Incidents in Microsoft 365 Defender

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender

Want to experience Microsoft 365 Defender? You can evaluate it in a lab environment or run your pilot project in production.

An incident in Microsoft 365 Defender is a collection of correlated alerts and associated data that make up the story of an attack.

Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. However, attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant.

Because piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft 365 Defender automatically aggregates the alerts and their associated information into an incident.

How Microsoft 365 Defender correlates events into incidents

Watch this short overview of incidents in Microsoft 365 Defender (4 minutes).


Grouping related alerts into an incident gives you a comprehensive view of an attack. For example, you can see:

  • Where the attack started.
  • What tactics were used.
  • How far the attack has gone into your tenant.
  • The scope of the attack, such as how many devices, users, and mailboxes were impacted.
  • All of the data associated with the attack.
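The grouping and summary described above, as an added illustration that is not Microsoft 365 Defender's own correlation logic (which this page does not describe): constructed alerts that share an entity are chained into one incident, summarized the way the Summary tab presents it (origin, tactics, worst severity, scope), and ordered for triage. All alert records, entity names and tactic labels are constructed sample data.

```python
from collections import defaultdict
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample alerts: (id, time, severity, tactic, {(entity_kind, name)}).
# a1-a3 chain together via jane -> jane-laptop -> fileserver01; a4 is unrelated.
ALERTS = [
    ("a1", "2021-05-01T08:00Z", "medium", "InitialAccess",
     {("mailbox", "jane@contoso.test"), ("user", "jane")}),
    ("a2", "2021-05-01T08:05Z", "high", "Execution",
     {("user", "jane"), ("device", "jane-laptop")}),
    ("a3", "2021-05-01T08:30Z", "high", "LateralMovement",
     {("device", "jane-laptop"), ("device", "fileserver01")}),
    ("a4", "2021-05-01T09:00Z", "low", "Discovery", {("device", "kiosk07")}),
]
def correlate(alerts):
    """Group alerts transitively by shared entity (union-find over alert ids)."""
    parent = {a[0]: a[0] for a in alerts}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x
    owner = {}                              # entity -> first alert naming it
    for a in alerts:
        for ent in a[4]:
            if ent in owner:                # seen before: merge the two groups
                parent[find(a[0])] = find(owner[ent])
            else:
                owner[ent] = a[0]
    groups = defaultdict(list)
    for a in alerts:
        groups[find(a[0])].append(a)
    return list(groups.values())

def summarize(incident):
    """What the Summary tab shows: origin, tactics, worst severity, scope."""
    ordered = sorted(incident, key=lambda a: a[1])
    scope = defaultdict(set)
    for a in incident:
        for kind, name in a[4]:
            scope[kind].add(name)
    return {"alerts": [a[0] for a in ordered],
            "first_alert": ordered[0][0],   # where the attack started
            "tactics": [a[3] for a in ordered],
            "severity": max((a[2] for a in incident), key=SEVERITY_RANK.get),
            "scope": {k: len(v) for k, v in scope.items()}}

def triage_queue(alerts):
    """Incident queue for triage: highest severity first, then widest scope."""
    rank = lambda i: (SEVERITY_RANK[i["severity"]], sum(i["scope"].values()))
    return sorted((summarize(g) for g in correlate(alerts)), key=rank, reverse=True)
```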

If enabled, Microsoft 365 Defender can automatically investigate and resolve alerts through automation and artificial intelligence. You can also perform additional remediation steps to resolve the attack.

Incidents and alerts in the Microsoft 365 Defender portal

You manage incidents from Incidents & alerts > Incidents on the quick launch of the Microsoft 365 Defender portal (security.microsoft.com). Here's an example.

The Incidents page in the Microsoft 365 Defender portal

Selecting an incident name displays a summary of the incident and provides access to tabs with additional information.

Example of the Summary tab for an incident in the Microsoft 365 Defender portal

The additional tabs for an incident are:

  • Alerts

    All the alerts related to the incident and their information.

  • Devices

    All the devices that have been identified to be part of or related to the incident.

  • Users

    All the users that have been identified to be part of or related to the incident.

  • Mailboxes

    All the mailboxes that have been identified to be part of or related to the incident.

  • Investigations

    All the automated investigations triggered by alerts in the incident.

  • Evidence and Response

    All the supported events and suspicious entities in the alerts in the incident.

  • Graph (in preview)

    A figure showing the connection of alerts to the impacted assets in your organization.

Here's the relationship between an incident and its data and the tabs of an incident in the Microsoft 365 Defender portal.

The relationship between an incident, its data, and the incident tabs in the Microsoft 365 Defender portal

Example incident response workflow for Microsoft 365 Defender

Here's an example workflow for responding to incidents in Microsoft 365 with the Microsoft 365 Defender portal.

Example incident response workflow for incidents in Microsoft 365

On an ongoing basis, identify the highest priority incidents for analysis and resolution in the incident queue and get them ready for response. This is a combination of:

  • Triaging to determine the highest priority incidents through filtering and sorting of the incident queue.
  • Managing incidents by modifying their title, assigning them to an analyst, and adding tags and comments.
  1. For each incident, begin an attack and alert investigation and analysis:

    1. View the summary of the incident to understand its scope and severity and what entities are affected (the Summary tab).

    2. Begin analyzing the alerts to understand their origin, scope, and severity (the Alerts tab).

    3. As needed, gather information on impacted devices, users, and mailboxes (the Devices, Users, and Mailboxes tabs).

    4. See how Microsoft 365 Defender has automatically resolved some alerts (the Investigations tab).

    5. As needed, use the incident's data set for more information (the Evidence and Response tab).

  2. After or during your analysis, perform containment to reduce any additional impact of the attack, and eradicate the security threat.

  3. As much as possible, recover from the attack by restoring your tenant resources to the state they were in before the incident.

  4. Resolve the incident and take time for post-incident learning to:

    • Understand the type of the attack and its impact.
    • Research the attack in Threat Analytics and the security community for a security attack trend.
    • Recall the workflow you used to resolve the incident and update your standard workflows, processes, policies, and playbooks as needed.
    • Determine whether changes in your security configuration are needed and implement them.

If you are new to security analysis, see the introduction to responding to your first incident for additional information and to step through an example incident.

For more information about incident response across Microsoft products, see this article.

Example security operations for Microsoft 365 Defender

Here's an example of security operations (SecOps) for Microsoft 365 Defender.

Example security operations for Microsoft 365 Defender

Daily tasks can include:

Monthly tasks can include:

Quarterly tasks can include a report and briefing of security results to the Chief Information Security Officer (CISO).

Annual tasks can include conducting a major incident or breach exercise to test your staff, systems, and processes.

Daily, monthly, quarterly, and annual tasks can be used to update or refine processes, policies, and security configurations.

SecOps resources across Microsoft products

For more information about SecOps across Microsoft's products, see these resources:

Next steps

If you are new to security analysis and incident response:

  • See the Respond to your first incident walkthrough to get a guided tour of a typical process of analysis, remediation, and post-incident review in the Microsoft 365 Defender portal with an example attack.

If you have experience with security analysis and incident response:

  • Get started with the incident queue from the Incidents page of the Microsoft 365 Defender portal. From here, you can:

    • See which incidents should be prioritized based on severity and other factors.

    • Manage incidents, which includes renaming, assigning, classifying, and adding tags and comments based on your incident management workflow.

    • Perform investigations of incidents.

  • See these incident response playbooks for detailed guidance for phishing, password spray, and app consent grant attacks.