Incidents in Microsoft 365 Defender

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender

Want to experience Microsoft 365 Defender? You can evaluate it in a lab environment or run your pilot project in production.

An incident in Microsoft 365 Defender is a collection of correlated alerts and associated data that together make up the story of an attack.

Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. However, attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant.

Because piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft 365 Defender automatically aggregates the alerts and their associated information into an incident.

How Microsoft 365 Defender correlates events across entities into incidents

Watch this short overview of incidents in Microsoft 365 Defender (4 minutes).


Grouping related alerts into an incident gives you a comprehensive view of an attack. For example, you can see:

  • Where the attack started.
  • What tactics were used.
  • How far the attack has gone into your tenant.
  • The scope of the attack, such as how many devices, users, and mailboxes were impacted.
  • All of the data associated with the attack.

If enabled, Microsoft 365 Defender can automatically investigate and resolve alerts through automation and artificial intelligence. You can also perform additional remediation steps to resolve the attack.

Incidents and alerts in the Microsoft 365 security center

You manage incidents from Incidents & alerts > Incidents on the quick launch of the Microsoft 365 security center (security.microsoft.com). Here's an example.

The Incidents page in the Microsoft 365 security center

Selecting an incident name displays a summary of the incident and provides access to tabs with additional information.

Example of the Summary page for an incident in the Microsoft 365 security center

The additional tabs for an incident are:

  • Alerts

    All the alerts related to the incident and their information.

  • Devices

    All the devices that have been identified as part of, or related to, the incident.

  • Users

    All the users that have been identified as part of, or related to, the incident.

  • Mailboxes

    All the mailboxes that have been identified as part of, or related to, the incident.

  • Investigations

    All the automated investigations triggered by alerts in the incident.

  • Evidence and Response

    All the supported events and suspicious entities in the alerts of the incident.

Here's the relationship between an incident, its data, and the tabs of an incident in the Microsoft 365 security center.

Relationship between an incident, its data, and the incident tabs in the Microsoft 365 security center
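To make the relationship concrete, the following Python is an added example, not Microsoft's code: it models how alerts that share an entity (a device, user, or mailbox) roll up into one incident, and then derives from that incident the views the Alerts, Devices, Users, and Mailboxes tabs present, together with the "where it started", "which tactics", and "how many entities" questions from the list above. The page does not describe the product's actual correlation logic, so the linking rule here (any shared entity, applied transitively) is an assumption for illustration, and all alert titles, entity names, timestamps, and the severity ranking are constructed sample data.

```python
"""Illustrative model of alert-to-incident correlation.

Added example, not Microsoft's correlation engine: it links alerts that
share a device, user or mailbox into one incident (transitively), then
derives the per-incident views the Alerts, Devices, Users and Mailboxes
tabs show. All alert data below is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Assumed ranking; the incident takes the highest severity of its alerts.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Alert:
    alert_id: str
    detected_at: str           # ISO-8601 text, so it sorts chronologically
    title: str
    severity: str
    tactic: str                # tactic as the detecting service reports it
    devices: FrozenSet[str] = frozenset()
    users: FrozenSet[str] = frozenset()
    mailboxes: FrozenSet[str] = frozenset()

    def entity_keys(self) -> Set[str]:
        """Typed keys, so device 'alice' and user 'alice' never collide."""
        return ({f"device:{d}" for d in self.devices}
                | {f"user:{u}" for u in self.users}
                | {f"mailbox:{m}" for m in self.mailboxes})


@dataclass
class Incident:
    incident_id: int
    alerts: List[Alert] = field(default_factory=list)   # the Alerts tab

    def _union(self, attr: str) -> List[str]:
        return sorted(set().union(*(getattr(a, attr) for a in self.alerts)))

    @property
    def devices(self) -> List[str]:        # the Devices tab
        return self._union("devices")

    @property
    def users(self) -> List[str]:          # the Users tab
        return self._union("users")

    @property
    def mailboxes(self) -> List[str]:      # the Mailboxes tab
        return self._union("mailboxes")

    @property
    def severity(self) -> str:
        return max((a.severity for a in self.alerts), key=SEVERITY_RANK.__getitem__)

    @property
    def tactics(self) -> List[str]:
        """Distinct tactics in order of first appearance."""
        return list(dict.fromkeys(a.tactic for a in self.alerts))

    def entry_point(self) -> Alert:
        """Earliest alert: the best available hint at where the attack started."""
        return min(self.alerts, key=lambda a: a.detected_at)


def correlate(alerts: List[Alert]) -> List[Incident]:
    """Union-find over shared entities: any entity in common puts two alerts in
    the same incident, and the relation is transitive (A~B and B~C => A, B, C)."""
    parent: Dict[str, str] = {a.alert_id: a.alert_id for a in alerts}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving keeps lookups short
            x = parent[x]
        return x

    def union(x: str, y: str) -> None:
        parent[find(y)] = find(x)

    first_alert_for_entity: Dict[str, str] = {}
    for alert in alerts:
        for key in alert.entity_keys():
            if key in first_alert_for_entity:
                union(first_alert_for_entity[key], alert.alert_id)
            else:
                first_alert_for_entity[key] = alert.alert_id

    groups: Dict[str, List[Alert]] = {}
    for alert in alerts:                    # keeps input order inside each group
        groups.setdefault(find(alert.alert_id), []).append(alert)
    return [Incident(n, members) for n, members in enumerate(groups.values(), start=1)]


# Constructed sample: a phishing chain against one user, plus one unrelated hit.
# A3 shares only a device with A2, and A1 shares only a user with A2, so the
# four alerts are linked transitively even though A1 and A3 share nothing.
SAMPLE_ALERTS = [
    Alert("A1", "2021-05-10T08:02:00Z", "Phishing email delivered", "medium", "Initial Access",
          users=frozenset({"alice"}), mailboxes=frozenset({"alice@contoso.com"})),
    Alert("A2", "2021-05-10T08:15:00Z", "Suspicious script launched from Office", "high", "Execution",
          devices=frozenset({"WS-ALICE"}), users=frozenset({"alice"})),
    Alert("A3", "2021-05-10T08:21:00Z", "Credential theft attempt", "high", "Credential Access",
          devices=frozenset({"WS-ALICE"})),
    Alert("A4", "2021-05-10T09:40:00Z", "Anomalous remote logon", "medium", "Lateral Movement",
          devices=frozenset({"SRV-01"}), users=frozenset({"alice"})),
    Alert("A5", "2021-05-10T11:05:00Z", "Malware blocked", "low", "Execution",
          devices=frozenset({"WS-CARL"}), users=frozenset({"carl"})),
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(f"Incident {inc.incident_id} [{inc.severity}] started with {inc.entry_point().alert_id}: "
              f"{len(inc.alerts)} alerts, devices={inc.devices}, users={inc.users}, "
              f"mailboxes={inc.mailboxes}, tactics={inc.tactics}")
```

Running the block yields two incidents: the first holds A1 through A4 with alice, her mailbox, and both WS-ALICE and SRV-01 in scope, the second holds only A5. One property of this model worth keeping in mind when reading real incident queues: because linking is transitive, a single widely shared entity (a service account that appears in many alerts, for instance) will pull otherwise unrelated alerts into one large incident, so the entity lists on the Devices, Users, and Mailboxes tabs are the first place to check when an incident looks broader than the attack it describes.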

Next step

The incident queue on the Incidents page lists the most recent incidents. From here, you can:

  • See which incidents should be prioritized based on severity and other factors.
  • Perform an investigation of an incident.
  • Manage incidents, which includes renaming, assigning, and classifying them, and adding tags for your incident management workflow.