Use shared queries in advanced hunting

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender
  • Microsoft Defender for Endpoint

Advanced hunting queries can be shared among users in the same organization. You can also find queries shared publicly on GitHub. These queries let you quickly pursue specific threat hunting scenarios without having to write queries from scratch.

Image of shared queries

Save, modify, and share a query

You can save a new or existing query so that it is accessible only to you, or share it with other users in your organization.

  1. Create or modify a query.

  2. Click the Save query drop-down button and select Save as.

  3. Enter a name for the query.

    Image of saving a query

  4. Select the folder where you'd like to save the query.

    • Shared queries — shared with all users in your organization
    • My queries — accessible only to you
  5. Select Save.

Delete or rename a query

  1. Right-click the query you want to rename or delete.

    Image of deleting a query

  2. Select Delete and confirm the deletion. Or select Rename and provide a new name for the query.

To generate a link that opens your query directly in the advanced hunting query editor, finalize your query and select Share link.

Access queries in the GitHub repository

Microsoft security researchers regularly share advanced hunting queries in a designated public repository on GitHub. This repository is open to contributions. To contribute, join GitHub for free.

Tip

Microsoft security researchers also provide advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the threat analytics reports in Microsoft Defender Security Center.

Note

Some tables in this article might not be available in Microsoft Defender for Endpoint. Turn on Microsoft 365 Defender to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in Migrate advanced hunting queries from Microsoft Defender for Endpoint.