Extend advanced hunting coverage with the right settings

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender

Advanced hunting relies on data coming from various sources, including your devices, your Office 365 workspaces, Azure AD, and Microsoft Defender for Identity. To get the most comprehensive data possible, ensure that you have the correct settings in the corresponding data sources.

Advanced security auditing on Windows devices

Turn on these advanced auditing settings to ensure you get data about activities on your devices, including local account management, local security group management, and service creation.

| Data | Description | Schema table | How to configure |
|------|-------------|--------------|------------------|
| Account management | Events captured as various ActionType values indicating local account creation, deletion, and other account-related activities | DeviceEvents | Deploy an advanced security audit policy: Audit User Account Management; Learn about advanced security audit policies |
| Security group management | Events captured as various ActionType values indicating local security group creation and other local group management activities | DeviceEvents | Deploy an advanced security audit policy: Audit Security Group Management; Learn about advanced security audit policies |
| Service installation | Events captured with the ActionType value ServiceInstalled, indicating that a service has been created | DeviceEvents | Deploy an advanced security audit policy: Audit Security System Extension; Learn about advanced security audit policies |
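The following PowerShell script is an added example, not part of the original article, that checks a Windows device for the three audit subcategories listed above and optionally enables them locally. It assumes an elevated session and English-locale auditpol output; the mapping from subcategory to DeviceEvents coverage follows the table.

```powershell
# Added example (not from the Microsoft docs page): verify that the three advanced audit
# subcategories the table lists are enabled, so the matching DeviceEvents rows (account
# management, security group management, ServiceInstalled) can be collected.
# Run from an elevated PowerShell session. -Remediate enables any missing subcategory locally.
# Caveat: if a subcategory is managed by Group Policy, set it in the GPO instead; a local
# auditpol change is overwritten at the next policy refresh.
param([switch]$Remediate)

# Subcategory names as auditpol spells them (English locale assumed), mapped to the
# DeviceEvents coverage each one unlocks according to the table above.
$required = @(
    @{ Subcategory = 'User Account Management';   Coverage = 'local account create/delete/modify' },
    @{ Subcategory = 'Security Group Management'; Coverage = 'local group create/membership changes' },
    @{ Subcategory = 'Security System Extension'; Coverage = 'ActionType ServiceInstalled' }
)

function Get-AuditSetting {
    param([string]$Subcategory)
    # /r returns CSV; drop the blank line auditpol emits before the header row.
    $csv = auditpol /get /subcategory:"$Subcategory" /r | Where-Object { $_ -ne '' }
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for '$Subcategory' (run elevated?)" }
    ($csv | ConvertFrom-Csv).'Inclusion Setting'   # e.g. 'Success and Failure' or 'No Auditing'
}

$results = foreach ($item in $required) {
    $setting = Get-AuditSetting -Subcategory $item.Subcategory
    # Success auditing is what produces the creation/installation events; failure is optional.
    $ok = $setting -match 'Success'
    if (-not $ok -and $Remediate) {
        auditpol /set /subcategory:"$($item.Subcategory)" /success:enable /failure:enable | Out-Null
        $setting = Get-AuditSetting -Subcategory $item.Subcategory
        $ok = $setting -match 'Success'
    }
    [pscustomobject]@{
        Subcategory = $item.Subcategory
        Setting     = $setting
        Enabled     = $ok
        Coverage    = $item.Coverage
    }
}

$results | Format-Table -AutoSize
if ($results.Enabled -contains $false) {
    Write-Warning 'One or more subcategories do not audit Success; the listed DeviceEvents coverage will be missing.'
    exit 1
}
```

A non-zero exit code makes the script usable as a compliance check in a scheduled task or configuration baseline, while the table shows exactly which advanced hunting coverage a device is missing.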

Microsoft Defender for Identity sensor on the domain controller

If you're running Active Directory on premises, you need to install the Microsoft Defender for Identity sensor on the domain controller to get data for Microsoft Defender for Identity. When installed and properly configured, this data also feeds into advanced hunting through Microsoft Defender for Identity and provides a more holistic picture of identity information and events in your network. This data also enhances the ability of Microsoft Defender for Identity to generate relevant alerts, which are also covered by advanced hunting.

| Data | Description | Schema table | How to configure |
|------|-------------|--------------|------------------|
| Domain controller | Data from on-premises Active Directory sent to Microsoft Defender for Identity, enriching identity-related information such as account details, logon activity, and Active Directory queries | Multiple tables, including IdentityInfo, IdentityLogonEvents, and IdentityQueryEvents | Install the Microsoft Defender for Identity sensor; Turn on relevant Windows Events |