What's new in Azure Security Center?

Azure Security Center is in active development and receives improvements on an ongoing basis. To stay up to date with the most recent developments, this page provides you with information about:

  • New features
  • Bug fixes
  • Deprecated functionality

This page is updated regularly, so revisit it often. If you're looking for items older than six months, you'll find them in the Archive for What's new in Azure Security Center.

September 2020

Updates in September include:

Vulnerability assessment findings are now available in continuous export

Use continuous export to stream your alerts and recommendations in real-time to Azure Event Hubs, Log Analytics workspaces, or Azure Monitor. From there, you can integrate this data with SIEMs (such as Power BI, Azure Data Explorer, and more).

Security Center's integrated vulnerability assessment tools return findings about your resources as actionable recommendations within a 'parent' recommendation such as "Vulnerabilities in your virtual machines should be remediated".

The security findings are now available for export through continuous export when you select recommendations and enable the include security findings option.

[Image: the "Include security findings" toggle in the continuous export configuration]

Related pages:

Network security group recommendations improved

The following security recommendations related to network security groups have been improved to reduce some instances of false positives.

  • All network ports should be restricted on NSG associated to your VM
  • Management ports should be closed on your virtual machines
  • Internet-facing virtual machines should be protected with Network Security Groups
  • Subnets should be associated with a Network Security Group

Deprecated preview AKS recommendation "Pod Security Policies should be defined on Kubernetes Services"

The preview recommendation "Pod Security Policies should be defined on Kubernetes Services" is being deprecated as described in the Azure Kubernetes Service documentation.

The pod security policy (preview) feature is set for deprecation and will no longer be available after October 15th, 2020, in favor of Azure Policy for AKS.

After pod security policy (preview) is deprecated, you must disable the feature on any existing clusters using the deprecated feature to perform future cluster upgrades and stay within Azure support.

Email notifications from Azure Security Center improved

The following areas of the emails regarding security alerts have been improved:

  • Added the ability to send email notifications about alerts for all severity levels
  • Added the ability to notify users with different RBAC roles on the subscription
  • We're proactively notifying subscription owners by default on high-severity alerts (which have a high probability of being genuine breaches)
  • We've removed the phone number field from the email notifications configuration page

Learn more in Set up email notifications for security alerts.

Secure score doesn't include preview recommendations

Security Center continually assesses your resources, subscriptions, and organization for security issues. It then aggregates all the findings into a single score so that you can tell, at a glance, your current security situation: the higher the score, the lower the identified risk level.

As new threats are discovered, new security advice is made available in Security Center through new recommendations. To avoid surprise changes to your secure score, and to provide a grace period in which you can explore new recommendations before they impact your scores, recommendations flagged as Preview are no longer included in the calculations of your secure score. They should still be remediated wherever possible, so that when the preview period ends they'll contribute towards your score.

Also, Preview recommendations don't render a resource "Unhealthy".

An example of a preview recommendation:

[Image: a recommendation flagged as Preview in the recommendations list]

Learn more about secure score.

Recommendations now include a severity indicator and the freshness interval

The details page for recommendations now includes a freshness interval indicator (whenever relevant) and a clear display of the severity of the recommendation.

[Image: recommendation details page showing the severity and the freshness interval]

August 2020

Updates in August include:

Added support for Azure Active Directory security defaults (for multi-factor authentication)

Security Center has added full support for security defaults, Microsoft's free identity security protections.

Security defaults provide preconfigured identity security settings to defend your organization from common identity-related attacks. Security defaults are already protecting more than 5 million tenants overall; 50,000 tenants are also protected by Security Center.

Security Center now provides a security recommendation whenever it identifies an Azure subscription without security defaults enabled. Until now, Security Center recommended enabling multi-factor authentication using conditional access, which is part of the Azure Active Directory (AD) premium license. For customers using Azure AD free, we now recommend enabling security defaults.

Our goal is to encourage more customers to secure their cloud environments with MFA, and mitigate one of the highest risks that is also the most impactful to your secure score.

Learn more about security defaults.

Service principals recommendation added

A new recommendation has been added to recommend that Security Center customers using management certificates to manage their subscriptions switch to service principals.

The recommendation, Service principals should be used to protect your subscriptions instead of Management Certificates, advises you to use Service Principals or Azure Resource Manager to more securely manage your subscriptions.

Learn more about Application and service principal objects in Azure Active Directory.

Vulnerability assessment on VMs - recommendations and policies consolidated

Security Center inspects your VMs to detect whether they're running a vulnerability assessment solution. If no vulnerability assessment solution is found, Security Center provides a recommendation to simplify the deployment.

When vulnerabilities are found, Security Center provides a recommendation summarizing the findings for you to investigate and remediate as necessary.

To ensure a consistent experience for all users, regardless of the scanner type they're using, we've unified four recommendations into the following two:

Unified recommendation: A vulnerability assessment solution should be enabled on your virtual machines
Change description: Replaces the following two recommendations:
  • Enable the built-in vulnerability assessment solution on virtual machines (powered by Qualys) (now deprecated) (Included with standard tier)
  • Vulnerability assessment solution should be installed on your virtual machines (now deprecated) (Standard and free tiers)

Unified recommendation: Vulnerabilities in your virtual machines should be remediated
Change description: Replaces the following two recommendations:
  • Remediate vulnerabilities found on your virtual machines (powered by Qualys) (now deprecated)
  • Vulnerabilities should be remediated by a Vulnerability Assessment solution (now deprecated)

Now you'll use the same recommendation to deploy Security Center's vulnerability assessment extension or a privately licensed solution ("BYOL") from a partner such as Qualys or Rapid7.

Also, when vulnerabilities are found and reported to Security Center, a single recommendation will alert you to the findings regardless of the vulnerability assessment solution that identified them.

Updating dependencies

If you have scripts, queries, or automations referring to the previous recommendations or policy keys/names, use the tables below to update the references:

Before August 2020

Recommendation | Key | Scope
Enable the built-in vulnerability assessment solution on virtual machines (powered by Qualys) | 550e890b-e652-4d22-8274-60b3bdb24c63 | Built-in
Remediate vulnerabilities found on your virtual machines (powered by Qualys) | 1195afff-c881-495e-9bc5-1486211ae03f | Built-in
Vulnerability assessment solution should be installed on your virtual machines | 01b1ed4c-b733-4fee-b145-f23236e70cf3 | BYOL
Vulnerabilities should be remediated by a Vulnerability Assessment solution | 71992a2a-d168-42e0-b10e-6b45fa2ecddb | BYOL

Policy | Policy ID | Scope
Vulnerability assessment should be enabled on virtual machines | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | Built-in
Vulnerabilities should be remediated by a vulnerability assessment solution | 760a85ff-6162-42b3-8d70-698e268f648c | BYOL

From August 2020

Recommendation | Key | Scope
A vulnerability assessment solution should be enabled on your virtual machines | ffff0522-1e88-47fc-8382-2a80ba848f5d | Built-in + BYOL
Vulnerabilities in your virtual machines should be remediated | 1195afff-c881-495e-9bc5-1486211ae03f | Built-in + BYOL

Policy | Policy ID | Scope
Vulnerability assessment should be enabled on virtual machines | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | Built-in + BYOL

New AKS security policies added to ASC_default initiative - for use by private preview customers only

To ensure that Kubernetes workloads are secure by default, Security Center is adding Kubernetes level policies and hardening recommendations, including enforcement options with Kubernetes admission control.

The early phase of this project includes a private preview and the addition of new (disabled by default) policies to the ASC_default initiative.

You can safely ignore these policies and there will be no impact on your environment. If you'd like to enable them, sign up for the preview at https://aka.ms/SecurityPrP and select from the following options:

  1. Single Preview - To join only this private preview. Explicitly mention “ASC Continuous Scan” as the preview you would like to join.
  2. Ongoing Program - To be added to this and future private previews. You will need to complete a profile and privacy agreement.

July 2020

Updates in July include:

Threat protection for Azure Storage expanded to include Azure Files and Azure Data Lake Storage Gen2 (preview)

Threat protection for Azure Storage detects potentially harmful activity on your Azure Storage accounts. Security Center displays alerts when it detects attempts to access or exploit your storage accounts.

Your data can be protected whether it's stored as blob containers, file shares, or data lakes.

Eight new recommendations to enable threat protection features

Eight new recommendations have been added to provide a simple way to enable Azure Security Center's threat protection features for the following resource types: virtual machines, App Service plans, Azure SQL Database servers, SQL servers on machines, Azure Storage accounts, Azure Kubernetes Service clusters, Azure Container Registry registries, and Azure Key Vault vaults.

The new recommendations are:

  • Advanced data security should be enabled on Azure SQL Database servers
  • Advanced data security should be enabled on SQL servers on machines
  • Advanced threat protection should be enabled on Azure App Service plans
  • Advanced threat protection should be enabled on Azure Container Registry registries
  • Advanced threat protection should be enabled on Azure Key Vault vaults
  • Advanced threat protection should be enabled on Azure Kubernetes Service clusters
  • Advanced threat protection should be enabled on Azure Storage accounts
  • Advanced threat protection should be enabled on virtual machines

These new recommendations belong to the Enable Advanced Threat Protection security control.

The recommendations also include the quick fix capability.

Important

Remediating any of these recommendations will result in charges for protecting the relevant resources. These charges will begin immediately if you have related resources in the current subscription, or in the future, if you add them at a later date.

For example, if you don't have any Azure Kubernetes Service clusters in your subscription and you enable the threat protection, no charges will be incurred. If, in the future, you add a cluster on the same subscription, it will automatically be protected and charges will begin at that time.

Learn more about each of these in the security recommendations reference page.

Learn more about threat protection in Azure Security Center.

Container security improvements - faster registry scanning and refreshed documentation

As part of the continuous investments in the container security domain, we are happy to share a significant performance improvement in Security Center's dynamic scans of container images stored in Azure Container Registry. Scans now typically complete in approximately two minutes. In some cases, they might take up to 15 minutes.

To improve the clarity and guidance regarding Azure Security Center's container security capabilities, we've also refreshed the container security documentation pages.

Learn more about Security Center's container security in the following articles:

Adaptive application controls updated with a new recommendation and support for wildcards in path rules

The adaptive application controls feature has received two significant updates:

  • A new recommendation identifies potentially legitimate behavior that hasn't previously been allowed. The new recommendation, Allowlist rules in your adaptive application control policy should be updated, prompts you to add new rules to the existing policy to reduce the number of false positives in adaptive application controls violation alerts.

  • Path rules now support wildcards. From this update, you can configure allowed path rules using wildcards. There are two supported scenarios:

    • Using a wildcard at the end of a path to allow all executables within this folder and sub-folders

    • Using a wildcard in the middle of a path to enable a known executable name with a changing folder name (e.g. personal user folders with a known executable, automatically generated folder names, etc.).

Learn more about adaptive application controls.
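The two wildcard scenarios above, worked through as an added example that is not Security Center's code: the matching semantics (a trailing wildcard covers the folder and every sub-folder, a wildcard in the middle of a path stands for exactly one folder name), the rule syntax and the sample paths are assumptions made for this illustration.

```python
"""Added example: how wildcard path rules in an adaptive application control
allow list could be evaluated. The matching semantics are an assumption made for
this illustration, not Security Center's documented implementation: a wildcard
at the END of a path covers that folder and every sub-folder, a wildcard in the
MIDDLE of a path stands for exactly one folder (or file) name."""
import re
from typing import List


def compile_path_rule(rule: str) -> "re.Pattern[str]":
    """Translate one path rule into an anchored, case-insensitive regex.

    Only '*' is treated as a wildcard; every other character is literal, and
    forward slashes are normalised to backslashes (Windows paths)."""
    rule = rule.replace("/", "\\")
    literals = rule.split("*")
    pattern = ""
    for i, literal in enumerate(literals):
        pattern += re.escape(literal)
        if i == len(literals) - 1:
            break  # nothing follows the last literal fragment
        trailing = i == len(literals) - 2 and literals[-1] == ""
        if trailing:
            pattern += r".+"       # anything below this point, sub-folders included
        else:
            pattern += r"[^\\]+"   # one path segment only; cannot span a separator
    return re.compile(r"\A" + pattern + r"\Z", re.IGNORECASE)


def is_allowed(path: str, rules: List[str]) -> bool:
    """True when at least one allow-list rule covers the executable path."""
    path = path.replace("/", "\\")
    return any(compile_path_rule(rule).match(path) for rule in rules)


def audit_executions(executed: List[str], rules: List[str]) -> List[str]:
    """Paths that no rule covers: the candidates the new recommendation would
    flag for review (add a rule if the behaviour is legitimate) instead of
    raising repeated violation alerts."""
    return [path for path in executed if not is_allowed(path, rules)]


# Constructed sample data (not from the original page).
RULES = [
    r"C:\Program Files\Contoso\*",                          # trailing wildcard
    r"C:\Users\*\AppData\Local\Contoso\updater.exe",        # middle wildcard
]
EXECUTED = [
    r"C:\Program Files\Contoso\bin\svc.exe",                # sub-folder: allowed
    r"C:\Program Files\Contoso Tools\x.exe",                # different folder: not allowed
    r"C:\Users\alice\AppData\Local\Contoso\updater.exe",    # one user folder: allowed
    r"C:\Users\bob\AppData\Local\Contoso\Updater.exe",      # only the case differs: allowed
    r"C:\Users\alice\Desktop\AppData\Local\Contoso\updater.exe",  # two segments: not allowed
    r"C:\Temp\svc.exe",                                     # no rule at all: not allowed
]

if __name__ == "__main__":
    for path in audit_executions(EXECUTED, RULES):
        print("not covered by any rule:", path)
```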

Six policies for SQL advanced data security deprecated

Six policies related to advanced data security for SQL machines are being deprecated:

  • Advanced threat protection types should be set to 'All' in SQL managed instance advanced data security settings
  • Advanced threat protection types should be set to 'All' in SQL server advanced data security settings
  • Advanced data security settings for SQL managed instance should contain an email address to receive security alerts
  • Advanced data security settings for SQL server should contain an email address to receive security alerts
  • Email notifications to admins and subscription owners should be enabled in SQL managed instance advanced data security settings
  • Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings

Learn more about built-in policies.

June 2020

Updates in June include:

Secure score API (preview)

You can now access your score via the secure score API (currently in preview). The API methods provide the flexibility to query the data and build your own reporting mechanism of your secure scores over time. For example, you can use the Secure Scores API to get the score for a specific subscription. In addition, you can use the Secure Score Controls API to list the security controls and the current score of your subscriptions.

For examples of external tools made possible with the secure score API, see the secure score area of our GitHub community.

Learn more about secure score and security controls in Azure Security Center.

Two new recommendations to deploy the Log Analytics agent to Azure Arc machines (preview)

Two new recommendations have been added to help deploy the Log Analytics Agent to your Azure Arc machines and ensure they're protected by Azure Security Center:

  • Log Analytics agent should be installed on your Windows-based Azure Arc machines (Preview)
  • Log Analytics agent should be installed on your Linux-based Azure Arc machines (Preview)

These new recommendations will appear in the same four security controls as the existing (related) recommendation, Monitoring agent should be installed on your machines: remediate security configurations, apply adaptive application control, apply system updates, and enable endpoint protection.

The recommendations also include the Quick fix capability to help speed up the deployment process.

Learn more about these two new recommendations in the Compute and app recommendations table.

Learn more about how Azure Security Center uses the agent in What is the Log Analytics agent?.

Learn more about extensions for Azure Arc machines.

New policies to create continuous export and workflow automation configurations at scale

Automating your organization's monitoring and incident response processes can greatly improve the time it takes to investigate and mitigate security incidents.

To deploy your automation configurations across your organization, use these built-in 'DeployIfNotExists' Azure policies to create and configure continuous export and workflow automation procedures:

The policies can be found in Azure policy:

Goal | Policy | Policy ID
Continuous export to event hub | Deploy export to Event Hub for Azure Security Center alerts and recommendations | cdfcce10-4578-4ecd-9703-530938e4abcb
Continuous export to Log Analytics workspace | Deploy export to Log Analytics workspace for Azure Security Center alerts and recommendations | ffb6f416-7bd2-4488-8828-56585fef2be9
Workflow automation for security alerts | Deploy Workflow Automation for Azure Security Center alerts | f1525828-9a90-4fcf-be48-268cdd02361e
Workflow automation for security recommendations | Deploy Workflow Automation for Azure Security Center recommendations | 73d6ab6c-2475-4850-afd6-43795f3492ef

Get started with workflow automation templates.

Learn more about using the two export policies in Continuously Export Azure Security Center Alerts and Recommendations via Policy.

New recommendation for using NSGs to protect non-internet-facing virtual machines

The "implement security best practices" security control now includes the following new recommendation:

  • Non-internet-facing virtual machines should be protected with network security groups

An existing recommendation, Internet-facing virtual machines should be protected with network security groups, didn't distinguish between internet-facing and non-internet-facing VMs. For both, a high-severity recommendation was generated if a VM wasn't assigned to a network security group. This new recommendation separates the non-internet-facing machines to reduce the false positives and avoid unnecessary high-severity alerts.

Learn more in the Network recommendations table.

New policies for enabling threat protection and advanced data security

The new policies below were added to the ASC Default initiative and are designed to assist with enabling threat protection or advanced data security for the relevant resource types.

The policies can be found in Azure policy:

Policy | Policy ID
Advanced data security should be enabled on Azure SQL Database servers | 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2
Advanced data security should be enabled on SQL servers on machines | 6581d072-105e-4418-827f-bd446d56421b
Advanced threat protection should be enabled on Azure Storage accounts | 308fbb08-4ab8-4e67-9b29-592e93fb94fa
Advanced threat protection should be enabled on Azure Key Vault vaults | 0e6763cc-5078-4e64-889d-ff4d9a839047
Advanced threat protection should be enabled on Azure App Service plans | 2913021d-f2fd-4f3d-b958-22354e2bdbcb
Advanced threat protection should be enabled on Azure Container Registry registries | c25d9a16-bc35-4e15-a7e5-9db606bf9ed4
Advanced threat protection should be enabled on Azure Kubernetes Service clusters | 523b5cd1-3e23-492f-a539-13118b6d1e3a
Advanced threat protection should be enabled on Virtual Machines | 4da35fc9-c9e7-4960-aec9-797fe7d9051d

Learn more about Threat protection in Azure Security Center.

May 2020

Updates in May include:

Alert suppression rules (preview)

This new feature (currently in preview) helps reduce alert fatigue. Use rules to automatically hide alerts that are known to be innocuous or related to normal activities in your organization. This lets you focus on the most relevant threats.

Alerts that match your enabled suppression rules will still be generated, but their state will be set to dismissed. You can see the state in the Azure portal or however you access your Security Center security alerts.

Suppression rules define the criteria for which alerts should be automatically dismissed. Typically, you'd use a suppression rule to:

  • suppress alerts that you've identified as false positives

  • suppress alerts that are being triggered too often to be useful

Learn more about suppressing alerts from Azure Security Center's threat protection.
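The suppression flow described above, as an added example that is not Security Center's code: the Alert and SuppressionRule shapes, the expiry field, the "all of" entity scope and the impact check that shows how much of an alert type a rule would hide are assumptions made for this illustration, not the product's API schema.

```python
"""Added example: applying alert suppression rules to a batch of alerts and
measuring a rule's impact before it is enabled. The Alert and SuppressionRule
shapes below are simplified assumptions for illustration, not the Security
Center API schema."""
from dataclasses import dataclass, field, replace
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class Alert:
    alert_type: str
    resource: str
    entities: Dict[str, str]
    state: str = "Active"   # a suppressed alert is still generated, only its state changes


@dataclass
class SuppressionRule:
    name: str
    alert_type: str
    all_of: Dict[str, str] = field(default_factory=dict)  # every entity field must equal its value
    expires: Optional[datetime] = None                    # assumption: rules can be time-boxed
    enabled: bool = True


def rule_matches(rule: SuppressionRule, alert: Alert, now: datetime) -> bool:
    """A rule matches only while enabled and unexpired, only for its own alert
    type, and only when every scoped entity field has the required value."""
    if not rule.enabled or (rule.expires is not None and now >= rule.expires):
        return False
    if rule.alert_type != alert.alert_type:
        return False
    return all(alert.entities.get(key) == value for key, value in rule.all_of.items())


def apply_suppression(alerts: List[Alert], rules: List[SuppressionRule], now: datetime) -> List[Alert]:
    """Mark matching alerts as dismissed; the alerts themselves are kept."""
    for alert in alerts:
        if any(rule_matches(rule, alert, now) for rule in rules):
            alert.state = "Dismissed"
    return alerts


def active_alerts(alerts: List[Alert]) -> List[Alert]:
    return [alert for alert in alerts if alert.state == "Active"]


def suppression_impact(rule: SuppressionRule, alerts: List[Alert], now: datetime) -> float:
    """Share of the alerts of this rule's type that the rule would dismiss if it
    were enabled. Check this before enabling a rule: a value near 1.0 means it
    hides the whole alert type, true positives included, rather than one known
    benign pattern."""
    candidate = replace(rule, enabled=True)
    same_type = [alert for alert in alerts if alert.alert_type == rule.alert_type]
    if not same_type:
        return 0.0
    hits = sum(1 for alert in same_type if rule_matches(candidate, alert, now))
    return hits / len(same_type)


# Constructed sample data (not from the original page).
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
ALERTS = [
    Alert("Suspicious_Process", "vm-web-01", {"process": "backup.exe", "account": "svc-backup"}),
    Alert("Suspicious_Process", "vm-web-02", {"process": "backup.exe", "account": "svc-backup"}),
    Alert("Suspicious_Process", "vm-web-01", {"process": "unknown.exe", "account": "admin"}),
    Alert("Brute_Force_Attempt", "vm-web-01", {"account": "admin"}),
]
RULES = [
    # the nightly backup job: a known, narrowly scoped false positive
    SuppressionRule("nightly-backup", "Suspicious_Process",
                    {"process": "backup.exe", "account": "svc-backup"},
                    expires=datetime(2020, 12, 31, tzinfo=timezone.utc)),
    # no entity scope at all: left disabled because it would hide every alert of the type
    SuppressionRule("too-broad", "Suspicious_Process", enabled=False),
]

if __name__ == "__main__":
    for rule in RULES:
        share = suppression_impact(rule, ALERTS, NOW)
        print(f"{rule.name}: would dismiss {share:.0%} of {rule.alert_type} alerts")
    remaining = active_alerts(apply_suppression(ALERTS, RULES, NOW))
    print(len(remaining), "alerts still need triage")
```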

Changes to just-in-time (JIT) virtual machine (VM) access

Security Center includes an optional feature to protect the management ports of your VMs. This provides a defense against the most common form of brute force attacks.

This update brings the following changes to this feature:

  • The recommendation that advises you to enable JIT on a VM has been renamed. Formerly "Just-in-time network access control should be applied on virtual machines", it's now "Management ports of virtual machines should be protected with just-in-time network access control".

  • The recommendation is triggered only if there are open management ports.

Learn more about the JIT access feature.

Custom recommendations have been moved to a separate security control

One security control introduced with the enhanced secure score was "Implement security best practices". Any custom recommendations created for your subscriptions were automatically placed in that control.

To make it easier to find your custom recommendations, we've moved them into a dedicated security control, "Custom recommendations". This control has no impact on your secure score.

Learn more about security controls in Enhanced secure score (preview) in Azure Security Center.

Toggle added to view recommendations in controls or as a flat list

Security controls are logical groups of related security recommendations. They reflect your vulnerable attack surfaces. A control is a set of security recommendations, with instructions that help you implement those recommendations.

To immediately see how well your organization is securing each individual attack surface, review the scores for each security control.

By default, your recommendations are shown in the security controls. From this update, you can also display them as a list. To view them as a simple list sorted by the health status of the affected resources, use the new toggle 'Group by controls'. The toggle is above the list in the portal.

The security controls - and this toggle - are part of the new secure score experience. Remember to send us your feedback from within the portal.

Learn more about security controls in Enhanced secure score (preview) in Azure Security Center.

[Image: the "Group by controls" toggle for recommendations]

Expanded security control "Implement security best practices"

One security control introduced with the enhanced secure score is "Implement security best practices". When a recommendation is in this control, it doesn't impact the secure score.

With this update, three recommendations have moved out of the controls in which they were originally placed, and into this best practices control. We've taken this step because we've determined that the risk of these three recommendations is lower than was initially thought. Because this control carries no score weight, unhealthy resources under these recommendations no longer lower your secure score, so track them separately if they matter to your organization.

In addition, two new recommendations have been introduced and added to this control.

The three recommendations that moved are:

  • MFA should be enabled on accounts with read permissions on your subscription (originally in the "Enable MFA" control)
  • External accounts with read permissions should be removed from your subscription (originally in the "Manage access and permissions" control)
  • A maximum of 3 owners should be designated for your subscription (originally in the "Manage access and permissions" control)

The two new recommendations added to the control are:

  • Guest configuration extension should be installed on Windows virtual machines (Preview) - Using Azure Policy Guest Configuration provides visibility inside virtual machines to server and application settings (Windows only).

  • Windows Defender Exploit Guard should be enabled on your machines (Preview) - Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks, while enabling enterprises to balance their security risk and productivity requirements (Windows only).

Learn more about Windows Defender Exploit Guard in Create and deploy an Exploit Guard policy.

Learn more about security controls in Enhanced secure score (preview).
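The following is an added example, not Security Center's own code, covering two points above: how a per-control score is derived from the health of the resources under a control's recommendations (and why a recommendation in the zero-weight "Implement security best practices" control cannot move the score), and what the 'Group by controls' toggle shows when turned off, namely one flat list sorted by health. The scoring formula (max score multiplied by the fraction of healthy resources, a resource counting as unhealthy for the control if it fails any of its recommendations) is the one described in the secure score documentation and is assumed here; the control names, maximum scores and resource statuses are constructed sample data.

```python
"""Secure score per control and the flat recommendation list (added example)."""
from collections import defaultdict

# Constructed sample data: (control, recommendation, {resource_id: status}).
RECOMMENDATIONS = [
    ("Enable MFA",
     "MFA should be enabled on accounts with owner permissions on your subscription",
     {"sub-a": "Unhealthy", "sub-b": "Healthy"}),
    ("Enable MFA",
     "MFA should be enabled on accounts with write permissions on your subscription",
     {"sub-a": "Healthy", "sub-b": "Healthy"}),
    ("Manage access and permissions",
     "Deprecated accounts should be removed from your subscription",
     {"sub-a": "Healthy", "sub-b": "Unhealthy", "sub-c": "Healthy"}),
    ("Implement security best practices",
     "A maximum of 3 owners should be designated for your subscription",
     {"sub-a": "Unhealthy", "sub-b": "Unhealthy", "sub-c": "Unhealthy"}),
]

# Sample maximum score per control. The best-practices control is worth 0 points,
# so recommendations placed in it never move the secure score.
MAX_SCORE = {
    "Enable MFA": 10,
    "Manage access and permissions": 4,
    "Implement security best practices": 0,
}


def control_scores(recs, max_score):
    """Per-control score: max score * healthy / (healthy + unhealthy).

    Assumed rule: a resource is unhealthy for a control if it is unhealthy in
    any recommendation belonging to that control.
    """
    resources = defaultdict(dict)
    for control, _, statuses in recs:
        for rid, status in statuses.items():
            # Once unhealthy in one recommendation, it stays unhealthy for the control.
            if resources[control].get(rid) != "Unhealthy":
                resources[control][rid] = status
    scores = {}
    for control, mx in max_score.items():
        seen = resources.get(control, {})
        healthy = sum(1 for s in seen.values() if s == "Healthy")
        scores[control] = mx * healthy / len(seen) if seen else 0.0
    return scores


def secure_score_percent(scores, max_score):
    """Overall secure score as a percentage of all attainable points."""
    return 100.0 * sum(scores.values()) / sum(max_score.values())


def flat_list(recs):
    """'Group by controls' turned off: one list, least healthy first
    (most unhealthy resources), ties broken by recommendation name."""
    def key(rec):
        unhealthy = sum(1 for s in rec[2].values() if s == "Unhealthy")
        return (-unhealthy, rec[1])
    return [rec[1] for rec in sorted(recs, key=key)]


if __name__ == "__main__":
    scores = control_scores(RECOMMENDATIONS, MAX_SCORE)
    for control, score in scores.items():
        print(f"{control}: {score:.2f} / {MAX_SCORE[control]}")
    print(f"Secure score: {secure_score_percent(scores, MAX_SCORE):.1f}%")
    print("Flat list:", *flat_list(RECOMMENDATIONS), sep="\n  ")
```

Note that "sub-a" is healthy for the write-permission MFA recommendation but unhealthy for the owner-permission one, so it counts as unhealthy for the whole "Enable MFA" control; fixing only the lower-risk recommendation on that subscription would not change the control's score.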

Custom policies with custom metadata are now generally available

Custom policies are now part of the Security Center recommendations experience, secure score, and the regulatory compliance standards dashboard. This feature is now generally available and allows you to extend your organization's security assessment coverage in Security Center.

Create a custom initiative in Azure Policy, add policies to it, onboard it to Azure Security Center, and visualize it as recommendations.

We've now also added the option to edit the custom recommendation metadata. Metadata options include severity, remediation steps, threat information, and more.

Learn more about enhancing your custom recommendations with detailed information.
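As an added example (not code from the Security Center documentation or product), the block below builds the JSON body of a custom policy definition carrying the metadata block Security Center reads for the severity and remediation steps of the resulting recommendation, and wraps the definition in a custom initiative ready to be assigned and onboarded. The metadata layout (a `securityCenter` object holding `RemediationDescription` and `Severity`) and the allowed severity values are assumptions based on the custom recommendations documentation; the policy rule, names and subscription ID are constructed sample values.

```python
"""Custom policy definition with Security Center metadata (added example)."""
import json

# Severity values assumed to be accepted in the securityCenter metadata block.
ALLOWED_SEVERITY = {"Low", "Medium", "High"}

# Constructed sample rule: audit storage accounts that still accept plain HTTP.
SAMPLE_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
             "equals": "false"},
        ]
    },
    "then": {"effect": "audit"},
}


def custom_policy(name, display_name, rule, severity, remediation):
    """Build a custom policy definition body including the (assumed) Security
    Center metadata keys; reject severities the portal would not render."""
    if severity not in ALLOWED_SEVERITY:
        raise ValueError(f"severity must be one of {sorted(ALLOWED_SEVERITY)}, got {severity!r}")
    return {
        "name": name,
        "properties": {
            "displayName": display_name,
            "policyType": "Custom",
            "mode": "All",
            "metadata": {
                "securityCenter": {
                    "RemediationDescription": remediation,
                    "Severity": severity,
                }
            },
            "policyRule": rule,
        },
    }


def custom_initiative(name, display_name, policy_definition_ids):
    """Wrap policy definitions in a custom initiative (policy set definition)
    that can be assigned to a scope and then onboarded to Security Center."""
    return {
        "name": name,
        "properties": {
            "displayName": display_name,
            "policyType": "Custom",
            "policyDefinitions": [{"policyDefinitionId": pid} for pid in policy_definition_ids],
        },
    }


def asc_metadata(policy):
    """Return the securityCenter metadata of a definition, or None if absent."""
    return policy["properties"].get("metadata", {}).get("securityCenter")


if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"  # constructed subscription ID
    policy = custom_policy(
        "audit-storage-https-only",
        "Storage accounts should only accept HTTPS traffic",
        SAMPLE_RULE,
        "High",
        "On the storage account, set 'Secure transfer required' to Enabled.",
    )
    initiative = custom_initiative(
        "asc-custom-initiative",
        "Custom Security Center recommendations",
        [f"/subscriptions/{sub}/providers/Microsoft.Authorization/policyDefinitions/{policy['name']}"],
    )
    print(json.dumps(policy, indent=2))
    print(json.dumps(initiative, indent=2))
```

The printed definition is the body you would hand to `az policy definition create` (via its `--rules` and `--metadata` parameters) before adding the definition to the initiative and onboarding it; validate the severity value up front, because a misspelled one is not caught until the recommendation renders.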

Crash dump analysis capabilities migrating to fileless attack detection

We are integrating the Windows crash dump analysis (CDA) detection capabilities into fileless attack detection. Fileless attack detection analytics brings improved versions of the following security alerts for Windows machines: Code injection discovered, Masquerading Windows Module Detected, Shellcode discovered, and Suspicious code segment detected.

Some of the benefits of this transition:

  • Proactive and timely malware detection - The CDA approach involved waiting for a crash to occur and then running analysis to find malicious artifacts. Fileless attack detection brings proactive identification of in-memory threats while they are running.

  • Enriched alerts - The security alerts from fileless attack detection include enrichments that aren't available from CDA, such as active network connection information.

  • Alert aggregation - When CDA detected multiple attack patterns within a single crash dump, it triggered multiple security alerts. Fileless attack detection combines all of the identified attack patterns from the same process into a single alert, removing the need to correlate multiple alerts.

  • Reduced requirements on your Log Analytics workspace - Crash dumps containing potentially sensitive data will no longer be uploaded to your Log Analytics workspace.
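To make the aggregation and enrichment points concrete, here is an added example (not Security Center's detection code) that takes the same set of in-memory findings and produces alerts the two ways described above: one alert per matched pattern, as CDA did, and one alert per process carrying every distinct pattern plus the process's active network connections, as fileless attack detection does. The detection names are the four listed above; the processes, PIDs and connection endpoints are constructed sample data.

```python
"""CDA-style versus per-process aggregated alerts (added example)."""
from collections import OrderedDict

# Constructed in-memory findings: (pid, process image, detection name).
FINDINGS = [
    (4120, "svchost.exe", "Code injection discovered"),
    (4120, "svchost.exe", "Shellcode discovered"),
    (4120, "svchost.exe", "Shellcode discovered"),      # same pattern matched twice
    (4120, "svchost.exe", "Suspicious code segment detected"),
    (7788, "notepad.exe", "Masquerading Windows Module Detected"),
]

# Constructed enrichment: active network connections per PID at scan time.
CONNECTIONS = {
    4120: ["203.0.113.7:443", "198.51.100.3:8080"],
    7788: [],
}


def cda_style_alerts(findings):
    """CDA behaviour: every matched pattern becomes its own alert, with no
    process-level enrichment (and only after the process has crashed)."""
    return [{"pid": pid, "process": image, "detections": [name]}
            for pid, image, name in findings]


def fileless_alerts(findings, connections):
    """Fileless attack detection behaviour: one alert per process, listing all
    distinct patterns found in it plus its active connections."""
    alerts = OrderedDict()
    for pid, image, name in findings:
        alert = alerts.setdefault(pid, {
            "pid": pid,
            "process": image,
            "detections": [],
            "active_connections": list(connections.get(pid, [])),
        })
        if name not in alert["detections"]:
            alert["detections"].append(name)
    return list(alerts.values())


def alerts_saved(findings, connections):
    """How many alerts an analyst no longer has to correlate by hand."""
    return len(cda_style_alerts(findings)) - len(fileless_alerts(findings, connections))


if __name__ == "__main__":
    for alert in fileless_alerts(FINDINGS, CONNECTIONS):
        print(f"{alert['process']} (pid {alert['pid']}): "
              f"{len(alert['detections'])} patterns, "
              f"{len(alert['active_connections'])} active connections")
    print("Alerts saved versus CDA:", alerts_saved(FINDINGS, CONNECTIONS))
```

With the sample data the svchost.exe process collapses from four CDA alerts to one, and that single alert already names the remote endpoints the process was talking to, which is the first thing a responder would otherwise have to go and look up.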

April 2020

Updates in April include:

Identity recommendations now included in Azure Security Center free tier

Security recommendations for identity and access on the Azure Security Center free tier are now generally available. This is part of the effort to make the cloud security posture management (CSPM) features free. Until now, these recommendations were only available on the standard pricing tier.

Examples of identity and access recommendations include:

  • "Multifactor authentication should be enabled on accounts with owner permissions on your subscription."
  • "A maximum of three owners should be designated for your subscription."
  • "Deprecated accounts should be removed from your subscription."

If you have subscriptions on the free pricing tier, their secure scores will be impacted by this change because they were never assessed for their identity and access security.

Learn more about identity and access recommendations.

Learn more about monitoring identity and access.
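The three recommendations quoted above are simple enough to reproduce locally, which is useful if you want to know what a free-tier subscription's score will look like before the assessment lands. The block below is an added example, not Security Center's assessment logic: it evaluates the three rules against a constructed list of subscription role assignments. The account records and their MFA and enabled flags are sample data; the three-owner limit is the one stated in the recommendation, and the assumption that "deprecated" means a disabled account that still holds a role assignment is ours.

```python
"""Local check of three identity and access recommendations (added example)."""

# Constructed sample role assignments on one subscription:
# (principal, role, mfa_enabled, account_enabled)
ASSIGNMENTS = [
    ("alice@contoso.example", "Owner", True, True),
    ("bob@contoso.example", "Owner", False, True),     # owner without MFA
    ("carol@contoso.example", "Owner", True, True),
    ("dave@contoso.example", "Owner", True, False),    # disabled account, still assigned
    ("erin@contoso.example", "Contributor", False, True),
]

MAX_OWNERS = 3  # limit from "A maximum of three owners should be designated"


def owners_without_mfa(assignments):
    """Owners that have not enabled multifactor authentication."""
    return sorted({p for p, role, mfa, _ in assignments if role == "Owner" and not mfa})


def owner_count(assignments):
    """Distinct principals holding the Owner role."""
    return len({p for p, role, _, _ in assignments if role == "Owner"})


def deprecated_accounts(assignments):
    """Assumed definition: disabled accounts that still hold any assignment."""
    return sorted({p for p, _, _, enabled in assignments if not enabled})


def evaluate(assignments, max_owners=MAX_OWNERS):
    """Map each recommendation to its unhealthy findings (empty list = healthy)."""
    owners = owner_count(assignments)
    return {
        "Multifactor authentication should be enabled on accounts with owner permissions on your subscription":
            owners_without_mfa(assignments),
        "A maximum of three owners should be designated for your subscription":
            [f"{owners} owners (limit {max_owners})"] if owners > max_owners else [],
        "Deprecated accounts should be removed from your subscription":
            deprecated_accounts(assignments),
    }


if __name__ == "__main__":
    for recommendation, findings in evaluate(ASSIGNMENTS).items():
        status = "Unhealthy" if findings else "Healthy"
        print(f"[{status}] {recommendation}")
        for finding in findings:
            print(f"    - {finding}")
```

Run against the sample data, all three recommendations come back unhealthy, which is exactly the kind of drop a free-tier subscription can expect once these assessments are included in its secure score. Removing dave's stale assignment fixes two findings at once (it is both a deprecated account and the fourth owner), which is the order a practitioner would tackle them in.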