Create and manage custom detection rules



Applies to:

  • Microsoft 365 Defender
  • Microsoft Defender for Endpoint

Custom detection rules are rules you can design and tweak using advanced hunting queries. These rules let you proactively monitor various events and system states, including suspected breach activity and misconfigured endpoints. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.

Required permissions for managing custom detections

To manage custom detections, you need to be assigned one of these roles:

  • Security administrator—Users with this Azure Active Directory role can manage security settings in Microsoft 365 security center and other portals and services.

  • Security operator—Users with this Azure Active Directory role can manage alerts and have global read-only access to security-related features, including all information in Microsoft 365 security center. This role is sufficient for managing custom detections only if role-based access control (RBAC) is turned off in Microsoft Defender for Endpoint. If you have RBAC configured, you also need the manage security settings permission for Defender for Endpoint.

To manage required permissions, a global administrator can:

  • Assign the security administrator or security operator role in Microsoft 365 admin center under Roles > Security admin.
  • Check RBAC settings for Microsoft Defender for Endpoint in Microsoft Defender Security Center under Settings > Permissions > Roles. Select the corresponding role to assign the manage security settings permission.

To manage custom detections, security operators will need the manage security settings permission in Microsoft Defender for Endpoint if RBAC is turned on.

Create a custom detection rule

1. Prepare the query.

In Microsoft 365 security center, go to Advanced hunting and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results.

To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity.

Required columns in the query results

To create a custom detection rule, the query must return the following columns:

  • Timestamp—used to set the timestamp for generated alerts
  • ReportId—enables lookups for the original records
  • One of the following columns that identify specific devices, users, or mailboxes:
    • DeviceId
    • DeviceName
    • RemoteDeviceName
    • RecipientEmailAddress
    • SenderFromAddress (envelope sender or Return-Path address)
    • SenderMailFromAddress (sender address displayed by email client)
    • RecipientObjectId
    • AccountObjectId
    • AccountSid
    • AccountUpn
    • InitiatingProcessAccountSid
    • InitiatingProcessAccountUpn
    • InitiatingProcessAccountObjectId


Support for additional entities will be added as new tables are added to the advanced hunting schema.

Simple queries, such as those that don't use the project or summarize operator to customize or aggregate results, typically return these common columns.

There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by entity under a column such as DeviceId, you can still return Timestamp and ReportId by getting them from the most recent event involving each unique DeviceId.

The sample query below counts the number of unique devices (DeviceId) with antivirus detections and uses this count to find only the devices with more than five detections. To return the latest Timestamp and the corresponding ReportId, it uses the summarize operator with the arg_max function.

// Devices with more than five antivirus detections in the past day
DeviceEvents
| where Timestamp > ago(1d)
| where ActionType == "AntivirusDetection"
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
| where count_ > 5


For better query performance, set a time filter that matches your intended run frequency for the rule. Since the least frequent run is every 24 hours, filtering for the past day will cover all new data.

2. Create new rule and provide alert details.

With the query in the query editor, select Create detection rule and specify the following alert details:

  • Detection name—name of the detection rule
  • Frequency—interval for running the query and taking action. See additional guidance below.
  • Alert title—title displayed with alerts triggered by the rule
  • Severity—potential risk of the component or activity identified by the rule
  • Category—threat component or activity identified by the rule
  • MITRE ATT&CK techniques—one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section is hidden for certain alert categories, including malware, ransomware, suspicious activity, and unwanted software.
  • Description—more information about the component or activity identified by the rule
  • Recommended actions—additional actions that responders might take in response to an alert

Rule frequency

When you save a new rule, it runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals, applying a lookback duration based on the frequency you choose:

  • Every 24 hours—runs every 24 hours, checking data from the past 30 days
  • Every 12 hours—runs every 12 hours, checking data from the past 24 hours
  • Every 3 hours—runs every 3 hours, checking data from the past 6 hours
  • Every hour—runs hourly, checking data from the past 2 hours

When you edit a rule, it will run with the applied changes in the next run time scheduled according to the frequency you set.

Match the time filters in your query with the lookback duration. Results outside of the lookback duration are ignored.

Select the frequency that matches how closely you want to monitor detections. Consider your organization's capacity to respond to the alerts.

3. Choose the impacted entities.

Identify the columns in your query results where you expect to find the main affected or impacted entity. For example, a query might return sender (SenderFromAddress or SenderMailFromAddress) and recipient (RecipientEmailAddress) addresses. Identifying which of these columns represent the main impacted entity helps the service aggregate relevant alerts, correlate incidents, and target response actions.

You can select only one column for each entity type (mailbox, user, or device). Columns that are not returned by your query can't be selected.

4. Specify actions.

Your custom detection rule can automatically take actions on devices, files, or users that are returned by the query.

Actions on devices

These actions are applied to devices in the DeviceId column of the query results:

Actions on files

When selected, you can choose to apply the Quarantine file action on files in the SHA1, InitiatingProcessSHA1, SHA256, or InitiatingProcessSHA256 column of the query results. This action deletes the file from its current location and places a copy in quarantine.

Actions on users

When selected, the Mark user as compromised action is taken on users in the AccountObjectId, InitiatingProcessAccountObjectId, or RecipientObjectId column of the query results. This action sets the user's risk level to "high" in Azure Active Directory, triggering corresponding identity protection policies.

The allow or block action for custom detection rules is currently not supported on Microsoft 365 Defender.

5. Set the rule scope.

Set the scope to specify which devices are covered by the rule. The scope influences rules that check devices and doesn't affect rules that check only mailboxes and user accounts or identities.

When setting the scope, you can select:

  • All devices
  • Specific device groups

Only data from devices in scope will be queried. Also, actions will be taken only on those devices.

6. Review and turn on the rule.

After reviewing the rule, select Create to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions.
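
A query shaped for the steps above, as an added example that is not part of the original article. It assumes a rule set to run every hour (2-hour lookback); the DeviceLogonEvents table, the failed-logon scenario, and the threshold of 20 are illustrative choices.

```kusto
// Added example: repeated failed logons per device and account.
// Intended for a rule with frequency "Every hour", whose lookback is the past 2 hours.
DeviceLogonEvents
| where Timestamp > ago(2h)                 // time filter matches the 2-hour lookback
| where ActionType == "LogonFailed"
| where isnotempty(AccountSid)              // drop rows that cannot be tied to a user entity
| summarize
    (Timestamp, ReportId) = arg_max(Timestamp, ReportId),  // latest event per group keeps both required columns
    FailedLogons = count(),
    RemoteIPs = make_set(RemoteIP, 10)      // context for the responder, capped at 10 values
    by DeviceId, DeviceName, AccountSid     // device and user entity columns survive the aggregation
| where FailedLogons > 20                   // assumed threshold; tune it against normal, day-to-day activity
```

Because the result carries DeviceId and AccountSid, one column can be chosen for the device entity and one for the user entity in step 3, and device actions in step 4 apply to the DeviceId column.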


Custom detections should be regularly reviewed for efficiency and effectiveness. To make sure you are creating detections that trigger true alerts, take time to review your existing custom detections by following the steps in Manage existing custom detection rules.

You maintain control over the broadness or specificity of your custom detections so any false alerts generated by custom detections might indicate a need to modify certain parameters of the rules.

Manage existing custom detection rules

You can view the list of existing custom detection rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.

Alerts raised by custom detections are available over alerts and incident APIs. For more information, see Supported Microsoft 365 Defender APIs.

View existing rules

To view all existing custom detection rules, navigate to Hunting > Custom detections. The page lists all the rules with the following run information:

  • Last run—when a rule was last run to check for query matches and generate alerts
  • Last run status—whether a rule ran successfully
  • Next run—the next scheduled run
  • Status—whether a rule has been turned on or off

View rule details, modify rule, and run rule

To view comprehensive information about a custom detection rule, go to Hunting > Custom detections and then select the name of the rule. You can then view general information about the rule, including its run status and scope. The page also provides the list of triggered alerts and actions.


You can also take the following actions on the rule from this page:

  • Run—run the rule immediately. This also resets the interval for the next run.
  • Edit—modify the rule without changing the query
  • Modify query—edit the query in advanced hunting
  • Turn on / Turn off—enable the rule or stop it from running
  • Delete—turn off the rule and remove it

View and manage triggered alerts

In the rule details screen (Hunting > Custom detections > [Rule name]), go to Triggered alerts, which lists the alerts generated by matches to the rule. Select an alert to view detailed information about it and take the following actions:

  • Manage the alert by setting its status and classification (true or false alert)
  • Link the alert to an incident
  • Run the query that triggered the alert on advanced hunting

Review actions

In the rule details screen (Hunting > Custom detections > [Rule name]), go to Triggered actions, which lists the actions taken based on matches to the rule.

To quickly view information and take action on an item in a table, use the selection column [✓] at the left of the table.

Some columns in this article might not be available in Microsoft Defender for Endpoint. Turn on Microsoft 365 Defender to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in Migrate advanced hunting queries from Microsoft Defender for Endpoint.
