Get expert training on advanced hunting

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender
  • Microsoft Defender for Endpoint

Boost your knowledge of advanced hunting quickly with Tracking the adversary, a webcast series for new security analysts and seasoned threat hunters. The series guides you through the basics all the way to creating your own sophisticated queries. Start with the first video on fundamentals, or jump to the more advanced videos that suit your level of experience.

| Title | Description | Watch | Queries |
|---|---|---|---|
| Episode 1: KQL fundamentals | This episode covers the basics of advanced hunting in Microsoft 365 Defender. Learn about the available advanced hunting data and basic KQL syntax and operators. | YouTube (54:14) | Text file |
| Episode 2: Joins | Continue learning about data in advanced hunting and how to join tables together. Learn about inner, outer, unique, and semi joins, and understand the nuances of the default Kusto innerunique join. | YouTube (53:33) | Text file |
| Episode 3: Summarizing, pivoting, and visualizing data | Now that you've learned to filter, manipulate, and join data, it's time to summarize, quantify, pivot, and visualize. This episode discusses the summarize operator and various calculations, while introducing additional tables in the schema. You'll also learn to turn datasets into charts that can help you extract insight. | YouTube (48:52) | Text file |
| Episode 4: Let's hunt! Applying KQL to incident tracking | In this episode, you learn to track some attacker activity. We use our improved understanding of Kusto and advanced hunting to track an attack. Learn actual tricks used in the field, including the ABCs of cybersecurity and how to apply them to incident response. | YouTube (59:36) | Text file |
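The innerunique nuance that Episode 2 calls out is easy to miss in a real hunt: a plain `join` keeps only one left-side row per key value, so duplicate logons sharing a key quietly drop out of the result. The query below is an added, self-contained example (it is not one of the Tracking the adversary query files and not Microsoft's code). Both inputs are constructed in-line with `datatable`, and the column names are chosen to mirror the DeviceLogonEvents and DeviceProcessEvents schema; with the default join, alice appears once, with `kind=inner` she appears twice, and bob appears once either way. The summarize at the end is the Episode 3 technique applied to the same data.

```kusto
// Added example, not from the Tracking the adversary query files.
// Logons and Procs are constructed with datatable so the query runs without
// tenant data; column names mirror DeviceLogonEvents / DeviceProcessEvents
// (LogonId, AccountName, LogonType, RemoteIP, FileName).
let Logons = datatable(LogonId:string, AccountName:string, LogonType:string, RemoteIP:string)
[
    "0x1a2b", "alice", "Network",           "10.0.0.5",
    "0x1a2b", "alice", "RemoteInteractive", "10.0.0.9",
    "0x3c4d", "bob",   "Interactive",       ""
];
let Procs = datatable(LogonId:string, FileName:string)
[
    "0x1a2b", "powershell.exe",
    "0x3c4d", "notepad.exe"
];
// A bare "join" is innerunique: Kusto keeps one left row per key value, so
// one of alice's two logons never reaches the result. kind=inner keeps both.
union
    (Logons | join Procs on LogonId            | extend JoinKind = "innerunique (default)"),
    (Logons | join kind=inner Procs on LogonId | extend JoinKind = "inner")
// Summarize per join flavour and account: Rows shows how many logons survived,
// the make_set columns show which LogonType / RemoteIP values were retained.
| summarize Rows = count(), LogonTypes = make_set(LogonType), RemoteIPs = make_set(RemoteIP)
    by JoinKind, AccountName
| sort by JoinKind asc, AccountName asc
```

To run the same comparison against real data, substitute DeviceLogonEvents for Logons and DeviceProcessEvents for Procs (both tables carry a LogonId column) and add a time filter such as `| where Timestamp > ago(1d)` on each side before the join. Keep the whole statement free of blank lines so the query editor treats it as a single query when you place the cursor in it and select Run query.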

Get more expert training with L33TSP3AK: Advanced hunting in Microsoft 365 Defender, a webcast series for analysts looking to expand their technical knowledge and practical skills in conducting security investigations using advanced hunting in Microsoft 365 Defender.

| Title | Description | Watch | Queries |
|---|---|---|---|
| Episode 1 | In this episode, you will learn different best practices for running advanced hunting queries. Among the topics covered are how to optimize your queries, use advanced hunting for ransomware, handle JSON as a dynamic type, and work with external data operators. | YouTube (56:34) | Text file |
| Episode 2 | In this episode, you will learn how to investigate and respond to suspicious or unusual logon locations and to data exfiltration via inbox forwarding rules. Sebastien Molendijk, Senior Program Manager for Cloud Security CxE, shares how to use advanced hunting to investigate multi-stage incidents with Microsoft Cloud App Security data. | YouTube (57:07) | Text file |

How to use the CSL file

Before starting an episode, access the corresponding text file on GitHub and copy its contents into the advanced hunting query editor. As you watch the episode, you can use the copied contents to follow the speaker and run the queries.

The following excerpt from one of the query text files shows the guidance that accompanies each query, written as comments beginning with //:

// DeviceLogonEvents
// A table containing a row for each logon on a device enrolled in Microsoft Defender for Endpoint
// Contains
// - Account information associated with the logon
// - The device which the account logged onto
// - The process which performed the logon
// - Network information (for network logons)
// - Timestamp

The same text file includes queries before and after the comments, as shown below. When the editor contains several queries, run a specific one by moving the cursor into that query and selecting Run query.

DeviceLogonEvents
| count

// DeviceLogonEvents
// A table containing a row for each logon on a device enrolled in Microsoft Defender for Endpoint
// Contains
// - Account information associated with the logon
// - The device which the account logged onto
// - The process which performed the logon
// - Network information (for network logons)
// - Timestamp

CloudAppEvents
| take 100
| sort by Timestamp desc