Understand the advanced hunting schema

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

The advanced hunting schema is made up of multiple tables that provide either event information (what happened, when, and on which device or account) or information about entities such as devices, alerts, and identities. To build queries that span multiple tables correctly, you need to know which tables exist, which columns they share (the columns you join on), and which columns hold the data you want to filter or return.

Get schema information in the security center

While constructing queries, use the built-in schema reference to quickly get the following information about each table in the schema:

  • Table description: the type of data contained in the table and the source of that data.
  • Columns: all the columns in the table.
  • Action types: the possible values of the ActionType column, representing the event types supported by the table. This information is provided only for tables that contain event information; entity tables (for example DeviceInfo or IdentityInfo) have no ActionType column.
  • Sample queries: example queries showing how the table can be used.
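The following query is an added example written for this page; it is not one of the portal's own sample queries. It shows the two things the schema reference is for: joining an entity table (AlertInfo, AlertEvidence) to an event table (DeviceProcessEvents) on their shared columns, and narrowing an event table with its ActionType column. The column names used (AlertId, Severity, Title, EntityType, SHA256, DeviceId, ActionType, ProcessCommandLine, and so on) are assumed and should be confirmed against the in-portal schema reference for your tenant before use.

```kusto
// Added example, not from the original page. Column names are assumed;
// confirm them with "View reference" for each table before running.

// 1. Start from the entity table: high-severity alerts in the last 7 days.
let recentAlerts =
    AlertInfo
    | where Timestamp > ago(7d)
    | where Severity == "High"
    | project AlertId, AlertTitle = Title, Category, ServiceSource;

// 2. Pull the file evidence attached to those alerts. AlertEvidence holds
//    one row per entity (file, IP, URL, user, device) linked to an alert.
let alertFiles =
    AlertEvidence
    | where EntityType == "File" and isnotempty(SHA256)
    | project AlertId, DeviceId, SHA256, EvidenceFileName = FileName;

// 3. Join to the event table on the shared columns (DeviceId, SHA256) and
//    keep only process-creation events via ActionType. ActionType exists
//    only on event tables, not on entity tables such as DeviceInfo.
recentAlerts
| join kind=inner alertFiles on AlertId
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where ActionType == "ProcessCreated"
    | project DeviceId, SHA256, Timestamp, DeviceName, AccountName,
              ProcessCommandLine, InitiatingProcessFileName
  ) on DeviceId, SHA256
| project Timestamp, AlertId, AlertTitle, Category, ServiceSource,
          DeviceName, AccountName, EvidenceFileName,
          ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
```

The result is every process creation, on the alerted device, of a file that appears as evidence in a high-severity alert, together with the command line and parent process. Filtering each side by time before the join keeps the query within the advanced hunting result and resource limits; joining two unfiltered tables is the most common reason a multi-table query times out.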

Access the schema reference

To quickly access the schema reference, select the View reference action next to the table name in the schema representation. You can also select Schema reference to search for a table by name.

[Image: how to access the in-portal schema reference]

Learn the schema tables

The following reference lists all the tables in the schema. Each table name links to a page describing the column names for that table. Table and column names are also listed in the security center as part of the schema representation on the advanced hunting screen.

| Table name | Description |
|---|---|
| AlertEvidence | Files, IP addresses, URLs, users, or devices associated with alerts |
| AlertInfo | Alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity, including severity information and threat categorization |
| CloudAppEvents | Events involving accounts and objects in Office 365 and other cloud apps and services |
| DeviceEvents | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
| DeviceFileCertificateInfo | Certificate information of signed files obtained from certificate verification events on endpoints |
| DeviceFileEvents | File creation, modification, and other file system events |
| DeviceImageLoadEvents | DLL loading events |
| DeviceInfo | Machine information, including OS information |
| DeviceLogonEvents | Sign-ins and other authentication events on devices |
| DeviceNetworkEvents | Network connection and related events |
| DeviceNetworkInfo | Network properties of devices, including physical adapters, IP and MAC addresses, as well as connected networks and domains |
| DeviceProcessEvents | Process creation and related events |
| DeviceRegistryEvents | Creation and modification of registry entries |
| DeviceTvmSecureConfigurationAssessment | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices |
| DeviceTvmSecureConfigurationAssessmentKB | Knowledge base of the various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks |
| DeviceTvmSoftwareInventory | Inventory of software installed on devices, including version information and end-of-support status |
| DeviceTvmSoftwareVulnerabilities | Software vulnerabilities found on devices and the list of available security updates that address each vulnerability |
| DeviceTvmSoftwareVulnerabilitiesKB | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available |
| EmailAttachmentInfo | Information about files attached to emails |
| EmailEvents | Microsoft 365 email events, including email delivery and blocking events |
| EmailPostDeliveryEvents | Security events that occur post-delivery, after Microsoft 365 has delivered the emails to the recipient mailbox |
| EmailUrlInfo | Information about URLs in emails |
| IdentityDirectoryEvents | Events involving an on-premises domain controller running Active Directory (AD). This table covers a range of identity-related events and system events on the domain controller. |
| IdentityInfo | Account information from various sources, including Azure Active Directory |
| IdentityLogonEvents | Authentication events on Active Directory and Microsoft online services |
| IdentityQueryEvents | Queries for Active Directory objects, such as users, groups, devices, and domains |
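The table list pairs several per-device tables with a knowledge-base (KB) table that describes the same items tenant-wide. The following query is an added example, not from the original page, showing how those pairs are meant to be used together: DeviceTvmSoftwareVulnerabilities says which CVEs affect which device, and DeviceTvmSoftwareVulnerabilitiesKB says whether public exploit code exists for each CVE. The column names (CveId, IsExploitAvailable, CvssScore, PublishedDate, RecommendedSecurityUpdate, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion) are assumed and should be confirmed in the schema reference.

```kusto
// Added example, not from the original page. Column names are assumed;
// confirm them with "View reference" for both tables before running.

// Knowledge base side: CVEs for which exploit code is publicly available.
// The KB is tenant-independent, so there is no device in these rows.
let exploitableCves =
    DeviceTvmSoftwareVulnerabilitiesKB
    | where IsExploitAvailable == true
    | project CveId, CvssScore, PublishedDate;

// Device side: current vulnerability findings per device and software.
// This is a state table (a snapshot), so no Timestamp filter is needed.
DeviceTvmSoftwareVulnerabilities
| join kind=inner exploitableCves on CveId
| summarize
    ExploitableCves = make_set(CveId),
    MaxCvss = max(CvssScore),
    OldestPublished = min(PublishedDate),
    Updates = make_set(RecommendedSecurityUpdate)
    by DeviceId, DeviceName, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion
| order by MaxCvss desc, OldestPublished asc
```

Each output row is one software installation on one device that carries at least one CVE with public exploit code, with the highest CVSS score, the age of the oldest such CVE, and the security updates that would close them. The same join pattern applies to DeviceTvmSecureConfigurationAssessment and its KB table, where the KB supplies the benchmark mappings for each configuration check.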