Investigate a file associated with a Microsoft Defender for Endpoint alert

Applies to:

Investigate the details of a file associated with a specific alert, behavior, or event to help determine whether the file exhibits malicious activity, identify the attack motivation, and understand the potential scope of the breach.

There are many ways to reach the detailed profile page of a specific file. For example, you can use the search feature, click a link from the Alert process tree, Incident graph, or Artifact timeline, or select an event listed in the Device timeline.

Once on the detailed profile page, you can switch between the new and old page layouts by toggling new File page. The rest of this article describes the newer page layout.

You can get information from the following sections in the file view:

  • File details, Malware detection, File prevalence
  • Alerts
  • Observed in organization
  • Deep analysis
  • File names

You can also take action on a file from this page.

File actions

Response actions are available along the top of the profile page, above the file information cards. Actions you can perform here include:

  • Stop and quarantine
  • Add/edit indicator
  • Download file
  • Consult a threat expert
  • Action center

For more information on these actions, see Take response action on a file.

File details, Malware detection, and File prevalence

The file details, incident, malware detection, and file prevalence cards display various attributes of the file.

You'll see details such as the file's MD5, the VirusTotal detection ratio, the Microsoft Defender AV detection if available, and the file's prevalence.

The file prevalence card shows where the file was seen, both on devices in the organization and worldwide.

Note

Different users may see different values in the devices in organization section of the file prevalence card. This is because the card displays information based on the RBAC scope that the user has. In other words, if a user has been granted visibility on a specific set of devices, they will only see the file's organizational prevalence on those devices.

Image of file information

Alerts

The Alerts tab provides a list of alerts that are associated with the file. This list covers much of the same information as the Alerts queue, except for the device group (if any) that the affected device belongs to. You can choose what kind of information is shown by selecting Customize columns from the toolbar above the column headers.

Image of the alerts related to the file section

Observed in organization

The Observed in organization tab allows you to specify a date range to see which devices have been observed with the file.

Note

This tab shows a maximum of 100 devices. To see all devices with the file, export the tab to a CSV file by selecting Export from the action menu above the tab's column headers.

Image of the most recent devices observed with the file

Use the slider or the range selector to quickly specify a time period that you want to check for events involving the file. You can specify a time window as small as a single day. This allows you to see only files that communicated with that IP address at that time, drastically reducing unnecessary scrolling and searching.

Deep analysis

The Deep analysis tab allows you to submit the file for deep analysis, to uncover more details about the file's behavior as well as the effect it is having within your organization. After you submit the file, the deep analysis report appears in this tab once results are available. If deep analysis did not find anything, the report will be empty and the results space will remain blank.

Image of the deep analysis tab

File names

The File names tab lists all names the file has been observed to use within your organization.

Image of the file names tab