Suppress alerts from Azure Security Center's threat protection

This page explains how you can use alert suppression rules to suppress false positives or other unwanted security alerts in Azure Security Center.

Availability

Aspect                          Details
Release state:                  Preview
Pricing:                        Free tier (most security alerts are only for standard tier)
Required roles and permissions: Security admin and Owner can create/delete rules.
                                Security reader and Reader can view rules.
Clouds:                         Yes - Commercial clouds
                                Yes - National/Sovereign (US Gov, China Gov, Other Gov)

What are suppression rules?

The threat protection components of Azure Security Center detect threats in any area of your environment and generate security alerts.

When a single alert isn't interesting or relevant, you can manually dismiss it. Alternatively, use the suppression rules feature to automatically dismiss similar alerts in the future. Typically, you'd use a suppression rule to:

  • Suppress alerts that you've identified as false positives

  • Suppress alerts that are being triggered too often to be useful

Your suppression rules define the criteria for which alerts should be automatically dismissed.

Note

Suppressing security alerts reduces the threat protection of Security Center. You should carefully check the potential impact of any suppression rule, and monitor it over time.

Create alert suppression rules

Create a suppression rule

There are a few ways you can create rules to suppress unwanted security alerts:

  • To suppress alerts at the management group level, use Azure Policy

  • To suppress alerts at the subscription level, you can use the Azure portal or the REST API as explained below

Suppression rules can only dismiss alerts that have already been triggered on the selected subscriptions.

To create a rule directly in the Azure portal:

  1. From Security Center's security alerts page:

    • Locate the specific alert you don't want to see anymore, and from the ellipsis menu (...) for the alert, select Create suppression rule:

      Create suppression rule option

    • Or, select the suppression rules link at the top of the page, and from the suppression rules page select Create new suppression rule:

      Create new suppression rule button

  2. In the new suppression rule pane, enter the details of your new rule.

    • Your rule can dismiss the alert on all resources so you don't get any alerts like this one in the future.

    • Your rule can dismiss the alert on specific criteria - when it relates to a specific IP address, process name, user account, Azure resource, or location.

    Tip

    If you opened the new rule page from a specific alert, the alert and subscription will be automatically configured in your new rule. If you used the Create new suppression rule link, the selected subscriptions will match the current filter in the portal.

    Suppression rule creation pane

  3. Enter details of the rule:

    • Name - A name for the rule. Rule names must begin with a letter or a number, be between 2 and 50 characters, and contain no symbols other than dashes (-) or underscores (_).
    • State - Enabled or disabled.
    • Reason - Select one of the built-in reasons, or 'other' if they don't meet your needs.
    • Expiration date - An end date and time for the rule. Rules can run for up to six months.

  4. Optionally, test the rule using the Simulate button to see how many alerts would have been dismissed if this rule had been active.

  5. Save the rule.

Edit a suppression rule

To edit a rule you've created, use the suppression rules page.

  1. From Security Center's security alerts page, select the suppression rules link at the top of the page.

  2. The suppression rules page opens with all the rules for the selected subscriptions.

    Suppression rules list

  3. To edit a single rule, open the ellipsis menu (...) for the rule and select Edit.

  4. Make the necessary changes and select Apply.

Delete a suppression rule

To delete one or more rules you've created, use the suppression rules page.

  1. From Security Center's security alerts page, select the suppression rules link at the top of the page.

  2. The suppression rules page opens with all the rules for the selected subscriptions.

  3. To delete a single rule, open the ellipsis menu (...) for the rule and select Delete.

  4. To delete multiple rules, select the check boxes for the rules to be deleted and select Delete.

    Delete one or more suppression rules

View suppressed alerts

Alerts that match your enabled suppression rules will still be generated, but their state will be set to dismissed. You can see the state in the Azure portal or however else you access your Security Center security alerts.

Use Security Center's filter to view alerts that have been dismissed by your rules.

  • From Security Center's security alerts page, open the filter options and select Dismissed.

    Viewing dismissed alerts

Create and manage suppression rules with the API

You can create, view, or delete alert suppression rules via Security Center's REST API.

The relevant HTTP methods for suppression rules in the REST API are:

  • PUT: To create or update a suppression rule in a specified subscription.

  • GET:

    • To list all rules configured for a specified subscription. This method returns an array of the applicable rules.

    • To get the details of a specific rule on a specified subscription. This method returns one suppression rule.

    • To simulate the impact of a suppression rule still in the design phase. This call identifies which of your existing alerts would have been dismissed if the rule had been active.

  • DELETE: Deletes an existing rule (but doesn't change the status of alerts already dismissed by it).

For full details and usage examples, see the API documentation.
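The following is an added example, not Microsoft's code or part of this page: it enforces the rule-name and six-month expiration constraints from the portal steps above and builds the PUT, GET (list) and DELETE requests described for the REST API, without sending anything. The management.azure.com path, the api-version, the property names in the body (alertType, reason, state, expirationDateUtc, suppressionAlertsScope) and the sample scope field are assumptions from memory of the alertsSuppressionRules API; verify them against the API documentation before use.

```python
"""Build and sanity-check Security Center alert suppression rule requests (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Assumption: resource path and api-version of the alertsSuppressionRules REST API.
BASE = "https://management.azure.com/subscriptions/{sub}/providers/Microsoft.Security/alertsSuppressionRules"
API_VERSION = "2019-01-01-preview"
# Page constraint: start with a letter or digit, 2-50 chars, only '-' or '_' as symbols.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{1,49}")
MAX_LIFETIME = timedelta(days=183)  # page constraint "up to six months", approximated in days


def valid_rule_name(name: str) -> bool:
    return NAME_RE.fullmatch(name) is not None


def _parse(ts: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form assumed for expirationDateUtc."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def valid_expiration(expires_utc: str, now_utc: str) -> bool:
    """A rule must end in the future and no more than six months after now."""
    now, exp = _parse(now_utc), _parse(expires_utc)
    return now < exp <= now + MAX_LIFETIME


def put_rule(sub: str, name: str, alert_type: str, reason: str,
             expires_utc: str, now_utc: str, scope=None) -> dict:
    """Return the PUT request (method, url, body) that creates or updates a rule.

    scope is a list of criteria dicts (assumed shape: {"field": ..., "containsAny": [...]});
    omitting it dismisses the alert type on all resources, the broader option on the page.
    """
    if not valid_rule_name(name):
        raise ValueError(f"invalid rule name: {name!r}")
    if not valid_expiration(expires_utc, now_utc):
        raise ValueError("expiration must be in the future and within six months")
    props = {"alertType": alert_type, "reason": reason, "state": "Enabled",
             "expirationDateUtc": expires_utc}
    if scope:
        props["suppressionAlertsScope"] = {"allOf": scope}
    url = f"{BASE.format(sub=sub)}/{name}?api-version={API_VERSION}"
    return {"method": "PUT", "url": url, "body": {"properties": props}}


def list_rules(sub: str) -> dict:
    return {"method": "GET", "url": f"{BASE.format(sub=sub)}?api-version={API_VERSION}"}


def delete_rule(sub: str, name: str) -> dict:
    return {"method": "DELETE", "url": f"{BASE.format(sub=sub)}/{name}?api-version={API_VERSION}"}
```

Pair the returned request with an Azure Resource Manager bearer token and your HTTP client of choice; the validation runs before any call, so a malformed name or an over-long expiration fails locally rather than at the API.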

Next steps

This article described the suppression rules in Azure Security Center that automatically dismiss unwanted alerts.

For more information on security alerts in Azure Security Center, see the following pages: