Continuously export Security Center data

Azure Security Center generates detailed security alerts and recommendations. You can view them in the portal or through programmatic tools. You might also need to export some or all of this information for tracking with other monitoring tools in your environment.

Continuous export lets you fully customize what will be exported, and where it will go. For example, you can configure it so that:

  • All high severity alerts are sent to an Azure Event Hub
  • All medium or higher severity findings from vulnerability assessment scans of your SQL servers are sent to a specific Log Analytics workspace
  • Specific recommendations are delivered to an Event Hub or Log Analytics workspace whenever they're generated
  • The secure score for a subscription is sent to a Log Analytics workspace whenever the score for a control changes by 0.01 or more

Even though the feature is called continuous, there's also an option to export weekly snapshots of secure score or regulatory compliance data.

This article describes how to configure continuous export to Log Analytics workspaces or Azure Event Hubs.

Note

If you need to integrate Security Center with a SIEM, see Stream alerts to a SIEM, SOAR, or IT Service Management solution.

Tip

Security Center also offers the option to perform a one-time, manual export to CSV. Learn more in Manual one-time export of alerts and recommendations.

Availability

Release state: General Availability (GA)
Pricing: Free
Required roles and permissions:
  • Security admin or Owner on the resource group
  • Write permissions for the target resource
  • If you're using the Azure Policy 'DeployIfNotExist' policies described below, you'll also need permissions for assigning policies
Clouds: China cloud

What data types can be exported?

Continuous export can export the following data types whenever they change:

  • Security alerts
  • Security recommendations
  • Security findings, which can be thought of as 'sub' recommendations, such as findings from vulnerability assessment scanners or specific system updates. You can select to include them with their 'parent' recommendations, such as "System updates should be installed on your machines".
  • Secure score (per subscription or per control)
  • Regulatory compliance data

Note

The export of secure score and regulatory compliance data is a preview feature.

Set up a continuous export

You can configure continuous export from the Security Center pages in the Azure portal, via the Security Center REST API, or at scale using the supplied Azure Policy templates. Select the appropriate tab below for details of each.

Configure continuous export from the Security Center pages in the Azure portal

The steps below are necessary whether you're setting up a continuous export to a Log Analytics workspace or to Azure Event Hubs.

  1. From Security Center's sidebar, select Pricing & settings.

  2. Select the specific subscription for which you want to configure the data export.

  3. From the sidebar of the settings page for that subscription, select Continuous Export.

    Export options in Azure Security Center

    Here you see the export options. There's a tab for each available export target.

  4. Select the data type you'd like to export and choose from the filters on each type (for example, export only high severity alerts).

  5. Select the appropriate export frequency:

    • Streaming - assessments will be sent in real time when a resource's health state is updated (if no updates occur, no data will be sent).
    • Snapshots - a snapshot of the current state of all regulatory compliance assessments will be sent every week (this is a preview feature for weekly snapshots of secure scores and regulatory compliance data).

  6. Optionally, if your selection includes one of these recommendations, you can include the vulnerability assessment findings together with them:

    • Vulnerability Assessment findings on your SQL databases should be remediated
    • Vulnerability Assessment findings on your SQL servers on machines should be remediated (Preview)
    • Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)
    • Vulnerabilities in your virtual machines should be remediated
    • System updates should be installed on your machines

    To include the findings with these recommendations, enable the include security findings option.

    The include security findings toggle in the continuous export configuration

  7. From the "Export target" area, choose where you'd like the data saved. Data can be saved in a target on a different subscription (for example, on a central Event Hub instance or a central Log Analytics workspace).

  8. Select Save.

Information about exporting to a Log Analytics workspace

If you want to analyze Azure Security Center data inside a Log Analytics workspace, or use Azure alerts together with Security Center alerts, set up continuous export to your Log Analytics workspace.

Log Analytics tables and schemas

Security alerts and recommendations are stored in the SecurityAlert and SecurityRecommendation tables respectively.

The name of the Log Analytics solution containing these tables depends on whether you have Azure Defender enabled: Security ('Security and Audit') or SecurityCenterFree.

Tip

To see the data in the destination workspace, you must enable one of these solutions: Security and Audit or SecurityCenterFree.

The SecurityAlert table in Log Analytics

To view the event schemas of the exported data types, visit the Log Analytics table schemas.

View exported alerts and recommendations in Azure Monitor

You might also choose to view exported security alerts and/or recommendations in Azure Monitor.

Azure Monitor provides a unified alerting experience for a variety of Azure alerts, including Diagnostic Log, Metric alerts, and custom alerts based on Log Analytics workspace queries.

To view alerts and recommendations from Security Center in Azure Monitor, configure an alert rule based on Log Analytics queries (Log Alert):

  1. From Azure Monitor's Alerts page, select New alert rule.

    Azure Monitor's Alerts page

  2. In the create rule page, configure your new rule (in the same way you'd configure a log alert rule in Azure Monitor):

    • For Resource, select the Log Analytics workspace to which you exported security alerts and recommendations.

    • For Condition, select Custom log search. In the page that appears, configure the query, lookback period, and frequency period. In the search query, you can type SecurityAlert or SecurityRecommendation to query the data types that Security Center continuously exports once you enable the Continuous export to Log Analytics feature.

    • Optionally, configure the Action Group that you'd like to trigger. Action groups can trigger email sending, ITSM tickets, webhooks, and more.

    Azure Monitor alert rule
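As an added example (not from the original article), two queries of the kind you would paste into the Custom log search condition of the alert rule described above, one per rule. The column names AlertSeverity, AlertName, CompromisedEntity, RecommendationSeverity, RecommendationState and AssessedResourceId are assumed from the published Log Analytics table schemas and do not appear on this page.

```kusto
// Added example, not part of the original article. Column names below are
// assumed from the SecurityAlert / SecurityRecommendation table schemas.

// Rule 1: high-severity alerts streamed by continuous export in the last hour,
// grouped by alert type so one rule firing covers a burst of the same alert.
SecurityAlert
| where TimeGenerated > ago(1h)
| where AlertSeverity == "High"
| summarize AlertCount = count(), AffectedEntities = make_set(CompromisedEntity) by AlertName
| order by AlertCount desc

// Rule 2: recommendations whose state just changed to Unhealthy. Because
// continuous export streams state transitions only, every row here is a
// resource that degraded during the window, not the standing backlog.
SecurityRecommendation
| where TimeGenerated > ago(1h)
| where RecommendationState == "Unhealthy"
| where RecommendationSeverity in ("High", "Medium")
| project TimeGenerated, RecommendationName, RecommendationSeverity, AssessedResourceId
```

Set the rule's lookback and frequency periods to match the `ago(1h)` window so no transition is counted twice or missed between evaluations.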

You'll now see new Azure Security Center alerts or recommendations (depending on your configured continuous export rules and the condition you defined in your Azure Monitor alert rule) in Azure Monitor alerts, with automatic triggering of an action group (if provided).

Manual one-time export of alerts and recommendations

To download a CSV report for alerts or recommendations, open the Security alerts or Recommendations page and select the Download CSV report button.

Downloading alert data as a CSV file

Note

These reports contain alerts and recommendations for resources from the currently selected subscriptions.

FAQ - Continuous export

What are the costs involved in exporting data?

There is no cost for enabling a continuous export. Costs might be incurred for ingestion and retention of data in your Log Analytics workspace, depending on your configuration there.

Learn more about Log Analytics workspace pricing.

Learn more about Azure Event Hub pricing.

Does the export include data about the current state of all resources?

No. Continuous export is built for streaming of events:

  • Alerts received before you enabled export won't be exported.
  • Recommendations are sent whenever a resource's compliance state changes. For example, when a resource turns from healthy to unhealthy. Therefore, as with alerts, recommendations for resources that haven't changed state since you enabled export won't be exported.
  • Secure score (preview) per security control or subscription is sent when a security control's score changes by 0.01 or more.
  • Regulatory compliance status (preview) is sent when the status of the resource's compliance changes.

Why are recommendations sent at different intervals?

Different recommendations have different compliance evaluation intervals, which can vary from a few minutes to every few days. Consequently, recommendations will differ in the amount of time it takes for them to appear in your exports.

Does continuous export support any business continuity or disaster recovery (BCDR) scenarios?

When preparing your environment for BCDR scenarios, where the target resource is experiencing an outage or other disaster, it's the organization's responsibility to prevent data loss by establishing backups according to the guidelines from Azure Event Hubs, Log Analytics workspace, and Logic App.

Is continuous export available with Azure Security Center free?

Yes! Note that many Security Center alerts are only provided when you've enabled Azure Defender. A good way to preview the alerts you'll get in your exported data is to see the alerts shown in Security Center's pages in the Azure portal.

Next steps

In this article, you learned how to configure continuous exports of your recommendations and alerts. You also learned how to download your alerts data as a CSV file.

For related material, see the following documentation: