Understand the advanced hunting schema

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

The advanced hunting schema is made up of multiple tables that provide either event information or information about devices, alerts, identities, and other entity types. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema.

Get schema information in the security center

While constructing queries, use the built-in schema reference to quickly get the following information about each table in the schema:

  • Table description: the type of data contained in the table and the source of that data.
  • Columns: all the columns in the table.
  • Action types: the possible values in the ActionType column, representing the event types supported by the table. This information is provided only for tables that contain event information.
  • Sample query: example queries that show how the table can be used.

Access the schema reference

To quickly access the schema reference, select the View reference action next to the table name in the schema representation. You can also select Schema reference to search for a table.

[Image: how to access the in-portal schema reference]

Learn the schema tables

The following reference lists all the tables in the schema. Each table name links to a page describing the column names for that table. Table and column names are also listed in the security center as part of the schema representation on the advanced hunting screen.

Table name: Description

AlertEvidence: Files, IP addresses, URLs, users, or devices associated with alerts
AlertInfo: Alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity, including severity information and threat categorization
AppFileEvents: File-related activities in cloud apps and services
CloudAppEvents: Events involving accounts and objects in Office 365 and other cloud apps and services
DeviceEvents: Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection
DeviceFileCertificateInfo: Certificate information of signed files obtained from certificate verification events on endpoints
DeviceFileEvents: File creation, modification, and other file system events
DeviceImageLoadEvents: DLL loading events
DeviceInfo: Machine information, including OS information
DeviceLogonEvents: Sign-ins and other authentication events on devices
DeviceNetworkEvents: Network connection and related events
DeviceNetworkInfo: Network properties of devices, including physical adapters, IP and MAC addresses, as well as connected networks and domains
DeviceProcessEvents: Process creation and related events
DeviceRegistryEvents: Creation and modification of registry entries
DeviceTvmSecureConfigurationAssessment: Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices
DeviceTvmSecureConfigurationAssessmentKB: Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks
DeviceTvmSoftwareInventory: Inventory of software installed on devices, including their version information and end-of-support status
DeviceTvmSoftwareVulnerabilities: Software vulnerabilities found on devices and the list of available security updates that address each vulnerability
DeviceTvmSoftwareVulnerabilitiesKB: Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available
EmailAttachmentInfo: Information about files attached to emails
EmailEvents: Microsoft 365 email events, including email delivery and blocking events
EmailPostDeliveryEvents: Security events that occur post-delivery, after Microsoft 365 has delivered the emails to the recipient mailbox
EmailUrlInfo: Information about URLs in emails
IdentityDirectoryEvents: Events involving an on-premises domain controller running Active Directory (AD). This table covers a range of identity-related events and system events on the domain controller.
IdentityInfo: Account information from various sources, including Azure Active Directory
IdentityLogonEvents: Authentication events on Active Directory and Microsoft online services
IdentityQueryEvents: Queries for Active Directory objects, such as users, groups, devices, and domains
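As an added example that is not part of this page or Microsoft's own documentation, the following KQL query spans three of the tables listed above (AlertInfo, AlertEvidence and DeviceProcessEvents) to show why knowing the shared columns matters: it joins alerts to the devices named as evidence, then to process creations on those devices shortly after each alert. Apart from ActionType, the column names used (AlertId, Severity, ServiceSource, EntityType, DeviceId, DeviceName, ProcessCommandLine) are assumed from the individual table reference pages this page links to, not stated here.

```kusto
// Added example: correlate alerts, their device evidence and follow-on process activity.
// Assumed columns (from the per-table reference pages, not this page):
//   AlertInfo:           AlertId, Timestamp, Severity, Title, ServiceSource
//   AlertEvidence:       AlertId, Timestamp, EntityType, DeviceId
//   DeviceProcessEvents: Timestamp, ActionType, DeviceId, DeviceName, ProcessCommandLine
let lookback = 7d;
// 1. High-severity alerts in the lookback window, one row per alert.
let HighSevAlerts = AlertInfo
    | where Timestamp > ago(lookback)
    | where Severity == "High"
    | project AlertId, AlertTime = Timestamp, Title, ServiceSource;
// 2. Devices named as evidence for those alerts (AlertEvidence holds one row per entity,
//    so filter to machine entities before joining on the shared AlertId column).
let AlertedDevices = AlertEvidence
    | where Timestamp > ago(lookback)
    | where EntityType == "Machine" and isnotempty(DeviceId)
    | join kind=inner HighSevAlerts on AlertId
    | project AlertId, AlertTime, Title, ServiceSource, DeviceId;
// 3. Process creations on those devices in the 30 minutes after the alert time,
//    summarised per alert and device so an analyst can triage follow-on activity.
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where ActionType == "ProcessCreated"
| join kind=inner AlertedDevices on DeviceId
| where Timestamp between (AlertTime .. (AlertTime + 30m))
| summarize ProcessCount = count(),
            SampleCommandLines = make_set(ProcessCommandLine, 5)
          by AlertId, Title, ServiceSource, DeviceId, DeviceName, AlertTime
| order by AlertTime desc
```

Each join key here (AlertId, DeviceId) is a column that appears in more than one table, which is exactly the information the schema reference described above exposes per table.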