Azure Security Center threat intelligence report

This page explains how Azure Security Center's threat intelligence reports can help you learn more about a threat that triggered a security alert.

What is a threat intelligence report?

Security Center threat protection works by monitoring security information from your Azure resources, the network, and connected partner solutions. It analyzes this information, often correlating information from multiple sources, to identify threats. For more information, see How Azure Security Center detects and responds to threats.

When Security Center identifies a threat, it triggers a security alert, which contains detailed information about the event, including suggestions for remediation. To help incident response teams investigate and remediate threats, Security Center provides threat intelligence reports containing information about detected threats. A report includes information such as:

  • Attacker's identity or associations (if this information is available)
  • Attackers' objectives
  • Current and historical attack campaigns (if this information is available)
  • Attackers' tactics, tools, and procedures
  • Associated indicators of compromise (IoC) such as URLs and file hashes
  • Victimology, which is the industry and geographic prevalence to assist you in determining if your Azure resources are at risk
  • Mitigation and remediation information

Note

The amount of information in any particular report will vary; the level of detail is based on the malware's activity and prevalence.

Security Center has three types of threat reports, which can vary according to the attack. The reports available are:

  • Activity Group Report: provides deep dives into attackers, their objectives, and tactics.
  • Campaign Report: focuses on details of specific attack campaigns.
  • Threat Summary Report: covers all of the items in the previous two reports.

This type of information is useful during the incident response process, where there's an ongoing investigation to understand the source of the attack, the attacker's motivations, and what to do to mitigate this issue in the future.

How to access the threat intelligence report

  1. From Security Center's sidebar, open the Security alerts page.

  2. Select an alert. The alert details page opens with more details about the alert. Below is the Ransomware indicators detected alert details page.

    Ransomware indicators detected alert details page

  3. Select the link to the report, and a PDF will open in your default browser.

    Potentially Unsafe Action alert details page

    You can optionally download the PDF report.

    Tip

    The amount of information available for each security alert will vary according to the type of alert.

Next steps

This page explained how to open threat intelligence reports when investigating security alerts. For related information, see the following pages: