Overview of endpoint detection and response

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Defender for Endpoint endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.

When a threat is detected, alerts are created in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called an incident. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats.

Inspired by the "assume breach" mindset, Defender for Endpoint continuously collects behavioral cyber telemetry. This includes process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes, and others. The information is stored for six months, enabling an analyst to travel back in time to the start of an attack. The analyst can then pivot in various views and approach an investigation through multiple vectors.

The response capabilities give you the power to promptly remediate threats by acting on the affected entities.