Manage and respond to security alerts in Azure Security Center

This topic shows you how to view and process the alerts that you have received in order to protect your resources.

Note

To enable advanced detections, enable Azure Defender. A trial is available. To upgrade, select Pricing Tier in the Security Policy. See Azure Security Center pricing to learn more.

What are security alerts?

Security Center automatically collects, analyzes, and integrates log data from your Azure resources, the network, and connected partner solutions, like firewall and endpoint protection solutions, to detect real threats and reduce false positives. A list of prioritized security alerts is shown in Security Center along with the information you need to quickly investigate the problem and recommendations for how to remediate an attack.

Note

For more information about how Security Center detection capabilities work, see How Azure Security Center detects and responds to threats.

Manage your security alerts

  1. From the Security Center dashboard, see the Threat protection tile to view an overview of the alerts.

    [Figure: Security alerts tile in Security Center]

  2. To see more details about the alerts, click the tile.

    [Figure: Security alerts in Security Center]

  3. To filter the alerts shown, click Filter, and from the Filter blade that opens, select the filter options that you want to apply. The list updates according to the selected filter. Filtering can be very helpful. For example, you might want to address security alerts that occurred in the last 24 hours because you are investigating a potential breach in the system.

    [Figure: Filtering alerts in Security Center]

Respond to security alerts

  1. From the Security alerts list, click a security alert. The resources involved and the steps you need to take to remediate an attack are shown.

    [Figure: Responding to a security alert]

  2. After reviewing the information, click a resource that was attacked.

    The left pane of the security alert page shows high-level information regarding the security alert: title, severity, status, activity time, description of the suspicious activity, and the affected resource. Alongside the affected resource are the Azure tags relevant to the resource. Use these to infer the organizational context of the resource when investigating the alert.

    The right pane includes the Alert details tab containing further details of the alert to help you investigate the issue: IP addresses, files, processes, and more.

    [Figure: Recommendations for how to handle the security alert]

    Also in the right pane is the Take action tab. Use this tab to take further actions regarding the security alert, such as:

    • Mitigate the threat - provides manual remediation steps for this security alert
    • Prevent future attacks - provides security recommendations to help reduce the attack surface, increase security posture, and thus prevent future attacks
    • Trigger automated response - provides the option to trigger a logic app as a response to this security alert
    • Suppress similar alerts - provides the option to suppress future alerts with similar characteristics if the alert isn't relevant for your organization

    [Figure: The Take action tab]
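The triage steps above (filter to the last 24 hours, work the list in severity order, then suppress alerts with similar characteristics) can be expressed over the alert fields this page describes. The following is an added example, not code from the original page or from Security Center; the alert records, the `recent_alerts` and `suppress_similar` functions and the dotted rule keys are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}
NOW = datetime(2021, 3, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock so the run is deterministic

# Constructed sample alerts (hypothetical, not real Security Center output) carrying the
# fields the alert page shows: title, severity, status, activity time, affected resource,
# Azure tags, and alert details (IP address, process) used during investigation.
ALERTS = [
    {"title": "Suspicious process executed", "severity": "High", "status": "Active",
     "time": NOW - timedelta(hours=3), "resource": "vm-web-01", "tags": {"env": "prod"},
     "details": {"ip": "203.0.113.10", "process": "powershell.exe"}},
    {"title": "Failed RDP brute force attempt", "severity": "Medium", "status": "Active",
     "time": NOW - timedelta(hours=20), "resource": "vm-jump-02", "tags": {"env": "prod"},
     "details": {"ip": "198.51.100.7", "process": None}},
    {"title": "Suspicious process executed", "severity": "Low", "status": "Active",
     "time": NOW - timedelta(hours=5), "resource": "vm-test-09", "tags": {"env": "dev"},
     "details": {"ip": "203.0.113.10", "process": "powershell.exe"}},
    {"title": "Malware uploaded to storage", "severity": "High", "status": "Active",
     "time": NOW - timedelta(days=3), "resource": "stgdata01", "tags": {"env": "prod"},
     "details": {"ip": None, "process": None}},
]


def recent_alerts(alerts, hours=24, now=NOW):
    """Active alerts from the last `hours`, highest severity first (the prioritized view)."""
    cutoff = now - timedelta(hours=hours)
    hits = [a for a in alerts if a["status"] == "Active" and a["time"] >= cutoff]
    return sorted(hits, key=lambda a: (SEVERITY_RANK[a["severity"]], a["time"]))


def suppress_similar(alerts, rule):
    """Dismiss active alerts matching every key in `rule`; returns how many were dismissed.

    Keys are top-level fields ("title") or dotted paths into a nested dict
    ("tags.env", "details.process"), mirroring the characteristics a suppression
    rule is built from. Dismissed alerts drop out of the prioritized list."""
    def field(alert, key):
        head, _, tail = key.partition(".")
        return alert[head].get(tail) if tail else alert[head]

    dismissed = 0
    for alert in alerts:
        if alert["status"] == "Active" and all(field(alert, k) == v for k, v in rule.items()):
            alert["status"] = "Dismissed"
            dismissed += 1
    return dismissed
```

Scope a suppression rule as narrowly as the tags allow (here the dev environment only) so the same alert title on a production resource stays in the list.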

See also

In this document, you learned how to view security alerts. See the following pages for related material: