Manage incidents in Microsoft 365 Defender

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Security teams can now manage all endpoint, email and cross-product investigations, configuration and remediation without the need to navigate to separate product portals. Learn more about what's changed.

Applies to:

  • Microsoft 365 Defender

Managing incidents is critical in ensuring that threats are contained and addressed. In Microsoft 365 Defender, you can manage incidents on devices, users, and mailboxes.

You can manage incidents by selecting an incident from the Incidents queue.

You can edit the name of an incident, resolve it, and set its classification and determination. You can also assign the incident to yourself and add incident tags and comments.

If, while investigating, you want to move alerts from one incident to another, you can do so from the Alerts tab, creating a larger or smaller incident that includes all relevant alerts.

Edit incident name

Incidents are automatically assigned a name based on alert attributes such as the number of endpoints affected, users affected, detection sources, or categories. This allows you to quickly understand the scope of the incident.

For example: Multi-stage incident on multiple endpoints reported by multiple sources.

You can modify the incident name to better align with your preferred naming convention.

Note

Incidents that existed prior to the rollout of the automatic incident naming feature will retain their name.

Assign incidents

If an incident has not yet been assigned, you can select Assign to me to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it.

Set status and classification

Incident status

You can categorize incidents (as Active or Resolved) by changing their status as your investigation progresses. This helps you organize and manage how your team responds to incidents.

For example, your SOC analyst can review the urgent Active incidents for the day and decide to assign them to herself for investigation.

Alternatively, your SOC analyst might set the incident as Resolved if the incident has been remediated. Resolving an incident automatically closes all alerts that are part of the incident and still open.

Classification and determination

You can choose not to set a classification, or decide to specify whether an incident is true or false. Doing so helps the team see patterns and learn from them.

Add comments

You can add comments and view historical events about an incident to see previous changes made to it.

Whenever a change or comment is made to an alert, it is recorded in the Comments and history section.

Added comments instantly appear on the pane.

Add incident tags

You can add custom tags to an incident, for example to flag a group of incidents with a common characteristic. You can later filter the incidents queue for all incidents that contain a specific tag.