Get expert training on advanced hunting

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Security teams can now manage all endpoint, email, and cross-product investigations, configuration, and remediation without needing to navigate to separate product portals. Learn more about what's changed.

Applies to:

  • Microsoft 365 Defender

Boost your knowledge of advanced hunting quickly with Tracking the adversary, a webcast series for new security analysts and seasoned threat hunters. The series guides you from the basics all the way to creating your own sophisticated queries. Start with the first video on fundamentals, or jump to the more advanced videos that suit your level of experience.

| Title | Description | Watch | Queries |
|---|---|---|---|
| Episode 1: KQL fundamentals | This episode covers the basics of advanced hunting in Microsoft 365 Defender. Learn about the available advanced hunting data and basic KQL syntax and operators. | YouTube (54:14) | CSL file |
| Episode 2: Joins | Continue learning about data in advanced hunting and how to join tables together. Learn about inner, outer, unique, and semi joins, and understand the nuances of the default Kusto innerunique join. | YouTube (53:33) | CSL file |
| Episode 3: Summarizing, pivoting, and visualizing data | Now that you've learned to filter, manipulate, and join data, it's time to summarize, quantify, pivot, and visualize. This episode discusses the summarize operator and various calculations, while introducing additional tables in the schema. You'll also learn to turn datasets into charts that can help you extract insight. | YouTube (48:52) | CSL file |
| Episode 4: Let's hunt! Applying KQL to incident tracking | In this episode, you learn to track some attacker activity. We use our improved understanding of Kusto and advanced hunting to track an attack. Learn actual tricks used in the field, including the ABCs of cybersecurity and how to apply them to incident response. | YouTube (59:36) | CSL file |

Get more expert training with L33TSP3AK: Advanced hunting in Microsoft 365 Defender, a webcast series for analysts looking to expand their technical knowledge and practical skills in conducting security investigations using advanced hunting in Microsoft 365 Defender.

| Title | Description | Watch | Queries |
|---|---|---|---|
| Episode 1 | In this episode, you will learn different best practices for running advanced hunting queries. Among the topics covered are: how to optimize your queries, use advanced hunting for ransomware, handle JSON as a dynamic type, and work with external data operators. | YouTube (56:34) | CSL file |

How to use the CSL file

Before starting an episode, access the corresponding Kusto CSL file on GitHub and copy its contents into the advanced hunting query editor. As you watch an episode, you can use the copied contents to follow the speaker and run the queries.

The following excerpt from a CSL file shows a comprehensive set of guidance, marked as comments with //.

// DeviceLogonEvents
// A table containing a row for each logon a device enrolled in Microsoft Defender for Endpoint
// Contains
// - Account information associated with the logon
// - The device which the account logged onto
// - The process which performed the logon
// - Network information (for network logons)
// - Timestamp

The same CSL file includes queries before and after the comments, as shown below. To run a specific query when there are multiple queries in the editor, move the cursor to that query and select Run query.

DeviceLogonEvents
| count

// DeviceLogonEvents
// A table containing a row for each logon a device enrolled in Microsoft Defender for Endpoint
// Contains
// - Account information associated with the logon
// - The device which the account logged onto
// - The process which performed the logon
// - Network information (for network logons)
// - Timestamp

AppFileEvents
| take 100
| sort by Timestamp desc
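As an added illustration of the CSL layout described above (comment header, then several queries separated by blank lines, each runnable on its own by placing the cursor in it), here is a constructed excerpt that is not taken from the series' CSL files. It uses standard DeviceLogonEvents columns; the 7-day and 30-day windows, the 30-minute correlation window, and the 20-failure threshold are assumed values, not from the page.

```kql
// DeviceLogonEvents (constructed example, not from the series' CSL files)
// Place the cursor inside one query below and select Run query to execute only that query.

// Query 1: accounts with many failed logons in the last 7 days, and how many
// distinct devices each account was tried against. Threshold of 20 is assumed.
DeviceLogonEvents
| where Timestamp > ago(7d)
| where ActionType == "LogonFailed"
| summarize FailedCount = count(), TargetDevices = dcount(DeviceId) by AccountName
| where FailedCount > 20
| sort by FailedCount desc

// Query 2: failed logons followed within 30 minutes by a success for the same
// account on the same device. kind=inner is written explicitly because the
// default innerunique join keeps only one left-side row per key and would
// silently drop the other failed attempts, undercounting Failures.
DeviceLogonEvents
| where Timestamp > ago(7d) and ActionType == "LogonFailed"
| project DeviceId, DeviceName, AccountName, FailTime = Timestamp
| join kind=inner (
    DeviceLogonEvents
    | where Timestamp > ago(7d) and ActionType == "LogonSuccess"
    | project DeviceId, AccountName, SuccessTime = Timestamp, LogonType
) on DeviceId, AccountName
| where SuccessTime between (FailTime .. (FailTime + 30m))
| summarize Failures = count(), FirstFail = min(FailTime), FirstSuccess = min(SuccessTime)
    by DeviceName, AccountName, LogonType
| sort by Failures desc

// Query 3: daily failed-logon trend over 30 days, rendered as a chart.
DeviceLogonEvents
| where Timestamp > ago(30d) and ActionType == "LogonFailed"
| summarize Failures = count() by bin(Timestamp, 1d)
| render timechart
```

Query 2 is the place to compare the join kinds from episode 2: change kind=inner to kind=innerunique (or drop the kind) and watch the Failures counts shrink.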