Quickly hunt for entity or event information with go hunt

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender
  • Microsoft Defender for Endpoint

With the go hunt action, you can quickly investigate events and various entity types using powerful query-based advanced hunting capabilities. This action automatically runs an advanced hunting query to find relevant information about the selected event or entity.

The go hunt action is available in various sections of the security center whenever event or entity details are displayed. For example, you can use go hunt from the following sections:

  • In the incident page, you can review details about users, devices, and many other entities associated with an incident. As you select an entity, you get additional information as well as various actions you could take on that entity. In the example below, a mailbox is selected, showing details about the mailbox as well as the option to hunt for more information about the mailbox.

    Image showing mailbox details with the go hunt option

  • In the incident page, you can also access a list of entities under the evidence tab. Selecting one of those entities provides an option to quickly hunt for information about that entity.

    Image showing a selected file in the evidence tab with the go hunt option

  • When viewing the timeline for a device, you can select an event in the timeline to view additional information about that event. Once an event is selected, you get the option to hunt for other relevant events in advanced hunting.

    Image of event details showing the go hunt option

Selecting Go hunt or Hunt for related events passes different queries, depending on whether you've selected an entity or an event.

Query for entity information

When using go hunt to query for information about a user, device, or any other type of entity, the query checks all relevant schema tables for any events involving that entity. To keep the results manageable, the query is scoped to around the same time period as the earliest activity in the past 30 days that involves the entity and is associated with the incident.

Here is an example of the go hunt query for a device:

// List events involving the selected device within 1 hour of the selected timestamp
let selectedTimestamp = datetime(2020-06-02T02:06:47.1167157Z);
let deviceName = "fv-az770.example.com";
let deviceId = "device-guid";
search in (DeviceLogonEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceImageLoadEvents, DeviceEvents, IdentityLogonEvents, IdentityQueryEvents)
    Timestamp between ((selectedTimestamp - 1h) .. (selectedTimestamp + 1h))
    and DeviceName == deviceName
    // or RemoteDeviceName == deviceName
    // or DeviceId == deviceId
| take 100

Supported entity types

You can use go hunt after selecting any of these entity types:

  • Files
  • Emails
  • Email clusters
  • Mailboxes
  • Users
  • Devices
  • IP addresses
  • URLs

Query for event information

When using go hunt to query for information about a timeline event, the query checks all relevant schema tables for other events around the time of the selected event. For example, the following query lists events in various schema tables that occurred around the same time period on the same device:

// List relevant events 30 minutes before and after selected LogonAttempted event
let selectedEventTimestamp = datetime(2020-06-04T01:29:09.2496688Z);
search in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents, DeviceLogonEvents)
    Timestamp between ((selectedEventTimestamp - 30m) .. (selectedEventTimestamp + 30m))
    and DeviceId == "079ecf9c5798d249128817619606c1c47369eb3e"
| sort by Timestamp desc
| extend Relevance = iff(Timestamp == selectedEventTimestamp, "Selected event", iff(Timestamp < selectedEventTimestamp, "Earlier event", "Later event"))
| project-reorder Relevance

Adjust the query

With some knowledge of the query language, you can adjust the query to your preference. For example, you can adjust this line, which determines the size of the time window:

Timestamp between ((selectedTimestamp - 1h) .. (selectedTimestamp + 1h))
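As an added example (not from the original page or the product's generated query), here is the device query above adjusted in two ways: the window is widened to 6 hours on either side, and the alternative match conditions that the generated query leaves commented out are enabled. Because a wider window returns far more rows than `take 100` can show, the results are summarised per source table and by whether they precede or follow the selected timestamp. The timestamp, device name and device ID are constructed placeholder values.

```kusto
// Constructed placeholder values; substitute those from the selected entity
let selectedTimestamp = datetime(2020-06-02T02:06:47.1167157Z);
let deviceName = "fv-az770.example.com";
let deviceId = "device-guid";
let window = 6h;   // widened from the default 1h on either side
search in (DeviceLogonEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceImageLoadEvents, DeviceEvents, IdentityLogonEvents, IdentityQueryEvents)
    Timestamp between ((selectedTimestamp - window) .. (selectedTimestamp + window))
    // Match the device as the local host, as the remote end of a connection, or by ID;
    // a column that a given table lacks simply does not match
    and (DeviceName == deviceName or RemoteDeviceName == deviceName or DeviceId == deviceId)
// Label each row relative to the selected timestamp, as the event query does
| extend Relevance = iff(Timestamp < selectedTimestamp, "Before selected activity", "After selected activity")
// Summarise per source table ($table is populated by the search operator) instead of taking 100 raw rows
| summarize EventCount = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by $table, Relevance
| sort by EventCount desc
```

Once the summary shows which tables and which side of the timestamp hold the volume, narrow the window again and drop the summarize step to inspect the individual rows.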

In addition to modifying the query to get more relevant results, you can also:

Note

Some tables in this article might not be available in Microsoft Defender for Endpoint. Turn on Microsoft 365 Defender to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in Migrate advanced hunting queries from Microsoft Defender for Endpoint.