Incidents overview in Microsoft 365 Defender

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Security teams can now manage all endpoint, email, and cross-product investigations, configuration, and remediation without the need to navigate to separate product portals. Learn more about what's changed.

Applies to:

  • Microsoft 365 Defender

Want to experience Microsoft 365 Defender? You can evaluate it in a lab environment or run your pilot project in production.

Incidents are based on related alerts. Alerts are created when a malicious event or activity is seen on your network. Individual alerts provide valuable clues about an ongoing attack. However, attacks typically employ various vectors and techniques to carry out a breach. Piecing individual clues together can be challenging and time-consuming.

This short video gives an overview of incidents in Microsoft 365 Defender.

An incident is a collection of correlated alerts that make up the story of an attack. Malicious and suspicious events that are found in different device, user, and mailbox entities in the network are automatically aggregated by Microsoft 365 Defender. Grouping related alerts into an incident gives security defenders a comprehensive view of an attack.

For instance, security defenders can see where the attack started, what tactics were used, and how far the attack has gone into the network. They can also see the scope of the attack, like how many devices, users, and mailboxes were impacted, how severe the impact was, and other details about affected entities.

If enabled, Microsoft 365 Defender can automatically investigate and resolve the individual alerts through automation and artificial intelligence. Security defenders can also perform additional remediation steps to resolve the attack straight from the incidents view.

Incidents from the last 30 days are shown in the incident queue. From here, security defenders can see which incidents should be prioritized based on risk level and other factors.

Security defenders can also rename incidents, assign them to individual analysts, classify them, and add tags to incidents for a better and more customized incident management experience.
