Microsoft Defender XDR · Security Detections
Detection Engineer
Creates and manages custom detections, alert tuning, threat indicators, and advanced hunting queries. The single role for all detection-related activities.
Scope: Detection engineering and threat intelligence across all workloads
Permissions
- Security data basics (read) - Full read access to hunting, devices, reports for detection development
- Detection tuning (manage) - Manage custom detections, alert tuning, threat indicators
- Email & collaboration metadata (read) - View email data for detection queries
Common use cases
- Detection engineers building custom detection rules
- Threat intelligence teams managing indicators of compromise (IOCs)
- SOC teams tuning alert noise and false positives
- Threat hunters creating reusable queries
Best practices
- Test detections in evaluation mode before enabling
- Document detection logic and purpose
- Coordinate with SOC on alert tuning decisions
- Review IOC effectiveness regularly
- Version control detection queries
Security considerations
- Can create detections that generate many alerts
- Can suppress alerts that may hide real threats
- IOCs can block legitimate files/URLs if misconfigured
- Detection changes affect entire organization
Common questions
When should I assign the Detection Engineer role?
Assign Detection Engineer when you need to: Detection engineers building custom detection rules; Threat intelligence teams managing indicators of compromise (IOCs); SOC teams tuning alert noise and false positives; and Threat hunters creating reusable queries. It is part of Microsoft Defender XDR and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Detection Engineer role do?
The Detection Engineer role grants permissions including: Security data basics (read) - Full read access to hunting, devices, reports for detection development; Detection tuning (manage) - Manage custom detections, alert tuning, threat indicators; and Email & collaboration metadata (read) - View email data for detection queries. See the Permissions section above for the full list.
What are the security risks of the Detection Engineer role?
Key considerations when assigning Detection Engineer: Can create detections that generate many alerts; Can suppress alerts that may hide real threats; IOCs can block legitimate files/URLs if misconfigured; and Detection changes affect entire organization. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.