Investigate a file associated with a Microsoft Defender for Endpoint alert

Investigate the details of a file associated with a specific alert, behavior, or event to help determine whether the file exhibits malicious activity, identify the attack motivation, and understand the potential scope of the breach.

There are many ways to access the detailed profile page of a specific file. For example, you can use the search feature, click a link from the Alert process tree, Incident graph, or Artifact timeline, or select an event listed in the Device timeline.

Once on the detailed profile page, you can switch between the new and old page layouts by toggling new File page. The rest of this article describes the newer page layout.

You can get information from the following sections in the file view:

  • File details, Malware detection, File prevalence
  • Deep analysis
  • Alerts
  • Observed in organization
  • File names

You can also take action on a file from this page.

File actions

The response actions are located along the top of the profile page, above the file information cards. Actions you can perform here include:

  • Stop and quarantine
  • Add/edit indicator
  • Download file
  • Consult a threat expert
  • Action center

For more information on these actions, see Take response action on a file.

File details, Malware detection, and File prevalence

The file details, incident, malware detection, and file prevalence cards display various attributes of the file.

You'll see details such as the file's MD5 hash, the VirusTotal detection ratio, the Microsoft Defender AV detection (if available), and the file's prevalence.

The file prevalence card shows on which devices the file was seen, both in the organization and worldwide.


Different users may see different values in the devices in organization section of the file prevalence card. This is because the card displays information based on the RBAC scope that a user has. That is, if a user has been granted visibility on a specific set of devices, they see the file's organizational prevalence only on those devices.

Alerts

The Alerts tab provides a list of alerts that are associated with the file. This list covers much of the same information as the Alerts queue, except for the device group, if any, that the affected device belongs to. You can choose what kind of information is shown by selecting Customize columns from the toolbar above the column headers.


Observed in organization

The Observed in organization tab allows you to specify a date range to see which devices have been observed with the file.


This tab shows a maximum of 100 devices. To see all devices with the file, export the tab to a CSV file by selecting Export from the action menu above the tab's column headers.


Use the slider or the range selector to quickly specify the time period that you want to check for events involving the file. You can specify a time window as small as a single day. This lets you see only the devices on which the file was observed during that window, drastically reducing unnecessary scrolling and searching.

Deep analysis

The Deep analysis tab allows you to submit the file for deep analysis, to uncover more details about the file's behavior, as well as the effect it is having within your organization. After you submit the file, the deep analysis report appears in this tab once results are available. If deep analysis did not find anything, the report is empty and the results space remains blank.


File names

The File names tab lists all names the file has been observed to use within your organization.