Create and manage device groups

Applies to:

  • Azure Active Directory
  • Office 365

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

In an enterprise scenario, security operation teams are typically assigned a set of devices. These devices are grouped together based on a set of attributes such as their domains, computer names, or designated tags.

In Microsoft Defender for Endpoint, you can create device groups and use them to:

  • Limit access to related alerts and data to specific Azure AD user groups with assigned RBAC roles
  • Configure different auto-remediation settings for different sets of devices
  • Assign specific remediation levels to apply during automated investigations
  • In an investigation, filter the Devices list to specific device groups by using the Group filter.

You can create device groups in the context of role-based access (RBAC) to control who can take specific actions or see information by assigning the device group(s) to a user group. For more information, see Manage portal access using role-based access control.

Tip

For a comprehensive look into RBAC application, read: Is your SOC running flat with RBAC.

As part of the process of creating a device group, you'll:

  • Set the automated remediation level for that group. For more information on remediation levels, see Use Automated investigation to investigate and remediate threats.
  • Specify the matching rule that determines which devices belong to the group based on the device name, domain, tags, and OS platform. If a device is also matched to other groups, it's added only to the highest ranked device group.
  • Select the Azure AD user group that should have access to the device group.
  • Rank the device group relative to other groups after it's created.

Note

A device group is accessible to all users if you don’t assign any Azure AD groups to it.

Create a device group

  1. In the navigation pane, select Settings > Endpoints > Permissions > Device groups.

  2. Click Add device group.

  3. Enter the group name and automation settings and specify the matching rule that determines which devices belong to the group. See How the automated investigation starts.

    Tip

    If you want to group devices by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see Create and manage device tags.

  4. Preview several devices that will be matched by this rule. If you're satisfied with the rule, click the User access tab.

  5. Assign the user groups that can access the device group you created.

    Note

    You can only grant access to Azure AD user groups that have been assigned to RBAC roles.

  6. Click Close. The configuration changes are applied.

Manage device groups

You can promote or demote the rank of a device group so that it's given higher or lower priority during matching. When a device is matched to more than one group, it's added only to the highest ranked group. You can also edit and delete groups.

Warning

Deleting a device group may affect email notification rules. If a device group is configured under an email notification rule, it will be removed from that rule. If the device group is the only group configured for an email notification, that email notification rule will be deleted along with the device group.

By default, device groups are accessible to all users with portal access. You can change the default behavior by assigning Azure AD user groups to the device group.

Devices that aren't matched to any groups are added to the Ungrouped devices (default) group. You cannot change the rank of this group or delete it. However, you can change the remediation level of this group, and define the Azure AD user groups that can access this group.

Note

Applying changes to device group configuration may take up to several minutes.

Add device group definitions

Device group definitions can also include multiple values for each condition. You can set multiple tags, device names, and domains to the definition of a single device group.

  1. Create a new device group, then select the Devices tab.
  2. Add the first value for one of the conditions.
  3. Select + to add more rows of the same property type.

Tip

Use the 'OR' operator between rows of the same condition type, which allows multiple values per property. You can add up to 10 rows (values) for each property type: tag, device name, domain.

For more information on linking to device groups definitions, see Device groups - Microsoft 365 security.
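The ranking, default-group and access rules described on this page can be checked offline before a rule set is entered in the portal. The following is an added example, not Microsoft's code or API: it models rank-ordered matching, the OR between rows of one property type, the fallback to Ungrouped devices (default), and flags groups left open to all portal users. Assumptions: values are compared by case-insensitive equality, different property types are combined with AND, and all group, tag, domain and device names are constructed.

```python
# Added example: a local model of device-group matching, not Microsoft's code.
from dataclasses import dataclass, field

MAX_ROWS = 10  # the page allows up to 10 rows (values) per property type
DEFAULT_GROUP = "Ungrouped devices (default)"

@dataclass
class DeviceGroup:
    name: str
    rank: int                                        # 1 = highest rank
    rules: dict = field(default_factory=dict)        # property type -> list of rows
    user_groups: list = field(default_factory=list)  # assigned Azure AD user groups

    def matches(self, device: dict) -> bool:
        for prop, rows in self.rules.items():
            if len(rows) > MAX_ROWS:
                raise ValueError(f"{self.name}: more than {MAX_ROWS} rows for {prop}")
            wanted = {v.lower() for v in rows}
            have = device.get(prop, [])
            have = [have] if isinstance(have, str) else have
            # Rows of the same property type are ORed (per the page).
            if not wanted & {v.lower() for v in have}:
                return False  # assumption: different property types are ANDed
        return True

def assign(device: dict, groups: list) -> str:
    """Return the single group a device lands in: the highest ranked match."""
    for g in sorted(groups, key=lambda g: g.rank):
        if g.matches(device):
            return g.name
    return DEFAULT_GROUP

def open_to_all(groups: list) -> list:
    """Groups with no Azure AD user group assigned are visible to every portal user."""
    return [g.name for g in groups if not g.user_groups]

# Constructed sample data (hypothetical names, tags and domains).
GROUPS = [
    DeviceGroup("Tier0-Servers", 1, {"tag": ["tier0", "pki"]}, ["SOC-Tier3"]),
    DeviceGroup("EU-Workstations", 2, {"domain": ["eu.example.test"], "os": ["Windows10"]}, []),
    DeviceGroup("All-Windows", 3, {"os": ["Windows10", "WindowsServer2019"]}, ["SOC-Tier1"]),
]
DEVICES = [
    {"name": "dc01", "domain": "eu.example.test", "os": "WindowsServer2019", "tag": ["PKI"]},
    {"name": "wks7", "domain": "eu.example.test", "os": "Windows10", "tag": []},
    {"name": "wks9", "domain": "us.example.test", "os": "Windows10", "tag": []},
    {"name": "mac3", "domain": "us.example.test", "os": "macOS", "tag": []},
]

if __name__ == "__main__":
    for d in DEVICES:
        print(f"{d['name']:6} -> {assign(d, GROUPS)}")
    print("No Azure AD group assigned (open to all portal users):", open_to_all(GROUPS))
```

Note that dc01 also satisfies the All-Windows rule but lands only in Tier0-Servers because of rank, so swapping the ranks would silently move it under a different user group's visibility and remediation level.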