Security recommendations - threat and vulnerability management

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact. Prioritized recommendations help shorten the time to mitigate or remediate vulnerabilities and drive compliance.

Each security recommendation includes actionable remediation steps. To help with task management, the recommendation can also be sent using Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes, because it continuously collects information from your environment.

Tip

To get emails about new vulnerability events, see Configure vulnerability email notifications in Microsoft Defender for Endpoint.

How it works

Each device in the organization is scored based on three important factors to help customers focus on the right things at the right time.

  • Threat - Characteristics of the vulnerabilities and exploits in your organization's devices and breach history. Based on these factors, the security recommendations show the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytics reports.

  • Breach likelihood - Your organization's security posture and resilience against threats

  • Business value - Your organization's assets, critical processes, and intellectual property

Access the Security recommendations page in a few different ways:

View related security recommendations in the following places:

  • Software page
  • Device page

Go to the threat and vulnerability management navigation menu and select Security recommendations. The page contains a list of security recommendations for the threats and vulnerabilities found in your organization.

Top security recommendations in the threat and vulnerability management dashboard

On a given day, as a Security Administrator, you can look at the threat and vulnerability management dashboard to see your exposure score side by side with your Microsoft Secure Score for Devices. The goal is to lower your organization's exposure from vulnerabilities and increase your organization's device security so that it is more resilient against cybersecurity threats. The top security recommendations list can help you achieve that goal.

Example of the top security recommendations card, with four security recommendations.

The top security recommendations list the improvement opportunities prioritized based on the important factors mentioned in the previous section: threat, likelihood to be breached, and value. Selecting a recommendation takes you to the security recommendations page with more details.

Security recommendations overview

View recommendations, the number of weaknesses found, related components, threat insights, number of exposed devices, status, remediation type, remediation activities, impact on your exposure score and Microsoft Secure Score for Devices, and associated tags.

The color of the Exposed devices graph changes as the trend changes. If the number of exposed devices is on the rise, the color changes to red. If there is a decrease in the number of exposed devices, the color of the graph changes to green.

Note

Threat and vulnerability management shows devices that were in use up to 30 days ago. This is different from the rest of Microsoft Defender for Endpoint, where a device that has not been in use for more than 7 days has an 'Inactive' status.

Example of the security recommendations landing page.

Icons

Useful icons also quickly call your attention to:

  • Arrow hitting a target: possible active alerts
  • Red bug: associated public exploits
  • Light bulb: recommendation insights

Explore security recommendation options

Select the security recommendation that you want to investigate or process.

Example of the security recommendation flyout page.

From the flyout, you can choose any of the following options:

  • Open software page - Open the software page to get more context on the software and how it's distributed. The information can include threat context, associated recommendations, weaknesses discovered, number of exposed devices, discovered vulnerabilities, names and details of devices with the software installed, and version distribution.

  • Remediation options - Submit a remediation request to open a ticket in Microsoft Intune for your IT administrator to pick up and address. Track the remediation activity on the Remediation page.

  • Exception options - Submit an exception, provide justification, and set an exception duration if you can't remediate the issue yet.

Note

When a software change is made on a device, it typically takes 2 hours for the data to be reflected in the security portal. However, it may sometimes take longer. Configuration changes can take anywhere from 4 to 24 hours.

Investigate changes in device exposure or impact

If there is a large jump in the number of exposed devices, or a sharp increase in the impact on your organization's exposure score and Microsoft Secure Score for Devices, then that security recommendation is worth investigating.

  1. Select the recommendation and Open software page
  2. Select the Event timeline tab to view all the impactful events related to that software, such as new vulnerabilities or new public exploits. Learn more about the event timeline
  3. Decide how to address the increase in your organization's exposure, such as by submitting a remediation request
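As an added example (not code from the Microsoft page or the product), the following Python applies the guidance above to two constructed daily snapshots of recommendations: it reproduces the red/green trend rule of the Exposed devices graph and flags recommendations with a large jump in exposed devices or a sharp rise in exposure-score impact. The field names and the thresholds are assumptions chosen for illustration.

```python
# Added example, not part of the Microsoft page: triage recommendations whose
# exposed-device count or exposure-score impact jumped between two snapshots.
# Field names and thresholds are assumptions chosen for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """One recommendation as seen on a given day (constructed shape)."""
    name: str
    exposed_devices: int
    exposure_score_impact: float  # points the exposure score drops if remediated


def trend_color(previous: int, current: int) -> str:
    """Mirror the Exposed devices graph: red when rising, green when falling."""
    if current > previous:
        return "red"
    if current < previous:
        return "green"
    return "neutral"


def worth_investigating(prev: Snapshot, cur: Snapshot,
                        jump_ratio: float = 0.5, min_jump: int = 10,
                        impact_delta: float = 2.0) -> bool:
    """True on a large jump in exposed devices or a sharp rise in score impact."""
    # Hypothetical thresholds: tune them to the size of your tenant.
    growth = cur.exposed_devices - prev.exposed_devices
    large_jump = growth >= min_jump and growth >= jump_ratio * max(prev.exposed_devices, 1)
    sharp_impact = (cur.exposure_score_impact - prev.exposure_score_impact) >= impact_delta
    return large_jump or sharp_impact


def triage(previous: list, current: list) -> list:
    """Names of recommendations to open first, highest current impact first."""
    by_name = {s.name: s for s in previous}
    flagged = [c for c in current
               if c.name in by_name and worth_investigating(by_name[c.name], c)]
    return [c.name for c in sorted(flagged, key=lambda s: -s.exposure_score_impact)]


# Constructed sample data: yesterday's and today's view of three recommendations.
YESTERDAY = [Snapshot("Update Google Chrome", 40, 3.1),
             Snapshot("Update Adobe Acrobat Reader", 120, 6.0),
             Snapshot("Turn on PUA protection", 300, 1.4)]
TODAY = [Snapshot("Update Google Chrome", 90, 3.4),          # +125 %: red, large jump
         Snapshot("Update Adobe Acrobat Reader", 125, 8.5),  # small rise, impact +2.5
         Snapshot("Turn on PUA protection", 290, 1.4)]       # falling: green, ignore
```

Running `triage(YESTERDAY, TODAY)` returns the two recommendations to open first, ordered by their current exposure-score impact.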

Request remediation

The threat and vulnerability management remediation capability bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request that the IT administrator remediate a vulnerability, from the Security recommendations page through Intune. Learn more about remediation options

How to request remediation

Select a security recommendation you would like to request remediation for, and then select Remediation options. Fill out the form and select Submit request. Go to the Remediation page to view the status of your remediation request. Learn more about how to request remediation

File for exception

As an alternative to a remediation request when a recommendation is not relevant at the moment, you can create exceptions for recommendations. Learn more about exceptions

Only users with "exceptions handling" permissions can add exceptions. Learn more about RBAC roles.

When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to Full exception or Partial exception (by device group).

How to create an exception

Select a security recommendation you would like to create an exception for, and then select Exception options.

Shows where the Exception options button is located in a security recommendation flyout.

Fill out the form and submit. To view all your exceptions (current and past), navigate to the Remediation page under the Threat & Vulnerability Management menu and select the Exceptions tab. Learn more about how to create an exception

Report inaccuracy

You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information.

  1. Open the security recommendation.

  2. Select the three dots beside the security recommendation that you want to report, then select Report inaccuracy.

    Shows the Report inaccuracy button in the security recommendation flyout.

  3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and add details regarding the inaccuracy.

  4. Select Submit. Your feedback is immediately sent to the threat and vulnerability management experts.