Manage and respond to security alerts in Azure Security Center

This topic shows you how to view and process the alerts that you have received in order to protect your resources.

Note

To enable advanced detections, upgrade to Azure Security Center Standard. A free trial is available. To upgrade, select Pricing Tier in the Security Policy. See Azure Security Center pricing to learn more.

What are security alerts?

Security Center automatically collects, analyzes, and integrates log data from your Azure resources, the network, and connected partner solutions, such as firewall and endpoint protection solutions, to detect real threats and reduce false positives. A list of prioritized security alerts is shown in Security Center, along with the information you need to quickly investigate the problem and recommendations for how to remediate an attack.

Note

For more information about how Security Center detection capabilities work, see How Azure Security Center detects and responds to threats.

Manage your security alerts

  1. From the Security Center dashboard, see the Threat protection tile to view an overview of the alerts.

    (Figure: the Security alerts tile in Security Center)

  2. To see more details about the alerts, click the tile.

    (Figure: Security alerts in Security Center)

  3. To filter the alerts shown, click Filter, and from the Filter blade that opens, select the filter options that you want to apply. The list updates according to the selected filter. Filtering can be very helpful. For example, you might want to address security alerts that occurred in the last 24 hours because you are investigating a potential breach in the system.

    (Figure: filtering alerts in Security Center)

Respond to security alerts

  1. From the Security alerts list, click a security alert. The resources involved and the steps you need to take to remediate an attack are shown.

    (Figure: responding to a security alert)

  2. After reviewing the information, click a resource that was attacked.

    (Figure: recommendations for how to handle a security alert)

    The General Information section can offer insight into what triggered the security alert. It displays information such as the target resource, the source IP address (when applicable), whether the alert is still active, and recommendations about how to remediate.

    Note

    In some instances the source IP address is not available, because some Windows security event logs do not include the IP address.

  3. The remediation steps suggested by Security Center vary according to the security alert. Follow them for each alert.

    In some cases, in order to mitigate a security alert, you may have to use other Azure controls or services to implement the recommended remediation.
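The two procedures above (filtering alerts to a time window, then reading each alert's General Information: severity, target resource, source IP, active status and remediation steps) can be scripted for bulk triage. The following is an added example, not code from the page or from Security Center; the alert dictionaries and their field names are a constructed stand-in, not Security Center's real alert schema, and the IP address and resource names are hypothetical.

```python
# Added example: triage a constructed list of security alerts the way the portal
# steps above do: keep the last 24 hours, order by severity, then render the
# General Information fields, tolerating alerts whose log lacked a source IP.
from datetime import datetime, timedelta, timezone

# Lower rank sorts first; unknown severities sort last.
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}

# Constructed sample data (hypothetical names, 203.0.113.0/24 is a documentation range).
NOW = datetime(2020, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    {"name": "Suspicious process executed", "severity": "Medium", "active": True,
     "time": NOW - timedelta(hours=2), "resource": "vm-web-01", "source_ip": None,
     "remediation": ["Review the process and its parent", "Isolate the VM if malicious"]},
    {"name": "Failed RDP brute force attempt", "severity": "High", "active": True,
     "time": NOW - timedelta(hours=20), "resource": "vm-web-01", "source_ip": "203.0.113.5",
     "remediation": ["Restrict RDP with an NSG rule", "Enable just-in-time VM access"]},
    {"name": "Outdated agent", "severity": "Low", "active": False,
     "time": NOW - timedelta(hours=30), "resource": "vm-db-02", "source_ip": None,
     "remediation": ["Update the monitoring agent"]},
]


def recent_alerts(alerts, now, hours=24):
    """Keep alerts that occurred within the last `hours` (the portal's 24-hour filter)."""
    cutoff = now - timedelta(hours=hours)
    return [a for a in alerts if a["time"] >= cutoff]


def prioritize(alerts):
    """Order by severity (High first), then active before resolved, then newest first."""
    return sorted(alerts, key=lambda a: (SEVERITY_RANK.get(a["severity"], 99),
                                         not a["active"], -a["time"].timestamp()))


def summarize(alert):
    """Render the General Information fields; a missing source IP is shown as 'n/a'."""
    ip = alert["source_ip"] or "n/a"
    status = "active" if alert["active"] else "resolved"
    steps = "; ".join(alert["remediation"])
    return f"[{alert['severity']}] {alert['name']} on {alert['resource']} from {ip} ({status}): {steps}"


def triage(alerts, now, hours=24):
    """Filter, prioritize and render: one line per alert to work through in order."""
    return [summarize(a) for a in prioritize(recent_alerts(alerts, now, hours))]


if __name__ == "__main__":
    for line in triage(SAMPLE_ALERTS, NOW):
        print(line)
```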

See also

In this document, you learned how to configure security policies in Security Center. To learn more about Security Center, see the following: