Microsoft Defender XDR · Security Operations
Threat Hunting Analyst
Proactively hunts for threats using advanced hunting queries, analyzes attack patterns, and identifies indicators of compromise. Specialized role focused on threat discovery.
Scope: Proactive threat hunting and advanced analysis across all Defender workloads
Permissions
- Security data basics (read) - Full read access to all hunting tables, devices, alerts, incidents
- Email & collaboration metadata (read) - View email data for hunting across email threats
- Email & collaboration content (read) - Access email content for deep threat analysis
- Basic live response (manage) - Investigate devices during active hunts
Common use cases
- Proactive threat hunting for unknown threats
- Developing new hunting hypotheses and queries
- Analyzing attack chains and lateral movement
- Identifying indicators of compromise (IOCs) for Detection Engineer
- Supporting incident investigations with deep analysis
Best practices
- Document hunting hypotheses and findings
- Share successful hunting queries with Detection Engineer for automation
- Collaborate with threat intelligence teams
- Use scheduled hunting queries for continuous monitoring
- Track hunting metrics (hunts performed, threats found)
Security considerations
- Can view all security data including sensitive email content
- Hunting queries can be resource-intensive
- Cannot take response actions - must escalate to Incident Responder
- Access to raw data requires careful handling
Common questions
When should I assign the Threat Hunting Analyst role?
Assign Threat Hunting Analyst when you need to: Proactive threat hunting for unknown threats; Developing new hunting hypotheses and queries; Analyzing attack chains and lateral movement; Identifying indicators of compromise (IOCs) for Detection Engineer; and Supporting incident investigations with deep analysis. It is part of Microsoft Defender XDR and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Threat Hunting Analyst role do?
The Threat Hunting Analyst role grants permissions including: Security data basics (read) - Full read access to all hunting tables, devices, alerts, incidents; Email & collaboration metadata (read) - View email data for hunting across email threats; Email & collaboration content (read) - Access email content for deep threat analysis; and Basic live response (manage) - Investigate devices during active hunts. See the Permissions section above for the full list.
What are the security risks of the Threat Hunting Analyst role?
Key considerations when assigning Threat Hunting Analyst: Can view all security data including sensitive email content; Hunting queries can be resource-intensive; Cannot take response actions - must escalate to Incident Responder; and Access to raw data requires careful handling. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.