Security alerts and incidents in Azure Security Center

Security Center generates alerts for resources deployed on your Azure, on-premises, and hybrid cloud environments.

Security alerts are triggered by advanced detections and are available only with Azure Defender. You can upgrade from the Pricing & settings page, as described in Quickstart: Enable Azure Defender. A free 30-day trial is available. For pricing details in your currency of choice and according to your region, see Security Center pricing.

What are security alerts and security incidents?

Alerts are the notifications that Security Center generates when it detects threats on your resources. Security Center prioritizes and lists the alerts, along with the information needed for you to quickly investigate the problem. Security Center also provides recommendations for how you can remediate an attack.

A security incident is a collection of related alerts, presented together instead of listing each alert individually. Security Center uses Cloud smart alert correlation to correlate different alerts and low fidelity signals into security incidents.

Using incidents, Security Center provides you with a single view of an attack campaign and all of the related alerts. This view enables you to quickly understand what actions the attacker took, and what resources were affected.

Respond to today's threats

There have been significant changes in the threat landscape over the last 20 years. In the past, companies typically only had to worry about web site defacement by individual attackers who were mostly interested in seeing "what they could do". Today's attackers are much more sophisticated and organized. They often have specific financial and strategic goals. They also have more resources available to them, as they might be funded by nation states or organized crime.

These changing realities have led to an unprecedented level of professionalism in the attacker ranks. No longer are they interested in web defacement. They are now interested in stealing information, financial accounts, and private data - all of which they can use to generate cash on the open market or to leverage a particular business, political, or military position. Even more concerning than those attackers with a financial objective are the attackers who breach networks to do harm to infrastructure and people.

In response, organizations often deploy various point solutions, which focus on defending either the enterprise perimeter or endpoints by looking for known attack signatures. These solutions tend to generate a high volume of low fidelity alerts, which require a security analyst to triage and investigate. Most organizations lack the time and expertise required to respond to these alerts - so many go unaddressed.

In addition, attackers have evolved their methods to subvert many signature-based defenses and adapt to cloud environments. New approaches are required to more quickly identify emerging threats and expedite detection and response.

Continuous monitoring and assessments

Azure Security Center benefits from having security research and data science teams throughout Microsoft who continuously monitor for changes in the threat landscape. This includes the following initiatives:

  • Threat intelligence monitoring: Threat intelligence includes mechanisms, indicators, implications, and actionable advice about existing or emerging threats. This information is shared in the security community and Microsoft continuously monitors threat intelligence feeds from internal and external sources.
  • Signal sharing: Insights from security teams across Microsoft's broad portfolio of cloud and on-premises services, servers, and client endpoint devices are shared and analyzed.
  • Microsoft security specialists: Ongoing engagement with teams across Microsoft that work in specialized security fields, like forensics and web attack detection.
  • Detection tuning: Algorithms are run against real customer data sets and security researchers work with customers to validate the results. True and false positives are used to refine machine learning algorithms.

These combined efforts culminate in new and improved detections, which you can benefit from instantly - there's no action for you to take.

How does Security Center detect threats?

Microsoft security researchers are constantly on the lookout for threats. Because of our global presence in the cloud and on-premises, we have access to an expansive set of telemetry. The wide-reaching and diverse collection of datasets enables us to discover new attack patterns and trends across our on-premises consumer and enterprise products, as well as our online services. As a result, Security Center can rapidly update its detection algorithms as attackers release new and increasingly sophisticated exploits. This approach helps you keep pace with a fast moving threat environment.

To detect real threats and reduce false positives, Security Center collects, analyzes, and integrates log data from your Azure resources and the network. It also works with connected partner solutions, like firewall and endpoint protection solutions. Security Center analyzes this information, often correlating information from multiple sources, to identify threats.

Security Center employs advanced security analytics, which go far beyond signature-based approaches. Breakthroughs in big data and machine learning technologies are leveraged to evaluate events across the entire cloud fabric - detecting threats that would be impossible to identify using manual approaches and predicting the evolution of attacks. These security analytics include:

  • Integrated threat intelligence: Microsoft has an immense amount of global threat intelligence. Telemetry flows in from multiple sources, such as Azure, Microsoft 365, Microsoft CRM Online, Microsoft Dynamics AX, the Microsoft Digital Crimes Unit (DCU), and Microsoft Security Response Center (MSRC). Researchers also receive threat intelligence information that is shared among major cloud service providers and feeds from other third parties. Azure Security Center can use this information to alert you to threats from known bad actors.

  • Behavioral analytics: Behavioral analytics is a technique that analyzes and compares data to a collection of known patterns. However, these patterns are not simple signatures. They are determined through complex machine learning algorithms that are applied to massive datasets. They are also determined through careful analysis of malicious behaviors by expert analysts. Azure Security Center can use behavioral analytics to identify compromised resources based on analysis of virtual machine logs, virtual network device logs, fabric logs, and other sources.

  • Anomaly detection: Azure Security Center also uses anomaly detection to identify threats. In contrast to behavioral analytics (which depends on known patterns derived from large data sets), anomaly detection is more "personalized" and focuses on baselines that are specific to your deployments. Machine learning is applied to determine normal activity for your deployments and then rules are generated to define outlier conditions that could represent a security event.

How are alerts classified?

Security Center assigns a severity to alerts, to help you prioritize the order in which you attend to each alert, so that when a resource is compromised, you can get to it right away. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Alert severity is displayed differently in the portal and versions of the REST API that predate 01-01-2019. If you're using an older version of the API, upgrade for the consistent experience described below.

| Severity | Recommended response |
|---|---|
| High | There is a high probability that your resource is compromised. You should look into it right away. Security Center has high confidence in both the malicious intent and in the findings used to issue the alert. For example, an alert that detects the execution of a known malicious tool such as Mimikatz, a common tool used for credential theft. |
| Medium | This is probably a suspicious activity that might indicate that a resource is compromised. Security Center's confidence in the analytic or finding is medium and the confidence of the malicious intent is medium to high. These would usually be machine learning or anomaly-based detections. For example, a sign-in attempt from an anomalous location. |
| Low | This might be a benign positive or a blocked attack. Security Center isn't confident enough that the intent is malicious and the activity might be innocent. For example, log clear is an action that might happen when an attacker tries to hide their tracks, but in many cases is a routine operation performed by admins. Security Center doesn't usually tell you when attacks were blocked, unless it's an interesting case that we suggest you look into. |
| Informational | An incident is typically made up of a number of alerts, some of which might appear on their own to be only informational, but in the context of the other alerts might be worthy of a closer look. |

Export alerts

You have a range of options for viewing your alerts outside of Security Center, including:

  • Download CSV report on the alerts dashboard provides a one-time export to CSV.
  • Continuous export from pricing & settings allows you to configure streams of security alerts and recommendations to Log Analytics workspaces and Event Hubs. Learn more about continuous export.

Cloud smart alert correlation in Azure Security Center (incidents)

Azure Security Center continuously analyzes hybrid cloud workloads by using advanced analytics and threat intelligence to alert you about malicious activity.

The breadth of threat coverage is growing. The need to detect even the slightest compromise is important, and it can be challenging for security analysts to triage the different alerts and identify an actual attack. Security Center helps analysts cope with this alert fatigue. It helps diagnose attacks as they occur, by correlating different alerts and low fidelity signals into security incidents.

Fusion analytics is the technology and analytic back end that powers Security Center incidents, enabling it to correlate different alerts and contextual signals together. Fusion looks at the different signals reported on a subscription across the resources. Fusion finds patterns that reveal attack progression or signals with shared contextual information, indicating that you should use a unified response procedure for them.

Fusion analytics combines security domain knowledge with AI to analyze alerts, discovering new attack patterns as they occur.

Security Center leverages MITRE Attack Matrix to associate alerts with their perceived intent, helping formalize security domain knowledge. In addition, by using the information gathered for each step of an attack, Security Center can rule out activity that appears to be steps of an attack, but actually isn't.

Because attacks often occur across different tenants, Security Center can combine AI algorithms to analyze attack sequences that are reported on each subscription. This technique identifies the attack sequences as prevalent alert patterns, instead of just being incidentally associated with each other.
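The correlation idea described above can be illustrated with a simplified sketch. This is an added example, not Security Center's or Fusion's actual algorithm: the stage list, the 24-hour window, the resource names, and the sample alerts are all assumptions constructed for illustration. Alerts on the same resource become an incident only when they show attack progression across stages.

```python
from datetime import datetime, timedelta
from itertools import groupby

# Ordered attack stages (a small constructed subset of MITRE ATT&CK tactics).
STAGES = ["InitialAccess", "Execution", "CredentialAccess", "Exfiltration"]
SEVERITY = ["Informational", "Low", "Medium", "High"]
WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed sample alerts: (id, time, resource, severity, intent)
ALERTS = [
    ("a1", "2021-03-01T08:00", "vm-web-01", "Medium", "InitialAccess"),
    ("a2", "2021-03-01T08:20", "vm-web-01", "Informational", "Execution"),
    ("a3", "2021-03-01T09:05", "vm-web-01", "High", "CredentialAccess"),
    ("a4", "2021-03-01T10:00", "vm-db-02", "Low", "Execution"),
    ("a5", "2021-03-04T10:00", "vm-web-01", "Low", "Execution"),
]

def correlate(alerts, window=WINDOW):
    """Group alerts per resource into incidents when they show stage progression."""
    incidents = []
    by_resource = sorted(alerts, key=lambda a: (a[2], a[1]))
    for resource, group in groupby(by_resource, key=lambda a: a[2]):
        chain = []
        for alert in list(group) + [None]:  # None flushes the last chain
            t = datetime.fromisoformat(alert[1]) if alert else None
            if chain and (alert is None or t - datetime.fromisoformat(chain[-1][1]) > window):
                incidents.extend(_to_incident(resource, chain))
                chain = []
            if alert:
                chain.append(alert)
    return incidents

def _to_incident(resource, chain):
    stages = [STAGES.index(a[4]) for a in chain]
    # Require at least two distinct stages, observed in attack order.
    progressing = len(set(stages)) >= 2 and stages == sorted(stages)
    if not progressing:
        return []  # isolated or out-of-order alerts stay as individual alerts
    top = max((a[3] for a in chain), key=SEVERITY.index)
    return [{"resource": resource, "alerts": [a[0] for a in chain], "severity": top}]
```

On the sample data, the informational alert a2 is pulled into a High-severity incident on vm-web-01 because of its context, while a4 and a5 remain standalone alerts.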

During an investigation of an incident, analysts often need extra context to reach a verdict about the nature of the threat and how to mitigate it. For example, even when a network anomaly is detected, without understanding what else is happening on the network or with regard to the targeted resource, it's difficult to understand what actions to take next. To help, a security incident can include artifacts, related events, and information. The additional information available for security incidents varies, depending on the type of threat detected and the configuration of your environment.

For a list of security incident alerts that can be produced by the fusion analytics, see the Reference table of alerts.


To manage your security incidents, see How to manage security incidents in Azure Security Center.

Next steps

In this article, you learned about the different types of alerts available in Security Center. For more information, see: