Azure Security Center data security

To help customers prevent, detect, and respond to threats, Azure Security Center collects and processes security-related data, including configuration information, metadata, event logs, and more. Microsoft adheres to strict compliance and security guidelines, from coding to operating a service.

This article explains how data is managed and safeguarded in Security Center.

Data sources

Security Center analyzes data from the following sources to provide visibility into your security state, identify vulnerabilities and recommend mitigations, and detect active threats:

  • Azure services: Uses information about the configuration of Azure services you have deployed by communicating with that service's resource provider.
  • Network traffic: Uses sampled network traffic metadata from Microsoft's infrastructure, such as source/destination IP/port, packet size, and network protocol.
  • Partner solutions: Uses security alerts from integrated partner solutions, such as firewalls and antimalware solutions.
  • Your machines: Uses configuration details and information about security events, such as Windows event and audit logs, and syslog messages from your machines.

Data protection

Data segregation

Data is kept logically separate on each component throughout the service. All data is tagged per organization. This tagging persists throughout the data lifecycle, and it is enforced at each layer of the service.

Data access

To provide security recommendations and investigate potential security threats, Microsoft personnel may access information collected or analyzed by Azure services, including process creation events and other artifacts, which may unintentionally include customer data or personal data from your machines.

We adhere to the Microsoft Online Services Data Protection Addendum, which states that Microsoft will not use Customer Data or derive information from it for any advertising or similar commercial purposes. We only use Customer Data as needed to provide you with Azure services, including purposes compatible with providing those services. You retain all rights to Customer Data.

Data use

Microsoft uses patterns and threat intelligence seen across multiple tenants to enhance our prevention and detection capabilities; we do so in accordance with the privacy commitments described in our Privacy Statement.

Manage data collection from machines

When you enable Security Center in Azure, data collection is turned on for each of your Azure subscriptions. You can also enable data collection for your subscriptions in Security Center. When data collection is enabled, Security Center provisions the Log Analytics agent on all existing supported Azure virtual machines and on any new ones that are created.

The Log Analytics agent scans for various security-related configurations and events and collects them into Event Tracing for Windows (ETW) traces. In addition, the operating system raises event log events during the course of running the machine. Examples of such data are: operating system type and version, operating system logs (Windows event logs), running processes, machine name, IP addresses, logged-in user, and tenant ID. The Log Analytics agent reads event log entries and ETW traces and copies them to your workspace(s) for analysis. The Log Analytics agent also enables process creation events and command line auditing.

If you aren't using Azure Defender, you can also disable data collection from virtual machines in the Security Policy. Data collection is required for subscriptions that are protected by Azure Defender. VM disk snapshots and artifact collection will still be enabled even if data collection has been disabled.

You can specify the workspace and region where data collected from your machines is stored. The default is to store data collected from your machines in the nearest workspace in China.

Data consumption

Customers can access Security Center related data from the following data streams (stream: data types):

  • Azure Activity log: All security alerts, approved Security Center just-in-time access requests, and all alerts generated by adaptive application controls.
  • Azure Monitor logs: All security alerts.
  • Azure Resource Graph: Security alerts, security recommendations, vulnerability assessment results, secure score information, status of compliance checks, and more.
  • Azure Security Center REST API: Security alerts, security recommendations, and more.
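Two queries that put these streams to use, added here as an illustration; they are not from this page or from Microsoft's own documentation. The first, run against the Azure Monitor logs stream, shows which machines the Log Analytics agent has actually reported from, which is the practical check on the data-collection setup described in the previous section. The second summarizes the security alerts that land in the same workspace, grouped by the product that raised them, so Security Center's own alerts and partner-solution alerts can be told apart. The table names (Heartbeat, SecurityAlert) and column names are assumed from the standard Log Analytics schema; the 24-hour window and the severity ordering are choices made for this example.

```kusto
// Added example, not from the page. Assumes the standard Log Analytics
// schema: Heartbeat and SecurityAlert tables with the columns used below.
// Run each query separately in the Logs blade of the workspace.

// 1. Data-collection check: which machines has the agent reported from in
//    the last 24 hours? A machine that should be covered but is missing
//    here is a collection gap worth investigating before trusting alerts.
Heartbeat
| where TimeGenerated > ago(24h)
| summarize LastHeartbeat = max(TimeGenerated) by Computer, OSType, ResourceId
| order by LastHeartbeat desc

// 2. Consumption: alerts written to this workspace, most severe first,
//    with the originating product so partner alerts are visible too.
SecurityAlert
| where TimeGenerated > ago(24h)
| summarize Count = count(), LastSeen = max(TimeGenerated)
    by ProductName, AlertName, AlertSeverity, CompromisedEntity
| extend SeverityRank = case(AlertSeverity == "High", 0,
                             AlertSeverity == "Medium", 1,
                             AlertSeverity == "Low", 2,
                             3)   // Informational or unknown last
| order by SeverityRank asc, Count desc
| project-away SeverityRank
```

The first query is the one to schedule as a recurring check: if a subscription has Azure Defender enabled, data collection cannot be turned off, so a machine that stops sending heartbeats points at an agent or workspace problem rather than a policy change.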

Next steps

In this document, you learned how data is managed and safeguarded in Azure Security Center.

To learn more about Azure Security Center, see What is Azure Security Center?