Manage incidents in Microsoft 365 Defender

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender

Incident management is critical in ensuring that threats are contained and addressed.

You manage incidents from Incidents & alerts > Incidents on the quick launch of the Microsoft 365 security center (security.microsoft.com). Here's an example.

[Figure: example of the incident queue]

Here are the ways you can manage your incidents:

  • Change the incident name.
  • Add incident tags.
  • Assign the incident to a user account.
  • Resolve it.
  • Set its classification and determination.
  • Add comments.

You can manage incidents from the Manage incident pane for an incident. Here's an example.

[Figure: example of the Manage incident pane for an incident]

You can display this pane from the Manage incident link on the:

  • Properties pane of an incident in the incident queue.
  • Summary page of an incident.

If, while investigating, you want to move alerts from one incident to another, you can also do so from the Alerts tab, thus creating a larger or smaller incident that includes all relevant alerts.

Edit the incident name

Microsoft 365 Defender automatically assigns a name based on alert attributes such as the number of endpoints affected, users affected, detection sources, or categories. This allows you to quickly understand the scope of the incident. For example: Multi-stage incident on multiple endpoints reported by multiple sources.

You can edit the incident name from the Incident name field on the Manage incident pane.

Note

Incidents that existed before the rollout of the automatic incident naming feature will retain their name.

Add incident tags

You can add custom tags to an incident, for example to flag a group of incidents with a common characteristic. You can later filter the incident queue for all incidents that contain a specific tag.

When you start typing, you have the option to select from a list of previously used tags.

Assign incidents

If an incident has not yet been assigned, you can select Assign to and specify the user account. Doing so assigns ownership of the incident and all the alerts associated with it.

Resolve incident

If the incident has been remediated, select Resolve incident to move the toggle to the right. Note that resolving an incident also resolves all the linked and active alerts related to the incident.

An incident that is not resolved displays as Active.

Set the classification and determination

The incident classification records whether it was a true alert or a false alert, which you configure from the Classification field.

If it was a true alert, you should also specify what type of threat it was with the Determination field. Specifying the threat type helps your security team see threat patterns and act to defend your organization from them.

Add comments

You can add multiple comments to an incident with the Comment field. Each comment gets added to the historical events of the incident. You can see the comments and history of an incident from the Comments and history link on the Summary page.
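The sections above describe several actions (assign, resolve, tag, classify, comment, move alerts) whose side effects are easy to get wrong when you automate triage or build a runbook around them: assignment and resolution propagate to linked alerts, resolution only touches alerts that are still active, and every action lands in the incident history. The following is an added example, written for this page and not code from Microsoft 365 Defender or any of its APIs; it is an offline model of those semantics with constructed sample incidents, so the class names, field values and the rule that a moved alert inherits the destination incident's owner are assumptions of the model, not product behaviour.

```python
"""Offline model of the incident-management actions described on this page.

Added example (not Microsoft's code). It encodes the stated semantics:
assigning an incident assigns its alerts, resolving an incident resolves
its linked *active* alerts, tags drive queue filtering, and every action
is appended to the incident history. Sample data is constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Alert:
    alert_id: str
    title: str
    status: str = "Active"                 # "Active" or "Resolved"
    assigned_to: Optional[str] = None


@dataclass
class Incident:
    incident_id: int
    name: str
    alerts: list = field(default_factory=list)
    tags: set = field(default_factory=set)
    assigned_to: Optional[str] = None
    status: str = "Active"                 # "Active" or "Resolved"
    classification: Optional[str] = None   # "True alert" or "False alert"
    determination: Optional[str] = None    # threat type, set for true alerts
    history: list = field(default_factory=list)

    def _log(self, event: str) -> None:
        # Every management action becomes a historical event on the incident.
        self.history.append(event)

    def rename(self, new_name: str) -> None:
        self._log(f"renamed '{self.name}' -> '{new_name}'")
        self.name = new_name

    def add_tag(self, tag: str) -> None:
        self.tags.add(tag)
        self._log(f"tagged {tag}")

    def assign(self, user: str) -> None:
        # Ownership of the incident propagates to all linked alerts.
        self.assigned_to = user
        for alert in self.alerts:
            alert.assigned_to = user
        self._log(f"assigned to {user}")

    def resolve(self) -> int:
        # Resolving the incident resolves only its still-active linked alerts;
        # returns how many alerts changed state.
        changed = 0
        for alert in self.alerts:
            if alert.status == "Active":
                alert.status = "Resolved"
                changed += 1
        self.status = "Resolved"
        self._log(f"resolved ({changed} alerts resolved)")
        return changed

    def classify(self, classification: str, determination: Optional[str] = None) -> None:
        # A true alert should carry a determination so threat patterns are visible later.
        if classification not in ("True alert", "False alert"):
            raise ValueError("classification must be 'True alert' or 'False alert'")
        if classification == "True alert" and determination is None:
            raise ValueError("a true alert should carry a determination (threat type)")
        self.classification = classification
        self.determination = determination if classification == "True alert" else None
        self._log(f"classified {classification}" + (f" / {self.determination}" if self.determination else ""))

    def add_comment(self, author: str, text: str) -> None:
        self._log(f"comment by {author}: {text}")


class IncidentQueue:
    def __init__(self) -> None:
        self.incidents: dict = {}

    def add(self, incident: Incident) -> None:
        self.incidents[incident.incident_id] = incident

    def filter_by_tag(self, tag: str) -> list:
        # Mirrors filtering the incident queue for incidents carrying a tag.
        return sorted(i.incident_id for i in self.incidents.values() if tag in i.tags)

    def move_alert(self, alert_id: str, src_id: int, dst_id: int) -> None:
        # Moving an alert shrinks the source incident and grows the destination.
        src, dst = self.incidents[src_id], self.incidents[dst_id]
        alert = next(a for a in src.alerts if a.alert_id == alert_id)
        src.alerts.remove(alert)
        dst.alerts.append(alert)
        alert.assigned_to = dst.assigned_to   # model assumption: follow destination owner
        src._log(f"alert {alert_id} moved to incident {dst_id}")
        dst._log(f"alert {alert_id} moved from incident {src_id}")


def build_sample_queue() -> IncidentQueue:
    # Constructed sample incidents and alerts, not real data.
    q = IncidentQueue()
    inc1 = Incident(1, "Multi-stage incident on multiple endpoints reported by multiple sources",
                    alerts=[Alert("a1", "Suspicious script execution"),
                            Alert("a2", "Unusual sign-in", status="Resolved"),
                            Alert("a3", "Lateral movement attempt")])
    inc2 = Incident(2, "Phishing email delivered", alerts=[Alert("b1", "Malicious URL clicked")])
    q.add(inc1)
    q.add(inc2)
    inc1.add_tag("campaign-x")
    inc2.add_tag("campaign-x")
    inc2.add_tag("email")
    inc1.assign("analyst@example.com")
    return q
```

Running `build_sample_queue()` and then calling `move_alert`, `resolve` and `classify` on the returned incidents shows the two effects worth remembering from this page: resolving incident 1 reports one alert resolved (the already-resolved alert is untouched), and the history of both incidents records the alert move so an auditor can reconstruct how the incident changed shape.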