Create custom detection rules in Microsoft 365 Defender | Microsoft Docs

Create and manage custom detection rules

2021/4/2

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Security teams can now manage all endpoint, email and cross-product investigations, configuration and remediation without the need to navigate to separate product portals.

Applies to:

Microsoft 365 Defender

Custom detection rules are rules you can design and tweak using advanced hunting queries. These rules let you proactively monitor various events and system states, including suspected breach activity and misconfigured endpoints. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.

Required permissions for managing custom detections

To manage custom detections, you need to be assigned one of these roles:

Security administrator—Users with this Azure Active Directory role can manage security settings in Microsoft 365 security center and other portals and services.

Security operator—Users with this Azure Active Directory role can manage alerts and have global read-only access to security-related features, including all information in Microsoft 365 security center. This role is sufficient for managing custom detections only if role-based access control (RBAC) is turned off in Microsoft Defender for Endpoint. If you have RBAC configured, you also need the manage security settings permission for Defender for Endpoint.

To manage required permissions, a global administrator can:

Assign the security administrator or security operator role in Microsoft 365 admin center under Roles > Security admin.

Check RBAC settings for Microsoft Defender for Endpoint in Microsoft Defender Security Center under Settings > Permissions > Roles. Select the corresponding role to assign the manage security settings permission.

Note

To manage custom detections, security operators will need the manage security settings permission in Microsoft Defender for Endpoint if RBAC is turned on.

Create a custom detection rule

1. Prepare the query.

In Microsoft 365 security center, go to Advanced hunting and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results.

Important

To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity.

Required columns in the query results

To create a custom detection rule, the query must return the following columns:

Timestamp—used to set the timestamp for generated alerts

ReportId—enables lookups for the original records

One of the following columns that identify specific devices, users, or mailboxes:

DeviceId

DeviceName

RemoteDeviceName

RecipientEmailAddress

SenderFromAddress (信封发件人或Return-Path地址)SenderFromAddress (envelope sender or Return-Path address)

SenderMailFromAddress (客户端邮箱显示发件人)SenderMailFromAddress (sender address displayed by email client)

RecipientObjectId

AccountObjectId

AccountSid

AccountUpn

InitiatingProcessAccountSid

InitiatingProcessAccountUpn

InitiatingProcessAccountObjectId

Note

Support for additional entities will be added as new tables are added to the advanced hunting schema.

Simple queries, such as those that don't use the project or summarize operator to customize or aggregate results, typically return these common columns.

There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by entity under a column such as DeviceId, you can still return Timestamp and ReportId by getting them from the most recent event involving each unique DeviceId.

The sample query below counts the number of unique devices (DeviceId) with antivirus detections and uses this count to find only the devices with more than five detections. To return the latest Timestamp and the corresponding ReportId, it uses the summarize operator with the arg_max function.

DeviceEvents
| where Timestamp > ago(1d)
| where ActionType == "AntivirusDetection"
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
| where count_ > 5

Tip

For better query performance, set a time filter that matches your intended run frequency for the rule. Since the least frequent run is every 24 hours, filtering for the past day will cover all new data.

2. Create a new rule and provide alert details.

With the query in the query editor, select Create detection rule and specify the following alert details:

Detection name—name of the detection rule

Frequency—interval for running the query and taking action. See additional guidance below

Alert title—title displayed with alerts triggered by the rule

Severity—potential risk of the component or activity identified by the rule

Category—threat component or activity identified by the rule

MITRE ATT&CK techniques—one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section is hidden for certain alert categories, including malware, ransomware, suspicious activity, and unwanted software

Description—more information about the component or activity identified by the rule

Recommended actions—additional actions that responders might take in response to an alert

Rule frequency

When you save a new rule, it runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals, applying a lookback duration based on the frequency you choose:

Every 24 hours—runs every 24 hours, checking data from the past 30 days

Every 12 hours—runs every 12 hours, checking data from the past 24 hours

Every 3 hours—runs every 3 hours, checking data from the past 6 hours

Every hour—runs hourly, checking data from the past 2 hours

When you edit a rule, it will run with the applied changes at the next run time scheduled according to the frequency you set.

Tip

Match the time filters in your query with the lookback duration. Results outside of the lookback duration are ignored.

Select the frequency that matches how closely you want to monitor detections. Consider your organization's capacity to respond to the alerts.
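As an added example that is not part of the Microsoft documentation above, the query below applies the arg_max pattern from the device sample to an email-based rule scheduled Every 3 hours, so its time filter equals the 6-hour lookback and the join plus summarize still return Timestamp, ReportId, mailbox entity columns and a SHA256 column. It assumes the advanced hunting EmailEvents and EmailAttachmentInfo tables; the container file-type list is a constructed watch list, not a Microsoft recommendation.

```kusto
// Added example (not from the Microsoft docs page). Assumes the advanced hunting
// EmailEvents and EmailAttachmentInfo tables; the file-type list is constructed.
let lookback = 6h;   // rule frequency "Every 3 hours" checks data from the past 6 hours
EmailEvents
| where Timestamp > ago(lookback)          // same window as the lookback, so nothing is ignored
| where EmailDirection == "Inbound" and DeliveryAction == "Delivered"
| join kind=inner (
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where FileType in ("iso", "vhd", "vhdx")   // constructed watch list of container types
    | project NetworkMessageId, FileName, SHA256 // only these columns join back
  ) on NetworkMessageId
// summarize alone would drop Timestamp and ReportId; arg_max keeps them from the latest event
| summarize (Timestamp, ReportId) = arg_max(Timestamp, ReportId),
            DeliveredMessages = dcount(NetworkMessageId)
    by SenderFromAddress, RecipientEmailAddress, FileName, SHA256
// SenderFromAddress / RecipientEmailAddress satisfy the entity-column requirement and
// can be chosen as the impacted mailbox; SHA256 is a column the Quarantine file action uses
| project Timestamp, ReportId, SenderFromAddress, RecipientEmailAddress,
          FileName, SHA256, DeliveredMessages
```

Run the query once in Advanced hunting before saving it as a rule, and lower the watch list or raise a threshold if it matches routine mail flow, because each run is capped at 100 alerts.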

3. Choose the impacted entities.

Identify the columns in your query results where you expect to find the main affected or impacted entity. For example, a query might return sender (SenderFromAddress or SenderMailFromAddress) and recipient (RecipientEmailAddress) addresses. Identifying which of these columns represent the main impacted entity helps the service aggregate relevant alerts, correlate incidents, and target response actions.

You can select only one column for each entity type (mailbox, user, or device). Columns that are not returned by your query can't be selected.

4. Specify actions.

Your custom detection rule can automatically take actions on devices, files, or users that are returned by the query.

Actions on devices

These actions are applied to devices in the DeviceId column of the query results:

Isolate device—uses Microsoft Defender for Endpoint to apply full network isolation, preventing the device from connecting to any application or service. Learn more about Microsoft Defender for Endpoint machine isolation

Run antivirus scan—performs a full Windows Defender Antivirus scan on the device

Initiate investigation—initiates an automated investigation on the device

Restrict app execution—sets restrictions on the device to allow only files that are signed with a Microsoft-issued certificate to run. Learn more about app restrictions with Microsoft Defender for Endpoint

Actions on files

When selected, you can choose to apply the Quarantine file action on files in the SHA1, InitiatingProcessSHA1, SHA256, or InitiatingProcessSHA256 column of the query results. This action deletes the file from its current location and places a copy in quarantine.

Actions on users

When selected, the Mark user as compromised action is taken on users in the AccountObjectId, InitiatingProcessAccountObjectId, or RecipientObjectId column of the query results. This action sets the user's risk level to "high" in Azure Active Directory, triggering corresponding identity protection policies.

Note

The allow or block action for custom detection rules is currently not supported on Microsoft 365 Defender.

5. Set the rule scope.

Set the scope to specify which devices are covered by the rule. The scope influences rules that check devices and doesn't affect rules that check only mailboxes and user accounts or identities.

When setting the scope, you can select:

All devices

Specific device groups

Only data from devices in scope will be queried. Also, actions will be taken only on those devices.

6. Review and turn on the rule.

After reviewing the rule, select Create to save it. The custom detection rule immediately runs. It runs again based on the configured frequency to check for matches, generate alerts, and take response actions.

Important

Custom detections should be regularly reviewed for efficiency and effectiveness. To make sure you are creating detections that trigger true alerts, take time to review your existing custom detections by following the steps in Manage existing custom detection rules.

You maintain control over the broadness or specificity of your custom detections, so any false alerts generated by custom detections might indicate a need to modify certain parameters of the rules.

Manage existing custom detection rules

You can view the list of existing custom detection rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.

View existing rules

To view all existing custom detection rules, navigate to Hunting > Custom detections. The page lists all the rules with the following run information:

Last run—when a rule was last run to check for query matches and generate alerts

Last run status—whether a rule ran successfully

Next run—the next scheduled run

Status—whether a rule has been turned on or off

View rule details, modify rule, and run rule

To view comprehensive information about a custom detection rule, go to Hunting > Custom detections and then select the name of the rule. You can then view general information about the rule, including its run status and scope. The page also provides the list of triggered alerts and actions.

[Screenshot: Custom detection rule details]

You can also take the following actions on the rule from this page:

Run—run the rule immediately. This also resets the interval for the next run.

Edit—modify the rule without changing the query

Modify query—edit the query in advanced hunting

Turn on / Turn off—enable the rule or stop it from running

Delete—turn off the rule and remove it

View and manage triggered alerts

In the rule details screen (Hunting > Custom detections > [Rule name]), go to Triggered alerts, which lists the alerts generated by matches to the rule. Select an alert to view detailed information about it and take the following actions:

Manage the alert by setting its status and classification (true or false alert)

Link the alert to an incident

Run the query that triggered the alert in advanced hunting

Review actions

In the rule details screen (Hunting > Custom detections > [Rule name]), go to Triggered actions, which lists the actions taken based on matches to the rule.

Tip

To quickly view information and take action on an item in a table, use the selection column [✓] at the left of the table.
