Understand the advanced hunting schema

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Security teams can now manage all endpoint, email and cross-product investigations, configuration and remediation without the need to navigate to separate product portals. Learn more about what's changed.

Applies to:

  • Microsoft 365 Defender

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

The advanced hunting schema is made up of multiple tables that provide either event information or information about devices, alerts, identities, and other entity types. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema.

Get schema information in the security center

While constructing queries, use the built-in schema reference to quickly get the following information about each table in the schema:

  • Table description: the type of data contained in the table and the source of that data.
  • Columns: all the columns in the table.
  • Action types: the possible values in the ActionType column, representing the event types supported by the table. This information is provided only for tables that contain event information.
  • Sample query: example queries that show how the table can be used.
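The following query is an added example and is not one of the sample queries from the page or from the product documentation. It shows how the "Action types" entry of the schema reference is used in practice: DeviceLogonEvents is filtered on two of its ActionType values and summarized per device, account and hour, so that bursts of failed sign-ins on a device can be reviewed, with a flag for a successful sign-in in the same hour. The column names (Timestamp, DeviceName, AccountName, LogonType, RemoteIP) and the ActionType values LogonFailed and LogonSuccess come from the DeviceLogonEvents schema reference, not from this page; the 7-day window and the threshold of 10 failures are assumed values to tune for your environment.

```kql
// Added example (not from the page): filter DeviceLogonEvents by the
// ActionType values listed in its schema reference and aggregate per hour.
// Assumed tuning values: 7-day window, 10 failed attempts per hour.
DeviceLogonEvents
| where Timestamp > ago(7d)
| where ActionType in ("LogonFailed", "LogonSuccess")   // values from the table's "Action types"
| summarize FailedAttempts = countif(ActionType == "LogonFailed"),
            Successes      = countif(ActionType == "LogonSuccess"),
            SourceIPs      = make_set_if(RemoteIP, ActionType == "LogonFailed", 20),
            FirstFailure   = minif(Timestamp, ActionType == "LogonFailed"),
            LastFailure    = maxif(Timestamp, ActionType == "LogonFailed")
          by DeviceName, AccountName, LogonType, Hour = bin(Timestamp, 1h)
| where FailedAttempts >= 10
// A successful sign-in in the same hour as a burst of failures is the case
// an analyst wants to review first.
| extend SuccessInSameHour = Successes > 0
| project Hour, DeviceName, AccountName, LogonType, FailedAttempts, Successes,
          SuccessInSameHour, SourceIPs, FirstFailure, LastFailure
| order by SuccessInSameHour desc, FailedAttempts desc
```

The schema reference is what tells you which ActionType values a table actually emits; filtering on a value that is not listed there returns nothing and silently hides the gap, so check the list before relying on a string literal in a scheduled query.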

Access the schema reference

To quickly access the schema reference, select the View reference action next to the table name in the schema representation. You can also select Schema reference to search for a table.

Image showing how to access the in-portal schema reference

Learn the schema tables

The following reference lists all the tables in the schema. Each table name links to a page describing the column names for that table. Table and column names are also listed in the security center as part of the schema representation on the advanced hunting screen.

Table name | Description
AlertEvidence | Files, IP addresses, URLs, users, or devices associated with alerts
AlertInfo | Alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity, including severity information and threat categorization
AppFileEvents | File-related activities in cloud apps and services
CloudAppEvents | Events involving accounts and objects in Office 365 and other cloud apps and services
DeviceEvents | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection
DeviceFileCertificateInfo | Certificate information of signed files obtained from certificate verification events on endpoints
DeviceFileEvents | File creation, modification, and other file system events
DeviceImageLoadEvents | DLL loading events
DeviceInfo | Machine information, including OS information
DeviceLogonEvents | Sign-ins and other authentication events on devices
DeviceNetworkEvents | Network connection and related events
DeviceNetworkInfo | Network properties of devices, including physical adapters, IP and MAC addresses, as well as connected networks and domains
DeviceProcessEvents | Process creation and related events
DeviceRegistryEvents | Creation and modification of registry entries
DeviceTvmSecureConfigurationAssessment | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices
DeviceTvmSecureConfigurationAssessmentKB | Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks
DeviceTvmSoftwareInventoryVulnerabilities | Inventory of software on devices and any known vulnerabilities in these software products
DeviceTvmSoftwareVulnerabilitiesKB | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available
EmailAttachmentInfo | Information about files attached to emails
EmailEvents | Microsoft 365 email events, including email delivery and blocking events
EmailPostDeliveryEvents | Security events that occur post-delivery, after Microsoft 365 has delivered the emails to the recipient mailbox
EmailUrlInfo | Information about URLs in emails
IdentityDirectoryEvents | Events involving an on-premises domain controller running Active Directory (AD). This table covers a range of identity-related events and system events on the domain controller.
IdentityInfo | Account information from various sources, including Azure Active Directory
IdentityLogonEvents | Authentication events on Active Directory and Microsoft online services
IdentityQueryEvents | Queries for Active Directory objects, such as users, groups, devices, and domains
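The page states that building queries across several tables requires knowing which columns they share. The query below is an added example, not a sample query from the page or from the product, that joins three of the tables listed above: AlertInfo (one row per alert) to AlertEvidence (one row per entity attached to an alert) on AlertId, and then to DeviceInfo on DeviceId to attach the OS platform of the affected device. The column names used (AlertId, Title, Severity, Category, ServiceSource, EntityType, FileName, SHA256, RemoteIP, RemoteUrl, DeviceId, DeviceName, OSPlatform, OSVersion) come from the respective schema reference pages rather than from this page; the 30-day window and the severity filter are assumed values.

```kql
// Added example (not from the page): a cross-table hunt that pivots from
// alerts to their evidence and then to device inventory. Column names are
// taken from the AlertInfo, AlertEvidence and DeviceInfo schema references;
// the 30-day window and severity filter are assumptions.
AlertInfo
| where Timestamp > ago(30d)
| where Severity in ("High", "Medium")
| project AlertId, AlertTitle = Title, Severity, Category, ServiceSource, AlertTime = Timestamp
// AlertEvidence has one row per entity (file, IP, URL, device, user, ...)
// attached to an alert; AlertId is the shared key.
| join kind=inner (
    AlertEvidence
    | where isnotempty(DeviceId)                // keep evidence that is tied to a device
    | project AlertId, EntityType, FileName, SHA256, RemoteIP, RemoteUrl, DeviceId, DeviceName
  ) on AlertId
// DeviceInfo reports repeatedly per device, so take the latest row per DeviceId
// before joining, otherwise each alert row would be multiplied.
| join kind=leftouter (
    DeviceInfo
    | where Timestamp > ago(30d)
    | summarize arg_max(Timestamp, OSPlatform, OSVersion) by DeviceId
    | project DeviceId, OSPlatform, OSVersion
  ) on DeviceId
// One human-readable indicator per evidence row: file name, IP or URL.
| extend Indicator = coalesce(FileName, RemoteIP, RemoteUrl)
| where isnotempty(Indicator)
| summarize Alerts      = dcount(AlertId),
            Titles      = make_set(AlertTitle, 10),
            Indicators  = make_set(Indicator, 50),
            Hashes      = make_set(SHA256, 50),
            FirstAlert  = min(AlertTime),
            LastAlert   = max(AlertTime)
          by DeviceName, OSPlatform, OSVersion, Severity, Category, ServiceSource
| order by LastAlert desc, Alerts desc
```

The arg_max step before the DeviceInfo join is the part most often skipped: because DeviceInfo is a periodic inventory table rather than an event table, joining it directly inflates the alert counts, and the schema reference's table description ("Machine information") is the hint that it needs to be reduced to one row per device first.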