Microsoft Defender XDR · Security Operations
Threat Hunting Analyst
Proactively hunts for threats using advanced hunting queries, analyzes attack patterns, and identifies indicators of compromise. Specialized role focused on threat discovery.
Scope: Proactive threat hunting and advanced analysis across all Defender workloads
Permissions
- Security data basics (read) - Read access to all hunting tables, devices, alerts, and incidents
- Email & collaboration metadata (read) - View email metadata for hunting across email-borne threats
- Email & collaboration content (read) - Access email content for deep threat analysis
- Basic live response (manage) - Run investigative live response commands on devices during active hunts
Common use cases
- Proactive threat hunting for unknown threats
- Developing new hunting hypotheses and queries
- Analyzing attack chains and lateral movement
- Identifying indicators of compromise (IOCs) and handing them to the Detection Engineer role
- Supporting incident investigations with deep analysis
Best practices
- Document hunting hypotheses and findings
- Share successful hunting queries with the Detection Engineer role for automation as detection rules
- Collaborate with threat intelligence teams
- Use scheduled hunting queries for continuous monitoring
- Track hunting metrics (hunts performed, threats found)
Security considerations
- Can view all security data, including sensitive email content; this access should be limited to the analysts who need it and reviewed periodically
- Hunting queries can be resource-intensive; scope them by time range and table to limit their load
- Cannot take response actions (isolation, quarantine, remediation); must escalate to the Incident Responder role
- Access to raw telemetry and email content requires careful handling of the exported data