Manage incidents in Microsoft 365 Defender

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender

Incident management is critical in ensuring that threats are contained and addressed.

You manage incidents from Incidents & alerts > Incidents on the quick launch of the Microsoft 365 security center (security.microsoft.com). Here's an example.

Example of the incident queue

Here are the ways you can manage your incidents:

You can manage incidents from the Manage incident pane for an incident. Here's an example.

Example of the Manage incident pane for an incident

You can display this pane from the Manage incident link on the:

  • Properties pane of an incident in the incident queue.
  • Summary page of an incident.

In cases where you want to move alerts from one incident to another, you can also do so from the Alerts tab, thus creating a larger or smaller incident that includes all relevant alerts.

Edit the incident name

Microsoft 365 Defender automatically assigns a name based on alert attributes such as the number of endpoints affected, users affected, detection sources, or categories. This allows you to quickly understand the scope of the incident. For example: Multi-stage incident on multiple endpoints reported by multiple sources.

You can edit the incident name from the Incident name field on the Manage incident pane.

Note

Incidents that existed before the rollout of the automatic incident naming feature will retain their name.

Add incident tags

You can add custom tags to an incident, for example to flag a group of incidents with a common characteristic. You can later filter the incident queue for all incidents that contain a specific tag.

When you start typing, you have the option to select from a list of previously used tags.

Assign incidents

To assign an incident, select Assign to me. Doing so assigns ownership of the incident and all the alerts associated with it to your user account.

You can get a list of incidents assigned to you by filtering the incident queue.

  1. From the incident queue, select Filters.
  2. In the Incident assignment section, clear Select all and select Assigned to me.
  3. Select Apply, and then close the Filters pane.

You can then save the resulting URL in your browser as a bookmark to quickly see the list of incidents assigned to you.

Resolve an incident

If the incident has been remediated, select Resolve incident to move the toggle to the right. Note that resolving an incident also resolves all the linked and active alerts related to the incident.

An incident that is not resolved displays as Active.

Set the classification and determination

The incident classification is whether it was a true alert or a false alert, which you configure from the Classification field.

If it was a true alert, you should also specify what type of threat it was with the Determination field. Specifying the threat type helps your security team see threat patterns and act to defend your organization from them.

Add comments

You can add multiple comments to an incident with the Comment field. Each comment gets added to the historical events of the incident. You can see the comments and history of an incident from the Comments and history link on the Summary page.
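As an added example (not Microsoft's code and not part of this page), the following Python models the fields of the Manage incident pane and the queue filters covered in the sections above (tags, assignment, resolve, classification and determination, comments) over a constructed sample queue. The property names and the allowed value sets are assumptions that mirror the Microsoft 365 Defender incidents API as I understand it; the incident ids, user names and alert states are constructed. It enforces the one rule the page states about these fields: a determination is only given for a true alert, and resolving an incident resolves every active alert linked to it.

```python
"""Local model of the Manage incident fields discussed on this page.

Added example, not Microsoft code. The property names (incidentName,
assignedTo, status, classification, determination, tags, comment) and the
allowed values below are ASSUMED to mirror the Microsoft 365 Defender
incidents API; check the current API reference before sending such a body.
"""
from __future__ import annotations

import copy
from typing import Iterable

# Assumed value sets (not taken from this page).
CLASSIFICATIONS = {"Unknown", "FalsePositive", "TruePositive"}
DETERMINATIONS = {"NotAvailable", "Apt", "Malware", "SecurityPersonnel",
                  "SecurityTesting", "UnwantedSoftware", "Other"}
INCIDENT_STATUSES = {"Active", "Resolved"}


def build_incident_update(*, name: str | None = None,
                          tags: Iterable[str] | None = None,
                          assigned_to: str | None = None,
                          status: str | None = None,
                          classification: str | None = None,
                          determination: str | None = None,
                          comment: str | None = None) -> dict:
    """Build a PATCH-style body for the fields on the Manage incident pane.

    Enforces the rule from the page: a determination (threat type) is only
    meaningful when the incident is classified as a true alert.
    """
    body: dict = {}
    if name is not None:
        body["incidentName"] = name
    if tags is not None:
        body["tags"] = sorted(set(tags))          # de-duplicate custom tags
    if assigned_to is not None:
        body["assignedTo"] = assigned_to
    if status is not None:
        if status not in INCIDENT_STATUSES:
            raise ValueError(f"unknown status {status!r}")
        body["status"] = status
    if classification is not None:
        if classification not in CLASSIFICATIONS:
            raise ValueError(f"unknown classification {classification!r}")
        body["classification"] = classification
    if determination is not None:
        if determination not in DETERMINATIONS:
            raise ValueError(f"unknown determination {determination!r}")
        if classification != "TruePositive":
            raise ValueError("determination requires classification TruePositive")
        body["determination"] = determination
    if comment is not None:
        body["comment"] = comment
    return body


def resolve_incident(incident: dict) -> dict:
    """Mark an incident Resolved and, as the page states, resolve every
    linked alert that is still active. Returns a modified copy."""
    resolved = copy.deepcopy(incident)
    resolved["status"] = "Resolved"
    for alert in resolved.get("alerts", []):
        if alert["status"] != "Resolved":
            alert["status"] = "Resolved"
    return resolved


def filter_queue(incidents: Iterable[dict], *, assigned_to: str | None = None,
                 tag: str | None = None, status: str | None = None) -> list[str]:
    """Return incident ids matching the queue filters described on the page
    (assigned to me, tag, status)."""
    matches = []
    for inc in incidents:
        if assigned_to is not None and inc.get("assignedTo") != assigned_to:
            continue
        if tag is not None and tag not in inc.get("tags", []):
            continue
        if status is not None and inc.get("status") != status:
            continue
        matches.append(inc["incidentId"])
    return matches


# Constructed sample queue (hypothetical ids, users and alert states).
SAMPLE_QUEUE = [
    {"incidentId": "INC-1",
     "incidentName": "Multi-stage incident on multiple endpoints reported by multiple sources",
     "assignedTo": "analyst@contoso.example", "status": "Active",
     "tags": ["phishing-wave"],
     "alerts": [{"alertId": "A-1", "status": "New"},
                {"alertId": "A-2", "status": "InProgress"}]},
    {"incidentId": "INC-2", "incidentName": "Suspicious sign-in on one user",
     "assignedTo": "other@contoso.example", "status": "Active",
     "tags": ["phishing-wave"], "alerts": [{"alertId": "A-3", "status": "New"}]},
    {"incidentId": "INC-3", "incidentName": "Malware on one endpoint",
     "assignedTo": "analyst@contoso.example", "status": "Resolved",
     "tags": [], "alerts": [{"alertId": "A-4", "status": "Resolved"}]},
]


if __name__ == "__main__":
    # The "Assigned to me" filter from the procedure above, plus Active only.
    print(filter_queue(SAMPLE_QUEUE, assigned_to="analyst@contoso.example", status="Active"))
    print(build_incident_update(status="Resolved", classification="TruePositive",
                                determination="Malware", comment="Contained and remediated"))
```

The validation in build_incident_update is local and deliberately strict: it refuses a determination without a TruePositive classification rather than sending a body the service might accept and leave inconsistent, which keeps the threat-pattern data the page describes clean for later reporting.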

Next steps

For new incidents, begin your investigation.

For in-process incidents, continue your investigation.

For resolved incidents, perform a post-incident review.

See also