Migrate advanced hunting queries from Microsoft Defender for Endpoint

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Security teams can now manage all endpoint, email, and cross-product investigations, configuration, and remediation without the need to navigate to separate product portals. Learn more about what's changed.

Applies to:

  • Microsoft 365 Defender

Move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender to proactively hunt for threats using a broader set of data. In Microsoft 365 Defender, you get access to data from other Microsoft 365 security solutions, including:

  • Microsoft Defender for Endpoint
  • Microsoft Defender for Office 365
  • Microsoft Cloud App Security
  • Microsoft Defender for Identity

Note

Most Microsoft Defender for Endpoint customers can use Microsoft 365 Defender without additional licenses. To start transitioning your advanced hunting workflows from Defender for Endpoint, turn on Microsoft 365 Defender.

You can transition without affecting your existing Defender for Endpoint workflows. Saved queries remain intact, and custom detection rules continue to run and generate alerts. They will, however, also be visible in Microsoft 365 Defender.

Schema tables in Microsoft 365 Defender only

The Microsoft 365 Defender advanced hunting schema provides additional tables containing data from various Microsoft 365 security solutions. The following tables are available only in Microsoft 365 Defender:

Table name                 Description
AlertEvidence              Files, IP addresses, URLs, users, or devices associated with alerts
AlertInfo                  Alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity, including severity information and threat categories
AppFileEvents              File-related activities in cloud apps and services
EmailAttachmentInfo        Information about files attached to emails
EmailEvents                Microsoft 365 email events, including email delivery and blocking events
EmailPostDeliveryEvents    Security events that occur post-delivery, after Microsoft 365 has delivered the emails to the recipient mailbox
EmailUrlInfo               Information about URLs in emails
IdentityDirectoryEvents    Events involving an on-premises domain controller running Active Directory (AD). This table covers a range of identity-related events and system events on the domain controller.
IdentityInfo               Account information from various sources, including Azure Active Directory
IdentityLogonEvents        Authentication events on Active Directory and Microsoft online services
IdentityQueryEvents        Queries for Active Directory objects, such as users, groups, devices, and domains

Map the DeviceAlertEvents table

The AlertInfo and AlertEvidence tables replace the DeviceAlertEvents table in the Microsoft Defender for Endpoint schema. In addition to data about device alerts, these two tables include data about alerts for identities, apps, and emails.

Use the following table to check how DeviceAlertEvents columns map to columns in the AlertInfo and AlertEvidence tables.

Tip

In addition to the columns in the following table, the AlertEvidence table includes many other columns that provide a more holistic picture of alerts from various sources. See all AlertEvidence columns.

DeviceAlertEvents column   Where to find the same data in Microsoft 365 Defender
AlertId                    AlertInfo and AlertEvidence tables
Timestamp                  AlertInfo and AlertEvidence tables
DeviceId                   AlertEvidence table
DeviceName                 AlertEvidence table
Severity                   AlertInfo table
Category                   AlertInfo table
Title                      AlertInfo table
FileName                   AlertEvidence table
SHA1                       AlertEvidence table
RemoteUrl                  AlertEvidence table
RemoteIP                   AlertEvidence table
AttackTechniques           AlertInfo table
ReportId                   This column is typically used in Microsoft Defender for Endpoint to locate related records in other tables. In Microsoft 365 Defender, you can get related data directly from the AlertEvidence table.
Table                      This column is typically used in Microsoft Defender for Endpoint for additional event information in other tables. In Microsoft 365 Defender, you can get related data directly from the AlertEvidence table.

Adjust existing Microsoft Defender for Endpoint queries

Microsoft Defender for Endpoint queries will work as-is unless they reference the DeviceAlertEvents table. To use these queries in Microsoft 365 Defender, apply these changes:

  • Replace DeviceAlertEvents with AlertInfo.
  • Join the AlertInfo and AlertEvidence tables on AlertId to get equivalent data.

Original query

The following query uses DeviceAlertEvents in Microsoft Defender for Endpoint to get the alerts that involve powershell.exe:

DeviceAlertEvents
| where Timestamp > ago(7d)
| where AttackTechniques has "PowerShell (T1086)" and FileName == "powershell.exe"

Modified query

The following query has been adjusted for use in Microsoft 365 Defender. Instead of checking the file name directly in DeviceAlertEvents, it joins AlertEvidence and checks for the file name in that table.

AlertInfo
| where Timestamp > ago(7d)
| where AttackTechniques has "PowerShell (T1086)"
| join AlertEvidence on AlertId
| where FileName == "powershell.exe"
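The following query is an added example, not from the original page or Microsoft's documentation: it applies the column mapping table above to rebuild the full DeviceAlertEvents row layout from AlertInfo and AlertEvidence, and handles two details the short modified query glosses over. AlertEvidence also carries Timestamp, Title, Category and Severity, so an unprojected join produces Timestamp1, Title1 and similar collisions, and an alert with several evidence rows for the same file would otherwise appear more than once.

```kql
// Added example (not the page's own query): DeviceAlertEvents-shaped output
// from the Microsoft 365 Defender schema, using the mapping table above.
AlertInfo
| where Timestamp > ago(7d)
| where AttackTechniques has "PowerShell (T1086)"
| join kind=inner (
    AlertEvidence
    // Filter the evidence side on time as well so the join stays small.
    | where Timestamp > ago(7d)
    | where FileName == "powershell.exe"
    // Keep only the evidence columns the mapping table assigns to
    // AlertEvidence; this avoids Timestamp1/Title1/Severity1 collisions
    // with the same-named columns that exist in AlertInfo.
    | project AlertId, DeviceId, DeviceName, FileName, SHA1, RemoteUrl, RemoteIP
  ) on AlertId
// Same column set DeviceAlertEvents exposed (ReportId/Table have no
// equivalent; the evidence is already in the row).
| project AlertId, Timestamp, DeviceId, DeviceName, Severity, Category, Title,
          FileName, SHA1, RemoteUrl, RemoteIP, AttackTechniques
// One row per alert/evidence combination, even if several evidence
// entities of the same alert reference the same file.
| distinct *
| order by Timestamp desc
```

If a custom detection rule depends on the number of rows returned, compare the row count of this query against the original DeviceAlertEvents query over the same window before switching the rule over.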

See also