Use adaptive application controls to reduce your machines' attack surfaces

Learn about the benefits of Azure Security Center's adaptive application controls and how you can enhance your security with this data-driven, intelligent feature.

What are Security Center's adaptive application controls?

Adaptive application controls are an intelligent and automated solution for defining allow lists of known-safe applications for your machines.

Often, organizations have collections of machines that routinely run the same processes. Security Center uses machine learning to analyze the applications running on your machines and create a list of the known-safe software. Allow lists are based on your specific Azure workloads, and you can further customize the recommendations using the instructions below.

When you've enabled and configured adaptive application controls, you'll get security alerts if any application runs other than the ones you've defined as safe.

What are the benefits of adaptive application controls?

By defining lists of known-safe applications, and generating alerts when anything else is executed, you can achieve multiple hardening goals:

  • Identify potential malware, even any that might be missed by antimalware solutions
  • Improve compliance with local security policies that dictate the use of only licensed software
  • Avoid running old or unsupported applications
  • Prevent specific software that's banned by your organization
  • Increase oversight of apps that access sensitive data

No enforcement options are currently available. Adaptive application controls are intended to provide security alerts if any application runs other than the ones you've defined as safe.

Availability

| Aspect | Details |
|---|---|
| Release state: | General Availability (GA) |
| Pricing: | Requires Azure Defender for servers |
| Supported machines: | Azure and non-Azure machines running Windows and Linux |
| Required roles and permissions: | Security Reader and Reader roles can both view groups and the lists of known-safe applications. Contributor and Security Admin roles can both edit groups and the lists of known-safe applications. |
| Clouds: | China cloud |

Enable application controls on a group of machines

If Security Center has identified groups of machines in your subscriptions that consistently run a similar set of applications, you'll be prompted with the following recommendation: Adaptive application controls for defining safe applications should be enabled on your machines.

Select the recommendation, or open the adaptive application controls page to view the list of suggested known-safe applications and groups of machines.

  1. Open the Azure Defender dashboard and from the advanced protection area, select Adaptive application controls.

    Open adaptive application controls from the Azure dashboard

    The Adaptive application controls page opens with your VMs grouped into the following tabs:

    • Configured - Groups of machines that already have a defined allow list of applications. For each group, the Configured tab shows:

      • the number of machines in the group
      • recent alerts
    • Recommended - Groups of machines that consistently run the same applications, and don't have an allow list configured. We recommend that you enable adaptive application controls for these groups.

      Tip

      If you see a group name with the prefix "REVIEWGROUP", it contains machines with a partially consistent list of applications. Security Center can't see a pattern but recommends reviewing this group to see whether you can manually define some adaptive application controls rules as described in Edit a group's adaptive application controls rule.

      You can also move machines from this group to other groups as described in Move a machine from one group to another.

    • No recommendation - Machines without a defined allow list of applications, and which don't support the feature. Your machine might be in this tab for the following reasons:

      • It's missing a Log Analytics agent
      • The Log Analytics agent isn't sending events
      • It's a Windows machine with a pre-existing AppLocker policy enabled by either a GPO or a local security policy

      Tip

      Security Center needs at least two weeks of data to define the unique recommendations per group of machines. Machines that have recently been created, or which belong to subscriptions that were only recently enabled with Azure Defender, will appear under the No recommendation tab.

  2. Open the Recommended tab. The groups of machines with recommended allow lists appear.

    The Recommended tab

  3. Select a group.

  4. To configure your new rule, review the various sections of this Configure application control rules page and the contents, which will be unique to this specific group of machines:

    Configure a new rule

    1. Select machines - By default, all machines in the identified group are selected. Unselect any to remove them from this rule.

    2. Recommended applications - Review this list of applications that are common to the machines within this group, and recommended to be allowed to run.

    3. More applications - Review this list of applications that are either seen less frequently on the machines within this group, or are known to be exploitable. A warning icon indicates that a specific application could be used by an attacker to bypass an application allow list. We recommend that you carefully review these applications.

      Tip

      Both application lists include the option to restrict a specific application to certain users. Adopt the principle of least privilege whenever possible.

      Applications are defined by their publishers; if an application doesn't have publisher information (it's unsigned), a path rule is created for the full path of the specific application.

    4. To apply the rule, select Audit.

Edit a group's adaptive application controls rule

You might decide to edit the allow list for a group of machines because of known changes in your organization.

To edit the rules for a group of machines:

  1. Open the Azure Defender dashboard and from the advanced protection area, select Adaptive application controls.

  2. From the Configured tab, select the group with the rule you want to edit.

  3. Review the various sections of the Configure application control rules page as described in Enable application controls on a group of machines.

  4. Optionally, add one or more custom rules:

    1. Select Add rule.

      Add a custom rule

    2. If you're defining a known safe path, change the Rule type to 'Path' and enter a single path. You can include wildcards in the path.

      Tip

      Some scenarios for which wildcards in a path might be useful:

      • Using a wildcard at the end of a path to allow all executables within this folder and sub-folders.
      • Using a wildcard in the middle of a path to enable a known executable name with a changing folder name (for example, personal user folders containing a known executable, automatically generated folder names, etc.).
    3. Define the allowed users and protected file types.

    4. When you've finished defining the rule, select Add.

  5. To apply the changes, select Save.
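The rule types described above (publisher rules for signed software, path rules with trailing or mid-path wildcards for unsigned software, and the per-user restriction) combine in audit mode as shown by this added Python evaluator; it is not code from Security Center or this page, and the rules, machine names, users and process events are constructed.

```python
import fnmatch
from dataclasses import dataclass
from typing import Optional

@dataclass
class ProcessEvent:
    machine: str
    path: str
    publisher: Optional[str]  # None when the binary is unsigned
    user: str

# Constructed allow-list rules in the shape the page describes: publisher rules for signed
# software, path rules (wildcards allowed) for unsigned software, optional user restriction.
RULES = [
    {"type": "publisher", "value": "O=CONTOSO CORP", "users": None},
    {"type": "path", "value": r"C:\Program Files\Contoso\*", "users": None},
    {"type": "path", "value": r"C:\Users\*\tools\agent.exe", "users": {"svc-agent"}},
]

def evaluate(rules, ev: ProcessEvent) -> Optional[str]:
    """Return None if some rule allows the event, otherwise the reason for an audit alert."""
    user_denied = False
    for rule in rules:
        if rule["type"] == "publisher":
            hit = ev.publisher is not None and ev.publisher == rule["value"]
        else:  # case-insensitive glob: trailing '*' covers sub-folders, a middle '*' a changing folder name
            hit = fnmatch.fnmatchcase(ev.path.lower(), rule["value"].lower())
        if not hit:
            continue
        if rule["users"] is None or ev.user in rule["users"]:
            return None
        user_denied = True
    if user_denied:
        return "matching rule is restricted to other users"
    return "unsigned binary outside any path rule" if ev.publisher is None else "publisher not allowed"

def audit(events, rules=RULES):
    """Audit mode only, as on the page: nothing is blocked, each violation becomes an alert."""
    return [{"machine": ev.machine, "path": ev.path, "user": ev.user, "reason": reason}
            for ev in events if (reason := evaluate(rules, ev)) is not None]

SAMPLE_EVENTS = [  # constructed process-start events from two machines in one group
    ProcessEvent("vm-01", r"C:\Program Files\Contoso\app.exe", "O=CONTOSO CORP", "alice"),
    ProcessEvent("vm-01", r"C:\Program Files\Contoso\bin\helper.exe", None, "alice"),
    ProcessEvent("vm-02", r"C:\Users\bob\tools\agent.exe", None, "svc-agent"),
    ProcessEvent("vm-02", r"C:\Users\bob\tools\agent.exe", None, "bob"),
    ProcessEvent("vm-02", r"C:\Temp\setup.exe", None, "bob"),
    ProcessEvent("vm-01", r"C:\Program Files\Other\tool.exe", "O=OTHER INC", "alice"),
]
```

Running `audit(SAMPLE_EVENTS)` yields three alerts: the agent started by an unpermitted user, the unsigned binary outside every path rule, and the signed binary from a publisher not on the list.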

Review and edit a group's settings

  1. To view the details and settings of your group, select Group settings.

    This pane shows the name of the group (which can be modified), the OS type, the location, and other relevant details.

    The Group settings page for adaptive application controls

  2. Optionally, modify the group's name or file type protection modes.

  3. Select Apply and Save.

Respond to the "Allowlist rules in your adaptive application control policy should be updated" recommendation

You'll see this recommendation when Security Center's machine learning identifies potentially legitimate behavior that hasn't previously been allowed. The recommendation suggests new rules for your existing definitions to reduce the number of false positive alerts.

To remediate the issues:

  1. From the recommendations page, select the Allowlist rules in your adaptive application control policy should be updated recommendation to see groups with newly identified, potentially legitimate behavior.

  2. Select the group with the rule you want to edit.

  3. Review the various sections of the Configure application control rules page as described in Enable application controls on a group of machines.

  4. To apply the changes, select Audit.

Audit alerts and violations

  1. Open the Azure Defender dashboard and from the advanced protection area, select Adaptive application controls.

  2. To see groups with machines that have recent alerts, review the groups listed in the Configured tab.

  3. To investigate further, select a group.

    Recent alerts

  4. For further details, and the list of affected machines, select an alert.

    The alerts page shows more details of the alert and provides a Take action link with recommendations of how to mitigate the threat.

> [!NOTE]
> Adaptive application controls calculate events once every twelve hours. The "activity start time" shown in the alerts page is the time that adaptive application controls created the alert, **not** the time that the suspicious process was active.

Move a machine from one group to another

When you move a machine from one group to another, the application control policy applied to it changes to the settings of the group that you moved it to. You can also move a machine from a configured group to a non-configured group; doing so removes any application control rules that were applied to the machine.

  1. Open the Azure Defender dashboard and from the advanced protection area, select Adaptive application controls.

  2. From the Adaptive application controls page, from the Configured tab, select the group containing the machine to be moved.

  3. Open the list of Configured machines.

  4. Open the machine's menu from the three dots at the end of the row, and select Move. The Move machine to a different group pane opens.

  5. Select the destination group, and select Move machine.

  6. To save your changes, select Save.

Manage application controls via the REST API

To manage your adaptive application controls programmatically, use our REST API.

The relevant API documentation is available in the Adaptive Application Controls section of Security Center's API docs.

Some of the functions that are available from the REST API:

  • List retrieves all your group recommendations and provides a JSON with an object for each group.

  • Get retrieves the JSON with the full recommendation data (that is, list of machines, publisher/path rules, and so on).

  • Put configures your rule (use the JSON you retrieved with Get as the body for this request).

    Important

    The Put function expects fewer parameters than the JSON returned by the Get command contains.

    Remove the following properties before using the JSON in the Put request: recommendationStatus, configurationStatus, issues, location, and sourceSystem.
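An added example, not from this page or from Microsoft's own tooling, of turning a Get response into a valid Put body by stripping the five properties named above and refusing to send a body that still contains any of them. The endpoint path and api-version are assumptions to verify against the API docs the page points to; the sample Get JSON and its field names are constructed.

```python
import copy
import json
import urllib.request

# Properties the page says must be removed from a Get response before it is used as a Put body.
PROPERTIES_TO_STRIP = ("recommendationStatus", "configurationStatus", "issues", "location", "sourceSystem")

# Assumed resource path and api-version; confirm both against the Adaptive Application
# Controls section of the Security Center REST API docs before use.
ENDPOINT = ("https://management.azure.com/subscriptions/{sub}/providers/Microsoft.Security/"
            "locations/{loc}/applicationWhitelistings/{group}?api-version=2020-01-01")

def prepare_put_body(get_response: dict) -> dict:
    """Deep-copy the Get JSON and drop the properties Put does not accept, whether they sit
    at the top level or under 'properties' (that nesting is an assumption)."""
    body = copy.deepcopy(get_response)
    for key in PROPERTIES_TO_STRIP:
        body.pop(key, None)
        if isinstance(body.get("properties"), dict):
            body["properties"].pop(key, None)
    return body

def leftover_properties(body: dict) -> list:
    """Pre-send check: names from PROPERTIES_TO_STRIP still present in the body."""
    found = [k for k in PROPERTIES_TO_STRIP if k in body]
    found += [k for k in PROPERTIES_TO_STRIP if k in body.get("properties", {})]
    return found

def build_put_request(sub: str, loc: str, group: str, body: dict, token: str) -> urllib.request.Request:
    """Build (but do not send) the Put request; the caller passes it to urllib.request.urlopen."""
    if leftover_properties(body):
        raise ValueError(f"body still contains {leftover_properties(body)}")
    return urllib.request.Request(
        ENDPOINT.format(sub=sub, loc=loc, group=group),
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="PUT")

# Constructed Get response with the kinds of fields the page mentions (machines, publisher/path rules).
SAMPLE_GET = {
    "name": "GROUP1",
    "location": "centralus",
    "properties": {
        "enforcementMode": "Audit",
        "recommendationStatus": "Recommended",
        "configurationStatus": "NotConfigured",
        "issues": [],
        "sourceSystem": "<constructed-source-system>",
        "vmRecommendations": [{"resourceId": "<vm-resource-id-placeholder>", "recommendationAction": "Recommended"}],
        "pathRecommendations": [{"path": "O=CONTOSO CORP", "type": "<publisher-rule-type-placeholder>"}],
    },
}
```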

FAQ - Adaptive application controls

Are there any options to enforce the application controls?

No enforcement options are currently available. Adaptive application controls are intended to provide security alerts if any application runs other than the ones you've defined as safe. They have a range of benefits (What are the benefits of adaptive application controls?) and are extremely customizable as shown on this page.

Next steps

In this document, you learned how to use adaptive application controls in Azure Security Center to define allow lists of applications running on your Azure and non-Azure machines. To learn more about some of Security Center's other cloud workload protection features, see: