Review remediation actions following an automated investigation

Remediation actions

When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be Malicious, Suspicious, or No threats found.

Depending on

  • the type of threat,
  • the resulting verdict, and
  • how your organization's device groups are configured,

remediation actions can occur automatically or only upon approval by your organization's security operations team.

Here are a few examples:

  • Example 1: Fabrikam's device groups are set to Full - remediate threats automatically (the recommended setting). In this case, remediation actions are taken automatically for artifacts that are considered to be malicious following an automated investigation (see Review completed actions).

  • Example 2: Contoso's devices are included in a device group that is set to Semi - require approval for any remediation. In this case, Contoso's security operations team must review and approve all remediation actions following an automated investigation (see Review pending actions).

  • Example 3: Tailspin Toys has its device groups set to No automated response (not recommended). In this case, automated investigations do not occur. No remediation actions are taken or pending, and no actions are logged in the Action center for their devices (see Manage device groups).

Whether taken automatically or upon approval, an automated investigation can result in one or more of the following remediation actions:

  • Quarantine a file
  • Remove a registry key
  • Kill a process
  • Stop a service
  • Disable a driver
  • Remove a scheduled task

Review pending actions

  1. Go to the Microsoft 365 security center (https://security.microsoft.com) and sign in.
  2. In the navigation pane, choose Action center.
  3. Review the items on the Pending tab.
  4. Select an action to open its flyout pane.
  5. In the flyout pane, review the information, and then take one of the following steps:
    • Select Open investigation page to view more details about the investigation.
    • Select Approve to initiate a pending action.
    • Select Reject to prevent a pending action from being taken.
    • Select Go hunt to go into Advanced hunting.

Review completed actions

  1. Go to the Microsoft 365 security center (https://security.microsoft.com) and sign in.
  2. In the navigation pane, choose Action center.
  3. Review the items on the History tab.
  4. Select an item to view more details about that remediation action.

Undo completed actions

If you've determined that a device or a file is not a threat, you can undo remediation actions that were taken, whether those actions were taken automatically or manually. In the Action center, on the History tab, you can undo any of the following actions:

Action source:
  • Automated investigation
  • Microsoft Defender Antivirus
  • Manual response actions

Supported actions:
  • Isolate device
  • Restrict code execution
  • Quarantine a file
  • Remove a registry key
  • Stop a service
  • Disable a driver
  • Remove a scheduled task

To undo multiple actions at one time

  1. Go to the Action center (https://security.microsoft.com/action-center) and sign in.
  2. On the History tab, select the actions that you want to undo. Make sure to select items that have the same Action type. A flyout pane opens.
  3. In the flyout pane, select Undo.

To remove a file from quarantine across multiple devices

  1. Go to the Action center (https://security.microsoft.com/action-center) and sign in.
  2. On the History tab, select an item that has the Action type Quarantine file.
  3. In the flyout pane, select Apply to X more instances of this file, and then select Undo.

Automation levels, automated investigation results, and resulting actions

Automation levels affect whether certain remediation actions are taken automatically or only upon approval. Sometimes your security operations team has more steps to take, depending on the results of an automated investigation. The following table summarizes automation levels, results of automated investigations, and what to do in each case.

| Device group setting | Automated investigation results | What to do |
|---|---|---|
| Full - remediate threats automatically (the recommended setting) | A verdict of Malicious is reached for a piece of evidence. Appropriate remediation actions are taken automatically. | Review completed actions |
| Full - remediate threats automatically | A verdict of Suspicious is reached for a piece of evidence. Remediation actions are pending approval to proceed. | Approve (or reject) pending actions |
| Semi - require approval for any remediation | A verdict of either Malicious or Suspicious is reached for a piece of evidence. Remediation actions are pending approval to proceed. | Approve (or reject) pending actions |
| Semi - require approval for core folders remediation | A verdict of Malicious is reached for a piece of evidence. If the artifact is a file or executable and is in an operating system directory, such as the Windows folder or the Program Files folder, then remediation actions are pending approval. If the artifact is not in an operating system directory, remediation actions are taken automatically. | 1. Approve (or reject) pending actions. 2. Review completed actions |
| Semi - require approval for core folders remediation | A verdict of Suspicious is reached for a piece of evidence. Remediation actions are pending approval. | Approve (or reject) pending actions |
| Semi - require approval for non-temp folders remediation | A verdict of Malicious is reached for a piece of evidence. If the artifact is a file or executable that is not in a temporary folder, such as the user's Downloads folder or temp folder, remediation actions are pending approval. If the artifact is a file or executable that is in a temporary folder, remediation actions are taken automatically. | 1. Approve (or reject) pending actions. 2. Review completed actions |
| Semi - require approval for non-temp folders remediation | A verdict of Suspicious is reached for a piece of evidence. Remediation actions are pending approval. | Approve (or reject) pending actions |
| Any of the Full or Semi automation levels | A verdict of No threats found is reached for a piece of evidence. No remediation actions are taken, and no actions are pending approval. | View details and results of automated investigations |
| No automated response (not recommended) | No automated investigations run, so no verdicts are reached, and no remediation actions are taken or awaiting approval. | Consider setting up or changing your device groups to use Full or Semi automation |
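The rules in the table above are a decision procedure. As an added example (not part of this page and not Microsoft's code), the following Python model encodes them so a security operations team can predict which evidence will land on the Pending tab before changing a device group's automation level; the folder lists for "operating system directory" and "temporary folder" are assumptions drawn from the page's own examples.

```python
# Added illustration of the automation-level rules on this page, not Microsoft's
# code. Folder lists are assumptions based on the page's examples (Windows and
# Program Files as OS directories; Downloads and temp as temporary folders).
FULL = "Full - remediate threats automatically"
SEMI_ANY = "Semi - require approval for any remediation"
SEMI_CORE = "Semi - require approval for core folders remediation"
SEMI_NONTEMP = "Semi - require approval for non-temp folders remediation"
NO_RESPONSE = "No automated response"
VERDICTS = ("Malicious", "Suspicious", "No threats found")
OS_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\downloads\\")


def _norm(path):
    # Normalise a Windows path for case-insensitive prefix/substring checks.
    return path.replace("/", "\\").lower()


def in_os_dir(path):
    return any(_norm(path).startswith(d) for d in OS_DIRS)


def in_temp_dir(path):
    return any(m in _norm(path) for m in TEMP_MARKERS)


def expected_outcome(level, verdict, artifact_path=None):
    """Return 'automatic', 'pending' or 'none' for one piece of evidence.

    artifact_path is the file path for file/executable artifacts and None for
    other artifact types (process, service, registry key, scheduled task).
    """
    if verdict not in VERDICTS:
        raise ValueError(f"unknown verdict: {verdict}")
    if level == NO_RESPONSE or verdict == "No threats found":
        return "none"  # no investigation ran, or nothing to remediate
    if verdict == "Suspicious" or level == SEMI_ANY:
        return "pending"  # Suspicious always waits; Semi-any always waits
    if level == FULL:
        return "automatic"  # Malicious under Full needs no approval
    if level == SEMI_CORE:  # only files inside an OS directory wait
        return "pending" if artifact_path and in_os_dir(artifact_path) else "automatic"
    if level == SEMI_NONTEMP:  # only files inside a temp folder are automatic;
        # a non-file artifact has no folder, so it is treated as non-temp (assumption)
        return "automatic" if artifact_path and in_temp_dir(artifact_path) else "pending"
    raise ValueError(f"unknown automation level: {level}")


def pending_queue(level, evidence):
    """Evidence records (dicts with 'verdict' and optional 'path') that would
    land on the Action center's Pending tab under the given automation level."""
    return [e for e in evidence
            if expected_outcome(level, e["verdict"], e.get("path")) == "pending"]
```

Running `pending_queue` over the same constructed evidence set under each level shows how much approval work each setting creates for the team.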

In Microsoft Defender for Endpoint, all verdicts are tracked in the Action center.
