Threat protection in Azure Security Center

When Security Center detects a threat in any area of your environment, it generates an alert. These alerts describe the affected resources, suggested remediation steps, and in some cases an option to trigger a logic app in response.

Azure Security Center's threat protection provides comprehensive defenses for your environment:

  • Threat protection for Azure compute resources: Windows machines, Linux machines, Azure App Service, and Azure containers

  • Threat protection for Azure data resources: SQL Database and SQL Data Warehouse, Azure Storage, and Azure Cosmos DB

  • Threat protection for Azure service layers: the Azure network layer, the Azure management layer (Azure Resource Manager) (Preview), and Azure Key Vault (Preview)

Threat protection for Windows machines

Azure Security Center integrates with Azure services to monitor and protect your Windows-based machines. Security Center presents the alerts and remediation suggestions from all of these services in one place, in an easy-to-use format.

  • Microsoft Defender ATP - Security Center extends its cloud workload protection platform by integrating with Microsoft Defender Advanced Threat Protection (ATP). Together, they provide comprehensive endpoint detection and response (EDR) capabilities.

    Important

    The Microsoft Defender ATP sensor is automatically enabled on Windows servers that are onboarded to Security Center.

    When Microsoft Defender ATP detects a threat, it triggers an alert. The alert is shown on the Security Center dashboard. From the dashboard, you can pivot to the Microsoft Defender ATP console and perform a detailed investigation to uncover the scope of the attack. For more information about Microsoft Defender ATP, see Onboard servers to the Microsoft Defender ATP service.

  • Crash dump analysis - When software crashes, a crash dump captures a portion of the process's memory at the time of the crash.

    The crash might have been caused by malware, or the dump might contain malware. To avoid detection by security products, various forms of malware use fileless techniques: the payload avoids writing to disk, or encrypts whatever components it does write to disk. This type of attack is hard to detect with traditional disk-based approaches.

    Memory analysis, however, can detect it. By analyzing the memory captured in the crash dump, Security Center can identify the techniques the attack is using; for example, an attempt to exploit a vulnerability in the software, to access confidential data, or to persist surreptitiously on the compromised machine. Security Center does this analysis with minimal performance impact on the host.

    For details of the crash dump analysis alerts, see the Reference table of alerts.

  • Fileless attack detection - Fileless attacks targeting your endpoints are common. To avoid detection, they inject malicious payloads into memory rather than dropping files on disk. The payload persists in the memory of the compromised process and carries out a wide range of malicious activities from there.

    Fileless attack detection uses automated memory forensic techniques to identify fileless attack toolkits, techniques, and behaviors. It periodically scans the machine at runtime and extracts insights directly from the memory of security-critical processes.

    It finds evidence of exploitation, code injection, and execution of malicious payloads, and generates detailed security alerts to accelerate triage, correlation, and downstream response. This approach complements event-based EDR solutions, providing greater detection coverage.

    For details of the fileless attack detection alerts, see the Reference table of alerts.

Tip

You can simulate Windows alerts by downloading Azure Security Center Playbook: Security Alerts.

Threat protection for Linux machines

Security Center collects audit records from Linux machines by using auditd, one of the most common Linux auditing frameworks. The kernel side of that framework, the audit subsystem that auditd reads from, is part of the mainline Linux kernel; auditd itself is the user-space daemon that receives and stores the records.

  • Linux auditd alerts and Log Analytics agent integration - The audit system consists of a kernel-level subsystem that monitors system calls. It filters them against a configured rule set and writes a record for each match to a netlink socket. Security Center integrates functionality from the auditd package into the Log Analytics agent, so auditd events can be collected on all supported Linux distributions without installing or configuring auditd separately.

    The Log Analytics agent for Linux collects the auditd records, enriches them, and aggregates them into events. Security Center continuously adds new analytics that use these Linux signals to detect malicious behavior on cloud and on-premises Linux machines. As with the Windows capabilities, these analytics cover suspicious processes, dubious sign-in attempts, kernel module loading, and other activities that can indicate a machine is under attack or has already been breached.

    For a list of the Linux alerts, see the Reference table of alerts.
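The collection and aggregation step described above, shown as an added example that is not the Log Analytics agent's own code: it parses raw auditd records, joins the SYSCALL, EXECVE and PROCTITLE records that share one audit serial into a single event, and then runs three of the analytics the page names (a suspicious process, a burst of failed sign-in attempts, and a kernel module load). The log lines are constructed for the example, and the thresholds, tool list and alert names are this example's own choices rather than Security Center's.

```python
"""Aggregate raw auditd records into events and run a few Linux analytics.

Added example with constructed data; not the Log Analytics agent's code.
"""
import re
from collections import defaultdict

# Constructed records. auditctl rules such as
#   -a always,exit -F arch=b64 -S execve -k exec
#   -a always,exit -F arch=b64 -S init_module,finit_module -k modules
# would produce the SYSCALL/EXECVE/PROCTITLE lines; sshd emits USER_LOGIN itself.
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1585000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1234 auid=1000 uid=1000 comm="nc" exe="/usr/bin/nc" key="exec"
type=EXECVE msg=audit(1585000000.101:201): argc=4 a0="nc" a1="-e" a2="/bin/sh" a3="203.0.113.5"
type=PROCTITLE msg=audit(1585000000.101:201): proctitle=6E63002D65002F62696E2F7368003230332E302E3131332E35
type=SYSCALL msg=audit(1585000000.150:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1240 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1585000000.150:202): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1585000000.250:203): arch=c000003e syscall=313 success=yes exit=0 ppid=1 pid=1300 auid=1000 uid=0 comm="insmod" exe="/usr/sbin/insmod" key="modules"
type=PROCTITLE msg=audit(1585000000.250:203): proctitle=696E736D6F64006D6F642E6B6F
type=USER_LOGIN msg=audit(1585000000.300:204): pid=900 uid=0 auid=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1585000000.301:205): pid=900 uid=0 auid=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1585000000.302:206): pid=900 uid=0 auid=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=failed'
"""

HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r'''(\w+)=('[^']*'|"[^"]*"|\S+)''')
MODULE_SYSCALLS = {"175", "313"}        # x86_64 init_module, finit_module
SHELL_TOOLS = {"nc", "ncat", "socat"}   # example list, not Security Center's
FAILED_LOGIN_THRESHOLD = 3              # example threshold


def parse_fields(body):
    """Turn 'k=v k="v" msg='k=v ...'' into a dict, flattening the nested msg list."""
    fields = {}
    for key, value in FIELD_RE.findall(body):
        if value.startswith("'"):
            fields.update(parse_fields(value[1:-1]))
        else:
            fields[key] = value.strip('"')
    return fields


def decode_proctitle(hexstr):
    """auditd hex-encodes the command line; NUL bytes separate argv entries."""
    try:
        return bytes.fromhex(hexstr).replace(b"\x00", b" ").decode("utf-8", "replace")
    except ValueError:
        return hexstr


def aggregate(raw):
    """Group records that share an audit serial into one event dict."""
    events = {}
    for line in raw.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        ev = events.setdefault(m["serial"], {"serial": m["serial"], "ts": float(m["ts"]), "records": {}})
        fields = parse_fields(m["body"])
        if m["type"] == "PROCTITLE":
            fields["proctitle"] = decode_proctitle(fields["proctitle"])
        ev["records"][m["type"]] = fields
    return [events[s] for s in sorted(events, key=int)]


def analyze(events):
    """Return (alert_name, detail) tuples for the three analytics this example covers."""
    alerts = []
    failed_by_addr = defaultdict(int)
    for ev in events:
        recs = ev["records"]
        sc, ex = recs.get("SYSCALL", {}), recs.get("EXECVE", {})
        argv = [ex[k] for k in sorted((k for k in ex if re.fullmatch(r"a\d+", k)), key=lambda k: int(k[1:]))]
        # Suspicious process: a network tool asked to spawn a shell (reverse-shell pattern)
        if sc.get("comm") in SHELL_TOOLS and "-e" in argv:
            alerts.append(("SuspiciousProcess", " ".join(argv)))
        # Kernel module loading, identified by the syscall number
        if sc.get("syscall") in MODULE_SYSCALLS:
            alerts.append(("KernelModuleLoad", recs.get("PROCTITLE", {}).get("proctitle", sc.get("exe"))))
        # Failed sign-in attempts, counted per source address
        login = recs.get("USER_LOGIN", {})
        if login.get("res") == "failed":
            failed_by_addr[login.get("addr", "?")] += 1
    for addr, n in failed_by_addr.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("FailedSignInBurst", f"{addr} ({n} failures)"))
    return alerts


if __name__ == "__main__":
    for name, detail in analyze(aggregate(SAMPLE_RECORDS)):
        print(f"{name}: {detail}")
```

Aggregating by serial is what makes the records useful: the SYSCALL record alone says only that execve ran, the EXECVE record carries the arguments, and the PROCTITLE record carries the hex-encoded command line, so a detection such as the reverse-shell check needs all three joined.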

Tip

You can simulate Linux alerts by downloading Azure Security Center Playbook: Linux Detections.

Threat protection for Azure App Service

Note

This service is not currently available in Azure Government and sovereign cloud regions.

Security Center uses the scale of the cloud to identify attacks targeting applications running on App Service. Attackers probe web applications to find and exploit weaknesses. Before a request reaches a specific App Service environment, it passes through several gateways, where it is inspected and logged. Security Center uses this data to identify exploits and attackers, and to learn new attack patterns that it can detect later.

Using the visibility that Azure has as a cloud provider, Security Center analyzes App Service internal logs to identify attack methodology across multiple targets. One example is widespread scanning and distributed attacks: this kind of attack typically comes from a small set of IP addresses and shows a pattern of crawling to similar endpoints on many hosts, looking for a vulnerable page or plugin. From the standpoint of any single host it looks like a handful of harmless requests, so it can only be identified by correlating across hosts.

If you're running a Windows-based App Service plan, Security Center also has access to the underlying sandboxes and VMs. Together with the log data described above, the infrastructure can tell the whole story, from a new attack circulating in the wild to compromises of customer machines. Therefore, even if Security Center is deployed only after a web app has been exploited, it may still be able to detect the ongoing attack.
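To show why the cross-host view matters, here is an added example (not Security Center's code) that runs two detectors over constructed gateway request logs: one that looks at each host in isolation, and one that correlates the same client across hosts. The scanning client sends a single probe per host, so the per-host detector never fires on it, while the cross-host detector does. The log format, host names, thresholds and field names are this example's own assumptions.

```python
"""Per-host versus cross-host detection of web-application scanning.

Added example over constructed gateway logs; not Security Center's code.
"""
import csv
import io
from collections import defaultdict

# Constructed request log in the shape of a front-end gateway log:
# timestamp,host,client_ip,path,status. 203.0.113.9 probes one path per host.
SAMPLE_LOG = """\
2020-03-24T10:00:01Z,shop.example.net,203.0.113.9,/wp-login.php,404
2020-03-24T10:00:02Z,blog.example.org,203.0.113.9,/xmlrpc.php,404
2020-03-24T10:00:03Z,api.example.com,203.0.113.9,/phpmyadmin/,404
2020-03-24T10:00:04Z,docs.example.io,203.0.113.9,/.env,404
2020-03-24T10:00:05Z,shop.example.net,198.51.100.20,/,200
2020-03-24T10:00:06Z,shop.example.net,198.51.100.20,/cart,200
2020-03-24T10:00:07Z,blog.example.org,198.51.100.21,/wp-login.php,200
2020-03-24T10:00:08Z,api.example.com,192.0.2.33,/v1/users,200
2020-03-24T10:00:09Z,api.example.com,192.0.2.33,/v1/orders/missing,404
"""

FIELDS = ["ts", "host", "client_ip", "path", "status"]


def parse_log(text):
    rows = csv.DictReader(io.StringIO(text), fieldnames=FIELDS)
    return [dict(row, status=int(row["status"])) for row in rows]


def per_host_alerts(records, min_errors=5):
    """What one App Service host can see on its own: a client is suspicious
    only if it causes many error responses on *this* host."""
    errors = defaultdict(int)
    for r in records:
        if r["status"] >= 400:
            errors[(r["host"], r["client_ip"])] += 1
    return [{"host": host, "client_ip": ip, "errors": n}
            for (host, ip), n in errors.items() if n >= min_errors]


def cross_host_alerts(records, min_hosts=3, min_error_ratio=0.75):
    """What the platform can see: one client touching many hosts, almost only
    with requests that fail, i.e. crawling for a vulnerable page or plugin."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client_ip"]].append(r)
    alerts = []
    for ip, reqs in by_client.items():
        hosts = {r["host"] for r in reqs}
        error_ratio = sum(r["status"] >= 400 for r in reqs) / len(reqs)
        if len(hosts) >= min_hosts and error_ratio >= min_error_ratio:
            alerts.append({
                "client_ip": ip,
                "hosts": sorted(hosts),
                "paths": sorted({r["path"] for r in reqs}),
                "error_ratio": error_ratio,
            })
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("per-host view:", per_host_alerts(recs))
    print("cross-host view:", cross_host_alerts(recs))
```

The legitimate clients in the sample hit the same paths the scanner does (a real user signing in at /wp-login.php, an API client getting a 404), which is why a simple per-host error count cannot separate them; the distinguishing signal is the fan-out across unrelated hosts combined with a near-total failure rate.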

For a list of the Azure App Service alerts, see the Reference table of alerts.

Threat protection for Azure containers

Note

This service is not currently available in Azure Government and sovereign cloud regions.

Security Center provides real-time threat protection for your containerized environments and generates alerts for suspicious activities. You can use this information to quickly remediate security issues and improve the security of your containers.

Security Center provides threat protection at different levels:

  • Host level - Security Center's agent (available on the Standard tier; see pricing for details) monitors Linux hosts that run containers for suspicious activities. The agent triggers alerts for suspicious activity originating from the node itself or from a container running on it. Examples include web shell detection and connections to known suspicious IP addresses.

    For deeper insight into the security of your containerized environment, the agent also monitors container-specific signals. It triggers alerts for events such as privileged container creation, suspicious access to the API server, and a Secure Shell (SSH) server running inside a Docker container.

    Important

    If you choose not to install the agent on your hosts, you will only receive a subset of the threat protection benefits and security alerts. You'll still receive alerts related to network analysis and to communication with malicious servers.

    For a list of the host-level alerts, see the Reference table of alerts.

  • AKS cluster level - At this level, threat protection is based on analyzing the Kubernetes audit logs. To enable this agentless monitoring, add the Kubernetes option to your subscription from the Pricing & settings page (see pricing). To generate alerts at this level, Security Center monitors your AKS-managed services using the logs retrieved from AKS. Examples of events detected at this level include an exposed Kubernetes dashboard, the creation of highly privileged roles, and the creation of sensitive mounts.

    Note

    Security Center generates security alerts only for Azure Kubernetes Service actions and deployments that occur after the Kubernetes option is enabled in the subscription settings; earlier activity is not analyzed retroactively.

    For a list of the AKS cluster-level alerts, see the Reference table of alerts.
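An added example of the cluster-level analysis (not Security Center's code), working over constructed Kubernetes audit events in the audit.k8s.io/v1 format that the API server emits (on AKS this is the kube-audit diagnostic log category): it flags privileged container creation, hostPath mounts of sensitive locations, a binding to the cluster-admin role, a wildcard ClusterRole, and a dashboard service exposed through a LoadBalancer. It assumes an audit policy that records request bodies (level Request or RequestResponse), because every check reads requestObject; the sensitive-path list, the alert names and the sample events are this example's own.

```python
"""Cluster-level analytics over Kubernetes audit events.

Added example over constructed audit.k8s.io/v1 events; not Security Center's code.
The checks read requestObject, which the API server only records when the
audit policy level is Request or RequestResponse.
"""
import json

# hostPath locations this example treats as sensitive (its own list)
SENSITIVE_HOST_PATHS = {"/", "/etc", "/proc", "/root", "/var/lib/kubelet", "/var/run/docker.sock"}

# Constructed audit log (one JSON event per line), trimmed to the fields used here.
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:dev:ci"},"sourceIPs":["10.240.0.5"],"objectRef":{"resource":"pods","namespace":"dev","name":"debug"},"responseStatus":{"code":201},"requestObject":{"spec":{"containers":[{"name":"shell","image":"busybox","securityContext":{"privileged":true},"volumeMounts":[{"name":"host","mountPath":"/host"}]}],"volumes":[{"name":"host","hostPath":{"path":"/"}}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"alice@example.com"},"sourceIPs":["203.0.113.17"],"objectRef":{"resource":"clusterrolebindings","name":"default-admin"},"responseStatus":{"code":201},"requestObject":{"roleRef":{"kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"default","namespace":"default"}]}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"alice@example.com"},"sourceIPs":["203.0.113.17"],"objectRef":{"resource":"services","namespace":"kube-system","name":"kubernetes-dashboard"},"responseStatus":{"code":201},"requestObject":{"spec":{"type":"LoadBalancer","ports":[{"port":443}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller"},"objectRef":{"resource":"pods","namespace":"web","name":"nginx-7d9f-abc12"},"responseStatus":{"code":201},"requestObject":{"spec":{"containers":[{"name":"nginx","image":"nginx:1.17"}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"bob@example.com"},"objectRef":{"resource":"pods","namespace":"dev","name":"priv"},"responseStatus":{"code":403},"requestObject":{"spec":{"containers":[{"name":"x","image":"busybox","securityContext":{"privileged":true}}]}}}
"""


def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def containers(spec):
    return spec.get("initContainers", []) + spec.get("containers", [])


def sensitive_mounts(spec):
    return [v["hostPath"].get("path") for v in spec.get("volumes", [])
            if v.get("hostPath", {}).get("path") in SENSITIVE_HOST_PATHS]


def analyze(events):
    """Return (alert_name, target, actor) tuples for successful mutating requests."""
    alerts = []
    for ev in events:
        if ev.get("stage") != "ResponseComplete" or ev.get("verb") not in {"create", "update", "patch"}:
            continue
        if ev.get("responseStatus", {}).get("code", 0) >= 300:
            continue  # rejected by authorization or admission: nothing was created
        ref = ev.get("objectRef", {})
        obj = ev.get("requestObject") or {}
        actor = ev.get("user", {}).get("username", "?")
        target = f"{ref.get('namespace', '-')}/{ref.get('name', '?')}"
        resource = ref.get("resource")
        if resource == "pods":
            spec = obj.get("spec", {})
            if any(c.get("securityContext", {}).get("privileged") for c in containers(spec)):
                alerts.append(("PrivilegedContainer", target, actor))
            for path in sensitive_mounts(spec):
                alerts.append(("SensitiveHostPathMount", f"{target}:{path}", actor))
        elif resource == "clusterrolebindings":
            if obj.get("roleRef", {}).get("name") == "cluster-admin":
                subjects = ",".join(f"{s.get('kind')}:{s.get('name')}" for s in obj.get("subjects", []))
                alerts.append(("ClusterAdminBinding", subjects, actor))
        elif resource == "clusterroles":
            if any("*" in r.get("verbs", []) and "*" in r.get("resources", []) for r in obj.get("rules", [])):
                alerts.append(("WildcardClusterRole", ref.get("name"), actor))
        elif resource == "services" and ref.get("namespace") == "kube-system":
            if ref.get("name", "").startswith("kubernetes-dashboard") and obj.get("spec", {}).get("type") == "LoadBalancer":
                alerts.append(("ExposedDashboard", target, actor))
    return alerts


if __name__ == "__main__":
    for alert in analyze(load_events(SAMPLE_AUDIT_LOG)):
        print(alert)
```

Two details matter in practice: filtering on stage and response code avoids alerting on a privileged pod that an admission controller already rejected (the last sample event), and checking pods rather than only Deployments catches workloads created by controllers and by direct kubectl calls alike, at the cost of attributing them to the controller's service account rather than the human who created the Deployment.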

In addition, our global team of security researchers constantly monitors the threat landscape and adds container-specific alerts and vulnerability coverage as new threats are discovered.

Tip

You can simulate container alerts by following the instructions in this blog post.

Threat protection for SQL Database and SQL Data Warehouse

Advanced Threat Protection for Azure SQL Database detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

You'll see alerts for suspicious database activities, potential vulnerabilities, SQL injection attacks, and anomalous database access and query patterns.

Advanced Threat Protection for SQL is part of the Advanced Data Security (ADS) unified package of advanced SQL security capabilities, which covers Azure SQL Database, Azure SQL Database managed instances, Azure SQL Data Warehouse, and SQL Server on Azure Virtual Machines.

For more information, see:

Threat protection for Azure Storage

Advanced Threat Protection for Storage detects unusual and potentially harmful attempts to access or exploit storage accounts. This layer of protection lets you address threats without having to be a security expert, and helps you manage your security monitoring systems.

For pricing details, including the free 30-day trial, see the Azure Security Center pricing page.

For more information, see:

Tip

You can simulate Azure Storage alerts by following the instructions in this blog post.

Threat protection for Azure Cosmos DB

Azure Cosmos DB alerts are generated by unusual and potentially harmful attempts to access or exploit Azure Cosmos DB accounts.

For more information, see:

Threat protection for the Azure network layer

Security Center's network-layer analytics are based on sampled IPFIX data: packet headers collected by Azure core routers. From this data feed, Security Center uses machine learning models to identify and flag malicious traffic, and enriches the IP addresses involved with the Microsoft Threat Intelligence database.

Some network configurations prevent Security Center from generating alerts on suspicious network activity. For Security Center to generate network alerts, make sure that:

  • Your virtual machine has a public IP address (or sits behind a load balancer with a public IP address).

  • Your virtual machine's network egress traffic isn't blocked by an external IDS solution.

  • Your virtual machine has been assigned the same IP address for the entire hour during which the suspicious communication occurred. This also applies to VMs created as part of a managed service (for example, AKS or Databricks).

For a list of the Azure network layer alerts, see the Reference table of alerts.

For details of how Security Center uses network-related signals to apply threat protection, see Heuristic DNS detections in Security Center.
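An added example (not Security Center's analytics) of the two ingredients described above, run over constructed data: sampled flow records are enriched against a threat-intelligence set of known-bad IP addresses, and a simple scan heuristic counts distinct destination ports per source and hour. It also applies the attribution rule from the list above: an alert is raised only when the public IP can be tied to one VM for the whole hour, so the flow from the VM that received its IP mid-hour is deliberately dropped rather than attributed to the wrong machine. The flow format, the threat-intelligence set, the IP inventory and the thresholds are this example's own assumptions. One caveat carries over to the real feed: because it is sampled (roughly 1 in N packets), a low-volume flow may never appear in it at all.

```python
"""Network-layer analytics over sampled flow records.

Added example with constructed data; not Security Center's analytics.
"""
from collections import defaultdict

HOUR = 3600

# Constructed threat-intelligence feed: destinations treated as known-malicious.
MALICIOUS_IPS = {"198.51.100.66"}

# Constructed public-IP assignments: public IP -> [(vm, assigned_ts, released_ts or None)].
IP_ASSIGNMENTS = {
    "40.112.0.10": [("vm-web-01", 1584990000, None)],
    "40.112.0.11": [("vm-api-02", 1585001800, None)],   # received its IP mid-hour
}

# Constructed sampled flow records (headers only, 1-in-N sampling): (ts, src, dst, dst_port).
SAMPLE_FLOWS = [
    (1585000010, "40.112.0.10", "198.51.100.66", 443),   # VM talks to a known-bad IP
    (1585000030, "192.0.2.8", "40.112.0.10", 443),       # ordinary inbound traffic
    (1585002000, "40.112.0.11", "198.51.100.66", 443),   # same bad IP, but not attributable
]
# One external source sweeping twelve ports on vm-web-01's public IP within a minute.
SAMPLE_FLOWS += [(1585000020 + i, "203.0.113.50", "40.112.0.10", port)
                 for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080])]


def hour_start(ts):
    return ts - ts % HOUR


def owner_for_hour(ip, ts):
    """VM that held `ip` for the entire hour containing `ts`, or None.

    Mirrors the prerequisite above: a VM whose IP changed during the hour
    cannot be tied to the sampled flows, so it gets no alert.
    """
    start = hour_start(ts)
    end = start + HOUR
    for vm, assigned, released in IP_ASSIGNMENTS.get(ip, []):
        if assigned <= start and (released is None or released >= end):
            return vm
    return None


def analyze(flows, scan_port_threshold=10):
    """Return (alert_name, vm, detail) tuples."""
    alerts = []
    ports_seen = defaultdict(set)   # (hour, src, dst) -> distinct destination ports
    for ts, src, dst, dport in flows:
        # Threat-intel enrichment: outbound flow to a known-bad destination
        if dst in MALICIOUS_IPS:
            vm = owner_for_hour(src, ts)
            if vm:
                alerts.append(("CommunicationWithMaliciousIP", vm, dst))
        # Inbound scan heuristic: distinct ports per (source, public IP, hour)
        if dst in IP_ASSIGNMENTS:
            ports_seen[(hour_start(ts), src, dst)].add(dport)
    for (hour, src, dst), ports in ports_seen.items():
        if len(ports) >= scan_port_threshold:
            vm = owner_for_hour(dst, hour)
            if vm:
                alerts.append(("IncomingPortScan", vm, f"{src} probed {len(ports)} ports"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(alert)
```

The attribution check is the part worth copying: any analytic that works from IP addresses rather than from an agent on the host has to map the address back to a resource for a time window, and silently attributing a flow to whichever VM holds the address now is how alerts land on the wrong machine.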

Threat protection for the Azure management layer (Azure Resource Manager) (Preview)

Security Center's protection layer based on Azure Resource Manager is currently in preview.

Security Center offers an additional layer of protection by using Azure Resource Manager events. Azure Resource Manager is the control plane of Azure: deployments, role assignments, and resource configuration changes go through it. By analyzing the Azure Resource Manager records, Security Center detects unusual or potentially harmful operations in the Azure subscription environment.

For a list of the Azure Resource Manager (Preview) alerts, see the Reference table of alerts.

Note

Several of the preceding analytics are powered by Microsoft Cloud App Security. To benefit from them, you must activate a Cloud App Security license. If you have a Cloud App Security license, these alerts are enabled by default. To disable them:

  1. In the Security Center blade, select Security policy. For the subscription you want to change, select Edit settings.
  2. Select Threat detection.
  3. Under Enable integrations, clear Allow Microsoft Cloud App Security to access my data, and select Save.

Note

Security Center stores security-related customer data in the same geo as the resource it concerns. If Microsoft hasn't yet deployed Security Center in the resource's geo, the data is stored in the United States. When Cloud App Security is enabled, this information is stored according to the geo-location rules of Cloud App Security. For more information, see Data storage for non-regional services.

Threat protection for Azure Key Vault (Preview)

Note

This service is not currently available in Azure Government and sovereign cloud regions.

Azure Key Vault is a cloud service that safeguards encryption keys and secrets such as certificates, connection strings, and passwords.

Azure Security Center includes Azure-native advanced threat protection for Azure Key Vault, providing an additional layer of security intelligence. Security Center detects unusual and potentially harmful attempts to access or exploit Key Vault accounts. This layer of protection lets you address threats without being a security expert and without having to manage third-party security monitoring systems.

When anomalous activity occurs, Security Center shows an alert and, optionally, emails it to subscription administrators. These alerts include the details of the suspicious activity and recommendations on how to investigate and remediate the threat.

For a list of the Azure Key Vault alerts, see the Reference table of alerts.

Threat protection for other Microsoft services

Threat protection for Azure WAF

Azure Application Gateway offers a web application firewall (WAF) that provides centralized protection of your web applications from common exploits and vulnerabilities.

Web applications are increasingly targeted by attacks that exploit commonly known vulnerabilities. The Application Gateway WAF is based on Core Rule Set (CRS) 3.0 or 2.2.9 from the Open Web Application Security Project (OWASP). The WAF is updated automatically to protect against new vulnerabilities.

If you have a license for Azure WAF, its alerts are streamed to Security Center with no additional configuration. For more information on the alerts generated by the WAF, see Web application firewall CRS rule groups and rules.

Next steps

To learn more about the security alerts from these threat protection features, see the following articles: