调查 Microsoft Defender 终结点设备列表中的设备Investigate devices in the Microsoft Defender for Endpoint Devices list

适用于:Applies to:

想要体验适用于终结点的 Defender?Want to experience Defender for Endpoint? 注册免费试用版。Sign up for a free trial.

调查特定设备上引发警报的详细信息,以确定与警报或潜在泄露范围相关的其他行为或事件。Investigate the details of an alert raised on a specific device to identify other behaviors or events that might be related to the alert or the potential scope of the breach.


作为调查或响应过程的一部分,你可以从设备收集调查包。As part of the investigation or response process, you can collect an investigation package from a device. 操作说明: 从设备收集调查包Here's how: Collect investigation package from devices.

只要在门户中看到受影响的设备,就可以单击它们,以打开有关该设备的详细报告。You can click on affected devices whenever you see them in the portal to open a detailed report about that device. 受影响的设备在以下方面进行标识:Affected devices are identified in the following areas:

调查特定设备时,你将看到:When you investigate a specific device, you'll see:

  • 设备详细信息Device details
  • 响应操作Response actions
  • 选项卡 (概述、警报、时间线、安全建议、软件清单、发现的漏洞、缺少的) Tabs (overview, alerts, timeline, security recommendations, software inventory, discovered vulnerabilities, missing KBs)
  • 卡片 (活动警报、已登录用户、安全评估) Cards (active alerts, logged on users, security assessment)


设备详细信息Device details

设备详细信息部分提供诸如设备的域、操作系统和运行状况等信息。The device details section provides information such as the domain, OS, and health state of the device. 如果设备上有可用的调查包,你将看到一个链接,允许你下载该程序包。If there's an investigation package available on the device, you'll see a link that allows you to download the package.

响应操作Response actions

响应操作沿着特定设备页面的顶部运行,包括:Response actions run along the top of a specific device page and include:

  • 管理标签Manage tags
  • 隔离设备Isolate device
  • 限制应用执行Restrict app execution
  • 运行防病毒扫描Run antivirus scan
  • 收集调查程序包Collect investigation package
  • 启动实时响应会话Initiate Live Response Session
  • 启动自动调查Initiate automated investigation
  • 咨询威胁专家Consult a threat expert
  • 操作中心Action center

可以在操作中心、特定设备页或特定文件页中执行响应操作。You can take response actions in the Action center, in a specific device page, or in a specific file page.

若要详细了解如何在设备上采取操作,请参阅 在设备上执行响应操作For more information on how to take action on a device, see Take response action on a device.

有关详细信息,请参阅调查 用户实体For more information, see Investigate user entities.


选项卡提供与设备相关的安全和威胁防护信息。The tabs provide relevant security and threat prevention information related to the device. 在每个选项卡中,可以通过从列标题上方的栏中选择"自定义列"来自定义显示的列。In each tab, you can customize the columns that are shown by selecting Customize columns from the bar above the column headers.


" 概述 "选项卡 显示活动 警报、已登录用户和安全评估的卡片。The Overview tab displays the cards for active alerts, logged on users, and security assessment.



警报 选项卡 提供与设备关联的警报列表。The Alerts tab provides a list of alerts that are associated with the device. 此列表是警报队列的筛选版本,显示警报、严重性 (高、中、低、信息) 、队列 (中的状态、新、正在进行、已解决) 、分类 (未设置、false 警报、真警报) 、调查状态、警报类别、解决警报的人和上次活动。This list is a filtered version of the Alerts queue, and shows a short description of the alert, severity (high, medium, low, informational), status in the queue (new, in progress, resolved), classification (not set, false alert, true alert), investigation state, category of alert, who is addressing the alert, and last activity. 您还可以筛选警报。You can also filter the alerts.


当选择警报左侧的圆圈图标时,将出现一个飞出。When the circle icon to the left of an alert is selected, a fly-out appears. 从此面板中,你可以管理警报并查看更多详细信息,如事件编号和相关设备。From this panel you can manage the alert and view more details such as incident number and related devices. 可以一次选择多个警报。Multiple alerts can be selected at a time.

若要查看警报的完整页面视图,包括事件图和进程树,请选择警报的标题。To see a full page view of an alert including incident graph and process tree, select the title of the alert.


" 时间线 "选项卡提供设备上已观测到的事件和相关警报的时间顺序视图。The Timeline tab provides a chronological view of the events and associated alerts that have been observed on the device. 这可以帮助你关联与设备相关的任何事件、文件和 IP 地址。This can help you correlate any events, files, and IP addresses in relation to the device.

时间线还使您能够有选择地深入到给定时段内发生的事件。The timeline also enables you to selectively drill down into events that occurred within a given time period. 你可以查看所选时段内在设备上发生的事件的时间序列。You can view the temporal sequence of events that occurred on a device over a selected time period. 若要进一步控制视图,可以按事件组进行筛选或自定义列。To further control your view, you can filter by event groups or customize the columns.


若要显示防火墙事件,你需要启用审核策略,请参阅审核 筛选平台连接For firewall events to be displayed, you'll need to enable the audit policy, see Audit Filtering Platform connection. 防火墙涵盖以下事件Firewall covers the following events

  • 5025 - 防火墙服务已停止5025 - firewall service stopped
  • 5031 - 阻止应用程序接受网络上传入的连接5031 - application blocked from accepting incoming connections on the network
  • 5157 - 阻止连接5157 - blocked connection


一些功能包括:Some of the functionality includes:

  • 搜索特定事件Search for specific events
    • 使用搜索栏查找特定的时间线事件。Use the search bar to look for specific timeline events.
  • 筛选特定日期的事件Filter events from a specific date
    • 选择表左上角的日历图标,以显示过去一天、一周、30 天或自定义范围中的事件。Select the calendar icon in the upper left of the table to display events in the past day, week, 30 days, or custom range. 默认情况下,设备时间线设置为显示过去 30 天的事件。By default, the device timeline is set to display the events from the past 30 days.
    • 使用时间线通过突出显示部分跳转到特定时刻。Use the timeline to jump to a specific moment in time by highlighting the section. 时间线上的箭头定位自动调查The arrows on the timeline pinpoint automated investigations
  • 导出详细的设备时间线事件Export detailed device timeline events
    • 导出当前日期或指定日期范围(最多七天)的设备时间线。Export the device timeline for the current date or a specified date range up to seven days.

有关特定事件的更多详细信息,请参阅"其他信息 " 部分。More details about certain events are provided in the Additional information section. 这些详细信息因事件类型而异,例如:These details vary depending on the type of event, for example:

  • 包含在应用程序防护中 - Web 浏览器事件受隔离容器限制Contained by Application Guard - the web browser event was restricted by an isolated container
  • 检测到的活动威胁 - 威胁检测在威胁运行时发生Active threat detected - the threat detection occurred while the threat was running
  • 修正失败 - 尝试修正检测到的威胁已调用,但失败Remediation unsuccessful - an attempt to remediate the detected threat was invoked but failed
  • 修正成功 - 已停止并清理检测到的威胁Remediation successful - the detected threat was stopped and cleaned
  • 用户绕过的警告 - Windows Defender SmartScreen 警告已消除且已被用户覆盖Warning bypassed by user - the Windows Defender SmartScreen warning was dismissed and overridden by a user
  • 检测到可疑脚本 - 发现有潜在恶意脚本正在运行Suspicious script detected - a potentially malicious script was found running
  • 警报类别 - 如果事件导致生成警报,则警报类别 ("横向移动",例如) 警报The alert category - if the event led to the generation of an alert, the alert category ("Lateral Movement", for example) is provided

事件详情Event details

选择一个事件以查看有关该事件的相关详细信息。Select an event to view relevant details about that event. 将显示一个面板以显示常规事件信息。A panel displays to show general event information. 如果适用且数据可用,还将显示显示相关实体及其关系的图形。When applicable and data is available, a graph showing related entities and their relationships are also shown.

若要进一步检查事件和相关事件,可以通过为相关事件选择"搜寻"来 快速运行高级搜寻查询To further inspect the event and related events, you can quickly run an advanced hunting query by selecting Hunt for related events. 查询将返回所选事件以及同一终结点上同时发生的其他事件的列表。The query will return the selected event and the list of other events that occurred around the same time on the same endpoint.


安全性建议Security recommendations

安全建议 由 Microsoft Defender 针对终结点的威胁和漏洞& 功能 生成。Security recommendations are generated from Microsoft Defender for Endpoint's Threat & Vulnerability Management capability. 选择建议将显示一个面板,您可以在其中查看相关详细信息,如建议说明和与不实施建议相关的潜在风险。Selecting a recommendation will show a panel where you can view relevant details such as description of the recommendation and the potential risks associated with not enacting it. 有关详细信息 ,请参阅安全 建议。See Security recommendation for details.


软件清单Software inventory

借助 "软件 清单"选项卡,可以查看设备上的软件,以及任何漏洞或威胁。The Software inventory tab lets you view software on the device, along with any weaknesses or threats. 选择软件名称后,您将访问软件详细信息页,您可以在其中查看安全建议、发现的漏洞、已安装的设备以及版本分发。Selecting the name of the software will take you to the software details page where you can view security recommendations, discovered vulnerabilities, installed devices, and version distribution. 有关详细信息 ,请参阅 软件清单See Software inventory for details


发现的漏洞Discovered vulnerabilities

" 发现的漏洞" 选项卡显示设备上发现的漏洞的名称、严重性和威胁见解。The Discovered vulnerabilities tab shows the name, severity, and threat insights of discovered vulnerabilities on the device. 选择特定漏洞将显示说明和详细信息。Selecting specific vulnerabilities will show a description and details.


缺少 KBMissing KBs

" 缺少的 KB" 选项卡列出了设备缺少的安全更新。The Missing KBs tab lists the missing security updates for the device.

缺少 kbs 选项卡的图像


活动警报Active alerts

如果 已启用 Azure ATP 功能,并且存在任何活动警报,Azure 高级威胁防护卡片将显示与设备及其风险级别相关的警报的高级概述。The Azure Advanced Threat Protection card will display a high-level overview of alerts related to the device and their risk level, if you have enabled the Azure ATP feature, and there are any active alerts. "警报"向下钻取中提供了详细信息。More information is available in the "Alerts" drill down.



你需要在 Azure ATP 和 Defender for Endpoint 上启用集成才能使用此功能。You'll need to enable the integration on both Azure ATP and Defender for Endpoint to use this feature. 在 Defender for Endpoint 中,可以在高级功能中启用此功能。In Defender for Endpoint, you can enable this feature in advanced features. 若要详细了解如何启用高级功能,请参阅 启用高级功能For more information on how to enable advanced features, see Turn on advanced features.

已登录用户Logged on users

"已登录用户" 卡片显示过去 30 天内登录的用户数,以及最多且最不频繁的用户。The Logged on users card shows how many users have logged on in the past 30 days, along with the most and least frequent users. 选择"查看所有用户"链接将打开详细信息窗格,其中显示诸如用户类型、登录类型以及首次看到用户和最后一次看到用户时的信息。Selecting the "See all users" link opens the details pane, which displays information such as user type, log on type, and when the user was first and last seen. 有关详细信息,请参阅调查 用户实体For more information, see Investigate user entities.


安全评估Security assessments

安全 评估卡片 显示总体曝光级别、安全建议、已安装的软件和发现的漏洞。The Security assessments card shows the overall exposure level, security recommendations, installed software, and discovered vulnerabilities. 设备的曝光级别由待定安全建议累积影响决定。A device's exposure level is determined by the cumulative impact of its pending security recommendations.