Microsoft Defender XDR · Security Operations
Security Analyst
Investigates security incidents, hunts for threats, and analyzes alerts. Read-focused role with hunting and investigation capabilities.
Scope: Investigation and threat hunting across all Defender workloads
Permissions
- Security data basics (read) - View incidents, alerts, investigations, devices, hunting data
- Alerts (read) - View and triage alerts
- Email & collaboration metadata (read) - View email data in hunting scenarios
- Basic live response (manage) - Initiate sessions, download files for investigation
Common use cases
- Tier 1/2 SOC analysts triaging and investigating alerts
- Threat hunters proactively searching for threats
- Security researchers analyzing attack patterns
Best practices
- Primary role for SOC analysts focused on investigation
- Combine with device groups for regional scoping
- Escalate to Incident Responder for response actions
Security considerations
- Can view all security data within scope
- Can access sensitive email metadata
- Cannot take response actions or modify configurations
Common questions
When should I assign the Security Analyst role?
Assign Security Analyst when you need to: Tier 1/2 SOC analysts triaging and investigating alerts; Threat hunters proactively searching for threats; and Security researchers analyzing attack patterns. It is part of Microsoft Defender XDR and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Security Analyst role do?
The Security Analyst role grants permissions including: Security data basics (read) - View incidents, alerts, investigations, devices, hunting data; Alerts (read) - View and triage alerts; Email & collaboration metadata (read) - View email data in hunting scenarios; and Basic live response (manage) - Initiate sessions, download files for investigation. See the Permissions section above for the full list.
What are the security risks of the Security Analyst role?
Key considerations when assigning Security Analyst: Can view all security data within scope; Can access sensitive email metadata; and Cannot take response actions or modify configurations. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.