Microsoft Defender XDR · Security Detections
Detection Engineer
Creates and manages custom detections, alert tuning, threat indicators, and advanced hunting queries. The single role for all detection-related activities.
Scope: Detection engineering and threat intelligence across all workloads
Permissions
- Security data basics (read) - Full read access to advanced hunting, device, and report data for detection development
- Detection tuning (manage) - Create and manage custom detections, alert tuning rules, and threat indicators
- Email & collaboration metadata (read) - View email metadata for use in detection queries
Common use cases
- Detection engineers building custom detection rules
- Threat intelligence teams managing indicators of compromise (IOCs)
- SOC teams tuning alert noise and false positives
- Threat hunters creating reusable queries
Best practices
- Test detections in evaluation mode before enabling them
- Document each detection's logic and purpose
- Coordinate alert tuning decisions with the SOC
- Review IOC effectiveness regularly
- Keep detection queries under version control
Security considerations
- Can create detections that generate large volumes of alerts
- Can suppress alerts, which may hide real threats
- Misconfigured IOCs can block legitimate files or URLs
- Detection changes affect the entire organization