Security alerts in Azure Security Center

In Azure Security Center, there are a variety of alerts for many different resource types. Security Center generates alerts for resources deployed on Azure, and also for resources deployed in on-premises and hybrid cloud environments.

Security alerts are triggered by advanced detections and are available only in the standard tier of Azure Security Center. A free trial is available. You can upgrade from the Pricing & settings page. Learn more about Security Center pricing.

Respond to today's threats

There have been significant changes in the threat landscape over the last 20 years. In the past, companies typically only had to worry about web site defacement by individual attackers who were mostly interested in seeing "what they could do". Today's attackers are much more sophisticated and organized. They often have specific financial and strategic goals. They also have more resources available to them, as they may be funded by nation states or organized crime.

These changing realities have led to an unprecedented level of professionalism in the attacker ranks. No longer are they interested in web defacement. They are now interested in stealing information, financial accounts, and private data - all of which they can use to generate cash on the open market or to leverage a particular business, political, or military position. Even more concerning than those attackers with a financial objective are the attackers who breach networks to do harm to infrastructure and people.

In response, organizations often deploy various point solutions, which focus on defending either the enterprise perimeter or endpoints by looking for known attack signatures. These solutions tend to generate a high volume of low fidelity alerts, which require a security analyst to triage and investigate. Most organizations lack the time and expertise required to respond to these alerts - so many go unaddressed.

In addition, attackers have evolved their methods to subvert many signature-based defenses and adapt to cloud environments. New approaches are required to more quickly identify emerging threats and expedite detection and response.

What are security alerts and security incidents?

Alerts are the notifications that Security Center generates when it detects threats on your resources. Security Center prioritizes and lists the alerts, along with the information needed for you to quickly investigate the problem. Security Center also provides recommendations for how you can remediate an attack.

A security incident is a collection of related alerts, instead of listing each alert individually. Security Center uses Cloud Smart Alert Correlation to correlate different alerts and low fidelity signals into security incidents.

Using incidents, Security Center provides you with a single view of an attack campaign and all of the related alerts. This view enables you to quickly understand what actions the attacker took, and what resources were affected. For more information, see Cloud smart alert correlation.

How does Security Center detect threats?

Microsoft security researchers are constantly on the lookout for threats. Because of Microsoft's global presence in the cloud and on-premises, they have access to an expansive set of telemetry. The wide-reaching and diverse collection of datasets enables the discovery of new attack patterns and trends across its on-premises consumer and enterprise products, as well as its online services. As a result, Security Center can rapidly update its detection algorithms as attackers release new and increasingly sophisticated exploits. This approach helps you keep pace with a fast moving threat environment.

To detect real threats and reduce false positives, Security Center collects, analyzes, and integrates log data from your Azure resources and the network. It also works with connected partner solutions, like firewall and endpoint protection solutions. Security Center analyzes this information, often correlating information from multiple sources, to identify threats.

[Figure: Security Center data collection and presentation]

Security Center employs advanced security analytics, which go far beyond signature-based approaches. Breakthroughs in big data and machine learning technologies are leveraged to evaluate events across the entire cloud fabric - detecting threats that would be impossible to identify using manual approaches and predicting the evolution of attacks. These security analytics include:

  • Integrated threat intelligence: Microsoft has an immense amount of global threat intelligence. Telemetry flows in from multiple sources, such as Azure, Microsoft 365, Microsoft CRM Online, Microsoft Dynamics AX, outlook.com, MSN.com, the Microsoft Digital Crimes Unit (DCU), and the Microsoft Security Response Center (MSRC). Researchers also receive threat intelligence information that is shared among major cloud service providers, and feeds from other third parties. Azure Security Center can use this information to alert you to threats from known bad actors.

  • Behavioral analytics: Behavioral analytics is a technique that analyzes and compares data to a collection of known patterns. However, these patterns are not simple signatures. They are determined through complex machine learning algorithms that are applied to massive datasets. They are also determined through careful analysis of malicious behaviors by expert analysts. Azure Security Center can use behavioral analytics to identify compromised resources based on analysis of virtual machine logs, virtual network device logs, fabric logs, and other sources.

  • Anomaly detection: Azure Security Center also uses anomaly detection to identify threats. In contrast to behavioral analytics (which depends on known patterns derived from large data sets), anomaly detection is more "personalized" and focuses on baselines that are specific to your deployments. Machine learning is applied to determine normal activity for your deployments, and then rules are generated to define outlier conditions that could represent a security event.
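To make the "baseline, then outlier rule" idea of the anomaly detection bullet concrete, here is an added example that is not part of this article and is not Security Center's own logic: a toy detector learns, per account, which countries and hours of day are normal from a training window of sign-in events, then scores later sign-ins by how many baseline conditions they break. The account names, countries and timestamps are constructed sample data, and the score-to-severity mapping at the end is an assumption modelled on the severity tiers the article describes, not Security Center's actual mapping.

```python
"""Added example (not from the Azure Security Center docs): a small
per-deployment baseline and outlier detector in the spirit of the
anomaly detection the article describes. All events are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sign-in events: (timestamp, account, country, outcome)
TRAINING = [
    ("2024-03-01T08:12:00", "alice", "DE", "success"),
    ("2024-03-01T09:40:00", "alice", "DE", "success"),
    ("2024-03-02T08:05:00", "alice", "DE", "success"),
    ("2024-03-02T17:55:00", "alice", "DE", "success"),
    ("2024-03-01T10:00:00", "bob", "US", "success"),
    ("2024-03-02T11:30:00", "bob", "CA", "success"),
    ("2024-03-03T12:15:00", "bob", "US", "success"),
]

NEW_EVENTS = [
    ("2024-03-04T08:30:00", "alice", "DE", "success"),  # within baseline
    ("2024-03-04T03:10:00", "alice", "BR", "success"),  # new country, odd hour
    ("2024-03-04T11:00:00", "bob", "CA", "success"),    # within baseline
    ("2024-03-04T11:05:00", "bob", "US", "failure"),    # known country, known hour
]


@dataclass
class Baseline:
    """What 'normal' looks like for one account."""
    countries: set = field(default_factory=set)
    hours: set = field(default_factory=set)


def hour_of(timestamp):
    """Hour of day from an ISO-8601 timestamp string."""
    return int(timestamp[11:13])


def build_baselines(events):
    """Learn per-account baselines; only successful sign-ins define 'normal'."""
    baselines = defaultdict(Baseline)
    for ts, account, country, outcome in events:
        if outcome != "success":
            continue
        baseline = baselines[account]
        baseline.countries.add(country)
        baseline.hours.add(hour_of(ts))
    return baselines


def score_event(baselines, event):
    """Count the outlier conditions an event hits; return (score, reasons)."""
    ts, account, country, _outcome = event
    baseline = baselines.get(account)  # .get does not create an entry
    if baseline is None:
        return 2, ["account has no baseline"]
    reasons = []
    if country not in baseline.countries:
        reasons.append(f"country {country} not in {sorted(baseline.countries)}")
    hour = hour_of(ts)
    # Allow one hour of slack around every hour seen in training.
    if not any(abs(hour - known) <= 1 for known in baseline.hours):
        reasons.append(f"hour {hour:02d} outside {sorted(baseline.hours)}")
    return len(reasons), reasons


def detect_outliers(baselines, events, threshold=1):
    """Return [(event, score, reasons)] for events scoring at least threshold."""
    hits = []
    for event in events:
        score, reasons = score_event(baselines, event)
        if score >= threshold:
            hits.append((event, score, reasons))
    return hits


def severity_for(score):
    """Assumed local mapping of outlier score to a severity label, modelled on
    the article's tiers (anomaly-based findings are typically Medium)."""
    if score >= 2:
        return "Medium"
    if score == 1:
        return "Low"
    return None


if __name__ == "__main__":
    learned = build_baselines(TRAINING)
    for event, score, reasons in detect_outliers(learned, NEW_EVENTS):
        print(severity_for(score), event, reasons)
```

The training window deliberately ignores failed sign-ins so that an attacker's own attempts cannot widen the baseline; a real deployment would also age the baseline over time and require a minimum number of observations before trusting it.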

How are alerts classified?

Security Center assigns a severity to alerts, to help you prioritize the order in which you attend to each alert, so that when a resource is compromised, you can get to it right away. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Note

Alert severity is displayed differently in the portal and in versions of the REST API that predate 01-01-2019. If you're using an older version of the API, upgrade for the consistent experience described below.

  • High: There is a high probability that your resource is compromised. You should look into it right away. Security Center has high confidence in both the malicious intent and in the findings used to issue the alert. For example, an alert that detects the execution of a known malicious tool such as Mimikatz, a common tool used for credential theft.
  • Medium: This is probably a suspicious activity that may indicate that a resource is compromised. Security Center's confidence in the analytic or finding is medium, and the confidence in the malicious intent is medium to high. These would usually be machine learning or anomaly-based detections. For example, a sign-in attempt from an anomalous location.
  • Low: This might be a benign positive or a blocked attack.
    • Security Center is not confident enough that the intent is malicious, and the activity may be innocent. For example, log clearing is an action that may happen when an attacker tries to hide their tracks, but in many cases is a routine operation performed by admins.
    • Security Center doesn't usually tell you when attacks were blocked, unless it's an interesting case that we suggest you look into.
  • Informational: You will only see informational alerts when you drill down into a security incident, or if you use the REST API with a specific alert ID. An incident is typically made up of a number of alerts, some of which may appear on their own to be only informational, but in the context of the other alerts may be worthy of a closer look.
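The severity tiers above, together with the rule that Informational alerts surface only inside an incident, amount to a triage ordering. The following added example (not part of this article, and not the Security Center portal or REST API) implements that ordering over a handful of constructed alert records: Informational alerts are hidden unless they belong to an incident, related alerts are grouped into one incident that inherits its highest member severity, and the resulting work items are sorted High first. The record schema (`id`, `severity`, `resource`, `incident`, `title`) and every value in it are constructed for the example.

```python
"""Added example (not from the Azure Security Center docs): a triage
helper that orders alerts by the severity tiers described in the article
and groups related alerts into incidents. The alert schema is constructed."""

# Lower rank means higher priority; mirrors the article's four tiers.
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}

# Constructed alerts; 'incident' is None for a standalone alert.
ALERTS = [
    {"id": "a1", "severity": "Medium", "resource": "vm-web-01",
     "incident": "inc-7", "title": "Sign-in from anomalous location"},
    {"id": "a2", "severity": "Informational", "resource": "vm-web-01",
     "incident": "inc-7", "title": "New process observed"},
    {"id": "a3", "severity": "High", "resource": "vm-db-02",
     "incident": None, "title": "Known credential theft tool executed"},
    {"id": "a4", "severity": "Low", "resource": "vm-web-03",
     "incident": None, "title": "Event log cleared"},
    {"id": "a5", "severity": "Informational", "resource": "vm-web-03",
     "incident": None, "title": "Scheduled task created"},
]


def visible_alerts(alerts):
    """Main alert list: Informational alerts appear only as part of an incident.
    Rejects records whose severity is not one of the known tiers."""
    for alert in alerts:
        if alert["severity"] not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {alert['severity']!r} on {alert['id']}")
    return [a for a in alerts
            if a["severity"] != "Informational" or a["incident"] is not None]


def group_incidents(alerts):
    """Group alerts by incident id; a standalone alert forms its own group,
    keyed by its alert id. Members are sorted most severe first."""
    groups = {}
    for alert in alerts:
        key = alert["incident"] or alert["id"]
        groups.setdefault(key, []).append(alert)
    for members in groups.values():
        members.sort(key=lambda a: (SEVERITY_RANK[a["severity"]], a["id"]))
    return groups


def group_severity(members):
    """An incident inherits the highest severity among its alerts."""
    return min(members, key=lambda a: SEVERITY_RANK[a["severity"]])["severity"]


def triage_order(alerts):
    """Return [(group_key, severity, [alert ids])], highest priority first."""
    groups = group_incidents(visible_alerts(alerts))
    ordered = sorted(groups.items(),
                     key=lambda kv: (SEVERITY_RANK[group_severity(kv[1])], kv[0]))
    return [(key, group_severity(members), [a["id"] for a in members])
            for key, members in ordered]


def drill_down(alerts, incident_id):
    """Every alert of one incident, including Informational ones, as the
    article says you see when you drill into an incident."""
    return [a for a in alerts if a["incident"] == incident_id]


if __name__ == "__main__":
    for key, severity, ids in triage_order(ALERTS):
        print(f"{severity:<14} {key:<6} {ids}")
    print("inc-7 detail:", [a["title"] for a in drill_down(ALERTS, "inc-7")])
```

Note that `a5`, a standalone Informational alert, never reaches the worklist, while `a2` does because it belongs to `inc-7`; that is the behaviour the Informational bullet describes, and it is why an incident view rather than a flat alert list is the right place to start an investigation.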

Continuous monitoring and assessments

Azure Security Center benefits from having security research and data science teams throughout Microsoft who continuously monitor for changes in the threat landscape. This includes the following initiatives:

  • Threat intelligence monitoring: Threat intelligence includes mechanisms, indicators, implications, and actionable advice about existing or emerging threats. This information is shared in the security community, and Microsoft continuously monitors threat intelligence feeds from internal and external sources.
  • Signal sharing: Insights from security teams across Microsoft's broad portfolio of cloud and on-premises services, servers, and client endpoint devices are shared and analyzed.
  • Microsoft security specialists: Ongoing engagement with teams across Microsoft that work in specialized security fields, like forensics and web attack detection.
  • Detection tuning: Algorithms are run against real customer data sets, and security researchers work with customers to validate the results. True and false positives are used to refine the machine learning algorithms.

These combined efforts culminate in new and improved detections, which you can benefit from instantly - there's no action for you to take.

Next steps

In this article, you learned about the different types of alerts available in Security Center. For more information, see: