defender-xdr/advanced-hunting-overview.md
29 additions & 5 deletions
Original file line number
Diff line number
Diff line change
@@ -22,7 +22,7 @@ appliesto:
22
22
- Microsoft Defender XDR
23
23
- Microsoft Sentinel in the Microsoft Defender portal
24
24
search.appverid: met150
25
-
ms.date: 09/09/2025
25
+
ms.date: 11/19/2025
26
26
27
27
---
28
28
@@ -55,10 +55,34 @@ For more information on advanced hunting in Microsoft Defender for Cloud Apps da
55
55
56
56
## Get access
57
57
58
-
To use advanced hunting or other [Microsoft Defender XDR](microsoft-365-defender.md) capabilities, you need an appropriate role in Microsoft Entra ID. [Read about required roles and permissions for advanced hunting](custom-roles.md).
59
-
60
-
Also, your access to endpoint data is determined by role-based access control (RBAC) settings in Microsoft Defender for Endpoint. [Read about managing access to Microsoft Defender XDR](m365d-permissions.md).
61
-
58
+
You need to be assigned permissions before you can run Advanced Hunting queries. You have the following options:
59
+
60
+
-[Microsoft Defender XDR Unified role based access control (URBAC)](manage-rbac.md):
61
+
-**Read-only Advanced Hunting access (Email & Collaboration tables)**: Membership assigned with the **Security operations**\>**Security data**\>**Security data basic (read)** URBAC permission. This permission provides access to:
62
+
-**EmailEvents**
63
+
-**EmailUrlInfo**
64
+
-**EmailAttachmentInfo**
65
+
-**UrlClickEvents**
66
+
-**Email entity metadata**
67
+
68
+
-[Email & collaboration permissions in the Microsoft Defender portal](/defender-office-365/mdo-portal-permissions): Membership in one of the following Email & Collaboration role groups provides access to email data tables in Advanced Hunting:
69
+
-**Security Administrator**
70
+
-**Security Operator**
71
+
-**Security Reader**
72
+
73
+
-[Exchange Online permissions](/exchange/permissions-exo/permissions-exo): To access Exchange Online data surfaced in Advanced Hunting, users must be members of one of the following Exchange Online role groups:
74
+
-**View-Only Organization Management**
75
+
-**View-Only Configuration**
76
+
-**Security Reader**
77
+
-**Global Reader**
78
+
79
+
-[Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in one of the following Microsoft Entra roles grants full read access to all Advanced Hunting data:
80
+
-**Global Administrator**
81
+
-**Security Administrator**
82
+
-**Security Reader**
83
+
-**Global Reader**
84
+
85
+
Also, your access to endpoint data is determined by role-based access control (RBAC) settings in Microsoft Defender for Endpoint. For more information, see [Manage access to Microsoft Defender XDR with Microsoft Entra global roles](m365d-permissions.md).
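Review bot: In the Microsoft Entra permissions bullet, "grants full read access to all Advanced Hunting data" conflicts with the closing paragraph, which says access to endpoint data is determined by RBAC settings in Microsoft Defender for Endpoint. Qualify "all" or state which setting takes precedence for endpoint tables. The same bullet lists Global Administrator as a way to get read access without pointing readers to Security Reader or Global Reader first; a least-privilege note would fit there. The new text also drops the link to custom-roles.md that the removed paragraph carried, and the URBAC bullet documents only the Email & Collaboration tables, so a reader using URBAC has no stated path to the other tables. "Email entity metadata" is formatted like the table names above it; if it is not a table, set it apart from that list. Casing is inconsistent: the added lines use "Advanced Hunting" while the hunk header context and the removed lines use "advanced hunting".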