Planning and operations guide

This guide is for information technology (IT) professionals, IT architects, information security analysts, and cloud administrators planning to use Azure Security Center.

Planning guide

This guide covers tasks that you can follow to optimize your use of Security Center based on your organization's security requirements and cloud management model. To take full advantage of Security Center, it is important to understand how different individuals or teams in your organization use the service to meet secure development and operations, monitoring, governance, and incident response needs. The key areas to consider when planning to use Security Center are:

  • Security roles and access controls
  • Security policies and recommendations
  • Data collection and storage
  • Onboarding non-Azure resources
  • Ongoing security monitoring
  • Incident response

In the next section, you will learn how to plan for each of those areas and apply the related recommendations based on your requirements.


Read the Azure Security Center frequently asked questions (FAQ) for a list of common questions that can also be useful during the design and planning phase.

Security roles and access controls

Depending on the size and structure of your organization, multiple individuals and teams may use Security Center to perform different security-related tasks. The following diagram shows an example of fictitious personas and their respective roles and security responsibilities:


Security Center enables these individuals to meet these various responsibilities. For example:

Jeff (Workload Owner)

  • Manages a cloud workload and its related resources
  • Responsible for implementing and maintaining protections in accordance with company security policy

Ellen (CISO/CIO)

  • Responsible for all aspects of security for the company
  • Wants to understand the company's security posture across cloud workloads
  • Needs to be informed of major attacks and risks

David (IT Security)

  • Sets company security policies to ensure the appropriate protections are in place
  • Monitors compliance with policies
  • Generates reports for leadership or auditors

Judy (Security Operations)

  • Monitors and responds to security alerts 24/7
  • Escalates to the Cloud Workload Owner or IT Security Analyst

Sam (Security Analyst)

  • Investigates attacks
  • Works with the Cloud Workload Owner to apply remediation

Security Center uses Azure role-based access control (Azure RBAC), which provides built-in roles that can be assigned to users, groups, and services in Azure. When a user opens Security Center, they see only information related to the resources they have access to, which means the user has been assigned the Owner, Contributor, or Reader role on the subscription or resource group that a resource belongs to. In addition to these roles, there are two Security Center-specific roles:

  • Security Reader: a user in this role can view Security Center configuration, including recommendations, alerts, policy, and health, but cannot make changes.
  • Security Admin: the same as Security Reader, but can also update the security policy and dismiss recommendations and alerts.

The Security Center roles described above do not have access to other Azure service areas such as Storage, Web & Mobile, or Internet of Things.

Using the personas explained in the previous diagram, the following Azure RBAC assignments would be needed:

Jeff (Workload Owner)

  • Resource Group Owner/Contributor

Ellen (CISO/CIO)

  • Subscription Owner/Contributor or Security Admin

David (IT Security)

  • Subscription Owner/Contributor or Security Admin

Judy (Security Operations)

  • Subscription Reader or Security Reader to view alerts
  • Subscription Owner/Contributor or Security Admin required to dismiss alerts

Sam (Security Analyst)

  • Subscription Reader to view alerts
  • Subscription Owner/Contributor required to dismiss alerts
  • Access to the workspace may be required

Some other important information to consider:

  • Only subscription Owners/Contributors and Security Admins can edit a security policy.
  • Only subscription and resource group Owners and Contributors can apply security recommendations for a resource.

When planning access control using Azure RBAC for Security Center, be sure to understand who in your organization will use Security Center and what types of tasks they will perform, then configure Azure RBAC accordingly.

We recommend that you assign the least permissive role needed for users to complete their tasks. For example, users who only need to view information about the security state of resources, without taking action such as applying recommendations or editing policies, should be assigned the Reader role.
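The role and scope rules above can be checked mechanically before assignments are made. This is an added example, not Microsoft's code: it encodes the page's role/action statements as data, computes the least-privileged assignment set for a persona's tasks, and flags assignments that a weaker role could replace. The subscription ID, resource-group names and task lists used with it are constructed.

```python
# Added example, not Microsoft's code: the role/action statements on this page encoded
# as data so a proposed RBAC assignment can be checked for least privilege. The
# subscription ID, resource-group names and task lists used with it are constructed.
from typing import NamedTuple

# Roles that grant each action named above. A subscription-level assignment is
# inherited by every resource group beneath it.
ACTION_ROLES = {
    "view_alerts": {"Owner", "Contributor", "Reader", "Security Reader", "Security Admin"},
    "dismiss_alerts": {"Owner", "Contributor", "Security Admin"},
    "edit_policy": {"Owner", "Contributor", "Security Admin"},
    "apply_recommendations": {"Owner", "Contributor"},
}
SUBSCRIPTION_ONLY = {"edit_policy"}  # only *subscription* Owners/Contributors/Security Admins
RANK = ["Security Reader", "Reader", "Security Admin", "Contributor", "Owner"]  # weakest first
ROLE_ACTIONS = {r: {a for a, roles in ACTION_ROLES.items() if r in roles} for r in RANK}


class Assignment(NamedTuple):
    role: str
    scope: str  # "/subscriptions/<id>" or "/subscriptions/<id>/resourceGroups/<name>"


def scope_covers(assigned: str, target: str) -> bool:
    return target == assigned or target.startswith(assigned + "/")


def can(assignments, action: str, scope: str) -> bool:
    """True if some assignment grants `action` at `scope` under the rules above."""
    return any(a.role in ACTION_ROLES[action] and scope_covers(a.scope, scope)
               and not (action in SUBSCRIPTION_ONLY and "/resourceGroups/" in a.scope)
               for a in assignments)  # a resource-group-scoped Security Admin cannot edit policy


def _implied_by(a: Assignment, b: Assignment) -> bool:
    """b already grants everything a grants (broader scope and/or stronger role)."""
    if a == b or not scope_covers(b.scope, a.scope):
        return False
    if ROLE_ACTIONS[b.role] > ROLE_ACTIONS[a.role]:
        return True
    return ROLE_ACTIONS[b.role] == ROLE_ACTIONS[a.role] and (
        b.scope != a.scope or RANK.index(b.role) < RANK.index(a.role))


def plan(tasks) -> set:
    """Smallest set of assignments covering a persona's (action, scope) tasks."""
    wanted = set()
    for action, scope in tasks:
        if action in SUBSCRIPTION_ONLY:
            scope = scope.split("/resourceGroups/")[0]
        wanted.add(Assignment(next(r for r in RANK if r in ACTION_ROLES[action]), scope))
    return {a for a in wanted if not any(_implied_by(a, b) for b in wanted)}


def excess(assignments, tasks) -> set:
    """Assignments that a weaker role could replace without breaking any task."""
    flagged = set()
    for a in assignments:
        for weaker in RANK[: RANK.index(a.role)]:
            trial = (set(assignments) - {a}) | {Assignment(weaker, a.scope)}
            if all(can(trial, act, sc) for act, sc in tasks):
                flagged.add(a)
                break
    return flagged
```

For Judy's tasks (view and dismiss alerts at subscription scope) `plan` returns Security Admin at the subscription, and `excess` reports an Owner assignment at that scope as more than she needs.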

Security policies and recommendations

A security policy defines the desired configuration of your workloads and helps ensure compliance with company or regulatory security requirements. In Security Center, you can define policies for your Azure subscriptions, which can be tailored to the type of workload or the sensitivity of the data.

Security Center policies contain the following components:

  • Data collection: agent provisioning and data collection settings.
  • Security policy: an Azure Policy that determines which controls are monitored and recommended by Security Center. You can also use Azure Policy to create new definitions, define additional policies, and assign policies across management groups.
  • Email notifications: security contacts and notification settings.
  • Pricing tier: with or without Azure Defender, which determines which Security Center features are available for the resources in scope (can be specified for subscriptions and workspaces, or for resource groups using the API).


Specifying a security contact ensures that Azure can reach the right person in your organization if a security incident occurs. Read Provide security contact details in Azure Security Center for more information on how to enable this recommendation.

Security policy definitions and recommendations

Security Center automatically creates a default security policy for each of your Azure subscriptions. You can edit the policy in Security Center, or use Azure Policy to create new definitions, define additional policies, assign policies across management groups (which can represent the entire organization, a business unit within it, and so on), and monitor compliance with these policies across those scopes.

Before configuring security policies, review each of the security recommendations and determine whether these policies are appropriate for your various subscriptions and resource groups. It is also important to understand what action should be taken to address security recommendations, and who in your organization will be responsible for monitoring for new recommendations and taking the needed steps.

Data collection and storage

Azure Security Center uses the Log Analytics agent, the same agent used by the Azure Monitor service, to collect security data from your virtual machines. Data collected by this agent is stored in your Log Analytics workspace(s).


When automatic provisioning is enabled in the security policy, the Log Analytics agent (for Windows or Linux) is installed on all supported Azure VMs and on any new ones that are created. If the VM or computer already has the Log Analytics agent installed, Azure Security Center uses the existing agent. The agent's process is designed to be non-invasive and to have minimal impact on VM performance.

The Log Analytics agent for Windows requires the use of TCP port 443. See the Troubleshooting article for additional details.

If at some point you want to disable data collection, you can turn it off in the security policy. However, because the Log Analytics agent may be used by other Azure management and monitoring services, the agent is not uninstalled automatically when you turn off data collection in Security Center. You can manually uninstall the agent if needed.


To find a list of supported VMs, read the Azure Security Center frequently asked questions (FAQ).


A workspace is an Azure resource that serves as a container for data. You or other members of your organization might use multiple workspaces to manage different sets of data collected from all or portions of your IT infrastructure.

Data collected by the Log Analytics agent (on behalf of Azure Security Center) is stored either in an existing Log Analytics workspace associated with your Azure subscription or in a new workspace, taking into account the geo of the VM.

In the Azure portal, you can browse to see a list of your Log Analytics workspaces, including any created by Azure Security Center. A related resource group is created for new workspaces. Both follow this naming convention:

  • Workspace: DefaultWorkspace-[subscription-ID]-[geo]
  • Resource group: DefaultResourceGroup-[geo]

For workspaces created by Azure Security Center, data is retained for 30 days. For existing workspaces, retention is based on the workspace pricing tier. You can also use an existing workspace if you prefer.
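When inventorying workspaces it helps to recognise the ones Security Center created from the naming convention above and to know which retention rule applies to each. The following is an added example, not Microsoft's code; every workspace name, resource-group name and subscription ID it is run against is constructed.

```python
# Added example, not Microsoft's code: recognise the workspaces and resource groups
# that Security Center creates from the naming convention above, and report the
# retention to expect. Every name and subscription ID used with it is constructed.
import re

WORKSPACE_RE = re.compile(r"^DefaultWorkspace-(?P<sub>[0-9a-f-]{36})-(?P<geo>[a-z0-9]+)$", re.I)
RESOURCE_GROUP_RE = re.compile(r"^DefaultResourceGroup-(?P<geo>[a-z0-9]+)$", re.I)
ASC_RETENTION_DAYS = 30  # workspaces created by Security Center keep data for 30 days


def classify_workspace(name: str, resource_group: str, subscription_id: str,
                       tier_retention_days: int) -> dict:
    """Describe one Log Analytics workspace: whether Security Center created it, its geo,
    the retention that applies, and any mismatch between its name and where it lives."""
    ws = WORKSPACE_RE.match(name)
    if not ws:  # an existing workspace: retention follows its pricing tier
        return {"name": name, "created_by_asc": False, "geo": None,
                "retention_days": tier_retention_days, "issues": []}
    issues = []
    if ws["sub"].lower() != subscription_id.lower():
        issues.append("subscription ID in the name differs from the hosting subscription")
    rg = RESOURCE_GROUP_RE.match(resource_group)
    if not rg:
        issues.append("not in a DefaultResourceGroup-[geo] resource group")
    elif rg["geo"].lower() != ws["geo"].lower():
        issues.append("geo in the workspace name differs from the resource group geo")
    return {"name": name, "created_by_asc": True, "geo": ws["geo"].lower(),
            "retention_days": ASC_RETENTION_DAYS, "issues": issues}
```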


Microsoft makes strong commitments to protect the privacy and security of this data. Microsoft adheres to strict compliance and security guidelines, from coding to operating a service. For more information about data handling and privacy, read Azure Security Center Data Security.

Onboard non-Azure resources

Security Center can monitor the security posture of your non-Azure computers, but you need to onboard these resources first.

Ongoing security monitoring

After initial configuration and application of Security Center recommendations, the next step is to consider Security Center operational processes.

The Security Center Overview provides a unified view of security across all your Azure resources and any non-Azure resources you have connected. The example below shows an environment with many issues to be addressed:



Security Center does not interfere with your normal operational procedures; it passively monitors your deployments and provides recommendations based on the security policies you enabled.

When you first opt in to use Security Center for your current Azure environment, make sure that you review all recommendations, which you can do on the Recommendations page.

Plan to visit the threat intelligence option as part of your daily security operations. There you can identify security threats against the environment, such as whether a particular computer is part of a botnet.

Monitoring for new or changed resources

Most Azure environments are dynamic, with resources regularly being created, spun up or down, reconfigured, and changed. Security Center helps ensure that you have visibility into the security state of these new resources.

When you add new resources (VMs, SQL databases) to your Azure environment, Security Center automatically discovers these resources and begins to monitor their security. This also includes PaaS web roles and worker roles. If data collection is enabled in the security policy, additional monitoring capabilities are enabled automatically for your virtual machines.

You should also regularly monitor existing resources for configuration changes that could have created security risks, for drift from recommended baselines, and for security alerts.

Hardening access and applications

As part of your security operations, you should also adopt preventative measures to restrict access to VMs and control the applications that run on them. By locking down inbound traffic to your Azure VMs, you reduce exposure to attacks while still providing easy access to connect to VMs when needed. Use the just-in-time VM access feature to harden access to your VMs.

You can use adaptive application controls to limit which applications can run on your VMs in Azure. Among other benefits, this helps harden your VMs against malware. Using machine learning, Security Center analyzes the processes running in the VM to help you create allow-list rules.

Incident response

Security Center detects threats and alerts you to them as they occur. Organizations should monitor for new security alerts and take action as needed to investigate further or remediate the attack. For more information on how Security Center threat protection works, read How Azure Security Center detects and responds to threats.

While this article is not intended to help you create your own incident response plan, it uses the Azure Security Response in the Cloud lifecycle as the foundation for the incident response stages. The stages are shown in the following diagram:



You can use the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide as a reference when building your own plan.

You can use Security Center alerts during the following stages:

  • Detect: identify suspicious activity in one or more resources.
  • Assess: perform the initial assessment to obtain more information about the suspicious activity.
  • Diagnose: use the remediation steps to conduct the technical procedure to address the issue.

Each security alert provides information that can be used to better understand the nature of the attack and suggests possible mitigations. Some alerts also provide links either to more information or to other sources of information within Azure. You can use the information provided for further research and to begin mitigation, and you can also search the security-related data that is stored in your workspace.

The following example shows a suspicious RDP activity taking place:


This page shows details such as the time the attack took place, the source hostname, and the target VM, and also gives recommended steps. In some circumstances, the source information of the attack may be empty. Read Missing Source Information in Azure Security Center Alerts for more information about this behavior.

Once you identify the compromised system, you can run a workflow automation that was created previously. Workflow automations are collections of procedures that can be executed from Security Center once triggered by an alert.

In the video How to Leverage the Azure Security Center & Microsoft Operations Management Suite for an Incident Response, you can see demonstrations of how Security Center can be used in each of those stages.


Read Managing and responding to security alerts in Azure Security Center for more information on how to use Security Center capabilities to assist you during your incident response process.

Next steps

In this document, you learned how to plan for Security Center adoption. To learn more about Security Center, see the following: