRONG> set to <EM data-end="1049" data-start="1043">View</EM> or <EM data-end="1064" data-start="1053">View/Edit</EM>) can manually retrieve the query via the web interface:</P> <UL data-end="1360" data-start="1122"> <LI data-end="1198" data-start="1122" data-section-id="1ncew8j">Navigate to <STRONG data-end="1198" data-start="1136">Detections &amp; Threat Intel → Detection Rules → Correlations</STRONG></LI> <LI data-end="1308" data-start="1199" data-section-id="ijkhe6">Right-click the specific rule and select <STRONG data-end="1257" data-start="1242">Open in XQL</STRONG> to view the underlying query in the Query Center</LI> <LI data-end="1360" data-start="1309" data-section-id="e1sx5c">Or select <STRONG data-end="1329" data-start="1321">Edit</STRONG> to view the rule configuration</LI> </UL> <P data-end="1636" data-start="1362"><STRONG data-end="1371" data-start="1362">Note:</STRONG><BR data-end="1374" data-start="1371" />If a rule uses a dataset that does not exist in the tenant (for example, a rule imported from the Marketplace for a source not yet ingested), it will be hidden from non-admin users. Only <STRONG data-end="1588" data-start="1561">Instance Administrators</STRONG> can view rules linked to non-existent datasets.</P> <H4 data-end="1681" data-start="1643"><BR />Scripting with Instance Admin Key</H4> <P data-end="1779" data-start="1682">If your goal is automation, you must use an API key assigned the <STRONG data-end="1773" data-start="1747">Instance Administrator</STRONG> role.</P> <P data-end="1779" data-start="1682">&nbsp;</P> <P data-end="1840" data-start="1781">You can verify connectivity by testing a standard endpoint:</P> <P data-end="1840" data-start="1781">&nbsp;</P> <DIV class="relative w-full mt-4 mb-1"> <DIV class=""> <DIV class="relative"> <DIV class="h-full min-h-0 min-w-0"> <DIV class="h-full min-h-0 min-w-0"> <DIV class="border border-token-border-light border-radius-3xl corner-superellipse/1.1 rounded-3xl"> <DIV class="h-full w-full border-radius-3xl bg-token-bg-elevated-secondary corner-superellipse/1.1 overflow-clip rounded-3xl lxnfua_clipPathFallback"> <DIV class="w-full overflow-x-hidden overflow-y-auto pe-11 pt-3"> <DIV class="relative z-0 flex max-w-full"> <DIV id="code-block-viewer" class="q9tKkq_viewer cm-editor z-10 light:cm-light dark:cm-light flex h-full w-full flex-col items-stretch ͼ5 ͼj" dir="ltr"> <DIV class="cm-scroller"> <DIV class="cm-content q9tKkq_readonly"><SPAN>curl -X POST <A href="https://api-[TENANT_FQDN]/public_api/v1/endpoints/get_endpoints" target="_blank">https://api-[TENANT_FQDN]/public_api/v1/endpoints/get_endpoints</A> \</SPAN><BR /><SPAN> -H "x-xdr-auth-id:[KEY_ID]" \</SPAN><BR /><SPAN> -H "Authorization:[API_KEY]" \</SPAN><BR /><SPAN> -H "Content-Type:application/json" \</SPAN><BR /><SPAN> -d '{"request_data": {}}'</SPAN></DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <DIV class=""> <DIV class="">&nbsp;</DIV> <H4><SPAN>Additional Requirement:</SPAN></H4> </DIV> </DIV> </DIV> </DIV> <P data-is-only-node="" data-is-last-node="" data-end="2392" data-start="2095">The <CODE data-end="2132" data-start="2099">/public_api/v1/correlations/get</CODE> endpoint is often disabled by default for new tenants. If you are an Instance Administrator and still receive errors indicating the resource is unavailable, you may need to contact support to have the internal server-side feature flag enabled for your tenant.</P> </DIV> </DIV> </DIV> </DIV> <DIV class="z-0 flex min-h-[46px] justify-start">&nbsp;</DIV> </DIV> </DIV> </SECTION> </DIV> <P>If you feel this has answered your query, please let us know by clicking&nbsp;<STRONG>like</STRONG>&nbsp;and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Wed, 08 Apr 2026 15:11:17 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/xsiam-api-get-correlation-rules-least-priviledge/m-p/1251876#M390 susekar 2026-04-08T15:11:17Z