Create and view exceptions for security recommendations - threat and vulnerability management

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

As an alternative to a remediation request when a recommendation is not relevant at the moment, you can create exceptions for recommendations. If your organization has device groups, you will be able to scope the exception to specific device groups. Exceptions can either be created for selected device groups, or for all device groups past and present.

When an exception is created for a recommendation, the recommendation will not be active until the end of the exception duration. The recommendation state will change to Full exception or Partial exception (by device group).

Permissions

Only users with “exceptions handling” permissions can manage exceptions (including creating or canceling). Learn more about RBAC roles.

View of exception handling permissions.

Create an exception

Select a security recommendation you would like to create an exception for, and then select Exception options and fill out the form.

Shows where the Exception options button is located in the security recommendation flyout.

Exception by device group

Apply the exception to all current device groups or choose specific device groups. Future device groups won't be included in the exception. Device groups that already have an exception will not be displayed in the list. If you only select certain device groups, the recommendation state will change from “active” to “partial exception.” The state will change to “full exception” if you select all the device groups.

Shows the device group dropdown.

Filtered views

If you have filtered by device group on any of the threat and vulnerability management pages, only your filtered device groups will appear as options.

This is the button to filter by device group on any of the threat and vulnerability management pages:

Shows the selected device group filter.

Exception view with filtered device groups:

Shows the filtered device group dropdown.

Large number of device groups

If your organization has more than 20 device groups, select Edit next to the filtered device group option.

Shows how to edit a large number of groups.

A flyout will appear where you can search and choose device groups you want included. Select the check mark icon below Search to check/uncheck all.

Shows the large device group flyout.

Global exceptions

If you have global administrator permissions, you will be able to create and cancel a global exception. It affects all current and future device groups in your organization, and only a user with similar permission would be able to change it. The recommendation state will change from “active” to “full exception.”

Shows the global exception option.

Some things to keep in mind:

  • If a recommendation is under global exception, then newly created exceptions for device groups will be suspended until the global exception has expired or been cancelled. After that point, the new device group exceptions will go into effect until they expire.
  • If a recommendation already has exceptions for specific device groups and a global exception is created, then the device group exception will be suspended until it expires or the global exception is cancelled before it expires.

Justification

Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration.

The following list details the justifications behind the exception options:

  • Third party control - A third party product or software already addresses this recommendation - Choosing this justification type will lower your exposure score and increase your secure score because your risk is reduced
  • Alternate mitigation - An internal tool already addresses this recommendation - Choosing this justification type will lower your exposure score and increase your secure score because your risk is reduced
  • Risk accepted - Poses low risk and/or implementing the recommendation is too expensive
  • Planned remediation (grace) - Already planned but is awaiting execution or authorization

View all exceptions

Navigate to the Exceptions tab in the Remediation page. You can filter by justification, type, and status.

Select an exception to open a flyout with more details. Exceptions per device group will have a list of every device group the exception covers, which you can export. You can also view the related recommendation or cancel the exception.

Shows the Exceptions tab in the Remediation page.

How to cancel an exception

To cancel an exception, navigate to the Exceptions tab in the Remediation page. Select the exception.

To cancel the exception for all device groups or for a global exception, select the Cancel exception for all device groups button. You will only be able to cancel exceptions for device groups you have permissions for.

The Cancel button.

Cancel the exception for a specific device group

Select the specific device group to cancel the exception for it. A flyout will appear for the device group, and you can select Cancel exception.

Shows how to select a specific device group.

View impact after exceptions are applied

In the Security Recommendations page, select Customize columns and check the boxes for Exposed devices (after exceptions) and Impact (after exceptions).

Shows the Customize columns options.

The exposed devices (after exceptions) column shows the remaining devices that are still exposed to vulnerabilities after exceptions are applied. Exception justifications that affect the exposure include ‘third party control’ and ‘alternate mitigation’. Other justifications do not reduce the exposure of a device, and they are still considered exposed.

The impact (after exceptions) shows remaining impact to exposure score or secure score after exceptions are applied. Exception justifications that affect the scores include ‘third party control’ and ‘alternate mitigation.’ Other justifications do not reduce the exposure of a device, and so the exposure score and secure score do not change.

Shows the columns in the table.
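The state and exposure rules described on this page can be checked against an exported exception list with a small model. The following Python is an added example, not Microsoft's code or API: the Exc class, the function names and the sample groups are hypothetical, and it assumes that the expiry date is inclusive and that an exposure-reducing exception removes all of a covered group's devices from the exposed count.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Justifications the page says reduce exposure and affect the scores.
REDUCES_EXPOSURE = {"Third party control", "Alternate mitigation"}

@dataclass
class Exc:  # hypothetical record for one exception
    justification: str
    expires: date
    group: Optional[str] = None  # None models a global exception
    cancelled: bool = False

    def live(self, today):
        # Assumption: the exception still applies on its expiry date.
        return not self.cancelled and today <= self.expires

def effective(excs, groups, today):
    """Map each device group to the exception in force for it, if any."""
    live = [e for e in excs if e.live(today)]
    glob = next((e for e in live if e.group is None), None)
    if glob:  # a global exception suspends every device-group exception
        return {g: glob for g in groups}
    return {e.group: e for e in live if e.group in groups}

def state(excs, groups, today):
    covered = effective(excs, groups, today)
    if not covered:
        return "Active"
    return "Full exception" if len(covered) == len(groups) else "Partial exception"

def exposed_after_exceptions(excs, groups, today):
    """groups maps name -> exposed device count; returns devices still exposed."""
    covered = effective(excs, groups, today)
    return sum(n for g, n in groups.items()
               if g not in covered
               or covered[g].justification not in REDUCES_EXPOSURE)

# Constructed sample data: three device groups with exposed-device counts.
GROUPS = {"Servers": 40, "Laptops": 120, "Kiosks": 15}
EXCS = [Exc("Alternate mitigation", date(2024, 6, 30), "Servers"),
        Exc("Risk accepted", date(2024, 6, 30), "Kiosks")]
TODAY = date(2024, 5, 1)

if __name__ == "__main__":
    print(state(EXCS, GROUPS, TODAY),
          exposed_after_exceptions(EXCS, GROUPS, TODAY))
```

In the sample, the "Risk accepted" exception on Kiosks changes the recommendation state but leaves those devices in the exposed count, which is the distinction the two "after exceptions" columns surface.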