Security Control V2: Logging and Threat Detection

Logging and Threat Detection covers controls for detecting threats on Azure and for enabling, collecting, and storing audit logs for Azure services. This includes enabling detection, investigation, and remediation processes with controls that generate high-quality alerts from native threat detection in Azure services; it also includes collecting logs with Azure Monitor, time synchronization, and log retention.

LT-1: Enable threat detection for Azure resources

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
LT-1 | 6.7 | AU-3, AU-6, AU-12, SI-4

Ensure you are monitoring the different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce the false positives that analysts have to sort through. Alerts can be sourced from log data, agents, or other data.

Use the Azure Security Center built-in threat detection capability, which is based on monitoring Azure service telemetry and analyzing service logs. Data is collected using the Log Analytics agent, which reads various security-related configurations and event logs from the system and copies the data to your workspace for analysis.

Responsibility: Customer

Customer Security Stakeholders:

LT-2: Enable threat detection for Azure identity and access management

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
LT-2 | 6.8 | AU-3, AU-6, AU-12, SI-4

Azure AD provides the following user logs, which can be viewed in Azure AD reporting or integrated with Azure Monitor or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases:

  • Sign-ins - The sign-ins report provides information about the usage of managed applications and user sign-in activities.

  • Audit logs - Provides traceability through logs for all changes made by the various features within Azure AD. Examples of audit log entries include changes made to any resource within Azure AD, such as adding or removing users, apps, groups, roles, and policies.

  • Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of the user account.

  • Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.

Azure Security Center can also alert on certain suspicious activities, such as an excessive number of failed authentication attempts and deprecated accounts in the subscription. In addition to this basic security hygiene monitoring, Azure Security Center's Threat Protection module can collect more in-depth security alerts from individual Azure compute resources (such as virtual machines, containers, and App Service), data resources (such as SQL DB and storage), and Azure service layers. This capability lets you see account anomalies inside the individual resources.
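As an added example (not part of the benchmark or of any Microsoft tool), the following Python applies the conditions above to exported Azure AD sign-in records: it raises an alert for an excessive number of failed authentication attempts against one account, for one source IP failing against many distinct accounts (a generalization of the same condition), and for sign-ins that Azure AD has already scored as risky. The field names follow the Azure AD sign-in log schema; the sample records, the error code values used, the thresholds and the contoso.example accounts are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5    # failed sign-ins by one account inside WINDOW
SPRAY_THRESHOLD = 3   # distinct accounts failing from one source IP
WINDOW = timedelta(minutes=10)

def _rec(ts, upn, ip, code, risk="none"):
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "status": {"errorCode": code}, "riskLevelDuringSignIn": risk}

# Constructed sample sign-ins (not real data): error code 0 is success,
# 50126 is the Azure AD "invalid username or password" code.
SAMPLE_SIGNINS = (
    [_rec(f"2021-03-01T10:0{m}:00Z", "alice@contoso.example", "203.0.113.5", 50126) for m in range(6)]
    + [_rec("2021-03-01T10:07:00Z", "alice@contoso.example", "203.0.113.5", 0)]
    + [_rec("2021-03-01T11:00:00Z", "bob@contoso.example", "203.0.113.9", 0)]
    + [_rec("2021-03-01T12:00:00Z", f"{u}@contoso.example", "198.51.100.7", 50126)
       for u in ("carol", "dave", "erin")]
    + [_rec("2021-03-01T13:00:00Z", "frank@contoso.example", "203.0.113.20", 0, "high")]
)

def max_in_window(records, window):
    # Largest number of (time-sorted) records that fall inside any single window
    times = [datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ") for r in records]
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def detect(signins, window=WINDOW):
    # Returns (alert_name, subject) pairs; an empty list means no threshold was crossed
    failures = sorted((r for r in signins if r["status"]["errorCode"] != 0),
                      key=lambda r: r["createdDateTime"])
    by_user, by_ip = defaultdict(list), defaultdict(list)
    for r in failures:
        by_user[r["userPrincipalName"]].append(r)
        by_ip[r["ipAddress"]].append(r)
    alerts = []
    for upn, rs in by_user.items():          # repeated failures against one account
        if max_in_window(rs, window) >= FAIL_THRESHOLD:
            alerts.append(("ExcessiveFailedSignIns", upn))
    for ip, rs in by_ip.items():             # one source failing against many accounts
        if len({r["userPrincipalName"] for r in rs}) >= SPRAY_THRESHOLD:
            alerts.append(("PasswordSpray", ip))
    for r in signins:                        # risk already scored by Azure AD
        if r["riskLevelDuringSignIn"] in ("medium", "high"):
            alerts.append(("RiskySignIn", r["userPrincipalName"]))
    return alerts
```

In practice the records would come from the SigninLogs table in the Log Analytics workspace or from the Azure AD reporting export rather than the constructed list.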

Responsibility: Customer

Customer Security Stakeholders:

LT-3: Enable logging for Azure network activities

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
LT-3 | 9.3, 12.2, 12.5, 12.8 | AU-3, AU-6, AU-12, SI-4

Enable and collect network security group (NSG) resource logs, NSG flow logs, Azure Firewall logs, and Web Application Firewall (WAF) logs for security analysis, to support incident investigations, threat hunting, and security alert generation. You can send the flow logs to an Azure Monitor Log Analytics workspace and then use Traffic Analytics to provide insights. Ensure you are also collecting DNS query logs to help correlate the other network data.
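As an added example of what collected NSG flow logs give you to work with (not part of the benchmark or of any Microsoft tool), the Python below parses the NSG flow log version 2 layout (records, rules, NICs, comma-separated flow tuples whose four traffic counters are empty on flow-begin entries) and derives two hunting views from it: external sources whose denied inbound flows touched several distinct ports, and bytes sent outbound per destination. The sample record, the subscription placeholder in the resource ID and the addresses are constructed for this example.

```python
from collections import defaultdict

# NSG flow log v2 tuple fields, in order; the four counters are empty on "B" (flow begin) entries
FIELDS = ("ts", "src", "dst", "sport", "dport", "proto", "direction", "decision",
          "state", "pkts_out", "bytes_out", "pkts_in", "bytes_in")

def parse_tuple(t):
    f = t.split(",")
    if len(f) != len(FIELDS):
        raise ValueError(f"unexpected flow tuple: {t!r}")
    ft = dict(zip(FIELDS, f))
    for k in ("ts", "sport", "dport", "pkts_out", "bytes_out", "pkts_in", "bytes_in"):
        ft[k] = int(ft[k] or 0)   # empty counter on a begin record counts as 0
    return ft

def iter_tuples(flow_log):
    # Walk records -> rules -> NICs -> tuples, yielding (rule name, parsed tuple); skips non-v2 records
    for rec in flow_log["records"]:
        if rec["properties"].get("Version") != 2:
            continue
        for rule in rec["properties"]["flows"]:
            for nic in rule["flows"]:
                for t in nic["flowTuples"]:
                    yield rule["rule"], parse_tuple(t)

def denied_inbound_by_source(flow_log, min_ports=3):
    # Sources whose denied inbound flows hit at least min_ports distinct destination ports
    ports = defaultdict(set)
    for _, ft in iter_tuples(flow_log):
        if ft["direction"] == "I" and ft["decision"] == "D":
            ports[ft["src"]].add(ft["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

def outbound_bytes_by_dst(flow_log):
    totals = defaultdict(int)
    for _, ft in iter_tuples(flow_log):
        if ft["direction"] == "O" and ft["decision"] == "A":
            totals[ft["dst"]] += ft["bytes_out"]
    return dict(totals)

# Constructed sample in the NSG flow log v2 layout (not a real capture)
SAMPLE_FLOW_LOG = {"records": [{
    "time": "2021-03-01T10:00:00.0000000Z", "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/<SUB-ID-PLACEHOLDER>/RESOURCEGROUPS/WEB-RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1614592800,198.51.100.23,10.0.0.4,51000,22,T,I,D,B,,,,",
            "1614592801,198.51.100.23,10.0.0.4,51001,3389,T,I,D,B,,,,",
            "1614592802,198.51.100.23,10.0.0.4,51002,445,T,I,D,B,,,,",
            "1614592803,203.0.113.8,10.0.0.4,40000,8080,T,I,D,B,,,,"]}]},
        {"rule": "AllowInternetOutBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1614592810,10.0.0.4,192.0.2.10,44931,443,T,O,A,B,,,,",
            "1614592870,10.0.0.4,192.0.2.10,44931,443,T,O,A,E,20,14200,18,9800"]}]}]}}]}
```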

Responsibility: Customer

Customer Security Stakeholders:

LT-4: Enable logging for Azure resources

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
LT-4 | 6.2, 6.3, 8.8 | AU-3, AU-12

Enable logging for Azure resources to meet the requirements for compliance, threat detection, hunting, and incident investigation.

You can use Azure Security Center and Azure Policy to enable resource logs and log data collection on Azure resources, giving you access to audit, security, and resource logs. Activity logs, which are available automatically, include the event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

Responsibility: Shared

Customer Security Stakeholders:

  • Infrastructure and endpoint security

LT-5: Centralize security log management and analysis

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
LT-5 | 6.5, 6.6 | AU-3, SI-4

Centralize log storage and analysis to enable correlation. For each log source, ensure you have assigned a data owner, access guidance, a storage location, the tools used to process and access the data, and the data retention requirements.

Ensure you are integrating Azure activity logs into your central logging. Ingest logs via Azure Monitor to aggregate the security data generated by endpoint devices, network resources, and other security systems. In Azure Monitor, use Log Analytics workspaces to query and perform analytics, and use Azure Storage accounts for long-term and archival storage.

In addition, enable and onboard the data to a third-party SIEM.

Responsibility: Customer

Customer Security Stakeholders:

LT-6: Configure log storage retention

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
LT-6 | 6.4 | AU-3, AU-11

Configure your log retention according to your compliance, regulatory, and business requirements.

In Azure Monitor, you can set the Log Analytics workspace retention period according to your organization's compliance regulations. Use Azure Storage accounts or Log Analytics workspaces for long-term and archival storage.

Responsibility: Customer

Customer Security Stakeholders:

LT-7: Use approved time synchronization sources

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
LT-7 | 6.1 | AU-8

Microsoft maintains the time sources for most Azure PaaS and SaaS services. For your virtual machines, use the Microsoft default NTP server for time synchronization unless you have a specific requirement. If you need to stand up your own Network Time Protocol (NTP) server, ensure you secure the UDP service on port 123.

All logs generated by resources within Azure carry time stamps with the time zone specified by default.

Responsibility: Shared

Customer Security Stakeholders: