Closed
46 changes: 46 additions & 0 deletions defender-xdr/advanced-hunting-overview.md
Expand Up @@ -57,6 +57,52 @@ For more information on advanced hunting in Microsoft Defender for Cloud Apps da

To use advanced hunting or other [Microsoft Defender XDR](microsoft-365-defender.md) capabilities, you need an appropriate role in Microsoft Entra ID. [Read about required roles and permissions for advanced hunting](custom-roles.md).


## Permissions required for Advanced Hunting

You need to be assigned permissions before you can run Advanced Hunting queries. You have the following options:

### **Microsoft Defender XDR Unified role-based access control (URBAC)**

**Read-only Advanced Hunting access (Email & Collaboration tables):**
Membership assigned with the following Defender URBAC permission:

* **Security operations → Security data → Security data basic (read)**

This permission provides access to:

* **EmailEvents**
* **EmailUrlInfo**
* **EmailAttachmentInfo**
* **UrlClickEvents**
* **Email entity metadata**

### **Email & Collaboration (EOP / Defender for Office 365) permissions**

Membership in one of the following Email & Collaboration role groups provides access to email data tables in Advanced Hunting:

* **Security Administrator**
* **Security Operator**
* **Security Reader**

### **Exchange Online RBAC permissions**

To access EXO-related data surfaced in Advanced Hunting, users must be members of one of the following Exchange Online role groups:

* **View-Only Organization Management**
* **View-Only Configuration**
* **Security Reader**
* **Global Reader**

### **Microsoft Entra permissions**

Membership in one of the following Microsoft Entra roles grants full read access to all Advanced Hunting data:

* **Global Administrator**
* **Security Administrator**
* **Security Reader**
* **Global Reader**

Also, your access to endpoint data is determined by role-based access control (RBAC) settings in Microsoft Defender for Endpoint. [Read about managing access to Microsoft Defender XDR](m365d-permissions.md).
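
Review bot: The new "Microsoft Entra permissions" subsection says these roles grant "full read access to all Advanced Hunting data", but the unchanged sentence directly after it says access to endpoint data is determined by RBAC settings in Microsoft Defender for Endpoint, so the two statements read as contradictory. Suggest qualifying the claim, or moving the endpoint RBAC sentence into that subsection as the stated exception. The same list puts Global Administrator and Security Administrator under a "read access" description alongside Security Reader and Global Reader; since hunting only needs read access, list the reader roles first and say the administrator roles are not required, so readers are not steered toward over-privileged assignments. The section also overlaps with the existing paragraph above it that already links to custom-roles.md for required roles, so one of the two should point to the other rather than both stating requirements. Smaller points: "Email entity metadata" is bolded in the same list as table names such as EmailEvents but is not presented as a table; "EXO" is used without being expanded; the headings wrap their text in bold (`### **...**`); and "Advanced Hunting" is capitalized throughout while the surrounding text uses "advanced hunting".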

