規劃您的試驗 Microsoft 365 Defender 專案Planning your pilot Microsoft 365 Defender project

重要

已改善的 Microsoft 365 安全性中心 現在已提供公開預覽。The improved Microsoft 365 security center is now available in public preview. 這種新的經驗會將 Defender、Office 365 的 Defender、Microsoft 365 Defender 等,帶入 Microsoft 365 的安全性中心。This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. 安全小組現在可以管理所有端點、電子郵件及跨產品調查、設定和修正,而不需要流覽個別的產品入口網站。Security teams can now manage all endpoint, email and cross product investigations, configuration and remediation without the need to navigate to separate product portals. 深入瞭解已變更的專案。Learn more about what's changed.

適用於:Applies to:

  • Microsoft 365 DefenderMicrosoft 365 Defender
規劃
規劃Planning
準備Prepare
製備Preparation
類比攻擊Simulate attack
類比攻擊Simulate attack
結束和摘要Close and summarize
結束和摘要Close and summarize
您目前在這裡!You are here!

您目前正在規劃階段。You're currently in the planning phase.

為了確保您的試驗專案成功,您一開始必須徹底規劃並取得專案關係人核准。To ensure that your pilot project is a success, it is essential to plan thoroughly with and get approvals from your stakeholders in the beginning. 規劃的元素包括識別範圍、使用案例、需求及成功準則。Elements of planning include identifying scope, use cases, requirements, and success criteria.

本指南會逐步引導您逐步瞭解如何規劃試驗專案。This guide walks you through how to plan your pilot project.

重要

為獲得最佳結果,請盡可能遵循試驗指示。For optimum results, follow the pilot instructions as closely as possible.

範圍Scope

試驗範圍會根據您的環境和可接受的測試方法判斷測試範圍。The scope of the pilot will determine how broad the test will be, based on your environment and acceptable testing methods. 以下是一些要考慮的範例範圍:Here are some example scopes to consider:

  • 開發或測試環境,包括端點、伺服器、網網域控制站。Development or test environment which includes endpoints, servers, domain controllers.
  • 使用 Microsoft 365、Azure、Active Directory 服務、端點和伺服器的生產環境Production environment with Microsoft 365, Azure, Active Directory services, endpoints, and servers

注意

如果您還沒有完整的授權,您可以取得試用授權來評估 Microsoft 365 Defender - 規劃、準備、設定、設定及執行試驗專案。If you don’t have the full licenses yet, you can get trial licenses to evaluate Microsoft 365 Defender – plan, prepare, setup, configure, and run your pilot project. 您的專案關係人將扮演重要角色,協助從開始到完成整個程式。Your stakeholders will play a big role in helping facilitate the process from start to finish.

要評估的作業系統類型也應該根據組織架構來定義。The types of operating systems to be evaluated should also be defined based on the organizational makeup. 這可能包括下列各項:Mac 端點、Linux 伺服器、Windows 10端點、Windows Server 2016。This may include the following: Mac endpoints, Linux Servers, Windows 10 endpoints, Windows Server 2016.

使用案例Use cases

使用案例代表測試控管如何供其預定使用者使用的語句。Use cases represent statements of how the tool being tested is meant to be consumed by its intended users. 這些可以從特定人員的觀點來視為使用者案例,例如 SOC 分析師。These can be formulated as user stories from the point of view of a particular persona, such as a SOC analyst. 例如:For example:

  • 我是 SOC 分析師,我需要查看、關聯、評估和管理各裝置、使用者和網路中信箱的警示和事件。As a SOC analyst, I need to view, correlate, assess and manage alerts and events across devices, users, and mailboxes in my network. [事件管理][Incident management]
  • 我是 SOC 分析師,必須擁有能自動調查及回應網路惡意事件的工具與程式。As a SOC analyst, I must have the tool and process to automatically investigate and respond to malicious events in my network. [自動 IR][Auto IR]
  • 我是 SOC 分析師,我必須搜尋我環境的資料,以尋找已知和潛在威脅,以及可疑的活動。As a SOC analyst, I must search data from my environment to find known and potential threats, and suspicious activities. [進位搜尋][Advanced Hunting]

請記住,這些使用案例應在已定義範圍的參數內建立。Keep in mind that these use cases should be created within the parameters of the defined scope. 例如,如果測試範圍不包含 Microsoft Cloud App 安全性等工具評估,則不應該建立以此功能為資料來源的使用案例。If, for example, the scope of testing does not include an evaluation of tools such as Microsoft Cloud App Security, then use cases that rely on this as a data source should not be created.

需求Requirements

從使用案例清單中,您可以開始建立需求。From the list of use cases, you can start to create requirements. 需求包括工具必須符合使用案例的功能。Requirements include features a tool must have to satisfy the use cases. 這些需求可以細分為類別,例如組式與維護、整合支援,以及搜尋能力及建立自訂警示等功能特定需求。These requirements can be broken down into categories such as configuration and maintenance, support for integrations, and feature-specific requirements like hunting ability and the ability to build custom alerts.

測試計劃Test plan

視需求不同,可能適合使用不同的測試方法。Depending on the requirements, different methods of testing may be appropriate. 例如,如果要求要評估自動化補救的效益,測試計劃必須包含步驟來產生行為 (s) ,以觸發 Microsoft 365 Defender 內的自動化補救動作。For instance, if the requirement is to evaluate the efficacy of Automated Remediation, the test plan needs to include steps to generate the behavior(s) that would trigger an automated remediation action within Microsoft 365 Defender. 如果需求是偵測特定行為或攻擊,則測試可能會涉及更多步驟。If the requirement is to detect a particular behavior or attack, then the test may involve more steps. 重點就是制定計畫,以正確測試您的需求。The point is to have a plan in place to accurately test against your requirements.

成功準則Success criteria

成功準則最終還是會設定成標準,以根據您測試的結果來進行評估。Success criteria is ultimately the bar set to measure against what you are testing. 無論您是要針對其他工具或本身測試 Microsoft 365 Defender (或其他任何相關技術) ,都必須有一些可量化的準則來判斷工具提供的值。Whether you are testing Microsoft 365 Defender (or any other technology for that matter) against other tools or by itself, there must be some quantifiable criteria to determine the value the tool provides. 根據範圍、需求和測試計劃,成功準則會決定如何為測試打分數。Based on the scope, requirements, and testing plan, the success criteria will determine how to score the test. 這應該不會是通過或失敗,而應根據您的需求而更重計算加權分數。This should be less of a pass or fail and more of a weighted scoring based on your needs. 例如,為了成功,工具可能需要在所識別的某些重要區域打到 80% 以上。For example, to be successful, a tool may need to score above 80% in certain critical areas you identify.

計分 卡Scorecard

將計畫的所有元素彙集在一起的方法之一,就是建立計分卡。One way to bring all elements of your plan together can be to create a scorecard. 請參閱下方的範例計分卡:See a sample scorecard below:

使用案例Use case 需求Requirements 組配置需求Configuration requirements 測試計劃Test plan 預期的結果Expected outcome 測試狀態Test status 分數Score 注意事項Notes
事件管理Incident management - Microsoft 365 Defender- Microsoft 365 Defender
- Microsoft Defender for Identity- Microsoft Defender for Identity

- Microsoft Defender 端點- Microsoft Defender for Endpoint

- Microsoft Cloud App 安全性 (選擇性) - Microsoft Cloud App Security (optional)
請參閱 準備 、設定及設定的先決條件,以瞭解詳細資料See the prerequisites for preparation, set-up, and configuration for details 類比攻擊Simulate attack
調查事件Investigate the incident
使用者可以瞭解事件的範圍和影響,並管理事件Investigators can understand the scope and impact of the incident and manage the incident
AutoIRAutoIR - Microsoft 365 Defender- Microsoft 365 Defender
- Microsoft Defender for Identity- Microsoft Defender for Identity

- Microsoft Defender 端點- Microsoft Defender for Endpoint
請參閱 準備 、設定及設定的先決條件,以瞭解詳細資料See the prerequisites for preparation, set-up, and configuration for details
啟用 AutoIREnable AutoIR
類比攻擊Simulate attack
自動化調查Automated investigation
Microsoft 365 Defender 會自動修復警示和事件Alerts and incidents are automatically remediated by Microsoft 365 Defender
進階搜捕Advanced hunting - Microsoft 365 Defender- Microsoft 365 Defender
- Microsoft Defender for Endpoint- Microsoft Defender for Endpoint

-Microsoft Defender for Office 365-Microsoft Defender for Office 365
請參閱 準備 、設定及設定的先決條件,以瞭解詳細資料See the prerequisites for preparation, set-up, and configuration for details 進位搜尋案例Advanced hunting scenario 小動物可以透過進一步搜尋、樞紐分析受影響實體,以及建立自訂偵測來尋找資料Investigators can find data through advanced hunting, pivoting to impacted entities, and by creating custom detections

下一步Next step

準備階段Preparation phase
準備階段Preparation phase
準備您的 Microsoft 365 Defender 試驗環境Prepare your Microsoft 365 Defender pilot environment