Prioritize incidents in Microsoft 365 Defender

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Security teams can now manage all endpoint, email, and cross-product investigations, configuration, and remediation without the need to navigate to separate product portals. Learn more about what's changed.

Applies to:

  • Microsoft 365 Defender

Microsoft 365 Defender applies correlation analytics and aggregates all related alerts and investigations from different products into one incident. Microsoft 365 Defender also triggers unique alerts on activities that can only be identified as malicious given the end-to-end visibility that Microsoft 365 Defender has across the entire estate and suite of products. This view gives your security operations analysts the broader attack story, which helps them better understand and deal with complex threats across the organization.

The Incidents queue shows a collection of incidents that were flagged from across devices, users, and mailboxes. It helps you sort through incidents to prioritize them and make an informed cybersecurity response decision.

[Image of the incident queue]

By default, the queue in the Microsoft 365 security center displays incidents seen in the last 30 days. The most recent incident is at the top of the list so you can see it first.

The incident queue exposes customizable columns that give you visibility into different characteristics of the incident or the contained entities. This helps you make an informed decision regarding the prioritization of incidents to handle.

For additional visibility at a glance, automatic incident naming generates incident names based on alert attributes such as the number of endpoints affected, users affected, detection sources, or categories. This allows you to quickly understand the scope of the incident.

For example: Multi-stage incident on multiple endpoints reported by multiple sources.

Note

Incidents that existed prior to the rollout of automatic incident naming will not have their names changed.

The incident queue also exposes multiple filtering options that, when applied, enable you to perform a broad sweep of all existing incidents in your environment, or to focus on a specific scenario or threat. Applying filters on the incident queue can help determine which incident requires immediate attention.

Available filters

Assigned to

You can choose to show alerts that are assigned to you or those handled by automation.

Categories

Choose categories to focus on specific tactics, techniques, or attack components seen.

Classification

Filter incidents based on the set classifications of the related alerts. The values include true alerts, false alerts, or not set.

Data sensitivity

Some attacks focus on exfiltrating sensitive or valuable data. By applying a filter to see whether sensitive data is involved in the incident, you can quickly determine whether sensitive information has potentially been compromised and prioritize addressing those incidents.

Note

Only applicable if Microsoft Information Protection is turned on.

Device group

Filter by defined device groups.

Investigation state

Filter incidents by the status of the automated investigation.

Multiple categories

You can choose to see only incidents that have been mapped to multiple categories and can thus potentially cause more damage.

Multiple service sources

Filter to see only incidents that contain alerts from different sources (Microsoft Defender for Endpoint, Microsoft Cloud App Security, Microsoft Defender for Identity, Microsoft Defender for Office 365).

OS platform

Limit the incident queue view by operating system.

Service sources

By choosing a specific source, you can focus on incidents that contain at least one alert from that chosen source.

Severity

The severity of an incident is indicative of the impact it can have on your assets. The higher the severity, the bigger the impact, and the incident typically requires the most immediate attention.

Status

You can choose to limit the list of incidents shown based on their status, to see which ones are active or resolved.
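The filters above describe the attributes a SOC analyst weighs when deciding which incident to open first. The following script is an added example, not code from the Microsoft 365 Defender product or its API: it models incidents as a constructed record type (the field names and severity values are assumptions, not the product's schema), applies the same filters the queue exposes (status, severity, service source, multiple categories, multiple service sources, data sensitivity), and ranks the remaining incidents so that high-severity, multi-category, multi-source incidents touching sensitive data come first, with the newest incident first among equals, as the queue's default ordering does.

```python
"""Rank constructed incident records by the attributes the incident queue filters on.

The Incident record layout, severity scale and score weights are assumptions made for
this example; they are not the Microsoft 365 Defender API schema.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Assumed severity scale; higher rank means more immediate attention.
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}


@dataclass
class Incident:
    incident_id: int            # monotonically increasing, so a higher id is newer
    name: str                   # automatic incident name as shown in the queue
    severity: str               # one of SEVERITY_RANK
    status: str                 # "Active" or "Resolved"
    categories: List[str]       # tactics / techniques / attack components seen
    service_sources: List[str]  # products that contributed alerts
    sensitive_data: bool = False          # Data sensitivity filter (needs MIP)
    classification: str = "Not set"       # "True alert", "False alert", "Not set"


def priority_score(inc: Incident) -> int:
    """Higher score means open this incident sooner."""
    # Resolved incidents and confirmed false alerts go to the bottom of the queue.
    if inc.status == "Resolved" or inc.classification == "False alert":
        return -1
    score = SEVERITY_RANK.get(inc.severity, 0) * 10
    if len(inc.categories) > 1:        # multiple categories: more potential damage
        score += 3
    if len(inc.service_sources) > 1:   # multiple service sources: cross-product story
        score += 3
    if inc.sensitive_data:             # sensitive data possibly compromised
        score += 4
    return score


def filter_incidents(
    incidents: Iterable[Incident],
    *,
    severity: Optional[str] = None,
    status: Optional[str] = None,
    service_source: Optional[str] = None,
    multiple_categories: bool = False,
    multiple_sources: bool = False,
    sensitive_only: bool = False,
) -> List[Incident]:
    """Apply the queue's filters; every argument left at its default is not applied."""
    out = []
    for inc in incidents:
        if severity is not None and inc.severity != severity:
            continue
        if status is not None and inc.status != status:
            continue
        if service_source is not None and service_source not in inc.service_sources:
            continue
        if multiple_categories and len(inc.categories) < 2:
            continue
        if multiple_sources and len(inc.service_sources) < 2:
            continue
        if sensitive_only and not inc.sensitive_data:
            continue
        out.append(inc)
    return out


def prioritize(incidents: Iterable[Incident]) -> List[Incident]:
    """Sort by score, newest (highest id) first among equal scores."""
    return sorted(incidents, key=lambda i: (priority_score(i), i.incident_id), reverse=True)


# Constructed sample queue; names follow the automatic-naming style from the article.
SAMPLE_QUEUE = [
    Incident(101, "Multi-stage incident on multiple endpoints reported by multiple sources",
             "High", "Active", ["Initial access", "Execution", "Exfiltration"],
             ["Microsoft Defender for Endpoint", "Microsoft Defender for Office 365"],
             sensitive_data=True),
    Incident(102, "Suspicious sign-in on one user", "Medium", "Active",
             ["Credential access"], ["Microsoft Defender for Identity"]),
    Incident(103, "Malware on one endpoint", "High", "Resolved", ["Malware"],
             ["Microsoft Defender for Endpoint"], classification="True alert"),
    Incident(104, "Mass download from one cloud app", "Medium", "Active",
             ["Collection", "Exfiltration"], ["Microsoft Cloud App Security"],
             sensitive_data=True),
]

if __name__ == "__main__":
    for inc in prioritize(SAMPLE_QUEUE):
        print(f"{priority_score(inc):>3}  #{inc.incident_id}  {inc.severity:<7} {inc.name}")
```

The score weights are deliberately simple and are the part a team would tune to its own environment; the point of the example is that the queue's filters map directly onto attributes an analyst can reason about, and that resolved incidents and confirmed false alerts should never outrank active ones regardless of severity.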

Next steps

After you've determined which incident requires the highest priority, you can proceed to do further investigative work on that incident.

See also