Microsoft Defender XDR · Security Operations
Security Analyst
Investigates security incidents, hunts for threats, and analyzes alerts. Read-focused role with hunting and investigation capabilities.
Scope: Investigation and threat hunting across all Defender workloads
Permissions
- Security data basics (read) - View incidents, alerts, investigations, devices, hunting data
- Alerts (read) - View alerts; note that changing an alert's status, classification or assignee requires the Alerts (manage) permission, which this role does not grant
- Email & collaboration metadata (read) - View email data in hunting scenarios
- Basic live response (manage) - Initiate live response sessions, run read-only commands and download files from a device for investigation (uploading files or running scripts requires Advanced live response (manage))
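The permissions above line up with the advanced hunting tables an analyst pivots across. The following query is an added example, not part of the Defender XDR documentation or this role definition: it correlates delivered mail from a sender domain with alert evidence and user clicks, which is a typical cross-workload hunt this role can run. Table and column names are the real advanced hunting schema; the lookback window and the sender domain `example.invalid` are assumptions chosen for illustration.

```kql
// Added example, not Microsoft's own query. Shows a cross-workload hunt that the
// Security Analyst role's read permissions support. The lookback window and the
// sender domain are assumptions constructed for this illustration.
let lookback = 7d;
let suspiciousSender = "example.invalid";   // assumed domain, constructed for the example
// Email & collaboration metadata (read) covers EmailEvents: sender, recipient,
// subject, delivery verdict. It does not return message bodies or attachments;
// those need Email & collaboration content (read).
let delivered = EmailEvents
    | where Timestamp > ago(lookback)
    | where SenderFromDomain =~ suspiciousSender
    | where DeliveryAction == "Delivered"
    | project Timestamp, NetworkMessageId, RecipientEmailAddress, SenderFromAddress, Subject, ThreatTypes;
// Security data basics (read) covers alert evidence across all workloads,
// so an analyst can see whether any alert already references the message.
let flagged = AlertEvidence
    | where Timestamp > ago(lookback)
    | where EntityType == "MailMessage"
    | project AlertId, NetworkMessageId, AlertTitle = Title;
// UrlClickEvents shows whether a recipient actually followed a link from the mail;
// AccountUpn is the pivot to that user's devices in a follow-up query.
let clicks = UrlClickEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "ClickAllowed"
    | project NetworkMessageId, ClickedBy = AccountUpn, ClickedUrl = Url, ClickTime = Timestamp;
delivered
| join kind=leftouter flagged on NetworkMessageId
| join kind=leftouter clicks on NetworkMessageId
| summarize
    Recipients = make_set(RecipientEmailAddress),
    Clicks = countif(isnotempty(ClickedUrl)),
    Clickers = make_set(ClickedBy),
    RelatedAlerts = make_set(AlertId)
  by Subject, SenderFromAddress
| order by Clicks desc
```

Everything in this query is read-only; acting on the result (purging the messages, isolating a device that a clicker used) needs Response (manage) or Email advanced actions (manage), which is why the role card says to escalate to Incident Responder.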
Common use cases
- Tier 1/2 SOC analysts triaging and investigating alerts
- Threat hunters proactively searching for threats
- Security researchers analyzing attack patterns
Best practices
- Primary role for SOC analysts focused on investigation
- Combine with device groups for regional scoping; device groups restrict which Defender for Endpoint data the assignment covers
- Escalate to Incident Responder for response actions
Security considerations
- Can view all security data within scope
- Can access sensitive email metadata (senders, recipients, subjects, URLs) in hunting; message bodies and attachments are not included unless Email & collaboration content (read) is added
- Cannot take containment or remediation actions (device isolation, file quarantine, email purge) or modify configurations; basic live response is the one device-side capability and, because it can pull files off an endpoint, should be treated as a sensitive grant