Details and results of an automated investigation in Microsoft 365

Applies to: Microsoft Defender for Office 365

When an automated investigation occurs in Microsoft Defender for Office 365, details about that investigation are available both during and after the automated investigation process. If you have the necessary permissions, you can view those details in the Microsoft 365 security center. Investigation details give you the up-to-date status of the investigation and the ability to approve any pending actions.

Tip

Check out the new, unified investigation page in the Microsoft 365 security center. To learn more, see [(NEW!) Unified investigation page](../defender/m365d-autoir-results.md#new-unified-investigation-page).

Investigation status

The investigation status indicates the progress of the analysis and actions. As the investigation runs, the status changes to indicate whether threats were found and whether actions have been approved.

  • Starting: The investigation has been triggered and is waiting to start running.

  • Running: The investigation process has started and is underway. This state also occurs when pending actions are approved.

  • No Threats Found: The investigation has finished and no threats (user account, email message, URL, or file) were identified.

    TIP: If you suspect something was missed (such as a false negative), you can take action using Threat Explorer.

  • Threats Found: The automated investigation found issues, but there are no specific remediation actions to resolve them.

    The Threats Found status can occur when some type of user activity was identified but no cleanup actions are available. Examples include any of the following user activities:
    - A data loss prevention (DLP) event
    - An email sending anomaly
    - Sent malware
    - Sent phish

    In these cases the investigation found no malicious URLs, files, or email messages to remediate, and no mailbox activity to fix, such as turning off forwarding rules or delegation.

    TIP: If you suspect something was missed (such as a false negative), you can investigate and take action using Threat Explorer.

  • Terminated By System: The investigation stopped. An investigation can stop for several reasons:
    - The investigation's pending actions expired. Pending actions time out after awaiting approval for one week.
    - There are too many actions. For example, if too many users clicked malicious URLs, the volume can exceed the investigation's ability to run all of its analyzers, so the investigation halts.

    TIP: If an investigation halts before actions were taken, try using Threat Explorer to find and address the threats.

  • Pending Action: The investigation has found a threat, such as a malicious email, a malicious URL, or a risky mailbox setting, and an action to remediate that threat is awaiting approval.

    The Pending Action state is triggered when any threat with a corresponding action is found. However, the list of pending actions can grow while an investigation runs. View the investigation details to see whether other items are still pending completion.

  • Remediated: The investigation finished and all remediation actions were approved (noted as fully remediated).

    NOTE: Approved remediation actions can hit errors that prevent them from being carried out. The investigation status does not change regardless of whether the remediation actions completed successfully, so view the investigation details to confirm the outcome of each action.

  • Partially Remediated: The investigation resulted in remediation actions, and some were approved and completed. Other actions are still pending.

  • Failed: At least one investigation analyzer ran into a problem and could not complete properly.

    NOTE: If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded. View the investigation details.

  • Queued By Throttling: The investigation is being held in a queue. When other investigations complete, queued investigations begin. Throttling helps avoid poor service performance.

    TIP: Pending actions can limit how many new investigations can run. Make sure to approve (or reject) pending actions.

  • Terminated By Throttling: If an investigation is held in the queue for too long, it stops.

    TIP: You can start an investigation from Threat Explorer.
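The status values above carry several caveats a responder has to track by hand: pending actions silently expire after a week, a Remediated investigation can hide failed actions, a Failed investigation may still have run its approved actions, and an approval backlog throttles new investigations. The following is an added example (not Microsoft code or an API of the product) that encodes those rules as a triage pass over investigation records. The `Investigation`/`Action` dataclasses and the sample records are constructed for illustration; this page describes no export schema, so adapt the field names to whatever data you actually pull from the portal.

```python
"""Triage helper for Defender for Office 365 automated investigations.

Added example, not Microsoft code. The record layout (Investigation/Action
dataclasses) is an assumption: this page does not describe a schema, so adapt
the field names to whatever export you are working from. The rules encode the
status semantics and caveats from the status list above.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Pending actions time out after awaiting approval for one week (see Terminated By System).
PENDING_ACTION_TIMEOUT = timedelta(days=7)


@dataclass
class Action:
    action_id: str
    description: str
    state: str                      # "pending", "approved" or "rejected"
    proposed: datetime              # when the investigation proposed the action
    error: Optional[str] = None     # set when an approved action failed to run


@dataclass
class Investigation:
    investigation_id: str
    status: str                     # one of the status values listed above
    actions: List[Action] = field(default_factory=list)


def pending_actions(inv: Investigation) -> List[Action]:
    return [a for a in inv.actions if a.state == "pending"]


def triage(inv: Investigation, now: datetime) -> List[str]:
    """Follow-up items a responder should act on for one investigation."""
    out: List[str] = []
    tag = inv.investigation_id
    if inv.status == "Pending Action":
        for a in pending_actions(inv):
            left = a.proposed + PENDING_ACTION_TIMEOUT - now
            if left <= timedelta(0):
                out.append(f"{tag}: {a.action_id} expired unapproved; expect Terminated By System, remediate via Threat Explorer")
            elif left <= timedelta(days=1):
                out.append(f"{tag}: {a.action_id} ({a.description}) expires in {left}; approve or reject now")
    elif inv.status == "Partially Remediated":
        for a in pending_actions(inv):
            out.append(f"{tag}: {a.action_id} still pending; approve or reject it to close the investigation")
    elif inv.status == "Remediated":
        # The status stays Remediated even when an approved action errored out.
        for a in inv.actions:
            if a.state == "approved" and a.error:
                out.append(f"{tag}: approved action {a.action_id} failed ({a.error}); status did not change, redo it manually")
    elif inv.status == "Failed":
        approved = [a for a in inv.actions if a.state == "approved"]
        if approved:
            out.append(f"{tag}: analyzer failed after {len(approved)} approved action(s); check investigation details for whether they ran")
        else:
            out.append(f"{tag}: analyzer failed; review the threat in Threat Explorer")
    elif inv.status in ("Terminated By System", "Terminated By Throttling"):
        out.append(f"{tag}: {inv.status}; find and address the threats in Threat Explorer")
    elif inv.status == "Threats Found":
        out.append(f"{tag}: threats found but no automated remediation available; review the user activity manually")
    # Starting, Running, Queued By Throttling and No Threats Found need no per-investigation action.
    return out


def triage_tenant(invs: List[Investigation], now: datetime) -> Dict[str, object]:
    """Per-investigation findings plus the approval backlog that throttles new investigations."""
    findings = [f for inv in invs for f in triage(inv, now)]
    backlog = sum(len(pending_actions(i)) for i in invs)
    queued = [i.investigation_id for i in invs if i.status == "Queued By Throttling"]
    if queued and backlog:
        findings.append(f"{len(queued)} investigation(s) queued while {backlog} action(s) await approval; clear the backlog so they can start")
    return {"findings": findings, "pending_backlog": backlog, "queued": queued}


# Constructed sample records (not real investigation data).
NOW = datetime(2021, 6, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_INVESTIGATIONS = [
    Investigation("inv-1", "Pending Action", [
        Action("act-1", "Soft delete email cluster", "pending", NOW - timedelta(days=6, hours=12)),
        Action("act-2", "Remove forwarding rule", "pending", NOW - timedelta(days=8)),
    ]),
    Investigation("inv-2", "Remediated", [
        Action("act-3", "Block URL", "approved", NOW - timedelta(days=2), error="mailbox not found"),
    ]),
    Investigation("inv-3", "Failed", [Action("act-4", "Soft delete email", "approved", NOW - timedelta(days=1))]),
    Investigation("inv-4", "Queued By Throttling"),
    Investigation("inv-5", "No Threats Found"),
]

if __name__ == "__main__":
    for line in triage_tenant(SAMPLE_INVESTIGATIONS, NOW)["findings"]:
        print(line)
```

Run it as a scheduled check against your own records and route the findings to whoever holds the approval role; the tenant-level line at the end is the one that most often explains why new investigations sit in Queued By Throttling.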

View details of an investigation

  1. Go to the Microsoft 365 security center (https://security.microsoft.com) and sign in.
  2. In the navigation pane, select Action center.
  3. On either the Pending or History tab, select an action. Its flyout pane opens.
  4. In the flyout pane, select Open investigation page.
  5. Use the various tabs to learn more about the investigation.

View details about an alert associated with an investigation

Certain kinds of alerts trigger automated investigation in Microsoft 365. To learn more, see alert policies that trigger automated investigations.

  1. Go to the Microsoft 365 security center (https://security.microsoft.com) and sign in.
  2. In the navigation pane, select Action center.
  3. On either the Pending or History tab, select an action. Its flyout pane opens.
  4. In the flyout pane, select Open investigation page.
  5. Select the Alerts tab to view a list of all of the alerts associated with that investigation.
  6. Select an item in the list to open its flyout pane. There, you can view more information about the alert.

Keep the following points in mind

  • Email counts are calculated at the time of the investigation, and some counts are recalculated when you open investigation flyouts (based on an underlying query).

  • The email counts shown for the email clusters on the Email tab, and the email quantity value shown on the cluster flyout, are calculated at the time of the investigation and do not change.

  • The email count shown at the bottom of the Email tab of the email cluster flyout, and the count of email messages shown in Explorer, reflect email messages received after the investigation's initial analysis.

    Thus, an email cluster that shows an original quantity of 10 email messages would show an email list total of 15 if five more email messages arrive between the investigation's analysis phase and the time the admin reviews the investigation. Likewise, old investigations might start showing higher counts than Explorer queries show, because data in Microsoft Defender for Office 365 Plan 2 expires after seven days for trials and after 30 days for paid licenses.

    Both the historical and the current counts are shown, in different views, to indicate the email impact at the time of the investigation and the current impact up until the time that remediation runs.

  • In the context of email, you might see a volume anomaly threat surface as part of the investigation. A volume anomaly indicates a spike in similar email messages around the investigation event time compared to earlier timeframes. A spike in email traffic together with certain shared characteristics (for example, subject and sender domain, body similarity, and sender IP) is typical of the start of an email campaign or attack. However, bulk, spam, and legitimate email campaigns commonly share these characteristics too.

  • Volume anomalies represent a potential threat and accordingly could be less severe than malware or phish threats identified using anti-virus engines, detonation, or malicious reputation.

  • You do not have to approve every action. If you do not agree with a recommended action, or your organization does not use certain types of actions, you can reject the actions or simply ignore them and take no action.

  • Approving and/or rejecting all actions lets the investigation fully close (status becomes Remediated), while leaving some actions incomplete results in the investigation status changing to Partially Remediated.
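The volume anomaly described in the points above is simple enough to reproduce over your own message trace data, which is useful when you want to judge whether a "potential" finding is a campaign or a newsletter before approving an action. The block below is an added example, not Microsoft code and not the detection the product runs: it groups messages by normalized subject, sender domain and sender IP, compares the count in the window around the event time with the mean of earlier windows of the same length, and ranks a spike higher only when some message in the group already carries a verdict from another engine (the page's point that volume alone is a weaker signal than AV, detonation or reputation). Body similarity, also listed on the page, is not modeled. The message dicts, field names, thresholds and sample data are all constructed for this example.

```python
"""Volume-anomaly check over constructed email metadata.

Added example (not Microsoft code). Messages are grouped by subject, sender
domain and sender IP; a group is flagged when its count in the window around
the investigation event time spikes relative to the mean of earlier windows
of the same length. The dict fields (received, subject, sender, sender_ip,
engine_verdict) and the thresholds are assumptions, not a product schema.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

ClusterKey = Tuple[str, str, str]


def cluster_key(msg: dict) -> ClusterKey:
    # Digits are collapsed so "Invoice 4400" and "Invoice 4401" fall into one cluster.
    subject = re.sub(r"\d+", "#", msg["subject"].strip().lower())
    domain = msg["sender"].rsplit("@", 1)[-1].lower()
    return (subject, domain, msg["sender_ip"])


def volume_anomalies(msgs: List[dict], event_time: datetime,
                     window: timedelta = timedelta(hours=1), baseline_windows: int = 6,
                     ratio: float = 5.0, min_messages: int = 5) -> List[Dict[str, object]]:
    """Clusters whose count in the event window is >= ratio x their baseline mean."""
    event_start, event_end = event_time - window / 2, event_time + window / 2
    baseline_start = event_start - window * baseline_windows
    event_counts: Counter = Counter()
    baseline_counts: Counter = Counter()
    engine_hits = defaultdict(set)          # verdicts from AV / detonation / reputation
    for m in msgs:
        key = cluster_key(m)
        if event_start <= m["received"] < event_end:
            event_counts[key] += 1
            if m.get("engine_verdict"):
                engine_hits[key].add(m["engine_verdict"])
        elif baseline_start <= m["received"] < event_start:
            baseline_counts[key] += 1
    results = []
    for key, n in event_counts.items():
        mean = baseline_counts[key] / baseline_windows
        # max(mean, 1.0) keeps a brand-new cluster from being flagged on a single message.
        if n >= min_messages and n >= ratio * max(mean, 1.0):
            results.append({
                "cluster": key,
                "event_count": n,
                "baseline_mean": round(mean, 2),
                # Volume alone is only a potential threat; an engine verdict raises the severity.
                "severity": "high" if engine_hits[key] else "potential",
                "engine_verdicts": sorted(engine_hits[key]),
            })
    return sorted(results, key=lambda r: r["event_count"], reverse=True)


# Constructed sample data (not real mail flow).
EVENT_TIME = datetime(2021, 6, 15, 9, 30, tzinfo=timezone.utc)


def _msg(minutes_from_event: int, subject: str, sender: str, ip: str, verdict=None) -> dict:
    return {"received": EVENT_TIME + timedelta(minutes=minutes_from_event),
            "subject": subject, "sender": sender, "sender_ip": ip, "engine_verdict": verdict}


SAMPLE_MESSAGES: List[dict] = []
# Campaign: 12 near-identical invoices inside the event window, none in the baseline; one has a phish verdict.
for i in range(12):
    SAMPLE_MESSAGES.append(_msg(-25 + i * 4, f"Invoice {4400 + i} overdue", "billing@invoices.example",
                                "198.51.100.7", "phish" if i == 3 else None))
# Lure with no engine verdict: 6 in the event window, 1 in the baseline.
for i in range(6):
    SAMPLE_MESSAGES.append(_msg(-28 + i * 9, "Your package is waiting", "notify@parcel-track.example", "192.0.2.44"))
SAMPLE_MESSAGES.append(_msg(-200, "Your package is waiting", "notify@parcel-track.example", "192.0.2.44"))
# Legitimate newsletter: steady 3 per hour across the baseline and the event window, so no spike.
for h in range(-6, 1):
    for j in range(3):
        SAMPLE_MESSAGES.append(_msg(h * 60 - 20 + j * 10, "Weekly digest", "news@corp.example", "203.0.113.10"))

if __name__ == "__main__":
    for r in volume_anomalies(SAMPLE_MESSAGES, EVENT_TIME):
        print(r)
```

With the sample data the invoice cluster is reported first with severity "high" because one of its messages already has a phish verdict, the parcel lure is reported as "potential", and the newsletter is not reported at all even though it shares a subject, domain and IP across every window; that is exactly the distinction the page draws between a volume anomaly and a verdict-backed threat.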

Next steps