Incidents in Microsoft 365 Defender

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender

Want to experience Microsoft 365 Defender? You can evaluate it in a lab environment or run your pilot project in production.

An incident in Microsoft 365 Defender is a collection of correlated alerts and associated data that make up the story of an attack.

Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. However, attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant.

Because piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft 365 Defender automatically aggregates the alerts and their associated information into an incident.

How Microsoft 365 Defender correlates events from entities into incidents

Watch this short overview of incidents in Microsoft 365 Defender (4 minutes).


Grouping related alerts into an incident gives you a comprehensive view of an attack. For example, you can see:

  • Where the attack started.
  • What tactics were used.
  • How far the attack has gone into your tenant.
  • The scope of the attack, such as how many devices, users, and mailboxes were impacted.
  • All of the data associated with the attack.

If enabled, Microsoft 365 Defender can automatically investigate and resolve alerts through automation and artificial intelligence. You can also perform additional remediation steps to resolve the attack.
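The kind of aggregation described above, as an added illustration that is not Microsoft's own correlation logic: alerts that share a device, user, or mailbox (directly or through a chain of other alerts) are grouped into one incident, and each incident is summarized by where it started, the tactics seen, and its scope. The alert data, entity names, and tactic labels are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    alert_id: str
    tactic: str
    timestamp: str          # ISO-8601, constructed for the sample below
    devices: tuple = ()
    users: tuple = ()
    mailboxes: tuple = ()
def correlate(alerts):
    """Group alerts into incidents: two alerts land in the same incident when they share a
    device, user or mailbox, directly or via other alerts. Simplified union-find stand-in."""
    parent = {a.alert_id: a.alert_id for a in alerts}
    def find(x):                        # root alert id of x's incident
        while parent[x] != x:
            x = parent[x]
        return x
    first_seen = {}                     # (entity kind, name) -> alert that introduced it
    for a in alerts:
        for kind in ("devices", "users", "mailboxes"):
            for name in getattr(a, kind):
                key = (kind, name)
                if key in first_seen:   # shared entity: merge the two incidents
                    parent[find(a.alert_id)] = find(first_seen[key])
                else:
                    first_seen[key] = a.alert_id
    groups = defaultdict(list)
    for a in alerts:
        groups[find(a.alert_id)].append(a)
    return [summarize(g) for g in groups.values()]

def summarize(group):
    """Incident view: where it started, tactics in order seen, and scope by entity type."""
    group = sorted(group, key=lambda a: a.timestamp)
    return {"alert_ids": [a.alert_id for a in group],
            "first_alert": group[0].alert_id,
            "tactics": list(dict.fromkeys(a.tactic for a in group)),
            "devices": sorted({d for a in group for d in a.devices}),
            "users": sorted({u for a in group for u in a.users}),
            "mailboxes": sorted({m for a in group for m in a.mailboxes})}
# Constructed sample alerts (not real Defender output): A1-A4 chain together via user1 and DESK-01.
SAMPLE_ALERTS = [
    Alert("A1", "InitialAccess", "2021-06-01T09:00", users=("user1",), mailboxes=("user1@contoso.example",)),
    Alert("A2", "Execution", "2021-06-01T09:05", devices=("DESK-01",), users=("user1",)),
    Alert("A3", "CredentialAccess", "2021-06-01T09:20", devices=("DESK-01",)),
    Alert("A4", "LateralMovement", "2021-06-01T09:40", devices=("DESK-01", "SRV-02"), users=("admin1",)),
    Alert("A5", "Execution", "2021-06-01T10:00", devices=("LAPTOP-07",), users=("user2",)),
]
```

Running `correlate(SAMPLE_ALERTS)` yields two incidents: one spanning A1 through A4 with two devices, two users, and one mailbox in scope, and a separate single-alert incident for A5.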

Incidents and alerts in the Microsoft 365 security center

You manage incidents from Incidents & alerts > Incidents on the quick launch of the Microsoft 365 security center (security.microsoft.com). Here's an example.

The Incidents page in the Microsoft 365 security center

Selecting an incident name displays a summary of the incident and provides access to tabs with additional information.

Example of an incident summary page in the Microsoft 365 security center

The additional tabs for an incident are:

  • Alerts

    All the alerts related to the incident and their information.

  • Devices

    All the devices that have been identified to be part of or related to the incident.

  • Users

    All the users that have been identified to be part of or related to the incident.

  • Mailboxes

    All the mailboxes that have been identified to be part of or related to the incident.

  • Investigations

    All the automated investigations triggered by alerts in the incident.

  • Evidence and Response

    All the supported events and suspicious entities in the alerts in the incident.

  • Graph (in preview)

    A figure showing the connection of alerts to the impacted assets in your organization.

Here's the relationship between an incident and its data and the tabs of an incident in the Microsoft 365 security center.

The relationship of an incident and its data to the tabs of an incident in the Microsoft 365 security center

Example incident response workflow for Microsoft 365 Defender

Here's an example workflow for responding to incidents in Microsoft 365 with the Microsoft 365 security center.

Example incident response workflow for Microsoft 365

  1. On an ongoing basis, identify the highest priority incidents for analysis and resolution in the incident queue and get them ready for response. This is a combination of:

    • Triaging to determine the highest priority incidents through filtering and sorting of the incident queue.
    • Managing incidents by modifying their title, assigning them to an analyst, and adding tags and comments.

  2. For each incident, begin an attack and alert investigation and analysis:

    a. View the summary of the incident to understand its scope and severity and what entities are affected (the Summary tab).

    b. Begin analyzing the alerts to understand their origin, scope, and severity (the Alerts tab).

    c. As needed, gather information on impacted devices, users, and mailboxes (the Devices, Users, and Mailboxes tabs).

    d. See how Microsoft 365 Defender has automatically resolved some alerts (the Investigations tab).

    e. As needed, use information in the data set for the incident for more information (the Evidence and Response tab).

  3. After or during your analysis, perform containment to reduce any additional impact of the attack and eradication of the security threat.

  4. As much as possible, recover from the attack by restoring your tenant resources to the state they were in before the incident.

  5. Resolve the incident and take time for post-incident learning to:

    • Understand the type of the attack and its impact.
    • Research the attack in Threat Analytics and the security community for a security attack trend.
    • Recall the workflow you used to resolve the incident and update your standard workflows, processes, policies, and playbooks as needed.
    • Determine whether changes in your security configuration are needed and implement them.

If you are new to security analysis, see the introduction to responding to your first incident for additional information and to step through an example incident.

Example security operations for Microsoft 365 Defender

Here's an example of security operations for Microsoft 365 Defender.

Example of security operations for Microsoft 365 Defender

Daily tasks can include:

Monthly tasks can include:

Quarterly tasks can include a report and briefing of security results to the Chief Information Security Officer (CISO).

Annual tasks can include conducting a major incident or breach exercise to test your staff, systems, and processes.

Daily, monthly, quarterly, and annual tasks can be used to update or refine processes, policies, and security configurations.

Next steps

If you are new to security analysis and incident response:

  • See the Respond to your first incident walkthrough to get a guided tour of a typical process of analysis, remediation, and post-incident review in the Microsoft 365 security center with an example of an attack.

If you have experience with security analysis and incident response:

  • Get started with the incident queue from the Incidents page of the Microsoft 365 security center. From here, you can:

    • See which incidents should be prioritized based on severity and other factors.

    • Manage incidents, which includes renaming, assignment, classifying, and adding tags and comments based on your incident management workflow.

    • Perform investigations of incidents.

  • See these incident response playbooks for detailed guidance for phishing, password spray, and app consent grant attacks.