View and organize the Microsoft Defender for Endpoint Alerts queue

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

The Alerts queue shows a list of alerts that were flagged from devices in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view. The most recent alerts are shown at the top of the list, so you see the newest alerts first.

Note

The alerts queue is significantly reduced by automated investigation and remediation, allowing security operations experts to focus on more sophisticated threats and other high-value initiatives. When an alert contains an entity supported for automated investigation (for example, a file) on a device with a supported operating system, an automated investigation and remediation can start. For more information on automated investigations, see Overview of Automated investigations.

There are several options you can choose from to customize the alerts queue view.

On the top navigation you can:

  • Select grouped view or list view
  • Customize columns to add or remove columns
  • Select the items to show per page
  • Navigate between pages
  • Apply filters

Image of the alerts queue

Sort, filter, and group the alerts queue

You can apply the following filters to limit the list of alerts and get a more focused view of the alerts.

Severity

| Alert severity | Description |
| --- | --- |
| High (Red) | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on devices. Some examples are: credential theft tool activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary. |
| Medium (Orange) | Alerts from endpoint detection and response post-breach behaviors that might be part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry changes, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be part of an advanced attack. |
| Low (Yellow) | Alerts on threats associated with prevalent malware. For example, hack tools and non-malware hack tools, such as running exploration commands or clearing logs, that often do not indicate an advanced threat targeting the organization. It could also come from isolated security tool testing by a user in your organization. |
| Informational (Grey) | Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues. |

Understanding alert severity

Microsoft Defender Antivirus (Microsoft Defender AV) and Defender for Endpoint alert severities are different because they represent different scopes.

The Microsoft Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual device, if infected.

The Defender for Endpoint alert severity represents the severity of the detected behavior: the actual risk to the device but, more importantly, the potential risk to the organization.

So, for example:

  • The severity of a Defender for Endpoint alert about a Microsoft Defender AV detected threat that was completely prevented and did not infect the device is categorized as "Informational" because there was no actual damage.
  • An alert about commercial malware detected while executing, but blocked and remediated by Microsoft Defender AV, is categorized as "Low" because it may have caused some damage to the individual device but poses no organizational threat.
  • An alert about malware detected while executing which can pose a threat not only to the individual device but to the organization, regardless of whether it was eventually blocked, may be ranked as "Medium" or "High".
  • Suspicious behavioral alerts, which weren't blocked or remediated, will be ranked "Low", "Medium", or "High" following the same organizational threat considerations.

Understanding alert categories

We've redefined the alert categories to align with the enterprise attack tactics in the MITRE ATT&CK matrix. New category names apply to all new alerts. Existing alerts will keep the previous category names.

The table below lists the current categories and how they generally map to previous categories.

| New category | API category name | Detected threat activity or component |
| --- | --- | --- |
| Collection | Collection | Locating and collecting data for exfiltration |
| Command and control | CommandAndControl | Connecting to attacker-controlled network infrastructure to relay data or receive commands |
| Credential access | CredentialAccess | Obtaining valid credentials to extend control over devices and other resources in the network |
| Defense evasion | DefenseEvasion | Avoiding security controls by, for example, turning off security apps, deleting implants, and running rootkits |
| Discovery | Discovery | Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers |
| Execution | Execution | Launching attacker tools and malicious code, including RATs and backdoors |
| Exfiltration | Exfiltration | Extracting data from the network to an external, attacker-controlled location |
| Exploit | Exploit | Exploit code and possible exploitation activity |
| Initial access | InitialAccess | Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails |
| Lateral movement | LateralMovement | Moving between devices in the target network to reach critical resources or gain network persistence |
| Malware | Malware | Backdoors, trojans, and other types of malicious code |
| Persistence | Persistence | Creating autostart extensibility points (ASEPs) to remain active and survive system restarts |
| Privilege escalation | PrivilegeEscalation | Obtaining higher permission levels for code by running it in the context of a privileged process or account |
| Ransomware | Ransomware | Malware that encrypts files and extorts payment to restore access |
| Suspicious activity | SuspiciousActivity | Atypical activity that could be malware activity or part of an attack |
| Unwanted software | UnwantedSoftware | Low-reputation apps and apps that impact productivity and the user experience; detected as potentially unwanted applications (PUAs) |

Status

You can choose to limit the list of alerts based on their status.

Investigation state

Corresponds to the automated investigation state.

Category

You can choose to filter the queue to display specific types of malicious activity.

Assigned to

You can choose between showing alerts that are assigned to you or to automation.

Detection source

Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts-managed hunting service.

Note

The Antivirus filter will only appear if devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product.

| Detection source | API value |
| --- | --- |
| 3rd party sensors | ThirdPartySensors |
| Antivirus | WindowsDefenderAv |
| Automated investigation | AutomatedInvestigation |
| Custom detection | CustomDetection |
| Custom TI | CustomerTI |
| EDR | WindowsDefenderAtp |
| Microsoft 365 Defender | MTP |
| Microsoft Defender for Office 365 | OfficeATP |
| Microsoft Threat Experts | ThreatExperts |
| SmartScreen | WindowsDefenderSmartScreen |
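As an added example (not code from this page or from Microsoft), the following Python maps the display names in the category and detection source tables above to their API names, builds an OData $filter for the alerts API from portal-style selections, and applies the same severity, category and source filters to a constructed set of alerts, newest first. The alert property names severity, category, detectionSource and alertCreationTime, and grouping the grouped view by severity, are assumptions made for the example.

```python
CATEGORY_API = {  # display name -> API name, from the category table
    "Collection": "Collection", "Command and control": "CommandAndControl",
    "Credential access": "CredentialAccess", "Defense evasion": "DefenseEvasion",
    "Discovery": "Discovery", "Execution": "Execution", "Exfiltration": "Exfiltration",
    "Exploit": "Exploit", "Initial access": "InitialAccess", "Lateral movement": "LateralMovement",
    "Malware": "Malware", "Persistence": "Persistence", "Privilege escalation": "PrivilegeEscalation",
    "Ransomware": "Ransomware", "Suspicious activity": "SuspiciousActivity", "Unwanted software": "UnwantedSoftware",
}
DETECTION_SOURCE_API = {  # display name -> API value, from the detection source table
    "3rd party sensors": "ThirdPartySensors", "Antivirus": "WindowsDefenderAv",
    "Automated investigation": "AutomatedInvestigation", "Custom detection": "CustomDetection",
    "Custom TI": "CustomerTI", "EDR": "WindowsDefenderAtp", "Microsoft 365 Defender": "MTP",
    "Microsoft Defender for Office 365": "OfficeATP", "Microsoft Threat Experts": "ThreatExperts",
    "SmartScreen": "WindowsDefenderSmartScreen",
}
SAMPLE_ALERTS = [  # constructed sample alerts in the shape the alerts API returns (not real data)
    {"id": "a1", "severity": "High", "category": "CredentialAccess",
     "detectionSource": "WindowsDefenderAtp", "alertCreationTime": "2021-03-01T10:00:00Z"},
    {"id": "a2", "severity": "Low", "category": "Malware",
     "detectionSource": "WindowsDefenderAv", "alertCreationTime": "2021-03-02T08:30:00Z"},
    {"id": "a3", "severity": "High", "category": "LateralMovement",
     "detectionSource": "ThreatExperts", "alertCreationTime": "2021-03-02T09:00:00Z"},
]

def to_api(values, table):
    """Translate portal display names to API names; a typo raises KeyError instead of matching nothing."""
    return [table[v] if table else v for v in values]

def odata_filter(severities=(), categories=(), sources=()):
    """$filter value for GET /api/alerts (property names severity/category/detectionSource assumed)."""
    clauses = []
    for field, values, table in (("severity", severities, None), ("category", categories, CATEGORY_API),
                                 ("detectionSource", sources, DETECTION_SOURCE_API)):
        api_values = to_api(values, table)
        if api_values:
            clauses.append("(" + " or ".join(f"{field} eq '{v}'" for v in api_values) + ")")
    return " and ".join(clauses)

def queue_view(alerts, severities=(), categories=(), sources=(), grouped=True):
    """Same filters applied locally; newest first; grouped view keyed by severity (assumed grouping)."""
    cats, srcs = set(to_api(categories, CATEGORY_API)), set(to_api(sources, DETECTION_SOURCE_API))
    kept = [a for a in alerts if (not severities or a["severity"] in severities)
            and (not cats or a["category"] in cats) and (not srcs or a["detectionSource"] in srcs)]
    kept.sort(key=lambda a: a["alertCreationTime"], reverse=True)  # UTC ISO-8601 strings sort lexically
    if not grouped:
        return kept
    groups = {}
    for a in kept:
        groups.setdefault(a["severity"], []).append(a)
    return groups
```

Because the mapping raises on an unknown display name, a misspelled filter fails loudly instead of silently returning an empty queue.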

OS platform

Limit the alerts queue view by selecting the OS platform that you're interested in investigating.

Device group

If you have specific device groups that you're interested in checking, you can select the groups to limit the alerts queue view.

Associated threat

Use this filter to focus on alerts that are related to high-profile threats. You can see the full list of high-profile threats in Threat analytics.