Automate responses to Security Center triggers

Every security program includes multiple workflows for incident response. These processes might include notifying relevant stakeholders, launching a change management process, and applying specific remediation steps. Security experts recommend that you automate as many steps of those procedures as you can. Automation reduces overhead. It can also improve your security by ensuring the process steps are done quickly, consistently, and according to your predefined requirements.

This article describes the workflow automation feature of Azure Security Center. This feature can trigger Logic Apps on security alerts, recommendations, and changes to regulatory compliance. For example, you might want Security Center to email a specific user when an alert occurs. You'll also learn how to create Logic Apps using Azure Logic Apps.

Availability

Aspect                          Details
Release state:                  General Availability (GA)
Pricing:                        Free
Required roles and permissions: Security admin role or Owner on the resource group
                                Must also have write permissions for the target resource

                                To work with Azure Logic Apps workflows, you must also have the following Logic Apps roles/permissions:
                                - Logic App Operator permissions are required for Logic App read/trigger access (this role can't create or edit logic apps; it can only run existing ones)
                                - Logic App Contributor permissions are required for Logic App creation and modification
                                If you want to use Logic App connectors, you may need additional credentials to sign in to their respective services (for example, your Outlook/Teams/Slack instances)
Clouds:                         China cloud

Create a logic app and define when it should automatically run

  1. From Security Center's sidebar, select Workflow automation.

    (Screenshot: the workflow automation list)

    From this page you can create new automation rules, as well as enable, disable, or delete existing ones.

  2. To define a new workflow, click Add workflow automation.

    A pane appears with the options for your new automation. Here you can enter:

    1. A name and description for the automation.

    2. The triggers that will initiate this automatic workflow. For example, you might want your Logic App to run when a security alert that contains "SQL" is generated.

      Note

      If your trigger is a recommendation that has "sub-recommendations", for example "Vulnerability assessment findings on your SQL databases should be remediated", the logic app will not trigger for every new security finding; it triggers only when the status of the parent recommendation changes.

    3. The Logic App that will run when your trigger conditions are met.

      (Screenshot: the Add workflow automation pane)

  3. From the Actions section, click "visit the Logic Apps page" to create a new Logic App.

    You'll be taken to Azure Logic Apps.

    (Screenshot: creating a new Logic App)

  4. Enter a name, resource group, and location, and click Create.

  5. In your new logic app, you can choose from built-in, predefined templates from the security category. Or you can define a custom flow of events to occur when this process is triggered.

    Tip

    Sometimes in a logic app, parameters are included in the connector as part of a string and not in their own field. For an example of how to extract parameters, see step #14 of "Working with logic app parameters while building Azure Security Center workflow automations".

    The logic app designer supports these Security Center triggers:

    • When an Azure Security Center Recommendation is created or triggered - If your logic app relies on a recommendation that gets deprecated or replaced, your automation will stop working and you'll need to update the trigger. To track changes to recommendations, see the Azure Security Center release notes.

    • When an Azure Security Center Alert is created or triggered - You can customize the trigger so that it relates only to alerts with the severity levels that interest you.

    • When a Security Center regulatory compliance assessment is created or triggered - Trigger automations based on updates to regulatory compliance assessments.

    Note

    If you are using the legacy trigger "When a response to an Azure Security Center alert is triggered", your logic apps will not be launched by the Workflow Automation feature. Instead, use one of the triggers listed above.

    (Screenshot: a sample logic app)

  6. After you've defined your logic app, return to the workflow automation definition pane ("Add workflow automation"). Click Refresh to ensure your new Logic App is available for selection.

    (Screenshot: Refresh)

  7. Select your logic app and save the automation. Note that the Logic App dropdown only shows Logic Apps that use one of the Security Center connectors mentioned above.

Manually trigger a Logic App

You can also run Logic Apps manually when viewing any security alert or recommendation.

To manually run a Logic App, open an alert or a recommendation and click Trigger Logic App:

(Screenshot: manually triggering a Logic App)

Configure workflow automation at scale using the supplied policies

Automating your organization's monitoring and incident response processes can greatly reduce the time it takes to investigate and mitigate security incidents.

To deploy your automation configurations across your organization, use the supplied Azure Policy 'DeployIfNotExist' policies described below to create and configure workflow automation procedures.

Get started with workflow automation templates.

To implement these policies:

  1. From the table below, select the policy you want to apply:

    Goal                                              Policy                                                                Policy ID
    Workflow automation for security alerts           Deploy Workflow Automation for Azure Security Center alerts           f1525828-9a90-4fcf-be48-268cdd02361e
    Workflow automation for security recommendations  Deploy Workflow Automation for Azure Security Center recommendations  73d6ab6c-2475-4850-afd6-43795f3492ef

    Tip

    You can also find these by searching Azure Policy:

    1. Open Azure Policy. (Screenshot: accessing Azure Policy)
    2. From the Azure Policy menu, select Definitions and search for them by name.

  2. From the relevant Azure Policy page, select Assign. (Screenshot: assigning an Azure Policy)

  3. Open each tab and set the parameters as desired:

    1. In the Basics tab, set the scope for the policy. To use centralized management, assign the policy to the Management Group containing the subscriptions that will use the workflow automation configuration.

    2. In the Parameters tab, set the resource group and data type details.

      Tip

      Each parameter has a tooltip explaining the options available to you.

      Azure Policy's Parameters tab (1) provides access to similar configuration options as Security Center's workflow automation page (2). (Screenshot: comparing the parameters in workflow automation and Azure Policy)

    3. Optionally, to apply this assignment to existing subscriptions, open the Remediation tab and select the option to create a remediation task.

  4. Review the summary page and select Create.
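The same assignment, including the optional remediation task, can be scripted with Azure PowerShell. This is an added example and not part of the original article: it uses the alert policy ID from the table above, but the management group, subscription, resource group and Logic App names are placeholders, and the policy parameter names are my recollection of the built-in definition, so confirm them against the Parameters tab (or the definition object) before running.

```powershell
# Added example (not from the article): assign the built-in
# "Deploy Workflow Automation for Azure Security Center alerts" policy at a
# management group, give its identity the rights a DeployIfNotExists policy
# needs, and remediate existing subscriptions. Needs Az.Resources and
# Az.PolicyInsights, and an existing Logic App that uses the
# "When an Azure Security Center Alert is created or triggered" trigger.
$mgName        = '<management-group-name>'   # placeholder
$scope         = "/providers/Microsoft.Management/managementGroups/$mgName"
$logicAppId    = '/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Logic/workflows/<logic-app-name>'  # placeholder
$alertPolicyId = '/providers/Microsoft.Authorization/policyDefinitions/f1525828-9a90-4fcf-be48-268cdd02361e'  # ID from the article
$assignName    = 'deploy-asc-alert-automation'

$definition = Get-AzPolicyDefinition -Id $alertPolicyId

# Parameter names are an assumption (my recollection of the built-in
# definition); inspect $definition or the portal's Parameters tab to verify.
$parameters = @{
    automationName        = 'alerts-to-logicapp'
    resourceGroupName     = 'rg-security-automation'   # created by the policy if missing
    resourceGroupLocation = 'chinaeast2'
    alertName             = ''                         # empty string = match any alert name
    alertSeverities       = @('High', 'Medium')        # only these severities trigger the Logic App
    logicAppResourceId    = $logicAppId
    logicAppTrigger       = 'When an Azure Security Center Alert is created or triggered'
}

# DeployIfNotExists assignments deploy resources, so they need a system-assigned
# managed identity and a location for it (older Az.Resources: -AssignIdentity).
$assignment = New-AzPolicyAssignment -Name $assignName `
    -DisplayName 'Deploy Workflow Automation for Security Center alerts' `
    -Scope $scope -PolicyDefinition $definition `
    -PolicyParameterObject $parameters `
    -IdentityType 'SystemAssigned' -Location 'chinaeast2'

# The identity must be able to create the automation resource and reference the
# Logic App; Contributor at the assignment scope covers both.
New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId `
    -RoleDefinitionName 'Contributor' -Scope $scope | Out-Null

# Optional step from the procedure above: remediate subscriptions that already
# exist instead of waiting for new ones to be evaluated.
$assignmentId = "$scope/providers/Microsoft.Authorization/policyAssignments/$assignName"
Start-AzPolicyRemediation -Name 'remediate-asc-alert-automation' `
    -PolicyAssignmentId $assignmentId -ManagementGroupName $mgName
```

Repeat with policy ID 73d6ab6c-2475-4850-afd6-43795f3492ef (and its own parameter set) for the recommendations policy.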

Data types schemas

To view the raw event schemas of the security alert or recommendation events passed to the Logic App instance, visit the Workflow automation data types schemas. This is useful when you are not using Security Center's built-in Logic App connectors mentioned above, but instead are using the Logic App generic HTTP connector: you can use the event JSON schema to parse the event manually as you see fit.

FAQ for workflow automation

Does workflow automation support any business continuity or disaster recovery (BCDR) scenarios?

When preparing your environment for BCDR scenarios, where the target resource is experiencing an outage or other disaster, it's the organization's responsibility to prevent data loss by establishing backups according to the guidelines from Azure Event Hubs, Log Analytics workspace, and Logic App.

For every active automation, we recommend you create an identical (disabled) automation and store it in a different location. When there's an outage, you can enable these backup automations and maintain normal operations.

Learn more about Business continuity and disaster recovery for Azure Logic Apps.

Next steps

In this article, you learned about creating Logic Apps, automating their execution in Security Center, and running them manually.

For related material, see: