Tutorial: Respond to security incidents

Security Center continuously analyzes your hybrid cloud workloads using advanced analytics and threat intelligence to alert you to malicious activity. In addition, you can integrate alerts from other security products and services into Security Center, and create custom alerts based on your own indicators or intelligence sources. Once an alert is generated, swift action is needed to investigate and remediate. In this tutorial, you learn how to:

  • Triage security alerts
  • Investigate further to determine the root cause and scope of a security incident
  • Search security data to aid in the investigation

If you don't have an Azure subscription, create a trial account before you begin.

Prerequisites

To step through the features covered in this tutorial, you must be on Security Center's Standard pricing tier. You can try Security Center Standard at no cost. To learn more, see the pricing page. The quickstart Onboard your Azure subscription to Security Center Standard walks you through how to upgrade to Standard.

Scenario

Contoso recently migrated some of their on-premises resources to Azure, including some virtual machine-based line-of-business workloads and SQL databases. Currently, Contoso's Core Computer Security Incident Response Team (CSIRT) has a problem investigating security issues because security intelligence is not integrated with their current incident response tools. This lack of integration introduces a problem during the Detect stage (too many false positives), as well as during the Assess and Diagnose stages. As part of this migration, they decided to opt in to Security Center to help them address this problem.

The first phase of this migration finished after they onboarded all resources and addressed all of the security recommendations from Security Center. Contoso CSIRT is the focal point for dealing with computer security incidents. The team consists of a group of people with responsibilities for dealing with any security incident. The team members have clearly defined duties to ensure that no area of response is left uncovered.

For the purpose of this scenario, we focus on the roles of the following personas that are part of Contoso CSIRT:

[Image: Incident response lifecycle]

Judy is in security operations. Their responsibilities include:

  • Monitoring and responding to security threats around the clock.
  • Escalating to the cloud workload owner or security analyst as needed.

Sam is a security analyst, and their responsibilities include:

  • Investigating attacks.
  • Remediating alerts.
  • Working with workload owners to determine and apply mitigations.

As you can see, Judy and Sam have different responsibilities, and they must work together to share Security Center information.

Triage security alerts

Security Center provides a unified view of all security alerts. Security alerts are ranked by severity and, when possible, related alerts are combined into a security incident. When triaging alerts and incidents, you should:

  • Dismiss alerts for which no additional action is required, for example if the alert is a false positive (record the reason, so the dismissal can be reviewed later)
  • Act to remediate known attacks, for example by blocking network traffic from a malicious IP address
  • Determine which alerts require further investigation

  1. On the Security Center main menu under DETECTION, select Security alerts:

    [Image: Security alerts]

  2. In the list of alerts, click a security incident, which is a collection of alerts, to learn more about it. Security incident detected opens.

    [Image: Security incident]

  3. On this screen the security incident description is at the top and the list of alerts that are part of the incident is below it. Click the alert that you want to investigate further to obtain more information.

    [Image: Security incident]

    The type of alert can vary; read Understanding security alerts in Azure Security Center for details about each alert type and potential remediation steps. For alerts that can be safely dismissed, right-click the alert and select Dismiss:

    [Image: Alert]

  4. If the root cause and scope of the malicious activity are unknown, proceed to the next step to investigate further.
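The triage rules above (rank by severity, merge related alerts on one resource into an incident, dismiss false positives, block known-bad sources), applied to a handful of constructed alerts as an added Python example. This is not code from the tutorial or from Security Center; the alert field names, the sample alerts, and the false-positive and threat-intelligence lists are assumptions for illustration.

```python
"""Alert triage helper (added example; not Security Center code).

Applies the tutorial's triage rules to constructed alert records:
rank by severity, merge alerts on the same resource into an incident,
dismiss known false positives, and collect malicious source IPs to block.
"""
from collections import defaultdict
from dataclasses import dataclass, field

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}

# Constructed sample alerts; the field names are an assumption for this example.
SAMPLE_ALERTS = [
    {"id": "a1", "name": "Suspicious process executed", "severity": "High",
     "resource": "vm-lob-01", "source_ip": "203.0.113.7"},
    {"id": "a2", "name": "Failed RDP brute force attempt", "severity": "Medium",
     "resource": "vm-lob-01", "source_ip": "203.0.113.7"},
    {"id": "a3", "name": "Possible SQL injection", "severity": "High",
     "resource": "sql-contoso", "source_ip": "198.51.100.22"},
    {"id": "a4", "name": "Anomalous login", "severity": "Low",
     "resource": "vm-lob-02", "source_ip": "192.0.2.9"},
]

# Alert names an analyst has already reviewed and classified as false positives
# (assumed list; in practice keep the reason for each dismissal).
FALSE_POSITIVES = {"Anomalous login"}
# Source IPs confirmed malicious by threat intelligence (assumed list).
KNOWN_BAD_IPS = {"203.0.113.7"}


@dataclass
class Incident:
    """Related alerts on one resource, highest severity first."""
    resource: str
    alerts: list = field(default_factory=list)

    @property
    def severity(self):
        return max((a["severity"] for a in self.alerts), key=SEVERITY_RANK.get)


def triage(alerts):
    """Return (incidents, dismissed_ids, ips_to_block).

    Incidents are ordered by severity, then by number of alerts, so the
    first entry is the one to investigate first.
    """
    dismissed, ips_to_block = [], set()
    by_resource = defaultdict(list)
    for alert in alerts:
        if alert["name"] in FALSE_POSITIVES:
            dismissed.append(alert["id"])          # no further action
            continue
        if alert["source_ip"] in KNOWN_BAD_IPS:
            ips_to_block.add(alert["source_ip"])   # act: block at the edge
        by_resource[alert["resource"]].append(alert)

    incidents = []
    for resource, group in by_resource.items():
        group.sort(key=lambda a: SEVERITY_RANK[a["severity"]], reverse=True)
        incidents.append(Incident(resource, group))
    incidents.sort(key=lambda i: (SEVERITY_RANK[i.severity], len(i.alerts)),
                   reverse=True)
    return incidents, dismissed, ips_to_block


if __name__ == "__main__":
    incidents, dismissed, block = triage(SAMPLE_ALERTS)
    for inc in incidents:
        print(f"{inc.severity:<6} {inc.resource}: {[a['id'] for a in inc.alerts]}")
    print("dismissed:", dismissed, "| block:", sorted(block))
```

Grouping by resource is the simplest notion of "related"; Security Center's own incident logic also uses timing and attack-chain context, so treat this as the shape of the decision rather than a reimplementation of it.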

Investigate an alert or incident

  1. On the Security alert page, click the Start investigation button (if you have already started, the button is named Continue investigation).

    [Image: Investigation]

    The investigation map is a graphical representation of the entities connected to this security alert or incident. Clicking an entity in the map shows the information about that entity, reveals new entities, and expands the map. The properties of the selected entity are highlighted in the pane on the right side of the page. The information available on each tab varies according to the selected entity. During the investigation, review all relevant information to better understand the attacker's movement.

  2. If you need more evidence, or must investigate entities found during the investigation further, proceed to the next step.

Search data for investigation

You can use the search capabilities in Security Center to find more evidence of compromised systems and more details about the entities that are part of the investigation.

To perform a search, open the Security Center dashboard, click Search in the left navigation pane, select the workspace that contains the entities you want to search, type the search query, and click the search button. The search runs against the Log Analytics workspace that Security Center collects data into, so the same query language and tables (for example SecurityAlert and SecurityEvent) are available there.
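The investigation map above and the search step here do the same thing by hand: take the entities of an alert, search for records that mention them, and pivot to the new entities those records reveal. As an added Python example (not code from the tutorial or from Security Center), the block below runs that pivot over constructed log records; the record layout, the field-to-entity mapping, and the sample data are assumptions for illustration.

```python
"""Entity pivot search (added example; not Security Center code).

Starting from the entities of a triaged alert, find every constructed log
record that mentions a known entity, pull the other entities out of it, and
keep pivoting until nothing new appears. The result is the same kind of
entity graph the investigation map draws, built from plain search queries.
"""
from collections import defaultdict, deque

# Constructed sample records; the field names are an assumption for this example.
SAMPLE_EVENTS = [
    {"time": "2019-05-01T10:02:11Z", "host": "vm-lob-01", "account": "contoso\\svc-backup",
     "src_ip": "203.0.113.7", "event": "Logon"},
    {"time": "2019-05-01T10:05:40Z", "host": "vm-lob-01", "account": "contoso\\svc-backup",
     "src_ip": None, "event": "ProcessCreate", "command": "powershell.exe -nop -w hidden"},
    {"time": "2019-05-01T10:09:03Z", "host": "vm-lob-02", "account": "contoso\\svc-backup",
     "src_ip": "10.0.0.4", "event": "Logon"},
    {"time": "2019-05-01T10:15:27Z", "host": "vm-lob-03", "account": "contoso\\jdoe",
     "src_ip": "10.0.0.4", "event": "Logon"},
    {"time": "2019-05-01T10:20:00Z", "host": "sql-contoso", "account": "sa",
     "src_ip": "10.0.0.5", "event": "Logon"},   # unrelated to the alert
]

# Which record fields hold which kind of entity (assumed mapping).
ENTITY_FIELDS = {"host": "host", "account": "account", "ip": "src_ip"}


def entities_of(record):
    """The set of (kind, value) entities a record mentions."""
    return {(kind, record[f]) for kind, f in ENTITY_FIELDS.items() if record.get(f)}


def search(records, entity):
    """All records that mention the given (kind, value) entity."""
    return [r for r in records if entity in entities_of(r)]


def pivot(records, seeds, max_hops=None):
    """Breadth-first expansion from the seed entities.

    Returns (graph, hops): graph maps each entity to the entities it shares a
    record with; hops is how many pivots from a seed each entity was first
    seen at. max_hops bounds the expansion so a shared account or NAT address
    does not drag the whole estate into the investigation.
    """
    graph = defaultdict(set)
    hops = {seed: 0 for seed in seeds}
    queue = deque(seeds)
    while queue:
        entity = queue.popleft()
        if max_hops is not None and hops[entity] >= max_hops:
            continue
        for record in search(records, entity):
            for other in entities_of(record) - {entity}:
                graph[entity].add(other)
                graph[other].add(entity)
                if other not in hops:          # first sighting: queue the pivot
                    hops[other] = hops[entity] + 1
                    queue.append(other)
    return dict(graph), hops


if __name__ == "__main__":
    _, hops = pivot(SAMPLE_EVENTS, [("host", "vm-lob-01")])
    for entity, hop in sorted(hops.items(), key=lambda kv: kv[1]):
        print(f"hop {hop}: {entity[0]}={entity[1]}")
```

Seeded with the alerted host, the pivot reaches the service account, the external source address, the second VM the account logged on to, and from that VM's address a third host, while the unrelated SQL logon never enters the graph. In the portal each of those pivots is one search against the workspace; bounding max_hops is the equivalent of narrowing the time window and entity set so that a shared service account does not pull every host it touches into the map.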

Clean up resources

Other quickstarts and tutorials in this collection build upon this one. If you plan to continue on to subsequent quickstarts and tutorials, keep running the Standard tier and keep automatic provisioning enabled. If you do not plan to continue, or wish to return to the Free tier:

  1. Return to the Security Center main menu and select Security policy.
  2. Select the subscription or policy that you want to return to Free. Security policy opens.
  3. Under POLICY COMPONENTS, select Pricing tier.
  4. Select Free to change the subscription from the Standard tier to the Free tier.
  5. Select Save.

If you wish to disable automatic provisioning:

  1. Return to the Security Center main menu and select Security policy.
  2. Select the subscription for which you wish to disable automatic provisioning.
  3. Under Security policy – Data Collection, select Off under Onboarding to disable automatic provisioning.
  4. Select Save.

Note

Disabling automatic provisioning does not remove the Log Analytics agent from Azure VMs where the agent has already been provisioned; uninstall it from those VMs separately if you want it removed. Disabling automatic provisioning limits security monitoring for your resources.

Next steps

In this tutorial, you learned about Security Center features to be used when responding to a security incident, such as:

  • Security incident, which is an aggregation of related alerts for a resource
  • Investigation map, which is a graphical representation of the entities connected to a security alert or incident
  • Search capabilities, used to find more evidence of compromised systems