Use shared queries in advanced hunting

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender
  • Microsoft Defender for Endpoint

Advanced hunting queries can be shared among users in the same organization. You can also find queries shared publicly on GitHub. These queries let you quickly pursue specific threat hunting scenarios without having to write queries from scratch.

Image of shared queries

Save, modify, and share a query

You can save a new or existing query so that it is accessible only to you, or share it with other users in your organization.

  1. Create or modify a query.

  2. Click the Save query drop-down button and select Save as.

  3. Enter a name for the query.

    Image of saving a query

  4. Select the folder where you'd like to save the query.

    • Shared queries — shared with all users in your organization
    • My queries — accessible only to you
  5. Select Save.

Delete or rename a query

  1. Right-click the query you want to rename or delete.

    Image of deleting a query

  2. Select Delete and confirm the deletion. Or select Rename and provide a new name for the query.

To generate a link that opens your query directly in the advanced hunting query editor, finalize your query and select Share link.

Access queries in the GitHub repository

Microsoft security researchers regularly share advanced hunting queries in a designated public repository on GitHub. This repository is open to contributions. To contribute, join GitHub for free.

Tip

Microsoft security researchers also provide advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the threat analytics reports in Microsoft Defender Security Center.

Note

Some tables in this article might not be available in Microsoft Defender for Endpoint. Turn on Microsoft 365 Defender to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in Migrate advanced hunting queries from Microsoft Defender for Endpoint.