Automate onboarding of Azure Security Center using PowerShell

You can secure your Azure workloads programmatically, using the Azure Security Center PowerShell module. Using PowerShell enables you to automate tasks and avoid the human error inherent in manual tasks. This is especially useful in large-scale deployments that involve dozens of subscriptions with hundreds or thousands of resources – all of which must be secured from the beginning.

Onboarding Azure Security Center using PowerShell enables you to programmatically automate the onboarding and management of your Azure resources and to add the necessary security controls.

This article provides a sample PowerShell script that can be modified and used in your environment to roll out Security Center across your subscriptions.

In this example, we will enable Security Center on the subscription with ID d07c0080-170c-4c24-861d-9c817742786c and apply the recommended settings that provide a high level of protection, by implementing the Standard tier of Security Center, which provides advanced threat protection and detection capabilities:

  1. Set the Security Center Standard level of protection.

  2. Set the Log Analytics workspace to which the Log Analytics agent will send the data it collects on the VMs associated with the subscription – in this example, an existing user-defined workspace (myWorkspace).

  3. Activate Security Center's automatic agent provisioning, which deploys the Log Analytics agent.

  4. Set the organization's CISO as the security contact for Security Center alerts and notable events.

  5. Assign Security Center's default security policies.

Prerequisites

These steps should be performed before you run the Security Center cmdlets:

  1. Run PowerShell as admin.

  2. Run the following commands in PowerShell:

    Set-ExecutionPolicy -ExecutionPolicy AllSigned
    Install-Module -Name Az.Security -Force
    

Onboard Security Center using PowerShell

  1. Register your subscriptions to the Security Center Resource Provider:

    Set-AzContext -Subscription "d07c0080-170c-4c24-861d-9c817742786c"
    Register-AzResourceProvider -ProviderNamespace 'Microsoft.Security' 
    
  2. Optional: Set the coverage level (pricing tier) of the subscriptions (if not defined, the pricing tier is set to Free):

    Set-AzContext -Subscription "d07c0080-170c-4c24-861d-9c817742786c"
    Set-AzSecurityPricing -Name "default" -PricingTier "Standard"
    
  3. Configure a Log Analytics workspace to which the agents will report. You must have a Log Analytics workspace that you already created, to which the subscription's VMs will report. You can define multiple subscriptions to report to the same workspace. If not defined, the default workspace will be used.

    Set-AzSecurityWorkspaceSetting -Name "default" -Scope "/subscriptions/d07c0080-170c-4c24-861d-9c817742786c" -WorkspaceId "/subscriptions/d07c0080-170c-4c24-861d-9c817742786c/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace"
    
  4. Auto-provision installation of the Log Analytics agent on your Azure VMs:

    Set-AzContext -Subscription "d07c0080-170c-4c24-861d-9c817742786c"
    
    Set-AzSecurityAutoProvisioningSetting -Name "default" -EnableAutoProvision
    

    Note

    It is recommended to enable auto provisioning to make sure that your Azure virtual machines are automatically protected by Azure Security Center.

  5. Optional: It is highly recommended that you define the security contact details for the subscriptions you onboard; these will be used as the recipients of alerts and notifications generated by Security Center:

    Set-AzSecurityContact -Name "default1" -Email "CISO@my-org.com" -Phone "2142754038" -AlertAdmin -NotifyOnAlert 
    
  6. Assign the default Security Center policy initiative:

    Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'
    $Policy = Get-AzPolicySetDefinition | Where-Object { $_.Properties.displayName -eq '[Preview]: Enable Monitoring in Azure Security Center' }
    New-AzPolicyAssignment -Name 'ASC Default <d07c0080-170c-4c24-861d-9c817742786c>' -DisplayName 'Security Center Default <subscription ID>' -PolicySetDefinition $Policy -Scope '/subscriptions/d07c0080-170c-4c24-861d-9c817742786c'
    
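The six steps above are written for a single subscription. The script below is an added example, not part of the original article or of the Az.Security module, that wraps the same cmdlets into a function you can run against a list of subscriptions with `-WhatIf` support, waits for resource-provider registration to actually finish (Register-AzResourceProvider returns before it does), and reads the settings back so that drift, such as a plan switched back to Free or auto-provisioning turned off, shows up in a report. The subscription ID, workspace resource ID and contact details are the placeholders from this article; the policy assignment naming (`ASC Default <subscription ID>`) and the `Properties.displayName` property layout of Get-AzPolicySetDefinition are assumed to match what the article shows.

```powershell
#Requires -Modules Az.Accounts, Az.Resources, Az.Security

function Wait-ResourceProviderRegistered {
    # Register-AzResourceProvider is asynchronous; poll until every resource type reports Registered.
    param([Parameter(Mandatory)] [string] $Namespace, [int] $TimeoutSeconds = 300)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $states = (Get-AzResourceProvider -ProviderNamespace $Namespace).RegistrationState | Select-Object -Unique
        if ($states -eq 'Registered') { return }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
    throw "Resource provider $Namespace did not reach 'Registered' within $TimeoutSeconds seconds."
}

function Set-SecurityCenterBaseline {
    # Applies steps 1-6 of the article to each subscription. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $SubscriptionId,
        [Parameter(Mandatory)] [string]   $WorkspaceResourceId,   # existing Log Analytics workspace
        [Parameter(Mandatory)] [string]   $ContactEmail,
        [Parameter(Mandatory)] [string]   $ContactPhone
    )
    foreach ($sub in $SubscriptionId) {
        if (-not $PSCmdlet.ShouldProcess($sub, 'Apply Security Center Standard-tier baseline')) { continue }
        Set-AzContext -Subscription $sub | Out-Null
        $scope = "/subscriptions/$sub"

        # Step 1 (and the provider step 6 needs): register and wait, so later calls do not fail on a cold subscription.
        foreach ($ns in 'Microsoft.Security', 'Microsoft.PolicyInsights') {
            Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
            Wait-ResourceProviderRegistered -Namespace $ns
        }
        # Step 2: Standard tier, which enables threat detection rather than assessments only.
        Set-AzSecurityPricing -Name 'default' -PricingTier 'Standard' | Out-Null
        # Step 3: the workspace the Log Analytics agent reports to.
        Set-AzSecurityWorkspaceSetting -Name 'default' -Scope $scope -WorkspaceId $WorkspaceResourceId | Out-Null
        # Step 4: install the agent automatically on every VM in the subscription.
        Set-AzSecurityAutoProvisioningSetting -Name 'default' -EnableAutoProvision | Out-Null
        # Step 5: who receives alerts and notifications.
        Set-AzSecurityContact -Name 'default1' -Email $ContactEmail -Phone $ContactPhone -AlertAdmin -NotifyOnAlert | Out-Null
        # Step 6: default initiative; skipped if an assignment with this name already exists (idempotent re-runs).
        $initiative = Get-AzPolicySetDefinition |
            Where-Object { $_.Properties.displayName -eq '[Preview]: Enable Monitoring in Azure Security Center' }
        if (-not $initiative) { throw "Default Security Center initiative not found in subscription $sub." }
        $assignmentName = "ASC Default $sub"   # naming scheme is this example's assumption
        if (-not (Get-AzPolicyAssignment -Name $assignmentName -Scope $scope -ErrorAction SilentlyContinue)) {
            New-AzPolicyAssignment -Name $assignmentName -DisplayName "Security Center Default $sub" `
                -PolicySetDefinition $initiative -Scope $scope | Out-Null
        }
    }
}

function Test-SecurityCenterBaseline {
    # Reads the effective settings back and returns one row per subscription for a drift report.
    param([Parameter(Mandatory)] [string] $SubscriptionId, [Parameter(Mandatory)] [string] $ExpectedWorkspaceId)
    Set-AzContext -Subscription $SubscriptionId | Out-Null
    $nonStandard = Get-AzSecurityPricing | Where-Object PricingTier -ne 'Standard'
    $autoProv    = Get-AzSecurityAutoProvisioningSetting -Name 'default'
    $workspace   = Get-AzSecurityWorkspaceSetting -Name 'default' -ErrorAction SilentlyContinue
    $contacts    = Get-AzSecurityContact
    [pscustomobject]@{
        SubscriptionId     = $SubscriptionId
        AllPlansStandard   = -not $nonStandard
        NonStandardPlans   = ($nonStandard.Name -join ',')
        AutoProvisioningOn = $autoProv.AutoProvision -eq 'On'
        WorkspaceMatches   = $workspace.WorkspaceId -eq $ExpectedWorkspaceId
        HasAlertContact    = @($contacts | Where-Object { $_.AlertNotifications -eq 'On' }).Count -gt 0
    }
}

# Usage with the article's placeholder values: preview with -WhatIf, apply, then report.
$subs = @('d07c0080-170c-4c24-861d-9c817742786c')
$ws   = '/subscriptions/d07c0080-170c-4c24-861d-9c817742786c/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace'
Set-SecurityCenterBaseline -SubscriptionId $subs -WorkspaceResourceId $ws -ContactEmail 'CISO@my-org.com' -ContactPhone '2142754038' -WhatIf
Set-SecurityCenterBaseline -SubscriptionId $subs -WorkspaceResourceId $ws -ContactEmail 'CISO@my-org.com' -ContactPhone '2142754038'
$subs | ForEach-Object { Test-SecurityCenterBaseline -SubscriptionId $_ -ExpectedWorkspaceId $ws } | Format-Table -AutoSize
```

Running Test-SecurityCenterBaseline on a schedule (for example from an Azure Automation runbook) turns the one-time onboarding into a control you can verify: a row with AllPlansStandard or AutoProvisioningOn set to False is a subscription that has drifted from the baseline.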

You have now successfully onboarded Azure Security Center with PowerShell!

You can now use these PowerShell cmdlets with automation scripts to programmatically iterate across subscriptions and resources. This saves time and reduces the likelihood of human error. You can use this sample script as a reference.

See also

To learn more about how you can use PowerShell to automate onboarding to Security Center, see the following article:

To learn more about Security Center, see the following article: