使用 Microsoft 365 Defender 中的高級搜尋主動搜尋威脅Proactively hunt for threats with advanced hunting in Microsoft 365 Defender


改良的 Microsoft 365 安全性中心現在可用。The improved Microsoft 365 security center is now available. 這個新的體驗會將適用於端點的 Defender、適用於 Office 365 的 Defender、Microsoft 365 Defender 和更多功能帶到 Microsoft 365 安全性中心。This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. 了解新功能Learn what's new.

適用於:Applies to:

  • Microsoft 365 DefenderMicrosoft 365 Defender

想要體驗 Microsoft 365 Defender 嗎?Want to experience Microsoft 365 Defender? 您可以在實驗室環境中評估在生產環境中執行試驗專案You can evaluate it in a lab environment or run your pilot project in production.

進階搜捕是一種查詢式威脅搜捕工具,可讓您探索最多 30 天的原始資料。Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. 您可以主動檢查您網路中的事件,以找出威脅指示器和實體。You can proactively inspect events in your network to locate threat indicators and entities. 對資料的靈活存取可對已知和潛在的威脅進行無限制的搜尋。The flexible access to data enables unconstrained hunting for both known and potential threats.

您可以使用相同的威脅搜尋查詢來建立自訂的偵測規則。You can use the same threat-hunting queries to build custom detection rules. 這些規則會自動執行,以檢查是否有可疑的破壞活動、錯誤設定的機器及其他發現的回應。These rules run automatically to check for and then respond to suspected breach activity, misconfigured machines, and other findings.

這項功能類似于 Microsoft Defender For Endpoint 中的高級搜尋This capability is similar to advanced hunting in Microsoft Defender for Endpoint. 可在 Microsoft 365 的安全性中心使用此功能,可支援從下列專案中檢查更廣泛資料集的查詢:Available in Microsoft 365 security center, this capability supports queries that check a broader data set from:

  • 適用於端點的 Microsoft DefenderMicrosoft Defender for Endpoint
  • 適用於 Office 365 的 Microsoft DefenderMicrosoft Defender for Office 365
  • Microsoft Cloud App SecurityMicrosoft Cloud App Security
  • 適用於身分識別的 Microsoft DefenderMicrosoft Defender for Identity

若要使用高級搜尋,請 開啟 Microsoft 365 DefenderTo use advanced hunting, turn on Microsoft 365 Defender.

開始使用進階搜捕Get started with advanced hunting

我們建議您逐步完成一些步驟,快速開始使用高級搜尋。We recommend going through several steps to quickly get started with advanced hunting.

學習目標Learning goal 描述Description 資源Resource
瞭解語言Learn the language 「高級搜尋」是以 Kusto 查詢語言為基礎,支援相同的語法及運算子。Advanced hunting is based on Kusto query language, supporting the same syntax and operators. 執行您的第一個查詢來開始學習查詢語言。Start learning the query language by running your first query. 查詢語言概觀Query language overview
瞭解如何使用查詢結果Learn how to use the query results 深入瞭解圖表和您可以查看或匯出結果的各種方式。Learn about charts and various ways you can view or export your results. 探索您如何快速調整查詢、深入查看以取得更豐富的資訊,以及採取回應動作。Explore how you can quickly tweak queries, drill down to get richer information, and take response actions. - 使用查詢結果- Work with query results
- 對查詢結果採取動作- Take action on query results
了解結構描述Understand the schema 深入了解結構描述中的資料表和資料行。Get a good, high-level understanding of the tables in the schema and their columns. 瞭解在建立查詢時要尋找資料的位置。Learn where to look for data when constructing your queries. - 架構參考- Schema reference
- 從 Microsoft Defender for Endpoint 轉換- Transition from Microsoft Defender for Endpoint
取得專家秘訣和範例Get expert tips and examples 透過 Microsoft 專家的指南訓練。Train for free with guides from Microsoft experts. 探索涵蓋不同威脅搜捕案例的預先定義查詢集合。Explore collections of predefined queries covering different threat hunting scenarios. - 取得專家訓練- Get expert training
- 使用共用查詢- Use shared queries
- 開始搜尋- Go hunt
- 尋找跨裝置、電子郵件、應用程式和身分識別的威脅- Hunt for threats across devices, emails, apps, and identities
優化查詢並處理錯誤Optimize queries and handle errors 瞭解如何建立高效且無錯誤的查詢。Understand how to create efficient and error-free queries. - 查詢最佳作法- Query best practices
- 處理錯誤- Handle errors
建立自訂偵測規則Create custom detection rules 瞭解您可以如何使用高級搜尋查詢來觸發提醒並自動採取回應動作。Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically. - 自訂偵測簡介- Custom detections overview
- 自訂偵測規則- Custom detection rules

取得存取權Get access

若要使用高級搜尋或其他 Microsoft 365 Defender 功能,您需要在 Azure Active Directory 中使用適當的角色。To use advanced hunting or other Microsoft 365 Defender capabilities, you need an appropriate role in Azure Active Directory. 閱讀高級搜尋所需的角色和許可權Read about required roles and permissions for advanced hunting.

此外,您可以使用 Microsoft Defender for Endpoint 中的角色型存取控制 (RBAC) 設定來決定您對端點資料的存取。Also, your access to endpoint data is determined by role-based access control (RBAC) settings in Microsoft Defender for Endpoint. 閱讀管理 Microsoft 365 Defender 存取的相關資訊Read about managing access to Microsoft 365 Defender.

資料新鮮度和更新頻率Data freshness and update frequency

「高級搜尋」資料可以分類成兩種不同的類型,每個不同的合併。Advanced hunting data can be categorized into two distinct types, each consolidated differently.

  • 事件或活動資料--填入有關警示、安全性事件、系統事件及例行評估的表格。Event or activity data—populates tables about alerts, security events, system events, and routine assessments. [!注意] 高級搜尋幾乎會在收集成功的感應器成功傳送至對應的雲端服務之後立即接收這類資料。Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to the corresponding cloud services. 例如,您可以在工作站或網域控制站上的狀況良好的感應器上直接查詢事件資料,而這些資料在 Microsoft Defender for Endpoint 和 Microsoft Defender 身分識別後幾乎可以使用。For example, you can query event data from healthy sensors on workstations or domain controllers almost immediately after they are available on Microsoft Defender for Endpoint and Microsoft Defender for Identity.
  • 實體資料—以使用者和裝置的相關資訊填入資料表。Entity data—populates tables with information about users and devices. 此資料來自相對靜態資料來源和動態來源,例如 Active Directory 專案和事件記錄。This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. 若要提供全新的資料,每隔15分鐘更新一次所有新資訊的資料表,新增可能不會填滿的資料列。To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that might not be fully populated. 每24小時都會合並資料,以插入記錄,其中包含每個實體的最新、最全面的資料集。Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.

時區Time zone

「高級搜尋」中的時間資訊是在 UTC 時區。Time information in advanced hunting is in the UTC time zone.