Enable security audits for Azure Active Directory Domain Services

Azure Active Directory Domain Services (Azure AD DS) security audits let Azure stream security events to targeted resources. These resources include Azure Storage, Azure Log Analytics workspaces, or Azure Event Hubs. After you enable security audit events, Azure AD DS sends all the audited events for the selected categories to the targeted resource.

You can archive events into Azure Storage and stream events into security information and event management (SIEM) software (or equivalent) using Azure Event Hubs, or do your own analysis using Azure Log Analytics workspaces from the Azure portal.

Important

Azure AD DS security audits are only available for Azure Resource Manager-based managed domains. For information on how to migrate, see Migrate Azure AD DS from the Classic virtual network model to Resource Manager.

Security audit destinations

You can use Azure Storage, Azure Event Hubs, or Azure Log Analytics workspaces as target resources for Azure AD DS security audits. These destinations can be combined. For example, you could use Azure Storage for archiving security audit events, and an Azure Log Analytics workspace to analyze and report on the information in the short term.

The following table outlines scenarios for each destination resource type.

Important

You need to create the target resource before you enable Azure AD DS security audits. You can create these resources using the Azure portal, Azure PowerShell, or the Azure CLI.

Target Resource: Azure Storage
Scenario: This target should be used when your primary need is to store security audit events for archival purposes. Other targets can be used for archival purposes, but those targets provide capabilities beyond the primary need of archiving. Before you enable Azure AD DS security audit events, first create an Azure Storage account.

Target Resource: Azure Event Hubs
Scenario: This target should be used when your primary need is to share security audit events with additional software such as data analysis software or security information and event management (SIEM) software. Before you enable Azure AD DS security audit events, create an event hub using the Azure portal.

Target Resource: Azure Log Analytics workspace
Scenario: This target should be used when your primary need is to analyze and review security audits directly from the Azure portal. Before you enable Azure AD DS security audit events, create a Log Analytics workspace in the Azure portal.

Enable security audit events using the Azure portal

To enable Azure AD DS security audit events using the Azure portal, complete the following steps.

Important

Azure AD DS security audits aren't retroactive. You can't retrieve or replay events from the past. Azure AD DS can only send events that occur after security audits are enabled.

  1. Sign in to the Azure portal at https://portal.azure.cn.

  2. At the top of the Azure portal, search for and select Azure AD Domain Services. Choose your managed domain, such as aaddscontoso.com.

  3. In the Azure AD DS window, select Diagnostic settings on the left-hand side.

  4. No diagnostics are configured by default. To get started, select Add diagnostic setting.

    [Screenshot: Add diagnostic setting for Azure AD Domain Services]

  5. Enter a name for the diagnostic configuration, such as aadds-auditing.

    Check the box for the security audit destination you want. You can choose from an Azure Storage account, an Azure event hub, or a Log Analytics workspace. These destination resources must already exist in your Azure subscription. You can't create the destination resources in this wizard.

    [Screenshot: Enable the required destinations and the audit event types to capture]

    • Azure Storage
      • Select Archive to a storage account, then choose Configure.
      • Select the Subscription and the Storage account you want to use to archive security audit events.
      • When ready, choose OK.
    • Azure Event Hubs
      • Select Stream to an event hub, then choose Configure.
      • Select the Subscription and the Event hub namespace. If needed, also choose an Event hub name and then an Event hub policy name.
      • When ready, choose OK.
    • Azure Log Analytics workspaces
      • Select Send to Log Analytics, then choose the Subscription and Log Analytics Workspace you want to use to store security audit events.
  6. Select the log categories you want included for the particular target resource. If you send the audit events to an Azure Storage account, you can also configure a retention policy that defines the number of days to retain data. The default setting of 0 retains all data and doesn't rotate events after a period of time.

    You can select different log categories for each targeted resource within a single configuration. This ability lets you choose, for example, which log categories you want to keep for Log Analytics and which log categories you want to archive.

  7. When done, select Save to commit your changes. The target resources start to receive Azure AD DS security audit events soon after the configuration is saved.

Enable security audit events using Azure PowerShell

To enable Azure AD DS security audit events using Azure PowerShell, complete the following steps. If needed, first install the Azure PowerShell module and connect to your Azure subscription.

Important

Azure AD DS security audits aren't retroactive. You can't retrieve or replay events from the past. Azure AD DS can only send events that occur after security audits are enabled.

  1. Authenticate to your Azure subscription using the Connect-AzAccount cmdlet. When prompted, enter your account credentials.

    Connect-AzAccount -Environment AzureChinaCloud
    
  2. Create the target resource for the security audit events.

  3. Get the resource ID for your Azure AD DS managed domain using the Get-AzResource cmdlet. Store the result in a variable named $aadds, so that $aadds.ResourceId holds the value:

    $aadds = Get-AzResource -Name aaddsDomainName
    
  4. Configure the Azure Diagnostic settings using the Set-AzDiagnosticSetting cmdlet to use the target resource for Azure AD Domain Services security audit events. In the following examples, the variable $aadds.ResourceId from the previous step is used.

    • Azure Storage - Replace storageAccountId with your storage account name:

      Set-AzDiagnosticSetting `
          -ResourceId $aadds.ResourceId `
          -StorageAccountId storageAccountId `
          -Enabled $true
      
    • Azure Event Hubs - Replace eventHubName with the name of your event hub and eventHubRuleId with your authorization rule ID:

      Set-AzDiagnosticSetting -ResourceId $aadds.ResourceId `
          -EventHubName eventHubName `
          -EventHubAuthorizationRuleId eventHubRuleId `
          -Enabled $true
      
    • Azure Log Analytics workspaces - Replace workspaceId with the ID of the Log Analytics workspace:

      Set-AzDiagnosticSetting -ResourceId $aadds.ResourceId `
          -WorkspaceId workspaceId `
          -Enabled $true
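
As an added example that is not part of the original article, the following script combines the steps above into one diagnostic setting: it resolves the managed domain and destination resource IDs, enables every log category the resource type exposes, archives to a storage account with a retention policy, streams the same categories to a Log Analytics workspace, and reads the setting back to verify it. The resource names, the resource group and the availability of Set-AzDiagnosticSetting with its -Category and -Retention* parameters (Az.Monitor versions before 3.0) are assumptions.

```powershell
# Added example, not from the original article. Assumes the managed domain,
# the storage account and the Log Analytics workspace already exist, and that
# Az.Monitor still provides Set-AzDiagnosticSetting (versions before 3.0).
$domainName     = 'aaddscontoso.com'    # managed domain from the article's example
$resourceGroup  = 'rg-aadds-audit'      # placeholder resource group for the destinations
$storageAccount = 'aaddsauditarchive'   # placeholder storage account name
$workspaceName  = 'law-aadds-audit'     # placeholder Log Analytics workspace name
$settingName    = 'aadds-auditing'
$retentionDays  = 365                   # archive retention for blobs in the storage account

# Resolve resource IDs instead of hand-typing them (the cmdlets expect IDs, not names).
$aadds   = Get-AzResource -Name $domainName -ResourceType 'Microsoft.AAD/DomainServices'
$storage = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount
$law     = Get-AzOperationalInsightsWorkspace -ResourceGroupName $resourceGroup -Name $workspaceName

# Ask the platform which log categories this resource type exposes rather than guessing
# their names; CategoryType separates log categories from metric categories.
$categories = Get-AzDiagnosticSettingCategory -ResourceId $aadds.ResourceId |
    Where-Object { $_.CategoryType -eq 'Logs' } |
    Select-Object -ExpandProperty Name

# One diagnostic setting with two destinations: archive to storage with retention,
# and stream the same categories to the workspace for querying.
Set-AzDiagnosticSetting -ResourceId $aadds.ResourceId `
    -Name $settingName `
    -StorageAccountId $storage.Id `
    -WorkspaceId $law.ResourceId `
    -Category $categories `
    -RetentionEnabled $true `
    -RetentionInDays $retentionDays `
    -Enabled $true | Out-Null

# Verify: read the setting back and report any category that is not enabled.
$setting  = Get-AzDiagnosticSetting -ResourceId $aadds.ResourceId -Name $settingName
$disabled = $setting.Logs | Where-Object { -not $_.Enabled } | Select-Object -ExpandProperty Category
if ($disabled) {
    Write-Warning "Audit categories not enabled on $domainName : $($disabled -join ', ')"
} else {
    Write-Output "All $($categories.Count) audit categories enabled on $domainName"
}
```

Because audits are not retroactive, run the verification step right after saving; a category that shows as disabled here will simply never produce events.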
      

Query and view security audit events using Azure Monitor

Log Analytics workspaces let you view and analyze the security audit events using Azure Monitor and the Kusto query language. This query language is designed for read-only use and offers powerful analytic capabilities with an easy-to-read syntax. For more information on getting started with the Kusto query language, see the following articles:

The following sample queries can be used to start analyzing security audit events from Azure AD DS.

Sample query 1

View all the account lockout events for the last seven days:

AADDomainServicesAccountManagement
| where TimeGenerated >= ago(7d)
| where OperationName has "4740"

Sample query 2

View all the account lockout events (4740) between June 3, 2020 at 9 a.m. and June 10, 2020 at midnight, sorted ascending by date and time:

AADDomainServicesAccountManagement
| where TimeGenerated >= datetime(2020-06-03 09:00) and TimeGenerated <= datetime(2020-06-10)
| where OperationName has "4740"
| sort by TimeGenerated asc

Sample query 3

View account sign-in events in the last seven days for the account named user:

AADDomainServicesAccountLogon
| where TimeGenerated >= ago(7d)
| where "user" == tolower(extract("Logon Account:\t(.+[0-9A-Za-z])",1,tostring(ResultDescription)))

Sample query 4

View account sign-in events in the last seven days for the account named user that attempted to sign in using a bad password (0xC000006A):

AADDomainServicesAccountLogon
| where TimeGenerated >= ago(7d)
| where "user" == tolower(extract("Logon Account:\t(.+[0-9A-Za-z])",1,tostring(ResultDescription)))
| where "0xc000006a" == tolower(extract("Error Code:\t(.+[0-9A-Za-z])",1,tostring(ResultDescription)))

Sample query 5

View account sign-in events in the last seven days for the account named user that attempted to sign in while the account was locked out (0xC0000234):

AADDomainServicesAccountLogon
| where TimeGenerated >= ago(7d)
| where "user" == tolower(extract("Logon Account:\t(.+[0-9A-Za-z])",1,tostring(ResultDescription)))
| where "0xc0000234" == tolower(extract("Error Code:\t(.+[0-9A-Za-z])",1,tostring(ResultDescription)))

Sample query 6

View the number of account sign-in events in the last seven days for all sign-in attempts made by locked out users:

AADDomainServicesAccountLogon
| where TimeGenerated >= ago(7d)
| where "0xc0000234" == tolower(extract("Error Code:\t(.+[0-9A-Za-z])",1,tostring(ResultDescription)))
| summarize count()
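
The per-account version of sample queries 4 through 6, as an added example that is not part of the original article: it runs from PowerShell against the workspace with Invoke-AzOperationalInsightsQuery and summarizes bad-password (0xc000006a) and locked-out (0xc0000234) attempts per account, so one account absorbing many failures stands out from normal typos. The workspace ID (a placeholder GUID) and the review threshold are assumptions.

```powershell
# Added example, not from the original article. Assumes the Log Analytics workspace
# receives the AADDomainServicesAccountLogon table and that Az.OperationalInsights
# is installed. The workspace customer ID below is a placeholder GUID.
$workspaceId = '00000000-0000-0000-0000-000000000000'
$threshold   = 10   # bad-password attempts per account in seven days worth reviewing

# Kusto query built on the article's extract() patterns. Inside a PowerShell
# here-string \t stays literal, so Kusto receives it and interprets the tab itself;
# only $threshold is expanded by PowerShell before the query is sent.
$query = @"
AADDomainServicesAccountLogon
| where TimeGenerated >= ago(7d)
| extend Account = tolower(extract("Logon Account:\t(.+[0-9A-Za-z])", 1, tostring(ResultDescription))),
         Code    = tolower(extract("Error Code:\t(.+[0-9A-Za-z])", 1, tostring(ResultDescription)))
| where Code in ("0xc000006a", "0xc0000234")
| summarize BadPasswords      = countif(Code == "0xc000006a"),
            LockedOutAttempts = countif(Code == "0xc0000234"),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Account
| where BadPasswords >= $threshold or LockedOutAttempts > 0
| sort by BadPasswords desc
"@

# Run the query against the workspace and print one row per affected account.
$response = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $query -Timespan (New-TimeSpan -Days 7)
$response.Results | Format-Table Account, BadPasswords, LockedOutAttempts, FirstSeen, LastSeen -AutoSize
```

The same query body can be pasted into the Log Analytics query editor in the portal after replacing $threshold with a literal number.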

Audit event categories

Azure AD DS security audits align with traditional auditing for AD DS domain controllers. In hybrid environments, you can reuse existing audit patterns so the same logic can be used when analyzing the events. Depending on the scenario you need to troubleshoot or analyze, different audit event categories need to be targeted.

The following audit event categories are available:

Account Logon: Audits attempts to authenticate account data on a domain controller or on a local Security Accounts Manager (SAM). Logon and Logoff policy settings and events track attempts to access a particular computer. Settings and events in this category focus on the account database that is used. This category includes the following subcategories:

Account Management: Audits changes to user and computer accounts and groups. This category includes the following subcategories:

Detail Tracking: Audits activities of individual applications and users on that computer, to understand how a computer is being used. This category includes the following subcategories:

Directory Services Access: Audits attempts to access and modify objects in Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers. This category includes the following subcategories:

Logon-Logoff: Audits attempts to log on to a computer interactively or over a network. These events are useful for tracking user activity and identifying potential attacks on network resources. This category includes the following subcategories:

Object Access: Audits attempts to access specific objects or types of objects on a network or computer. This category includes the following subcategories:

Policy Change: Audits changes to important security policies on a local system or network. Policies are typically established by administrators to help secure network resources. Monitoring changes or attempts to change these policies can be an important aspect of security management for a network. This category includes the following subcategories:

Privilege Use: Audits the use of certain permissions on one or more systems. This category includes the following subcategories:

System: Audits system-level changes to a computer that are not included in other categories and that have potential security implications. This category includes the following subcategories:

Event IDs per category

Azure AD DS security audits record the following event IDs when the specific action triggers an auditable event:

Event Category Name: Event IDs
Account Logon security: 4767, 4774, 4775, 4776, 4777
Account Management security: 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4738, 4740, 4741, 4742, 4743, 4754, 4755, 4756, 4757, 4758, 4764, 4765, 4766, 4780, 4781, 4782, 4793, 4798, 4799, 5376, 5377
Detail Tracking security: None
DS Access security: 5136, 5137, 5138, 5139, 5141
Logon-Logoff security: 4624, 4625, 4634, 4647, 4648, 4672, 4675, 4964
Object Access security: None
Policy Change security: 4670, 4703, 4704, 4705, 4706, 4707, 4713, 4715, 4716, 4717, 4718, 4719, 4739, 4864, 4865, 4866, 4867, 4904, 4906, 4911, 4912
Privilege Use security: 4985
System security: 4612, 4621