Alert validation in Azure Security Center

This document helps you verify that your system is properly configured for Azure Security Center alerts.

What are security alerts?

Alerts are the notifications that Security Center generates when it detects threats on your resources. It prioritizes and lists the alerts along with the information needed to quickly investigate the problem. Security Center also provides recommendations for how you can remediate an attack. For more information, see Security alerts in Security Center and Managing and responding to security alerts.

Simulate alerts on your Azure VMs (Windows)

After the Security Center agent is installed on your computer, follow these steps on the computer that you want to appear as the attacked resource in the alert:

  1. Copy an executable (for example calc.exe) to the computer's desktop, or another directory of your convenience, and rename it to ASC_AlertTest_662jfi039N.exe.
  2. Open the command prompt and execute this file with an argument (any fake argument name will do), for example: ASC_AlertTest_662jfi039N.exe -foo
  3. Wait 5 to 10 minutes and open Security Center Alerts. An alert should appear.

Note

When reviewing this test alert for Windows, make sure the field Arguments Auditing Enabled is true. If it is false, you need to enable command-line argument auditing. To enable it, use the following command (it sets ProcessCreationIncludeCmdLine_Enabled to the DWORD value 1, which is what the setting requires):

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\Audit" /f /v "ProcessCreationIncludeCmdLine_Enabled" /t REG_DWORD /d 1
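As an added example that is not part of the original article, the following PowerShell script checks the registry value behind the Arguments Auditing Enabled field, sets it to the REG_DWORD value 1 if it is missing or wrong, and then performs the copy-and-run steps above. The desktop path, the use of calc.exe as the test binary and the need for an elevated prompt are assumptions.

```powershell
# Added example (not from the Security Center documentation).
# Verifies command-line argument auditing, enables it if needed, and runs the
# alert-simulation step from this page. Run from an elevated PowerShell session.
$AuditKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$ValueName = 'ProcessCreationIncludeCmdLine_Enabled'

function Test-CmdLineAuditing {
    # Returns $true only when the value exists and equals 1 (REG_DWORD).
    # A missing key, a missing value, or an empty REG_SZ all count as disabled.
    $item = Get-ItemProperty -Path $AuditKey -Name $ValueName -ErrorAction SilentlyContinue
    return (($null -ne $item) -and ($item.$ValueName -eq 1))
}

function Enable-CmdLineAuditing {
    # Create the Audit key if it does not exist, then set the DWORD to 1.
    if (-not (Test-Path -Path $AuditKey)) {
        New-Item -Path $AuditKey -Force | Out-Null
    }
    New-ItemProperty -Path $AuditKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

if (-not (Test-CmdLineAuditing)) {
    Write-Host "Command-line auditing is off; setting $ValueName = 1"
    Enable-CmdLineAuditing
}
if (-not (Test-CmdLineAuditing)) {
    throw 'Could not enable command-line auditing; is this session elevated?'
}

# Reproduce steps 1 and 2 from the page: copy calc.exe under the expected
# name (desktop location is an assumption) and run it with a dummy argument.
$TestExe = Join-Path ([Environment]::GetFolderPath('Desktop')) 'ASC_AlertTest_662jfi039N.exe'
Copy-Item -Path "$env:SystemRoot\System32\calc.exe" -Destination $TestExe -Force
Start-Process -FilePath $TestExe -ArgumentList '-foo'
Write-Host 'Test process launched; check Security Center alerts in 5 to 10 minutes.'
```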

Simulate alerts on your Azure VMs (Linux)

After the Security Center agent is installed on your computer, follow these steps on the computer that you want to appear as the attacked resource in the alert:

  1. Copy an executable to a convenient location and rename it to ./asc_alerttest_662jfi039n, for example:

    cp /bin/echo ./asc_alerttest_662jfi039n

  2. Open a terminal and execute this file:

    ./asc_alerttest_662jfi039n testing eicar pipe

  3. Wait 5 to 10 minutes and open Security Center Alerts. An alert should appear.

Simulate alerts on Kubernetes

If you've integrated Azure Kubernetes Service with Security Center, you can test that your alerts are working with the following kubectl command:

kubectl get pods --namespace=asc-alerttest-662jfi039n

For more information about defending your Kubernetes nodes and clusters, see Introduction to Azure Defender for Kubernetes.

Next steps

This article introduced you to the alert validation process. Now that you're familiar with this validation, try the following articles: