Proactively hunt for threats with advanced hunting in Microsoft 365 Defender

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender

Want to experience Microsoft 365 Defender? You can evaluate it in a lab environment or run your pilot project in production.

Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats.

You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for, and then respond to, suspected breach activity, misconfigured machines, and other findings.

This capability is similar to advanced hunting in Microsoft Defender for Endpoint. Available in the Microsoft 365 security center, it supports queries that check a broader data set from:

  • Microsoft Defender for Endpoint
  • Microsoft Defender for Office 365
  • Microsoft Cloud App Security
  • Microsoft Defender for Identity

To use advanced hunting, turn on Microsoft 365 Defender.
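As an added example that is not part of the original page, the following Kusto query illustrates the two points above: it hunts across more than one product's data (Defender for Office 365 attachment records joined with Defender for Endpoint file events) over the full 30-day window, and it keeps the `Timestamp`, `ReportId` and `DeviceId` columns so the same query can later be saved as a custom detection rule. The table and column names are those of the advanced hunting schema as the author of this example knows it; the 30-day lookback and the "FileCreated" action filter are choices made for this illustration.

```kusto
// Added example, not from the page: attachments that arrived by email and were
// later written to disk on a managed device. EmailAttachmentInfo comes from
// Defender for Office 365; DeviceFileEvents comes from Defender for Endpoint.
let lookback = 30d;   // advanced hunting retains up to 30 days of raw data
let emailAttachments =
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where isnotempty(SHA256)
    | project EmailTime = Timestamp, NetworkMessageId, SenderFromAddress,
              RecipientEmailAddress, AttachmentName = FileName, SHA256;
DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType == "FileCreated"
| join kind=inner emailAttachments on SHA256
| where Timestamp > EmailTime            // the file appeared after the mail was received
// Timestamp, ReportId and DeviceId are the columns a custom detection rule
// needs in order to attribute the result to an event and a device.
| project Timestamp, ReportId, DeviceId, DeviceName, FileName, FolderPath,
          SHA256, AttachmentName, SenderFromAddress, RecipientEmailAddress, EmailTime
| order by Timestamp desc
```

Run it in the advanced hunting page of the Microsoft 365 security center; once the results look right, the "Create detection rule" action turns the same query into a rule that runs on a schedule and can trigger alerts and response actions on the matching devices and mailboxes.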

Get started with advanced hunting

We recommend going through several steps to quickly get started with advanced hunting.

| Learning goal | Description | Resource |
|---|---|---|
| Learn the language | Advanced hunting is based on Kusto query language, supporting the same syntax and operators. Start learning the query language by running your first query. | Query language overview |
| Learn how to use the query results | Learn about charts and various ways you can view or export your results. Explore how you can quickly tweak queries, drill down to get richer information, and take response actions. | Work with query results; Take action on query results |
| Understand the schema | Get a good, high-level understanding of the tables in the schema and their columns. Learn where to look for data when constructing your queries. | Schema reference; Transition from Microsoft Defender for Endpoint |
| Get expert tips and examples | Train for free with guides from Microsoft experts. Explore collections of predefined queries covering different threat hunting scenarios. | Get expert training; Use shared queries; Go hunt; Hunt for threats across devices, emails, apps, and identities |
| Optimize queries and handle errors | Understand how to create efficient and error-free queries. | Query best practices; Handle errors |
| Create custom detection rules | Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically. | Custom detections overview; Custom detection rules |

Get access

To use advanced hunting or other Microsoft 365 Defender capabilities, you need an appropriate role in Azure Active Directory. Read about required roles and permissions for advanced hunting.

Also, your access to endpoint data is determined by role-based access control (RBAC) settings in Microsoft Defender for Endpoint. Read about managing access to Microsoft 365 Defender.

Data freshness and update frequency

Advanced hunting data can be categorized into two distinct types, each consolidated differently.

  • Event or activity data: populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect it successfully transmit it to the corresponding cloud services. For example, you can query event data from healthy sensors on workstations or domain controllers almost immediately after it becomes available in Microsoft Defender for Endpoint and Microsoft Defender for Identity.
  • Entity data: populates tables with information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.

Time zone

Time information in advanced hunting is in the UTC time zone.
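The two points in the sections above (entity tables gain partially populated rows every 15 minutes and are consolidated daily; all timestamps are UTC) matter when you write queries against entity data. The query below is an added example, not from the page: it takes the most recent `DeviceInfo` row per device that actually carries the fields of interest, compares it with the latest process event from the same device to spot sensors that have gone quiet, and shows how to derive a local time from the UTC `Timestamp`. The `DeviceInfo` and `DeviceProcessEvents` column names are those of the advanced hunting schema as the author of this example knows it; the one-day and seven-day windows, the one-hour "stale" threshold and the UTC+2 offset are constructed for the illustration.

```kusto
// Added example, not from the page: latest consolidated device record plus a
// freshness check against event data. All Timestamp values are UTC.
let staleAfter = 1h;   // constructed threshold: no events for an hour is suspicious for a healthy sensor
// Event data arrives almost immediately from healthy sensors, so the newest
// process event per device is a good proxy for "sensor is alive".
let latestEvents =
    DeviceProcessEvents
    | where Timestamp > ago(1d)
    | summarize LastEventUtc = max(Timestamp) by DeviceId;
DeviceInfo
| where Timestamp > ago(7d)
// Rows added every 15 minutes may be only partly populated; keep rows that
// carry the fields this query reports on.
| where isnotempty(OSPlatform) and isnotempty(OSVersion)
// arg_max keeps the single most recent qualifying row for each device.
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceId, DeviceName, OSPlatform, OSVersion, PublicIP,
          LastSeenUtc = Timestamp
| join kind=leftouter latestEvents on DeviceId
| extend MinutesSinceLastEvent = datetime_diff("minute", now(), LastEventUtc)
| extend SensorStale = isnull(LastEventUtc) or (now() - LastEventUtc) > staleAfter
// Timestamps are UTC; add an explicit offset if you need local time.
// UTC+2 is an assumed offset for this illustration only.
| extend LastSeenLocal = LastSeenUtc + 2h
| project DeviceId, DeviceName, OSPlatform, OSVersion, PublicIP,
          LastSeenUtc, LastSeenLocal, LastEventUtc, MinutesSinceLastEvent, SensorStale
| order by SensorStale desc, LastSeenUtc desc
```

Devices flagged `SensorStale` are worth checking first: a device that is still present in the entity table but has stopped sending events is either offline or has a sensor problem, and either way its activity is invisible to hunting queries until it reports again.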