Analyze incidents in Microsoft 365 Defender


The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender

Microsoft 365 Defender aggregates all related alerts, assets, investigations, and evidence from across your devices, users, and mailboxes into an incident to give you a comprehensive look into the entire breadth of an attack.

Within an incident, you analyze the alerts that affect your network, understand what they mean, and collate the evidence so that you can devise an effective remediation plan.

Initial analysis

Before diving into the details, take a look at the properties and summary of the incident.

You can start by selecting the incident from the check mark column. Here's an example.


When you do, a summary pane opens with key information about the incident, such as severity, to whom it is assigned, and the MITRE ATT&CK™ categories for the incident. Here's an example.


From here, you can select Open incident page. This opens the main page for the incident, where you'll find more summary information and tabs for alerts, devices, users, investigations, and evidence.

You can also open the main page for an incident by selecting the incident name from the incident queue.


通过 "摘要 "页面,您可以快速查看有关事件的顶部注意事项。The Summary page gives you a snapshot glance at the top things to notice about the incident.

Microsoft 365 安全中心内事件的"摘要"页面示例

攻击类别可直观和数字地了解攻击对击杀链的进度。The attack categories give you a visual and numeric view of how advanced the attack has progressed against the kill chain. 与其他 Microsoft 安全产品一样,Microsoft 365 Defender 与MITRE ATT&™ CK框架一致。As with other Microsoft security products, Microsoft 365 Defender is aligned to the MITRE ATT&CK™ framework.

“范围” 部分提供了属于此事件的最受影响的资产列表。The scope section gives you a list of top impacted assets that are part of this incident. 如果存在有关此资产的具体信息(例如风险级别、调查优先级以及资产上的任何标记),也将在本节中显示。If there is specific information regarding this asset, such as risk level, investigation priority as well as any tagging on the assets this will also surface in this section.

警报时间线可快速了解警报发生的时间顺序,以及这些警报链接到此事件的原因。The alerts timeline provides a sneak peek into the chronological order in which the alerts occurred, as well as the reasons that these alerts are linked to this incident.

最后 , 证据部分提供事件中包含的不同项目及其修正状态的摘要,以便你可以立即确定你是否需要任何操作。And last - the evidence section provides a summary of how many different artifacts were included in the incident and their remediation status, so you can immediately identify if any action is needed by you.

本概述可通过深入了解应了解的事件主要特征,帮助对事件进行初始会审。This overview can assist in the initial triage of the incident by providing insight into the top characteristics of the incident that you should be aware of.


"警报 "选项卡上,您可以查看警报队列,了解与事件相关的警报及其其他信息,例如:On the Alert tab, you can view the alert queue for alerts related to the incident and other information about them such as:

  • 严重性。Severity.
  • 警报中涉及的实体。The entities that were involved in the alert.
  • Microsoft Defender for Identity、Microsoft Defender for Endpoint、Microsoft Defender for Office 365 (警报的来源) 。The source of the alerts (Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender for Office 365).
  • 链接在一起的原因。The reason they were linked together.

Here's an example.


By default, the alerts are ordered chronologically to allow you to see how the incident played out over time. Selecting an alert takes you to the alert's main page, where you can conduct an in-depth analysis of that alert.

Learn how to use the alert queue and alert pages in Analyze alerts.


" 设备 "选项卡列出了与事件相关的所有设备。The Devices tab lists all the devices related to the incident. 下面是一个示例。Here's an example.


可以选择设备的选中标记以查看设备、目录数据、活动警报和登录用户的详细信息。You can select the check mark for a device to see details of the device, directory data, active alerts, and logged on users. 选择设备名称以查看 Microsoft Defender for Endpoints 设备清单中的设备详细信息。Select the name of the device to see device details in the Microsoft Defender for Endpoints device inventory.

适用于终结点的 Microsoft Defender 的设备页面示例

从设备页面,你可以收集有关设备的其他信息,例如其所有警报、时间线和安全建议。From the device page, you can gather additional information about the device, such as all of its alerts, a timeline, and security recommendations. 例如,从"时间线"选项卡中,你可以滚动浏览计算机时间线,并按时间顺序查看计算机上观测到的所有事件和行为,与所发出警报的交错。For example, from the Timeline tab, you can scroll through the machine timeline and view all events and behaviors observed on the machine in chronological order, interspersed with the alerts raised.


可以在设备页面上执行按需扫描。You can do on-demand scans on a device page. In the Microsoft 365 security center, choose Endpoints > Device inventory.In the Microsoft 365 security center, choose Endpoints > Device inventory. 选择具有警报的设备,然后运行防病毒扫描。Select a device that has alerts, and then run an antivirus scan. 防病毒扫描等操作会进行跟踪,并且显示在"设备清单 "页上。Actions, such as antivirus scans, are tracked and are visible on the Device inventory page. 若要了解更多信息,请参阅 在设备上运行 Microsoft Defender 防病毒扫描To learn more, see Run Microsoft Defender Antivirus scan on devices.


" 用户 "选项卡列出了标识为事件的一部分或与事件相关的所有用户。The Users tab lists all the users that have been identified to be part of or related to the incident. 下面是一个示例。Here's an example.


可以选择用户的选中标记以查看用户帐户威胁、曝光和联系人信息的详细信息。You can select the check mark for a user to see details of the user account threat, exposure, and contact information. 选择用户名以查看其他用户帐户详细信息。Select the user name to see additional user account details.


" 邮箱 "选项卡列出了标识为事件的一部分或与事件相关的所有邮箱。The Mailboxes tab lists all the mailboxes that have been identified to be part of or related to the incident. 下面是一个示例。Here's an example.


您可以选择邮箱的选中标记以查看活动警报列表。You can select the check mark for a mailbox to see a list of active alerts. 选择邮箱名称以查看适用于 Office 365 的 Microsoft Defender 的资源管理器页面上的其他邮箱详细信息。Select the mailbox name to see additional mailbox details on the Explorer page for Microsoft Defender for Office 365.


" 调查 "选项卡列出了此事件中的警报触发的所有自动调查。The Investigations tab lists all the automated investigations triggered by alerts in this incident. 调查将执行修正操作或等待分析员批准操作,具体取决于如何将自动调查配置为在 Microsoft Defender for Endpoint 和 Defender for Office 365 中运行。The investigations will perform remediation actions or wait for analyst approval of actions, depending on how you configured your automated investigations to run in Microsoft Defender for Endpoint and Defender for Office 365.


选择“调查”,以导航到调查详细信息页面,获取有关调查和修复状态的完整信息。Select an investigation to navigate to the Investigation details page to get full information on the investigation and remediation status. 如果有作为调查的一部分等待审批的任何操作,它们将显示在"挂起的操作"选项卡中。采取操作作为事件修正的一部分。If there are any actions pending for approval as part of the investigation, they will appear in the Pending actions tab. Take action as part of incident remediation.

证据和响应Evidence and Response

" 证据和响应 "选项卡显示事件警报中所有受支持的事件和可疑实体。The Evidence and Response tab shows all the supported events and suspicious entities in the alerts in the incident. 下面是一个示例。Here's an example.


Microsoft 365 Defender 自动调查警报中所有事件支持的事件和可疑实体,并提供有关重要电子邮件、文件、流程、服务、IP 地址等的信息。Microsoft 365 Defender automatically investigates all the incidents' supported events and suspicious entities in the alerts, providing you with information about the important emails, files, processes, services, IP Addresses, and more. 这可以帮助您快速检测和阻止事件中的潜在威胁。This helps you quickly detect and block potential threats in the incident.

每个被分析的实体都标记为"恶意 (可疑、) 清理"和修正状态。Each of the analyzed entities is marked with a verdict (Malicious, Suspicious, Clean) and a remediation status. 这可以帮助您了解整个事件的修正状态以及可以采取哪些下一步操作。This helps you understand the remediation status of the entire incident and what next steps can be taken.