Data collection in Azure Security Center

Security Center collects data from your Azure virtual machines (VMs), virtual machine scale sets, IaaS containers, and non-Azure (including on-premises) computers to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. Examples of such data are: operating system type and version, operating system logs (Windows event logs), running processes, machine name, IP addresses, and logged-in user.

Data collection is required to provide visibility into missing updates, misconfigured OS security settings, endpoint protection status, and health and threat protection. Data collection is only needed for compute resources (VMs, virtual machine scale sets, IaaS containers, and non-Azure computers). You can benefit from Azure Security Center even if you don't provision agents; however, you will have limited security coverage and the capabilities listed above are not supported.

This article describes how to install the Log Analytics agent and set a Log Analytics workspace in which to store the collected data. Both operations are required to enable data collection. Storing data in Log Analytics, whether you use a new or existing workspace, might incur additional charges for data storage. For more information, see the pricing page.

Tip

For the list of supported platforms, see Supported platforms in Azure Security Center.

Enable automatic provisioning of the Log Analytics agent

Note

Users of Azure Sentinel: security events collection within the context of a single workspace can be configured from either Azure Security Center or Azure Sentinel, but not both. If you're planning to add Azure Sentinel to a workspace that is already getting Azure Defender alerts from Azure Security Center, and is set to collect Security Events, you have two options:

  • Leave the Security Events collection in Azure Security Center as is. You will be able to query and analyze these events in Azure Sentinel as well as in Azure Defender. You will not, however, be able to monitor the connector's connectivity status or change its configuration in Azure Sentinel. If this is important to you, consider the second option.

  • Disable Security Events collection in Azure Security Center, and only then add the Security Events connector in Azure Sentinel. As with the first option, you will be able to query and analyze events in both Azure Sentinel and Azure Defender/ASC, but you will now be able to monitor the connector's connectivity status or change its configuration in, and only in, Azure Sentinel.

To collect data from the machines, the Log Analytics agent must be installed. The agent can be installed automatically (recommended) or manually. By default, automatic provisioning is off.

When automatic provisioning is on, Security Center deploys the Log Analytics agent on all supported Azure VMs and on any new ones that are created. Automatic provisioning is recommended, but you can install the agent manually if necessary (see Manual installation of the Log Analytics agent).

With the agent deployed to your machines, Security Center can provide additional recommendations related to system update status, OS security configurations, and endpoint protection, as well as generate additional security alerts.

To enable automatic provisioning of the Log Analytics agent:

  1. From Security Center's menu, select Pricing & settings.

  2. Select the relevant subscription.

  3. In the Data collection page, set Auto provisioning to On.

  4. Select Save.

    Tip

    If a workspace needs to be provisioned, agent installation might take up to 25 minutes.

Workspace configuration

Data collected by Security Center is stored in one or more Log Analytics workspaces. Data from your Azure VMs can be collected into workspaces created by Security Center or into an existing workspace you created.

Workspace configuration is set per subscription, and many subscriptions may use the same workspace.

Using a workspace created by Security Center

Security Center can automatically create a default workspace in which to store the data.

To select a workspace created by Security Center:

  1. Under Default workspace configuration, select Use workspace(s) created by Security Center.

  2. Click Save.
    Security Center creates a new resource group and default workspace in that geolocation, and connects the agent to that workspace. The naming convention for the workspace and resource group is:
    Workspace: DefaultWorkspace-[subscription-ID]-[geo]
    Resource Group: DefaultResourceGroup-[geo]

    If a subscription contains VMs from multiple geolocations, then Security Center creates multiple workspaces. Multiple workspaces are created to maintain data privacy rules.

  3. Security Center will automatically enable a Security Center solution on the workspace per the pricing tier set for the subscription.

Note

The Log Analytics pricing tier of workspaces created by Security Center does not affect Security Center billing. Security Center billing is always based on your Security Center security policy and the solutions installed on a workspace. For subscriptions without Azure Defender, Security Center enables the SecurityCenterFree solution on the default workspace. For subscriptions with Azure Defender, Security Center enables the Security solution on the default workspace. Storing data in Log Analytics might incur additional charges for data storage. For more information, see the pricing page.

For more information about existing Log Analytics accounts, see Existing Log Analytics customers.

Using an existing workspace

If you already have a Log Analytics workspace, you might want to use that same workspace.

To use your existing Log Analytics workspace, you must have read and write permissions on the workspace.

Note

Solutions enabled on the existing workspace will be applied to Azure VMs that are connected to it. For paid solutions, this could result in additional charges. For data privacy considerations, make sure your selected workspace is in the right geographic region. Storing data in Log Analytics might incur additional charges for data storage. For more information, see the pricing page.

To select an existing Log Analytics workspace:

  1. Under Default workspace configuration, select Use another workspace.

  2. From the pull-down menu, select a workspace to store collected data.

    Note

    In the pull-down menu, all the workspaces across all of your subscriptions are available. See Cross-subscription workspace selection for more information. You must have permission to access the workspace.

  3. Select Save.

  4. After selecting Save, you will be asked if you would like to reconfigure monitored VMs that were previously connected to a default workspace.

    • Select No if you want the new workspace settings to apply to new VMs only. The new workspace settings then apply only to new agent installations: newly discovered VMs that do not have the Log Analytics agent installed.
    • Select Yes if you want the new workspace settings to apply to all VMs. In addition, every VM connected to a Security Center-created workspace is reconnected to the new target workspace.

    Note

    If you select Yes, you must not delete the workspace(s) created by Security Center until all VMs have been reconnected to the new target workspace. This operation fails if a workspace is deleted too early.

    • To cancel the operation, select Cancel.

  5. Select whether or not the workspace will have Azure Defender enabled.

    To use an existing workspace, set the pricing tier for the workspace. This will install a Security Center solution on the workspace if one is not already present.

    1. In the Security Center main menu, select Pricing & settings.

    2. Select the workspace to which you'll be connecting the agent.

    3. Select Azure Defender on or Azure Defender off.

    Note

    If the workspace already has a Security or SecurityCenterFree solution enabled, the pricing tier will be set automatically.

Cross-subscription workspace selection

When you select a workspace in which to store your data, all the workspaces across all your subscriptions are available. Cross-subscription workspace selection allows you to collect data from virtual machines running in different subscriptions and store it in the workspace of your choice. This selection is useful if you are using a centralized workspace in your organization and want to use it for security data collection. For more information on how to manage workspaces, see Manage workspace access.

Data collection tier

Selecting a data collection tier in Azure Security Center only affects the storage of security events in your Log Analytics workspace. The Log Analytics agent will still collect and analyze the security events required for Azure Security Center's threat protection, regardless of which tier of security events you choose to store in your Log Analytics workspace (if any). Choosing to store security events in your workspace enables investigation, search, and auditing of those events in your workspace.

Note

Storing data in Log Analytics might incur additional charges for data storage. For more information, see the pricing page.

You can choose the right filtering policy for your subscriptions and workspaces from four sets of events to be stored in your workspace:

  • None - Disable security event storage. This is the default setting.
  • Minimal - A smaller set of events for customers who want to minimize the event volume.
  • Common - A set of events that satisfies most customers and allows them a full audit trail.
  • All events - For customers who want to make sure all events are stored.

These security event sets are available only with Azure Defender. See Pricing to learn more about Security Center's pricing tiers.

These sets were designed to address typical scenarios. Make sure to evaluate which one fits your needs before implementing it.

To determine the events that belong to the Common and Minimal event sets, we worked with customers and industry standards to learn about the unfiltered frequency of each event and its usage. We used the following guidelines in this process:

  • Minimal - Make sure that this set covers only events that might indicate a successful breach, plus important events that have a very low volume. For example, this set contains successful and failed user logons (event IDs 4624 and 4625), but it doesn't contain sign-out, which is important for auditing but not meaningful for detection and has a relatively high volume. Most of the data volume of this set comes from the logon events and the process creation event (event ID 4688).
  • Common - Provide a full user audit trail in this set. For example, this set contains both user logons and user sign-outs (event ID 4634). We include auditing actions like security group changes, key domain controller Kerberos operations, and other events that are recommended by industry organizations.

Events that have very low volume were included in the Common set, because the main motivation for choosing it over all events is to reduce the volume, not to filter out specific events.

Here is a complete breakdown of the Security and AppLocker event IDs for each set:

Data tier   Collected event indicators
Minimal     1102, 4624, 4625, 4657, 4663, 4688, 4700, 4702, 4719, 4720, 4722, 4723, 4724, 4727, 4728, 4732, 4735, 4737, 4739, 4740, 4754, 4755,
            4756, 4767, 4799, 4825, 4946, 4948, 4956, 5024, 5033, 8001, 8002, 8003, 8004, 8005, 8006, 8007, 8222
Common      1, 299, 300, 324, 340, 403, 404, 410, 411, 412, 413, 431, 500, 501, 1100, 1102, 1107, 1108, 4608, 4610, 4611, 4614, 4622,
            4624, 4625, 4634, 4647, 4648, 4649, 4657, 4661, 4662, 4663, 4665, 4666, 4667, 4688, 4670, 4672, 4673, 4674, 4675, 4689, 4697,
            4700, 4702, 4704, 4705, 4716, 4717, 4718, 4719, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4733, 4732, 4735, 4737,
            4738, 4739, 4740, 4742, 4744, 4745, 4746, 4750, 4751, 4752, 4754, 4755, 4756, 4757, 4760, 4761, 4762, 4764, 4767, 4768, 4771,
            4774, 4778, 4779, 4781, 4793, 4797, 4798, 4799, 4800, 4801, 4802, 4803, 4825, 4826, 4870, 4886, 4887, 4888, 4893, 4898, 4902,
            4904, 4905, 4907, 4931, 4932, 4933, 4946, 4948, 4956, 4985, 5024, 5033, 5059, 5136, 5137, 5140, 5145, 5632, 6144, 6145, 6272,
            6273, 6278, 6416, 6423, 6424, 8001, 8002, 8003, 8004, 8005, 8006, 8007, 8222, 26401, 30004

Note

  • If you are using Group Policy Objects (GPO), it is recommended that you enable the audit policy for Process Creation Event 4688 and the CommandLine field inside event 4688. For more information about Process Creation Event 4688, see Security Center's FAQ. For more information about these audit policies, see Audit Policy Recommendations.
  • To enable data collection for Adaptive Application Controls, Security Center configures a local AppLocker policy in Audit mode to allow all applications. This causes AppLocker to generate events, which are then collected and used by Security Center. Note that this policy will not be configured on any machine that already has a configured AppLocker policy.
  • To collect Windows Filtering Platform Event ID 5156, you need to enable Audit Filtering Platform Connection (Auditpol /set /subcategory:"Filtering Platform Connection" /Success:Enable).
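To see how the tiers interact with the event IDs listed above (including event 5156 from the note, which appears in neither the Minimal nor the Common list and is therefore stored only under All events), here is an added Python example that is not part of this article or of Security Center itself. It embeds the two event-ID sets from the table, runs a constructed batch of Windows security events through each tier, and reports how many each tier would retain; the machine and account names in the sample are made up.

```python
"""Simulate the Security Center Windows security event filtering tiers.

Added example, not Microsoft's code: the Minimal and Common event ID sets
below are copied from the table on this page; the sample event records are
constructed here for illustration only.
"""
from typing import Dict, List, Optional, FrozenSet

# Event IDs stored by the "Minimal" tier (from the page's table).
MINIMAL: FrozenSet[int] = frozenset({
    1102, 4624, 4625, 4657, 4663, 4688, 4700, 4702, 4719, 4720, 4722, 4723,
    4724, 4727, 4728, 4732, 4735, 4737, 4739, 4740, 4754, 4755, 4756, 4767,
    4799, 4825, 4946, 4948, 4956, 5024, 5033, 8001, 8002, 8003, 8004, 8005,
    8006, 8007, 8222,
})

# Event IDs stored by the "Common" tier (from the page's table).
COMMON: FrozenSet[int] = frozenset({
    1, 299, 300, 324, 340, 403, 404, 410, 411, 412, 413, 431, 500, 501, 1100,
    1102, 1107, 1108, 4608, 4610, 4611, 4614, 4622, 4624, 4625, 4634, 4647,
    4648, 4649, 4657, 4661, 4662, 4663, 4665, 4666, 4667, 4688, 4670, 4672,
    4673, 4674, 4675, 4689, 4697, 4700, 4702, 4704, 4705, 4716, 4717, 4718,
    4719, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4733, 4732,
    4735, 4737, 4738, 4739, 4740, 4742, 4744, 4745, 4746, 4750, 4751, 4752,
    4754, 4755, 4756, 4757, 4760, 4761, 4762, 4764, 4767, 4768, 4771, 4774,
    4778, 4779, 4781, 4793, 4797, 4798, 4799, 4800, 4801, 4802, 4803, 4825,
    4826, 4870, 4886, 4887, 4888, 4893, 4898, 4902, 4904, 4905, 4907, 4931,
    4932, 4933, 4946, 4948, 4956, 4985, 5024, 5033, 5059, 5136, 5137, 5140,
    5145, 5632, 6144, 6145, 6272, 6273, 6278, 6416, 6423, 6424, 8001, 8002,
    8003, 8004, 8005, 8006, 8007, 8222, 26401, 30004,
})

# Tier name -> allowed IDs. None means "All events": nothing is filtered.
TIERS: Dict[str, Optional[FrozenSet[int]]] = {
    "None": frozenset(),
    "Minimal": MINIMAL,
    "Common": COMMON,
    "All": None,
}


def is_stored(event_id: int, tier: str) -> bool:
    """Return True if an event with this ID is written to the workspace under the tier."""
    allowed = TIERS[tier]
    return allowed is None or event_id in allowed


def filter_events(events: List[dict], tier: str) -> List[dict]:
    """Keep only the events the given tier would store."""
    return [e for e in events if is_stored(e["EventID"], tier)]


def volume_report(events: List[dict]) -> Dict[str, int]:
    """Count how many of the events each tier would retain (volume estimate)."""
    return {tier: len(filter_events(events, tier)) for tier in TIERS}


# Constructed sample (not real telemetry): a typical mix of logon, logoff,
# process creation, account management and Windows Filtering Platform events.
SAMPLE_EVENTS: List[dict] = [
    {"EventID": 4624, "Computer": "vm-web-01", "Account": "svc-app"},  # logon succeeded
    {"EventID": 4625, "Computer": "vm-web-01", "Account": "admin"},    # logon failed
    {"EventID": 4634, "Computer": "vm-web-01", "Account": "svc-app"},  # logoff
    {"EventID": 4688, "Computer": "vm-web-01", "Account": "svc-app"},  # process created
    {"EventID": 5156, "Computer": "vm-web-01", "Account": "-"},        # WFP connection allowed
    {"EventID": 5156, "Computer": "vm-web-01", "Account": "-"},        # WFP connection allowed
    {"EventID": 4720, "Computer": "vm-dc-01", "Account": "admin"},     # user account created
]

if __name__ == "__main__":
    for tier, count in volume_report(SAMPLE_EVENTS).items():
        print(f"{tier:8s} keeps {count}/{len(SAMPLE_EVENTS)} sample events")
```

Running it shows that logoff (4634) survives only from Common upward, while the 5156 events are dropped by both Minimal and Common, which is why the note above matters only when you store all events.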

To choose your filtering policy:

  1. On the Data Collection page, select your filtering policy under Store additional raw data - Windows security events.

  2. Select Save.

Automatic provisioning in cases of a pre-existing agent installation

The following use cases specify how automatic provisioning works when an agent or extension is already installed.

  • Log Analytics agent is installed on the machine, but not as an extension (Direct agent)
    If the Log Analytics agent is installed directly on the VM (not as an Azure extension), Security Center will install the Log Analytics agent extension, and may upgrade the Log Analytics agent to the latest version. The installed agent will continue to report to its already configured workspace(s), and additionally will report to the workspace configured in Security Center (multi-homing is supported on Windows machines). If the configured workspace is a user workspace (not Security Center's default workspace), then you will need to install the "security" or "securityFree" solution on it for Security Center to start processing events from VMs and computers reporting to that workspace.

    For Linux machines, agent multi-homing is not yet supported; hence, if an existing agent installation is detected, automatic provisioning will not occur and the machine's configuration will not be altered.
    For existing machines on subscriptions onboarded to Security Center before 17th March 2019, when an existing agent is detected, the Log Analytics agent extension will not be installed and the machine will not be affected. For these machines, see the "Resolve monitoring agent health issues on your machines" recommendation to resolve the agent installation issues.

  • System Center Operations Manager agent is installed on the machine
    Security Center will install the Log Analytics agent extension side by side with the existing Operations Manager agent. The existing Operations Manager agent will continue to report to the Operations Manager server normally. The Operations Manager agent and Log Analytics agent share common run-time libraries, which will be updated to the latest version during this process. If Operations Manager agent version 2012 is installed, do not enable automatic provisioning.

  • A pre-existing VM extension is present

    • When the Monitoring Agent is installed as an extension, the extension configuration allows reporting to only a single workspace. Security Center does not override existing connections to user workspaces. Security Center will store security data from the VM in the workspace already connected, provided that the "security" or "securityFree" solution has been installed on it. Security Center may upgrade the extension version to the latest version in this process.
    • To see which workspace the existing extension is sending data to, run the test to Validate connectivity with Azure Security Center. Alternatively, you can open Log Analytics workspaces, select a workspace, select the VM, and look at the Log Analytics agent connection.
    • If you have an environment where the Log Analytics agent is installed on client workstations and reporting to an existing Log Analytics workspace, review the list of operating systems supported by Azure Security Center to make sure your operating system is supported. For more information, see Existing Log Analytics customers.

Turn off automatic provisioning

To turn off automatic provisioning of the Log Analytics agent:

  1. From Security Center's menu in the portal, select Pricing & settings.

  2. Select the relevant subscription.

  3. Select Data Collection.

  4. Under Auto Provisioning, select Off to disable automatic provisioning.

  5. Select Save.

When auto provisioning is disabled (turned off), the default workspace configuration section is not displayed.

If you switch off auto provisioning after it was previously on, agents will not be provisioned on new VMs.

Note

Disabling automatic provisioning does not remove the Log Analytics agent from Azure VMs where the agent was provisioned. For information on removing the OMS extension, see How do I remove OMS extensions installed by Security Center.

Manual agent provisioning

There are several ways to install the Log Analytics agent manually. When installing manually, make sure you disable auto provisioning.

Operations Management Suite VM extension deployment

You can manually install the Log Analytics agent, so Security Center can collect security data from your VMs and provide recommendations and alerts.

  1. Disable auto provisioning.

  2. Optionally, create a workspace.

  3. Enable Azure Defender on the workspace on which you're installing the Log Analytics agent:

    1. From Security Center's menu, select Pricing & settings.

    2. Set the workspace on which you're installing the agent. Make sure the workspace is in the same subscription you use in Security Center and that you have read/write permissions on the workspace.

    3. Set Azure Defender to on, and select Save.

      Note

      If the workspace already has a Security or SecurityCenterFree solution enabled, the pricing tier will be set automatically.

  4. If you want to deploy the agents on new VMs using a Resource Manager template, install the Log Analytics agent.

  5. To deploy the extensions on existing VMs, follow the instructions in Collect data about Azure Virtual Machines.

    Note

    The section Collect event and performance data is optional.

  6. To use PowerShell to deploy the extension, use the instructions from the virtual machines documentation.

Note

For instructions on how to onboard Security Center using PowerShell, see Automate onboarding of Azure Security Center using PowerShell.

Troubleshooting

  • To identify automatic provisioning installation issues, see Monitoring agent health issues.

  • To identify monitoring agent network requirements, see Troubleshooting monitoring agent network requirements.

  • To identify manual onboarding issues, see How to troubleshoot Operations Management Suite onboarding issues.

  • To identify issues with unmonitored VMs and computers:

    A VM or computer is unmonitored by Security Center if the machine is not running the Log Analytics agent extension. A machine may have a local agent already installed, for example the OMS direct agent or the System Center Operations Manager agent. Machines with these agents are identified as unmonitored because these agents are not fully supported in Security Center. To fully benefit from all of Security Center's capabilities, the Log Analytics agent extension is required.

    For more information about the reasons Security Center is unable to successfully monitor VMs and computers initialized for automatic provisioning, see Monitoring agent health issues.

Next steps

This article showed you how data collection and automatic provisioning work in Security Center. To learn more about Security Center, see the following pages: