Manage and respond to security alerts in Azure Security Center

This topic shows you how to view and process Security Center's alerts and protect your resources.

Advanced detections that trigger security alerts are only available with Azure Defender. A trial is available. To upgrade, see Enable Azure Defender.

What are security alerts?

Security Center automatically collects, analyzes, and integrates log data from your Azure resources, the network, and connected partner solutions, such as firewall and endpoint protection solutions, to detect real threats and reduce false positives. A list of prioritized security alerts is shown in Security Center along with the information you need to quickly investigate the problem and recommendations for how to remediate an attack.

To learn about the different types of alerts, see Security alerts - a reference guide.

For an overview of how Security Center generates alerts, see How Azure Security Center detects and responds to threats.

Manage your security alerts

  1. From Security Center's overview page, select the Security alerts tile at the top of the page, or the link from the sidebar.

    Accessing the security alerts page from Azure Security Center's overview page

    The security alerts page opens.

    List of security alerts in Azure Security Center

  2. To filter the alerts list, select any of the relevant filters. You can optionally add further filters with the Add filter option.

    Adding filters to the alerts view

    The list updates according to the filtering options you've selected. Filtering can be very helpful. For example, you might want to address only the security alerts that occurred in the last 24 hours because you are investigating a potential breach in the system.
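    The same "last 24 hours, highest severity first" triage can be applied to alerts retrieved outside the portal. The following is an added example, not code from this page or from Azure; it works on constructed alert records whose field names follow the Azure Security alerts API shape, which is an assumption to verify against the output of `az security alert list` in your own subscription.

```python
from datetime import datetime, timedelta, timezone

# Portal severity order, highest first.
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}

# Constructed sample alerts (not real data). Field names follow the
# Azure Security alerts API shape as an assumption; verify them against
# real output before relying on this in a pipeline.
SAMPLE_ALERTS = [
    {"alertDisplayName": "Suspicious process executed", "severity": "High",
     "status": "Active", "timeGeneratedUtc": "2021-03-01T10:15:00Z",
     "compromisedEntity": "vm-web-01"},
    {"alertDisplayName": "Unusual storage access", "severity": "Low",
     "status": "Active", "timeGeneratedUtc": "2021-02-27T09:00:00Z",
     "compromisedEntity": "stlogs01"},
    {"alertDisplayName": "Failed sign-in attempts", "severity": "Medium",
     "status": "Dismissed", "timeGeneratedUtc": "2021-03-01T11:00:00Z",
     "compromisedEntity": "vm-jump-02"},
    {"alertDisplayName": "Antimalware disabled", "severity": "Medium",
     "status": "Active", "timeGeneratedUtc": "2021-02-28T20:00:00Z",
     "compromisedEntity": "vm-db-03"},
    {"alertDisplayName": "Suspicious PowerShell command", "severity": "High",
     "status": "Active", "timeGeneratedUtc": "2021-03-01T08:00:00Z",
     "compromisedEntity": "vm-web-01"},
]

# Fixed "now" so the sample run is reproducible.
AS_OF = datetime(2021, 3, 1, 12, tzinfo=timezone.utc)


def _parse_utc(stamp):
    """Parse the API's ISO-8601 'Z' timestamps into aware datetimes."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def triage_alerts(alerts, now=None, window=timedelta(hours=24),
                  statuses=("Active",)):
    """Keep alerts inside the window with a wanted status, ordered by
    severity (High first) and newest first within the same severity."""
    cutoff = (now or datetime.now(timezone.utc)) - window
    selected = [a for a in alerts if a.get("status") in statuses
                and _parse_utc(a["timeGeneratedUtc"]) >= cutoff]
    selected.sort(key=lambda a: (SEVERITY_RANK.get(a["severity"], 99),
                                 -_parse_utc(a["timeGeneratedUtc"]).timestamp()))
    return selected


def demo_triage():
    """Names of the sample alerts an analyst would work first, in order."""
    return [a["alertDisplayName"] for a in triage_alerts(SAMPLE_ALERTS, now=AS_OF)]


if __name__ == "__main__":
    for a in triage_alerts(SAMPLE_ALERTS, now=AS_OF):
        print(a["severity"], a["timeGeneratedUtc"], a["compromisedEntity"], a["alertDisplayName"])
```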

Respond to security alerts

  1. From the Security alerts list, select an alert. A side pane opens and shows a description of the alert and all the affected resources.

    Mini details view of a security alert

    Tip

    With this side pane open, you can quickly review the alerts list with the up and down arrows on your keyboard.

  2. For further information, select View full details.

    The left pane of the security alert page shows high-level information about the security alert: title, severity, status, activity time, a description of the suspicious activity, and the affected resource. Alongside the affected resource are the Azure tags relevant to that resource. Use these to infer the organizational context of the resource when investigating the alert.

    The right pane includes the Alert details tab, which contains further details of the alert to help you investigate the issue: IP addresses, files, processes, and more.

    Recommendations for how to handle a security alert

    Also in the right pane is the Take action tab. Use this tab to take further actions regarding the security alert, such as:

    • Mitigate the threat - provides manual remediation steps for this security alert
    • Prevent future attacks - provides security recommendations to help reduce the attack surface, increase security posture, and thus prevent future attacks
    • Trigger automated response - provides the option to trigger a logic app as a response to this security alert
    • Suppress similar alerts - provides the option to suppress future alerts with similar characteristics if the alert isn't relevant for your organization

    The Take action tab

See also

In this document, you learned how to view security alerts. See the following pages for related material: