Azure advanced threat detection

Azure offers built-in advanced threat detection functionality through services such as Azure Active Directory (Azure AD), Azure Monitor logs, and Azure Security Center. This collection of security services and capabilities provides a simple and fast way to understand what is happening within your Azure deployments.

Azure provides a wide array of options to configure and customize security to meet the requirements of your app deployments. This article discusses how to meet these requirements.

Azure Active Directory Identity Protection

Azure AD Identity Protection is an Azure Active Directory Premium P2 edition feature that provides an overview of the risk detections and potential vulnerabilities that can affect your organization's identities. Identity Protection uses existing Azure AD anomaly-detection capabilities that are available through Azure AD Anomalous Activity Reports, and introduces new risk detection types that can detect real-time anomalies.

Diagram of Azure AD Identity Protection

Identity Protection uses adaptive machine learning algorithms and heuristics to detect anomalies and risk detections that might indicate that an identity has been compromised. Using this data, Identity Protection generates reports and alerts so that you can investigate these risk detections and take appropriate remediation or mitigation action.

Azure Active Directory Identity Protection is more than a monitoring and reporting tool. Based on risk detections, Identity Protection calculates a user risk level for each user, so that you can configure risk-based policies to automatically protect the identities of your organization.

These risk-based policies, in addition to other Conditional Access controls that are provided by Azure Active Directory and EMS, can automatically block or offer adaptive remediation actions that include password resets and multi-factor authentication enforcement.

Identity Protection capabilities

Azure Active Directory Identity Protection is more than a monitoring and reporting tool. To protect your organization's identities, you can configure risk-based policies that automatically respond to detected issues when a specified risk level has been reached. These policies, in addition to other Conditional Access controls provided by Azure Active Directory and EMS, can either automatically block or initiate adaptive remediation actions, including password resets and multi-factor authentication enforcement.

Examples of some of the ways that Azure Identity Protection can help secure your accounts and identities include:

Detecting risk detections and risky accounts

  • Detect six risk detection types using machine learning and heuristic rules.
  • Calculate user risk levels.
  • Provide custom recommendations to improve overall security posture by highlighting vulnerabilities.

Investigating risk detections

  • Send notifications for risk detections.
  • Investigate risk detections using relevant and contextual information.
  • Provide basic workflows to track investigations.
  • Provide easy access to remediation actions such as password reset.

Risk-based Conditional Access policies

  • Mitigate risky sign-ins by blocking sign-ins or requiring multi-factor authentication challenges.
  • Block or secure risky user accounts.
  • Require users to register for multi-factor authentication.

Azure AD Privileged Identity Management

With Azure Active Directory Privileged Identity Management (PIM), you can manage, control, and monitor access within your organization. This feature includes access to resources in Azure AD and other Microsoft online services, such as Microsoft 365 or Microsoft Intune.

Diagram of Azure AD Privileged Identity Management

PIM helps you:

  • Get alerts and reports about Azure AD administrators and just-in-time (JIT) administrative access to Microsoft online services, such as Microsoft 365 and Intune.

  • Get reports about administrator access history and changes in administrator assignments.

  • Get alerts about access to a privileged role.

Azure Monitor logs

Azure Monitor logs is an Azure cloud-based IT management solution that helps you manage and protect your on-premises and cloud infrastructure. Because Azure Monitor logs is implemented as a cloud-based service, you can have it up and running quickly with minimal investment in infrastructure services. New security features are delivered automatically, saving ongoing maintenance and upgrade costs.

In addition to providing valuable services on its own, Azure Monitor logs can integrate with System Center components, such as System Center Operations Manager, to extend your existing security management investments into the cloud. System Center and Azure Monitor logs can work together to provide a full hybrid management experience.

Holistic security and compliance posture

The Log Analytics Security and Audit dashboard provides a comprehensive view into your organization's IT security posture, with built-in search queries for notable issues that require your attention. The Security and Audit dashboard is the home screen for everything related to security in Azure Monitor logs. It provides high-level insight into the security state of your computers. You can also view all events from the past 24 hours, 7 days, or any other custom timeframe.

Azure Monitor logs help you quickly and easily understand the overall security posture of any environment, all within the context of IT operations, including software update assessment, antimalware assessment, and configuration baselines. Security log data is readily accessible to streamline the security and compliance audit processes.

Screenshot of the Log Analytics Security and Audit dashboard

The Log Analytics Security and Audit dashboard is organized into four major categories:

  • Security Domains: Lets you further explore security records over time; access malware assessments; update assessments; view network security, identity, and access information; view computers with security events; and quickly access the Azure Security Center dashboard.

  • Notable Issues: Lets you quickly identify the number of active issues and the severity of the issues.

  • Detections (Preview): Lets you identify attack patterns by displaying security alerts as they occur against your resources.

  • Threat Intelligence: Lets you identify attack patterns by displaying the total number of servers with outbound malicious IP traffic, the malicious threat type, and a map of the IP locations.

  • Common security queries: Lists the most common security queries that you can use to monitor your environment. When you select any query, the Search pane opens and displays the results for that query.

Insight and analytics

At the center of Azure Monitor logs is the repository, which is hosted by Azure.

You collect data into the repository from connected sources by configuring data sources and adding solutions to your subscription.

Diagram of the Azure Monitor logs dashboard

Data sources and solutions each create separate record types with their own set of properties, but you can still analyze them together in queries to the repository. You can use the same tools and methods to work with a variety of data that's collected by various sources.

Most of your interaction with Azure Monitor logs is through the Azure portal, which runs in any browser and provides you with access to configuration settings and multiple tools to analyze and act on collected data. From the portal, you can use:

  • Log searches, where you construct queries to analyze collected data.
  • Dashboards, which you can customize with graphical views of your most valuable searches.
  • Solutions, which provide additional functionality and analysis tools.

Solutions add functionality to Azure Monitor logs. They primarily run in the cloud and provide analysis of data that's collected in the Log Analytics repository. Solutions might also define new record types to be collected that can be analyzed with log searches or by using an additional user interface that the solution provides in the Log Analytics dashboard.

The Security and Audit dashboard is an example of these types of solutions.

Automation and control: Alert on security configuration drifts

Azure Automation automates administrative processes with runbooks that are based on PowerShell and run in the cloud. Runbooks can also be executed on a server in your local data center to manage local resources. Azure Automation provides configuration management with PowerShell Desired State Configuration (DSC).

Diagram of Azure Automation

You can create and manage DSC resources that are hosted in Azure and apply them to cloud and on-premises systems. By doing so, you can define and automatically enforce their configuration or get reports on drift to help ensure that security configurations remain within policy.

Azure Security Center

Azure Security Center helps protect your Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions. Within the service, you can define policies against both your Azure subscriptions and resource groups for greater granularity.

Diagram of Azure Security Center

Microsoft security researchers are constantly on the lookout for threats. They have access to an expansive set of telemetry gained from Microsoft's global presence in the cloud and on-premises. This wide-reaching and diverse collection of datasets enables Microsoft to discover new attack patterns and trends across its on-premises consumer and enterprise products, as well as its online services.

Thus, Security Center can rapidly update its detection algorithms as attackers release new and increasingly sophisticated exploits. This approach helps you keep pace with a fast-moving threat environment.

Security Center threat detection works by automatically collecting security information from your Azure resources, the network, and connected partner solutions. It analyzes this information, correlating information from multiple sources, to identify threats.

Security alerts are prioritized in Security Center along with recommendations on how to remediate the threat.

Security Center employs advanced security analytics, which go far beyond signature-based approaches. Breakthroughs in big data and machine learning technologies are used to evaluate events across the entire cloud fabric. Advanced analytics can detect threats that would be impossible to identify through manual approaches and can predict the evolution of attacks. These security analytics types are covered in the next sections.

Threat intelligence

Microsoft has access to an immense amount of global threat intelligence.

Telemetry flows in from multiple sources, such as Azure, Microsoft 365, Microsoft CRM Online, Microsoft Dynamics AX, the Microsoft Digital Crimes Unit (DCU), and the Microsoft Security Response Center (MSRC).

Researchers also receive threat intelligence information that is shared among major cloud service providers, and they subscribe to threat intelligence feeds from third parties. Azure Security Center can use this information to alert you to threats from known bad actors. Some examples include:

  • Harnessing the power of machine learning: Azure Security Center has access to a vast amount of data about cloud network activity, which can be used to detect threats targeting your Azure deployments.

  • Brute force detection: Machine learning is used to create a historical pattern of remote access attempts, which allows it to detect brute force attacks against Secure Shell (SSH), Remote Desktop Protocol (RDP), and SQL ports.

  • Outbound DDoS and botnet detection: A common objective of attacks that target cloud resources is to use the compute power of these resources to execute other attacks.

  • New behavioral analytics for servers and VMs: After a server or virtual machine is compromised, attackers employ a wide variety of techniques to execute malicious code on that system while avoiding detection, ensuring persistence, and obviating security controls.

  • Azure SQL Database Threat Detection: Threat detection for Azure SQL Database, which identifies anomalous database activities that indicate unusual and potentially harmful attempts to access or exploit databases.

Behavioral analytics

Behavioral analytics is a technique that analyzes and compares data to a collection of known patterns. However, these patterns are not simple signatures. They are determined through complex machine learning algorithms that are applied to massive datasets.

The patterns are also determined through careful analysis of malicious behaviors by expert analysts. Azure Security Center can use behavioral analytics to identify compromised resources based on analysis of virtual machine logs, virtual network device logs, fabric logs, crash dumps, and other sources.

In addition, patterns are correlated with other signals to check for supporting evidence of a widespread campaign. This correlation helps to identify events that are consistent with established indicators of compromise.

Some examples include:

  • Suspicious process execution: Attackers employ several techniques to execute malicious software without detection. For example, an attacker might give malware the same name as a legitimate system file but place the file in an alternate location, use a name that is similar to that of a benign file, or mask the file's true extension. Security Center models process behaviors and monitors process executions to detect outliers such as these.

  • Hidden malware and exploitation attempts: Sophisticated malware can evade traditional antimalware products by either never writing to disk or encrypting software components stored on disk. However, such malware can be detected by using memory analysis, because the malware must leave traces in memory to function. When software crashes, a crash dump captures a portion of memory at the time of the crash. By analyzing the memory in the crash dump, Azure Security Center can detect techniques used to exploit vulnerabilities in software, access confidential data, and surreptitiously persist within a compromised machine without affecting the performance of your machine.

  • Lateral movement and internal reconnaissance: To persist in a compromised network and locate and harvest valuable data, attackers often attempt to move laterally from the compromised machine to others within the same network. Security Center monitors process and login activities to discover attempts to expand an attacker's foothold within the network, such as remote command execution, network probing, and account enumeration.

  • Malicious PowerShell scripts: PowerShell can be used by attackers to execute malicious code on target virtual machines for various purposes. Security Center inspects PowerShell activity for evidence of suspicious activity.

  • Outgoing attacks: Attackers often target cloud resources with the goal of using those resources to mount additional attacks. Compromised virtual machines, for example, might be used to launch brute force attacks against other virtual machines, send spam, or scan open ports and other devices on the internet. By applying machine learning to network traffic, Security Center can detect when outbound network communications exceed the norm. When spam is detected, Security Center also correlates unusual email traffic with intelligence from Microsoft 365 to determine whether the mail is likely nefarious or the result of a legitimate email campaign.
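The three masquerading tricks listed under suspicious process execution (a system-binary name in the wrong directory, a look-alike name, a masked extension) can be checked directly on process-creation events. The detector below is an added example written for this page, not Security Center's own logic; its allowlist of system binaries and the sample events are constructed assumptions.

```python
"""Flag process executions that masquerade as legitimate system binaries.

Added example for this page, not Security Center code. The allowlist below is
an assumed, deliberately small table of Windows system binaries and the
directories they are expected to run from; the events at the bottom are
constructed sample data.
"""
import os
from difflib import SequenceMatcher

# Assumed allowlist: lowercase file name -> lowercase directories it may run from.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "powershell.exe": {r"c:\windows\system32\windowspowershell\v1.0",
                       r"c:\windows\syswow64\windowspowershell\v1.0"},
}
# Extensions that execute, and document-like extensions used as decoys in front of them.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXTENSIONS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".jpg", ".png", ".log"}


def split_windows_path(image_path):
    """Return (directory, file name) of a Windows image path, both lowercased."""
    normalized = image_path.lower().replace("/", "\\")
    directory, _, name = normalized.rpartition("\\")
    return directory, name


def name_similarity(a, b):
    """Similarity ratio in [0, 1]; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def classify_process(image_path, similarity_threshold=0.85):
    """Return a list of findings for one process image path (empty means nothing notable)."""
    directory, name = split_windows_path(image_path)
    stem, ext = os.path.splitext(name)
    findings = []

    # 1. Exact system-binary name, but launched from a directory it does not live in.
    if name in KNOWN_SYSTEM_BINARIES and directory not in KNOWN_SYSTEM_BINARIES[name]:
        findings.append(f"system binary name '{name}' executed from unexpected directory '{directory}'")

    # 2. Near-miss of a system-binary name (one character swapped, inserted, or dropped).
    if name not in KNOWN_SYSTEM_BINARIES:
        for known in KNOWN_SYSTEM_BINARIES:
            if name_similarity(name, known) >= similarity_threshold:
                findings.append(f"'{name}' closely resembles system binary '{known}'")
                break

    # 3. Masked extension: 'report.pdf.exe' presents as a document but is executable.
    _, inner_ext = os.path.splitext(stem)
    if ext in EXECUTABLE_EXTENSIONS and inner_ext in DECOY_EXTENSIONS:
        findings.append(f"executable '{name}' masks a decoy extension '{inner_ext}'")

    return findings


def scan_process_events(events):
    """events: iterable of {'host': ..., 'image': ...}; returns [(host, image, findings)]."""
    alerts = []
    for event in events:
        findings = classify_process(event["image"])
        if findings:
            alerts.append((event["host"], event["image"], findings))
    return alerts


# Constructed process-creation events: two benign, three masquerading.
SAMPLE_EVENTS = [
    {"host": "web-01", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "web-01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "web-02", "image": r"C:\Users\Public\svchost.exe"},
    {"host": "web-02", "image": r"C:\Windows\Temp\svch0st.exe"},
    {"host": "app-01", "image": r"C:\Users\bob\Downloads\report.pdf.exe"},
]

if __name__ == "__main__":
    for host, image, findings in scan_process_events(SAMPLE_EVENTS):
        print(host, image, "->", "; ".join(findings))
```

In production the allowlist would be generated from a known-good image rather than typed by hand, and the similarity threshold tuned against the real process population to keep false positives down.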

Anomaly detection

Azure Security Center also uses anomaly detection to identify threats. In contrast to behavioral analytics (which depends on known patterns derived from large data sets), anomaly detection is more "personalized" and focuses on baselines that are specific to your deployments. Machine learning is applied to determine normal activity for your deployments, and then rules are generated to define outlier conditions that could represent a security event. Here's an example:

  • Inbound RDP/SSH brute force attacks: Your deployments might have busy virtual machines with many logins each day and other virtual machines that have few, if any, logins. Azure Security Center can determine baseline login activity for these virtual machines and use machine learning to define what normal login activity looks like. If there is any discrepancy with the baseline defined for login-related characteristics, an alert might be generated. Again, machine learning determines what is significant.

Continuous threat intelligence monitoring

Azure Security Center operates with security research and data science teams throughout the world that continuously monitor for changes in the threat landscape. This includes the following initiatives:

  • Threat intelligence monitoring: Threat intelligence includes mechanisms, indicators, implications, and actionable advice about existing or emerging threats. This information is shared in the security community, and Microsoft continuously monitors threat intelligence feeds from internal and external sources.

  • Signal sharing: Insights from security teams across the broad Microsoft portfolio of cloud and on-premises services, servers, and client endpoint devices are shared and analyzed.

  • Microsoft security specialists: Ongoing engagement with teams across Microsoft that work in specialized security fields, such as forensics and web attack detection.

  • Detection tuning: Algorithms are run against real customer data sets, and security researchers work with customers to validate the results. True and false positives are used to refine machine learning algorithms.

These combined efforts culminate in new and improved detections, which you can benefit from instantly. There's no action for you to take.

Advanced threat detection features: Other Azure services

Virtual machines: Microsoft antimalware

Microsoft antimalware for Azure is a single-agent solution for applications and tenant environments, designed to run in the background without human intervention. You can deploy protection based on the needs of your application workloads, with either basic secure-by-default or advanced custom configuration, including antimalware monitoring. Azure antimalware is a security option for Azure virtual machines that's automatically installed on all Azure PaaS virtual machines.

Microsoft antimalware core features

Here are the features of Azure that deploy and enable Microsoft antimalware for your applications:

  • Real-time protection: Monitors activity in cloud services and on virtual machines to detect and block malware execution.

  • Scheduled scanning: Periodically performs targeted scanning to detect malware, including actively running programs.

  • Malware remediation: Automatically acts on detected malware, such as deleting or quarantining malicious files and cleaning up malicious registry entries.

  • Signature updates: Automatically installs the latest protection signatures (virus definitions) to ensure that protection is up to date on a predetermined frequency.

  • Antimalware engine updates: Automatically updates the Microsoft antimalware engine.

  • Antimalware platform updates: Automatically updates the Microsoft antimalware platform.

  • Active protection: Reports telemetry metadata about detected threats and suspicious resources to Azure to ensure rapid response to the evolving threat landscape, enabling real-time synchronous signature delivery through the Microsoft active protection system.

  • Samples reporting: Provides and reports samples to the Microsoft antimalware service to help refine the service and enable troubleshooting.

  • Exclusions: Allows application and service administrators to configure certain files, processes, and drives for exclusion from protection and scanning for performance and other reasons.

  • Antimalware event collection: Records the antimalware service health, suspicious activities, and remediation actions taken in the operating system event log and collects them into the customer's Azure storage account.

Azure SQL Database Threat Detection

Azure SQL Database Threat Detection is a new security intelligence feature built into the Azure SQL Database service. Working around the clock to learn, profile, and detect anomalous database activities, Azure SQL Database Threat Detection identifies potential threats to the database.

Security officers or other designated administrators can get an immediate notification about suspicious database activities as they occur. Each notification provides details of the suspicious activity and recommends how to further investigate and mitigate the threat.

Currently, Azure SQL Database Threat Detection detects potential vulnerabilities and SQL injection attacks, and anomalous database access patterns.

Upon receiving a threat-detection email notification, users are able to navigate and view the relevant audit records through a deep link in the mail. The link opens an audit viewer or a preconfigured auditing Excel template that shows the relevant audit records around the time of the suspicious event, according to the following:

  • Audit storage for the database/server with the anomalous database activities.

  • Relevant audit storage table that was used at the time of the event to write the audit log.

  • Audit records of the hour immediately following the event occurrence.

  • Audit records with a similar event ID at the time of the event (optional for some detectors).

SQL Database threat detectors use one of the following detection methodologies:

  • Deterministic detection: Detects suspicious patterns (rules based) in the SQL client queries that match known attacks. This methodology has a high detection rate and a low false-positive rate, but limited coverage because it falls within the category of "atomic detections."

  • Behavioral detection: Detects anomalous activity, which is abnormal behavior in the database that was not seen during the most recent 30 days. Examples of SQL client anomalous activity can be a spike of failed logins or queries, a high volume of data being extracted, unusual canonical queries, or unfamiliar IP addresses used to access the database.

Application Gateway Web Application Firewall

Web Application Firewall (WAF) is a feature of Azure Application Gateway that provides protection to web applications that use an application gateway for standard application delivery control functions. Web Application Firewall does this by protecting them against most of the Open Web Application Security Project (OWASP) top 10 common web vulnerabilities.

Diagram of Application Gateway Web Application Firewall

Protections include:

  • SQL injection protection.

  • Cross-site scripting protection.

  • Common web attacks protection, such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion attacks.

  • Protection against HTTP protocol violations.

  • Protection against HTTP protocol anomalies, such as missing Host, User-Agent, and Accept headers.

  • Prevention against bots, crawlers, and scanners.

  • Detection of common application misconfigurations (for example, in Apache, IIS, and so on).

Configuring WAF at your application gateway provides the following benefits:

  • Protects your web application from web vulnerabilities and attacks without modification of the back-end code.

  • Protects multiple web applications at the same time behind an application gateway. An application gateway supports hosting up to 20 websites.

  • Monitors web applications against attacks by using real-time reports that are generated by application gateway WAF logs.

  • Helps meet compliance requirements. Certain compliance controls require all internet-facing endpoints to be protected by a WAF solution.

异常检测 API:使用 Azure 机器学习生成Anomaly Detection API: Built with Azure Machine Learning

异常情况检测 API 是有助于检测时序数据中的各种异常模式的 API。The Anomaly Detection API is an API that's useful for detecting a variety of anomalous patterns in your time series data. API 将异常分数分配给时序中的每个数据点,这些分数可用于生成警报、通过仪表板进行监视或与出票系统连接。The API assigns an anomaly score to each data point in the time series, which can be used for generating alerts, monitoring through dashboards, or connecting with your ticketing systems.

异常检测 API 可以检测时序数据中以下类型的异常:The Anomaly Detection API can detect the following types of anomalies on time series data:

  • Spikes and dips: When you're monitoring the number of login failures to a service or the number of checkouts in an e-commerce site, unusual spikes or dips could indicate security attacks or service disruptions.

  • Positive and negative trends: When you're monitoring memory usage in computing, shrinking free memory indicates a potential memory leak. For service queue length monitoring, a persistent upward trend might indicate an underlying software issue.

  • Level changes and changes in the dynamic range of values: Level changes in the latencies of a service after a service upgrade, or lower levels of exceptions after an upgrade, can be interesting to monitor.

The machine learning-based API enables:

  • Flexible and robust detection: The anomaly detection models allow users to configure sensitivity settings and detect anomalies in both seasonal and non-seasonal data sets. Users can adjust the anomaly detection model to make the detection API more or less sensitive according to their needs, that is, to detect more or less visible anomalies in data with and without seasonal patterns.

  • Scalable and timely detection: The traditional approach of monitoring against preset thresholds derived from experts' domain knowledge is costly and does not scale to millions of dynamically changing data sets. The anomaly detection models in this API are learned, and the models are tuned automatically from both historical and real-time data.

  • Proactive and actionable detection: Slow trend and level change detection can be applied for early anomaly detection. The early abnormal signals that are detected can be used to direct humans to investigate and act on the problem areas. In addition, root cause analysis models and alerting tools can be developed on top of this anomaly detection API service.
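As an added illustration (not the Anomaly Detection API's own code or scoring model), the following Python sketch assigns a per-point anomaly score to a constructed login-failure series, exposes a sensitivity knob, and separates a one-off spike from a sustained level change of the kind the list above distinguishes; all function names, window sizes, thresholds and sample data are assumptions.

```python
# Added illustration only: a hypothetical per-point anomaly scorer in the spirit of
# the Anomaly Detection API described above. The Azure service's own models differ;
# every function name, window size and threshold here is an assumption.
from statistics import median

# Constructed sample: hourly failed-login counts for one service, with a spike at index 9.
LOGIN_FAILURES = [3, 4, 2, 5, 3, 4, 3, 5, 4, 60, 4, 3, 5, 4, 2, 3, 4]
# Constructed sample: service queue length, shifting to a new level at index 7.
QUEUE_LENGTH = [10, 11, 9, 10, 12, 10, 11, 30, 31, 29, 32, 30, 31]


def anomaly_scores(series, window=7):
    """One score per data point: distance from the trailing-window median, in units
    of the median absolute deviation (MAD). A robust baseline keeps a single spike
    from inflating the baseline for the points that follow it (a mean/std would)."""
    scores = []
    for i, x in enumerate(series):
        history = series[max(0, i - window):i]
        if len(history) < 3:          # not enough history to judge this point
            scores.append(0.0)
            continue
        med = median(history)
        mad = median(abs(h - med) for h in history) or 1.0  # flat history: avoid /0
        scores.append(abs(x - med) / mad)
    return scores


def spikes_and_dips(series, sensitivity=1.0, window=7):
    """Indices whose score clears the alert threshold. Higher sensitivity lowers the
    threshold, mirroring the 'less or more sensitive' tuning the text describes."""
    threshold = 5.0 / sensitivity
    return [i for i, s in enumerate(anomaly_scores(series, window)) if s > threshold]


def level_change(series, window=5, ratio=2.0):
    """First index where every one of the next `window` values lies outside the
    previous window's range by more than ratio * that range: a sustained shift,
    not a one-off spike. Returns None when no such shift exists."""
    for i in range(window, len(series) - window + 1):
        before, after = series[i - window:i], series[i:i + window]
        spread = (max(before) - min(before)) or 1.0
        if min(after) > max(before) + ratio * spread:   # shift up
            return i
        if max(after) < min(before) - ratio * spread:   # shift down
            return i
    return None


if __name__ == "__main__":
    print("spike indices:", spikes_and_dips(LOGIN_FAILURES))              # [9]
    print("login-failure level change:", level_change(LOGIN_FAILURES))    # None
    print("queue level change at index:", level_change(QUEUE_LENGTH))     # 7
```

Note that the spike at index 9 does not raise the scores of the points after it, which is the property a per-point score needs before it is wired into alerting or a ticketing system.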

The anomaly detection API is an effective and efficient solution for a wide range of scenarios, such as service health and KPI monitoring, IoT, performance monitoring, and network traffic monitoring. Here are some popular scenarios where this API can be useful:

  • IT departments need tools to track events, error codes, usage logs, and performance (CPU, memory, and so on) in a timely manner.

  • Online commerce sites want to track customer activities, page views, clicks, and so on.

  • Utility companies want to track consumption of water, gas, electricity, and other resources.

  • Facility or building management services want to monitor temperature, moisture, traffic, and so on.

  • IoT/manufacturers want to use time series sensor data to monitor work flow, quality, and so on.

  • Service providers, such as call centers, need to monitor service demand trends, incident volume, wait queue length, and so on.

  • Business analytics groups want to monitor abnormal movement of business KPIs (such as sales volume, customer sentiment, or pricing) in real time.

Cloud App Security

Cloud App Security is a critical component of the Microsoft Cloud Security stack. It's a comprehensive solution that helps your organization take full advantage of cloud applications as you move to the cloud. It keeps you in control through improved visibility into activity, and it helps increase the protection of critical data across cloud applications.

With tools that help uncover shadow IT, assess risk, enforce policies, investigate activities, and stop threats, your organization can more safely move to the cloud while maintaining control of critical data.

Category: Description
Discover: Uncover shadow IT with Cloud App Security. Gain visibility by discovering apps, activities, users, data, and files in your cloud environment. Discover third-party apps that are connected to your cloud.
Investigate: Investigate your cloud apps by using cloud forensics tools to deep-dive into risky apps, specific users, and files in your network. Find patterns in the data collected from your cloud. Generate reports to monitor your cloud.
Control: Mitigate risk by setting policies and alerts to achieve maximum control over network cloud traffic. Use Cloud App Security to migrate your users to safe, sanctioned cloud app alternatives.
Protect: Use Cloud App Security to sanction or prohibit applications, enforce data loss prevention, control permissions and sharing, and generate custom reports and alerts.

Cloud App Security diagram

Cloud App Security integrates visibility with your cloud by:

  • Using Cloud Discovery to map and identify your cloud environment and the cloud apps your organization is using.

  • Sanctioning and prohibiting apps in your cloud.

  • Using easy-to-deploy app connectors that take advantage of provider APIs, for visibility and governance of the apps that you connect to.

  • Helping you maintain continuous control by setting, and then continually fine-tuning, policies.

After collecting data from these sources, Cloud App Security runs sophisticated analysis on it. It immediately alerts you to anomalous activities and gives you deep visibility into your cloud environment. You can configure a policy in Cloud App Security and use it to protect everything in your cloud environment.

Third-party Advanced Threat Detection capabilities through the Azure Marketplace

Web Application Firewall

Web Application Firewall inspects inbound web traffic and blocks SQL injection, cross-site scripting, malware uploads, application DDoS attacks, and other attacks targeted at your web applications. It also inspects the responses from the back-end web servers for data loss prevention (DLP). The integrated access control engine enables administrators to create granular access control policies for authentication, authorization, and accounting (AAA), which gives organizations strong authentication and user control.

Web Application Firewall provides the following benefits:

  • Detects and blocks SQL injection, cross-site scripting, malware uploads, application DDoS, and any other attacks against your application.

  • Authentication and access control.

  • Scans outbound traffic to detect sensitive data and can mask or block the information to prevent it from leaking out.

  • Accelerates the delivery of web application content by using capabilities such as caching, compression, and other traffic optimizations.

Next steps