Address compromised user accounts with automated investigation and response

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new. This topic might apply to both Microsoft Defender for Office 365 and Microsoft 365 Defender. Refer to the Applies To section and look for specific callouts in this article where there might be differences.

Applies to

Microsoft Defender for Office 365 Plan 2 includes powerful automated investigation and response (AIR) capabilities. Such capabilities can save your security operations team a lot of time and effort dealing with threats. Microsoft continues to improve security capabilities. Recently, AIR capabilities were enhanced to include a compromised user security playbook (currently in preview). Read this article to learn more about the compromised user security playbook. For additional details, see the blog post Speed up time to detect and respond to user compromise and limit breach scope with Microsoft Defender for Office 365.

Automated investigation for compromised users

The compromised user security playbook enables your organization's security team to:

  • Speed up detection of compromised user accounts;

  • Limit the scope of a breach when an account is compromised; and

  • Respond to compromised users more effectively and efficiently.

Compromised user alerts

When a user account is compromised, atypical or anomalous behaviors occur. For example, phishing and spam messages might be sent internally from a trusted user account. Defender for Office 365 can detect such anomalies in email patterns and collaboration activity within Office 365. When this happens, alerts are triggered, and the threat mitigation process begins.

For example, here's an alert that was triggered because of suspicious email sending:

Screenshot: Alert triggered because of suspicious email sending

And here's an example of an alert that was triggered when a sending limit was reached for a user:

Screenshot: Alert triggered because a sending limit was reached

Investigate and respond to a compromised user

When a user account is compromised, alerts are triggered. In some cases, that user account is blocked and prevented from sending any further email messages until the issue is resolved by your organization's security operations team. In other cases, an automated investigation begins, which can result in recommended actions that your security team should take.

Important

You must have appropriate permissions to perform the following tasks. See Required permissions to use AIR capabilities.

View and investigate restricted users

You have a few options for navigating to a list of restricted users. For example, in the Security & Compliance Center, you can go to Threat management > Review > Restricted Users. The following procedure describes navigation using the Alerts dashboard, which is a good way to see the various kinds of alerts that might have been triggered.

  1. Go to https://protection.office.com and sign in.

  2. In the navigation pane, choose Alerts > Dashboard.

  3. In the Other alerts widget, choose Restricted Users.

    Screenshot: Other alerts widget

    This opens the list of restricted users.

    Screenshot: Restricted users in Office 365

  4. Select a user account in the list to view details and take action, such as releasing the restricted user.
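The same review-then-release step can be scripted with Exchange Online PowerShell instead of the portal. This is an added example, not code from the Microsoft article; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds a role allowed to manage restricted users, that the restricted users list corresponds to the output of Get-BlockedSenderAddress, and that its objects expose SenderAddress and Reason properties. The approved list is a constructed placeholder.

```powershell
# Added example (not from the original page): list restricted users and release
# only the accounts that the security operations team has already cleared.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Constructed placeholder: addresses whose investigation is closed and whose
# credentials have been reset. In practice this comes from your case tracker.
$approvedForRelease = @('alex.wilber@contoso.example')

# Assumption: Get-BlockedSenderAddress returns the same accounts the portal
# shows under Threat management > Review > Restricted Users.
$restricted = Get-BlockedSenderAddress

foreach ($entry in $restricted) {
    $address = $entry.SenderAddress
    Write-Host ("{0}`treason={1}" -f $address, $entry.Reason)

    if ($approvedForRelease -contains $address) {
        # Releasing re-enables outbound mail for the account, so it must
        # happen only after remediation, never as a reaction to the alert alone.
        Remove-BlockedSenderAddress -SenderAddress $address
        Write-Host "Released $address"
    }
    else {
        Write-Host "$address remains restricted pending investigation"
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```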

View details about automated investigations

When an automated investigation has begun, you can see its details and results in the Security & Compliance Center. Go to Threat management > Investigations, and then select an investigation to view its details.

To learn more, see View details of an investigation.

Keep the following points in mind

  • Stay on top of your alerts. As you know, the longer a compromise goes undetected, the larger the potential for widespread impact and cost to your organization, customers, and partners. Early detection and timely response are critical to mitigating threats, especially when a user's account is compromised.

  • Automation assists, but does not replace, your security operations team. Automated investigation and response capabilities can detect a compromised user early on, but your security operations team will likely need to engage and do some investigation and remediation. Need some help with this? See Review and approve actions.

  • Don't rely on a suspicious login alert as your only indicator. When a user account is compromised, it might or might not trigger a suspicious login alert. Sometimes it's the series of activities that occur after an account is compromised that triggers an alert. Want to know more about alerts? See Alert policies.

Next steps