Threat investigation and response

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies To

Threat investigation and response capabilities in Microsoft Defender for Office 365 help security analysts and administrators protect their organization's Microsoft 365 for business users by:

  • Making it easy to identify, monitor, and understand cyberattacks
  • Helping to quickly address threats in Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams
  • Providing insights and knowledge to help security operations prevent cyberattacks against their organization
  • Employing automated investigation and response in Office 365 for critical email-based threats

Threat investigation and response capabilities provide insights into threats and the related response actions that are available in the Security & Compliance Center. These insights can help your organization's security team protect users from email- or file-based attacks. The capabilities help monitor signals and gather data from multiple sources, such as user activity, authentication, email, compromised PCs, and security incidents. Business decision makers and your security operations team can use this information to understand and respond to threats against your organization and to protect your intellectual property.

Get acquainted with threat investigation and response tools

Threat investigation and response capabilities surface in the Security & Compliance Center as a set of tools and response workflows, including the following:

Threat dashboard

Use the Threat dashboard (also referred to as the Security dashboard) to quickly see which threats have been addressed, and as a visual way to report to business decision makers how Microsoft 365 services are securing your business.

[Screenshot: Threat dashboard]

To view and use this dashboard, in the Security & Compliance Center, go to Threat management > Dashboard.

Threat Explorer

Use Threat Explorer (and real-time detections) to analyze threats, see the volume of attacks over time, and analyze data by threat families, attacker infrastructure, and more. Threat Explorer (also referred to as Explorer) is the starting place for any security analyst's investigation workflow.

[Screenshot: Threat Explorer]

To view and use this report, in the Security & Compliance Center, go to Threat management > Explorer.

Incidents

Use the Incidents list (also called Investigations) to see a list of in-flight security incidents. Incidents are used to track threats such as suspicious email messages, and to conduct further investigation and remediation.

[Screenshot: List of current threat incidents in Office 365]

To view the list of current incidents for your organization, in the Security & Compliance Center, go to Threat management > Review > Incidents.

[Screenshot: In the Security & Compliance Center, choose Threat management > Review]

Attack Simulator

Use Attack Simulator to set up and run realistic cyberattacks in your organization, and identify vulnerable people before a real cyberattack affects your business. To learn more, see Attack Simulator in Office 365.

Automated investigation and response

Use automated investigation and response (AIR) capabilities to save time and effort correlating content, devices, and people at risk from threats in your organization. AIR processes can begin whenever certain alerts are triggered, or when started by your security operations team. To learn more, see automated investigation and response in Office 365.

Threat intelligence widgets

As part of the Microsoft Defender for Office 365 Plan 2 offering, security analysts can review details about a known threat. This is useful for determining whether there are additional preventative measures or steps that can be taken to keep users safe.

[Screenshot: Security trends showing information about recent threats]

How do we get these capabilities?

Microsoft 365 threat investigation and response capabilities are included in Microsoft Defender for Office 365 Plan 2, which is included in Enterprise E5 or available as an add-on to certain subscriptions. To learn more, see Defender for Office 365 Plan 1 and Plan 2.

Required roles and permissions

Microsoft Defender for Office 365 uses role-based access control. Permissions are assigned through certain roles in Azure Active Directory, the Microsoft 365 admin center, or the Security & Compliance Center.

Tip

Although some roles, such as Security Administrator, can be assigned in the Security & Compliance Center, consider using either the Microsoft 365 admin center or Azure Active Directory instead. For information about roles, role groups, and permissions, see the following resources:


| Activity | Roles and permissions |
| --- | --- |
| Use the Threat dashboard (or the new Security dashboard); view information about recent or current threats | One of the following: Global Administrator, Security Administrator, or Security Reader. These roles can be assigned in either Azure Active Directory (https://portal.azure.com) or the Microsoft 365 admin center (https://admin.microsoft.com). |
| Use Threat Explorer (and real-time detections) to analyze threats | One of the following: Global Administrator, Security Administrator, or Security Reader. These roles can be assigned in either Azure Active Directory (https://portal.azure.com) or the Microsoft 365 admin center (https://admin.microsoft.com). |
| View Incidents (also referred to as Investigations); add email messages to an incident | One of the following: Global Administrator, Security Administrator, or Security Reader. These roles can be assigned in either Azure Active Directory (https://portal.azure.com) or the Microsoft 365 admin center (https://admin.microsoft.com). |
| Trigger email actions in an incident; find and delete suspicious email messages | One of the following: Global Administrator, or Security Administrator plus the Search and Purge role. The Global Administrator and Security Administrator roles can be assigned in either Azure Active Directory (https://portal.azure.com) or the Microsoft 365 admin center (https://admin.microsoft.com). The Search and Purge role must be assigned in the Security & Compliance Center (https://protection.office.com). |
| Integrate Microsoft Defender for Office 365 Plan 2 with Microsoft Defender for Endpoint; integrate Microsoft Defender for Office 365 Plan 2 with a SIEM server | Either the Global Administrator or the Security Administrator role assigned in either Azure Active Directory (https://portal.azure.com) or the Microsoft 365 admin center (https://admin.microsoft.com), plus an appropriate role assigned in additional applications (such as Microsoft Defender Security Center or your SIEM server). |
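Because the roles in the table are assigned in two different places, a periodic review of who actually holds them is the practical least-privilege check. The following PowerShell is an added example, not part of the Microsoft documentation above: it lists the holders of the three Azure Active Directory roles via Microsoft Graph PowerShell, then the Security & Compliance role groups that carry the Search And Purge role. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the running account can read role assignments, and that Get-RoleGroup exposes role names in a Roles property (an assumption about that cmdlet's output).

```powershell
# Added example: audit who holds the roles listed in the table above.
# Assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed.

# --- Azure Active Directory roles: Global Administrator, Security Administrator, Security Reader ---
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

$wanted = @("Global Administrator", "Security Administrator", "Security Reader")

# Get-MgDirectoryRole returns only roles that have been activated in the tenant,
# so a role that has never been assigned simply does not appear here.
$roles = Get-MgDirectoryRole | Where-Object { $wanted -contains $_.DisplayName }

foreach ($role in $roles) {
    $members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id)
    Write-Host ("{0}: {1} member(s)" -f $role.DisplayName, $members.Count)
    foreach ($m in $members) {
        # Members may be users, groups or service principals; userPrincipalName
        # exists only for users, so fall back to displayName and then the object id.
        $name = $m.AdditionalProperties["userPrincipalName"]
        if (-not $name) { $name = $m.AdditionalProperties["displayName"] }
        if (-not $name) { $name = $m.Id }
        Write-Host ("  {0}" -f $name)
    }
}

# --- Security & Compliance Center: role groups that grant Search And Purge ---
Connect-IPPSSession

# Assumption: the Roles property of Get-RoleGroup output holds role names,
# as it does for Exchange Online role groups.
$purgeGroups = Get-RoleGroup | Where-Object { $_.Roles -contains "Search And Purge" }

foreach ($g in $purgeGroups) {
    Write-Host ("Role group '{0}' grants Search And Purge:" -f $g.Name)
    Get-RoleGroupMember -Identity $g.Identity | ForEach-Object {
        Write-Host ("  {0}" -f $_.Name)
    }
}
```

Anyone listed under a Search And Purge role group who is not also an incident responder is a candidate for removal, since that role permits deleting mail across the organization.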

Next steps