Cloud smart alert correlation in Azure Security Center (incidents)

Azure Security Center continuously analyzes hybrid cloud workloads using advanced analytics and threat intelligence, and alerts you to malicious activity.

The breadth of threat coverage is growing. Detecting even the slightest compromise matters, and it can be challenging for security analysts to triage the many different alerts and identify an actual attack. Security Center helps analysts cope with this alert fatigue: it helps diagnose attacks as they occur by correlating different alerts and low-fidelity signals into security incidents.

Fusion analytics is the technology and analytic back end that powers Security Center incidents, enabling it to correlate different alerts and contextual signals. Fusion looks at the different signals reported on a subscription across its resources. It finds patterns that reveal attack progression, or signals that share contextual information, indicating that you should use a unified response procedure for them.

Fusion analytics combines security domain knowledge with AI to analyze alerts, discovering new attack patterns as they occur.

Security Center uses the MITRE ATT&CK matrix to associate alerts with their perceived intent, which helps formalize security domain knowledge. In addition, by using the information gathered for each step of an attack, Security Center can rule out activity that appears to be a step of an attack but actually isn't.

Because attacks often occur across different tenants, Security Center can apply AI algorithms to analyze the attack sequences reported on each subscription. This technique identifies attack sequences that are prevalent alert patterns, rather than alerts that are only incidentally associated with each other.
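The following is an added illustrative example, not Microsoft's Fusion implementation or any Security Center code. It models the ideas in the preceding paragraphs in a small Python correlator: alerts from one subscription are linked when they hit the same resource or share an entity (an IP, an account) within a time window, linked alerts become an incident, each incident's alerts are mapped onto MITRE ATT&CK tactics in kill-chain order to show attack progression, and a lone alert is left as a standalone signal rather than promoted to an incident. The tactic ordering, the four-hour window, the linking rules and the sample alerts are all assumptions constructed for the example.

```python
# Added illustrative example (not Microsoft's Fusion implementation): correlating
# per-subscription alerts into incidents by shared context and MITRE tactic order.
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations
from typing import FrozenSet, List

# Subset of MITRE ATT&CK tactics in rough kill-chain order (assumed for ordering).
TACTIC_ORDER = [
    "InitialAccess", "Execution", "Persistence", "PrivilegeEscalation",
    "DefenseEvasion", "CredentialAccess", "Discovery", "LateralMovement",
    "Collection", "CommandAndControl", "Exfiltration", "Impact",
]


@dataclass(frozen=True)
class Alert:
    id: str
    subscription: str
    resource: str
    tactic: str
    time: datetime
    entities: FrozenSet[str]  # contextual signals shared across alerts (IPs, accounts)


@dataclass
class Incident:
    subscription: str
    alerts: List[Alert]

    def tactics(self) -> List[str]:
        """Distinct tactics observed in this incident, in kill-chain order."""
        seen = {a.tactic for a in self.alerts}
        return [t for t in TACTIC_ORDER if t in seen]

    def shows_progression(self) -> bool:
        """True when the alerts span more than one tactic, i.e. an attack
        sequence rather than repeated sightings of the same behaviour."""
        return len(self.tactics()) > 1


def related(a: Alert, b: Alert, window: timedelta) -> bool:
    """Two alerts share context if they belong to the same subscription, are
    close in time, and either hit the same resource or share an entity."""
    if a.subscription != b.subscription:
        return False
    if abs(a.time - b.time) > window:
        return False
    return a.resource == b.resource or bool(a.entities & b.entities)


def correlate(alerts, window=timedelta(hours=4)):
    """Union-find over pairwise relations; returns (incidents, unlinked alerts).
    Only groups of two or more alerts become incidents; a lone alert stays a
    standalone signal instead of being promoted to an incident."""
    parent = {a.id: a.id for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for a, b in combinations(alerts, 2):
        if related(a, b, window):
            parent[find(a.id)] = find(b.id)

    groups = {}
    for a in alerts:
        groups.setdefault(find(a.id), []).append(a)

    incidents, unlinked = [], []
    for members in groups.values():
        members.sort(key=lambda x: x.time)
        if len(members) >= 2:
            incidents.append(Incident(members[0].subscription, members))
        else:
            unlinked.extend(members)
    return incidents, unlinked


# Constructed sample alerts (not real Security Center output).
T0 = datetime(2021, 3, 1, 10, 0)
SAMPLE_ALERTS = [
    Alert("a1", "sub-A", "vm-1", "InitialAccess", T0, frozenset({"ip:203.0.113.5"})),
    Alert("a2", "sub-A", "vm-1", "Execution", T0 + timedelta(minutes=20), frozenset({"user:admin"})),
    Alert("a3", "sub-A", "storage-1", "Exfiltration", T0 + timedelta(hours=2), frozenset({"user:admin"})),
    # Isolated low-fidelity signal with no shared context: stays unlinked.
    Alert("a4", "sub-A", "vm-7", "Discovery", T0 + timedelta(minutes=30), frozenset({"ip:198.51.100.9"})),
    # Same attacker IP but a different subscription: correlation is per subscription.
    Alert("a5", "sub-B", "vm-1", "InitialAccess", T0 + timedelta(minutes=5), frozenset({"ip:203.0.113.5"})),
]

if __name__ == "__main__":
    incidents, unlinked = correlate(SAMPLE_ALERTS)
    for inc in incidents:
        print(inc.subscription, [a.id for a in inc.alerts], inc.tactics(), inc.shows_progression())
    print("unlinked:", [a.id for a in unlinked])
```

With the constructed input, a1 and a2 link through the shared resource, a2 and a3 link through the shared account, so the three form one incident whose tactic sequence reads InitialAccess, Execution, Exfiltration. Alert a4 has no shared context and a5 sits in another subscription, so neither is promoted to an incident. The transitive linking is the point: a1 and a3 have nothing in common directly, yet they end up in the same incident because a2 bridges them.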

During an investigation of an incident, analysts often need extra context to reach a verdict about the nature of the threat and how to mitigate it. For example, even when a network anomaly is detected, it's difficult to know what actions to take next without understanding what else is happening on the network or what is going on with the targeted resource. To help, a security incident can include artifacts, related events, and information. The additional information available for a security incident varies depending on the type of threat detected and the configuration of your environment.

Screenshot: report of a detected security incident

To better understand security incidents, see How to manage security incidents in Azure Security Center.