Extend advanced hunting coverage with the right settings

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender
  • Microsoft Defender for Endpoint

Advanced hunting relies on data coming from various sources, including your devices, your Office 365 workspaces, Azure AD, and Microsoft Defender for Identity. To get the most comprehensive data possible, ensure that you have the correct settings in the corresponding data sources.

Advanced security auditing on Windows devices

Turn on these advanced auditing settings to ensure you get data about activities on your devices, including local account management, local security group management, and service creation.

Data: Account management
Description: Events captured as various ActionType values indicating local account creation, deletion, and other account-related activities
Schema table: DeviceEvents
How to configure:
  • Deploy an advanced security audit policy: Audit User Account Management
  • Learn about advanced security audit policies

Data: Security group management
Description: Events captured as various ActionType values indicating local security group creation and other local group management activities
Schema table: DeviceEvents
How to configure:
  • Deploy an advanced security audit policy: Audit Security Group Management
  • Learn about advanced security audit policies

Data: Service installation
Description: Events captured with the ActionType value ServiceInstalled, indicating that a service has been created
Schema table: DeviceEvents
How to configure:
  • Deploy an advanced security audit policy: Audit Security System Extension
  • Learn about advanced security audit policies
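As an added example (not code from the Microsoft documentation page or any Microsoft tool), the following PowerShell script reads the effective audit setting for the three subcategories named above (User Account Management, Security Group Management, Security System Extension, which are the names auditpol uses for the policies in the table) and enables Success and Failure auditing wherever it is not already on. It assumes an elevated PowerShell session on the Windows device being checked.

```powershell
# Added example: verify and enable the advanced audit subcategories that feed
# local account, security group and service-installation events into the
# DeviceEvents table. Requires an elevated session (auditpol needs admin rights).

# Subcategory names as auditpol reports them (assumed mapping to the table above)
$required = @(
    'User Account Management',    # local account creation/deletion/changes
    'Security Group Management',  # local security group management
    'Security System Extension'   # service installation (ActionType ServiceInstalled)
)

function Get-AuditSubcategoryState {
    param([Parameter(Mandatory)][string]$Name)
    # auditpol /r emits CSV; drop blank lines before parsing and return the
    # "Inclusion Setting" column (e.g. "No Auditing", "Success", "Success and Failure")
    $rows = auditpol /get /subcategory:"$Name" /r |
        Where-Object { $_.Trim() } |
        ConvertFrom-Csv
    return $rows.'Inclusion Setting'
}

function Enable-AuditSubcategory {
    param([Parameter(Mandatory)][string]$Name)
    auditpol /set /subcategory:"$Name" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol failed to set '$Name' (exit code $LASTEXITCODE)"
    }
}

foreach ($sub in $required) {
    $state = Get-AuditSubcategoryState -Name $sub
    if ($state -eq 'Success and Failure') {
        Write-Host "[OK]   $sub is already '$state'"
    }
    else {
        Write-Host "[FIX]  $sub is '$state' - enabling Success and Failure"
        Enable-AuditSubcategory -Name $sub
        Write-Host "       now '$(Get-AuditSubcategoryState -Name $sub)'"
    }
}
```

A local auditpol change is overwritten the next time a Group Policy or MDM audit policy that covers these subcategories is applied, so for a fleet the durable fix is the advanced security audit policy deployment the table links to; the script is most useful for confirming what a device actually has in effect when the expected DeviceEvents rows are missing in advanced hunting.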

Microsoft Defender for Identity sensor on the domain controller

If you're running Active Directory on premises, you need to install the Microsoft Defender for Identity sensor on the domain controller to get data for Microsoft Defender for Identity. When installed and properly configured, this data also feeds into advanced hunting through Microsoft Defender for Identity and provides a more holistic picture of identity information and events in your network. This data also enhances the ability of Microsoft Defender for Identity to generate relevant alerts, which are also covered by advanced hunting.

Data: Domain controller
Description: Data from on-premises Active Directory sent to Microsoft Defender for Identity, enriching identity-related information such as account details, logon activity, and Active Directory queries
Schema table: Multiple tables, including IdentityInfo, IdentityLogonEvents, and IdentityQueryEvents
How to configure:
  • Install the Microsoft Defender for Identity sensor
  • Turn on relevant Windows Events

Note

Some tables in this article might not be available in Microsoft Defender for Endpoint. Turn on Microsoft 365 Defender to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in Migrate advanced hunting queries from Microsoft Defender for Endpoint.