Custom Role for Correlation API
No, it is currently not possible to create a custom role with sufficient permissions to execute the /public_api/v1/correlations/get endpoint. This function is hard-coded by design to require either the built-in Instance Administrator or Account Admin roles.
Attempts to use custom roles—even those granted the highest visible permissions (such as "View/Edit" for "Rules" or "Public API")—will result in a 403 Forbidden error with the message “Insufficient permissions for api key.” This is a known product limitation, and feature requests (such as CXDR-I-2505) have been raised to enable more granular RBAC for administrative API endpoints in the future.
Alternative Ways to Retrieve the Query
If you cannot use the Instance Administrator role for an API key, here are alternative methods to retrieve the XQL query from a correlation rule:
Management Console (UI)
Users with sufficient RBAC permissions (typically Detections & Threat Intel > Detections > Rules set to View or View/Edit) can manually retrieve the query via the web interface:
- Navigate to Detections & Threat Intel → Detection Rules → Correlations
- Right-click the specific rule and select Open in XQL to view the underlying query in the Query Center
- Or select Edit to view the rule configuration
Note:
If a rule uses a dataset that does not exist in the tenant (for example, a rule imported from the Marketplace for a source not yet ingested), it will be hidden from non-admin users. Only Instance Administrators can view rules linked to non-existent datasets.
Scripting with Instance Admin Key
If your goal is automation, you must use an API key assigned the Instance Administrator role.
You can verify connectivity by testing a standard endpoint:
The /public_api/v1/correlations/get endpoint is often disabled by default for new tenants. If you are an Instance Administrator and still receive errors indicating the resource is unavailable, you may need to contact support to have the internal server-side feature flag enabled for your tenant.
