Review and manage remediation actions in Office 365

As automated investigations on email & collaboration content result in verdicts, such as Malicious or Suspicious, certain remediation actions are created. In Microsoft Defender for Office 365, remediation actions can include:

  • Blocking a URL (time-of-click)
  • Soft deleting email messages or clusters
  • Quarantining email or email attachments
  • Turning off external mail forwarding

These remediation actions are not taken unless and until your security operations team approves them. We recommend reviewing and approving any pending actions as soon as possible so that your automated investigations complete in a timely manner. In some cases, you can undo a remediation action.

Approve (or reject) pending actions

  1. Go to the Microsoft 365 security center (https://security.microsoft.com) and sign in.
  2. In the navigation pane, select Action center.
  3. On the Pending tab, review the list of actions that are awaiting approval.
  4. Select an item in the list. Its flyout pane opens.
  5. Review the information in the flyout pane, and then take one of the following steps:
    • Select Open investigation page to view more details about the investigation.
    • Select Approve to initiate a pending action.
    • Select Reject to prevent a pending action from being taken.

Undo one remediation action

  1. Go to the Action center (https://security.microsoft.com/action-center) and sign in.
  2. On the History tab, select an action that you want to undo.
  3. In the pane on the right side of the screen, select Undo.

Undo multiple remediation actions

  1. Go to the Action center (https://security.microsoft.com/action-center) and sign in.
  2. On the History tab, select the actions that you want to undo. Make sure to select items that have the same Action type. A flyout pane opens.
  3. In the flyout pane, select Undo.

To remove a file from quarantine across multiple devices

  1. Go to the Action center (https://security.microsoft.com/action-center) and sign in.
  2. On the History tab, select a file that has the Action type Quarantine file.
  3. In the pane on the right side of the screen, select Apply to X more instances of this file, and then select Undo.
