Azure security baseline for Azure Traffic Manager

The Azure Security Baseline for Azure Traffic Manager contains recommendations that will help you improve the security posture of your deployment. The baseline for this service is drawn from the Azure Security Benchmark version 1.0, which provides recommendations on how you can secure your cloud solutions on Azure with our best practices guidance. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Azure Traffic Manager. Controls not applicable to Azure Traffic Manager have been excluded.

To see how Azure Traffic Manager completely maps to the Azure Security Benchmark, see the full Azure Traffic Manager security baseline mapping file.

Logging and monitoring

For more information, see the Azure Security Benchmark: Logging and monitoring.

2.2: Configure central security log management

Guidance: The Activity log is an Azure platform log that provides insight into subscription-level events. Send the logs to a Log Analytics workspace, Azure event hub, or Azure storage account for archive. Activity logs provide insight into the operations that were performed on your Azure Traffic Manager resources at the control plane level. Using Azure Activity Log data, you can determine the "what, who, and when" for any write operations (PUT, POST, DELETE) performed at the control plane level for your Traffic Manager profiles.

Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. Alternatively, you can enable and on-board data to Azure Sentinel or a third-party SIEM.

Azure Security Center monitoring: Yes

Responsibility: Customer

2.3: Enable audit logging for Azure resources

Guidance: Enable resource logging within Traffic Manager. These are diagnostic resource logs and access log data for a Traffic Manager profile. Additionally, Traffic Manager provides certain metrics on a per-profile basis.

Enable diagnostic settings within Azure Monitor for access to audit, security, and diagnostic logs. Activity logs, which are automatically available, include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

Azure Security Center monitoring: Yes

Responsibility: Customer

2.5: Configure security log storage retention

Guidance: In Azure Monitor, set your Log Analytics workspace retention period according to your organization's compliance regulations. Use Azure Storage accounts for long-term and archival storage.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.6: Monitor and review logs

Guidance: Analyze and monitor logs for anomalous behavior and regularly review the results. Use Azure Monitor and a Log Analytics workspace to review logs and perform queries on log data.

Alternatively, you can enable and on-board data to Azure Sentinel or a third-party SIEM.

Azure Security Center monitoring: Yes

Responsibility: Customer

2.7: Enable alerts for anomalous activities

Guidance: In addition to processing and displaying metrics from Traffic Manager, Azure Monitor enables customers to configure and receive alerts associated with these metrics. You can choose what conditions need to be met in these metrics for an alert to occur, how often those conditions need to be monitored, and how the alerts should be sent to you.

Use Azure Security Center with a Log Analytics workspace for monitoring and alerting on anomalous activity found in security logs and events.

Alternatively, you can enable and on-board data to Azure Sentinel.

Azure Security Center monitoring: Yes

Responsibility: Customer

Identity and access control

For more information, see the Azure Security Benchmark: Identity and access control.

3.1: Maintain an inventory of administrative accounts

Guidance: Azure role-based access control (Azure RBAC) allows you to manage access to Azure resources through role assignments. You can assign these roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, or the Azure portal.

In Resource Manager, endpoints from any subscription can be added to Traffic Manager, as long as the person configuring the Traffic Manager profile has read access to the endpoint.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.3: Use dedicated administrative accounts

Guidance: Create standard operating procedures around the use of dedicated administrative accounts. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts.

Additionally, to help you keep track of dedicated administrative accounts, you can use recommendations from Azure Security Center or built-in Azure Policies, such as:

  • There should be more than one owner assigned to your subscription
  • Deprecated accounts with owner permissions should be removed from your subscription
  • External accounts with owner permissions should be removed from your subscription

You can also enable Just-In-Time access by using Azure AD Privileged Identity Management and Azure Resource Manager.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.4: Use single sign-on (SSO) with Azure Active Directory

Guidance: Azure Traffic Manager supports SSO authentication with Azure Active Directory. Reduce the number of identities and credentials users must manage by enabling SSO for the service with your organization's pre-existing identities.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.5: Use multi-factor authentication for all Azure Active Directory based access

Guidance: Enable Azure Active Directory Multi-Factor Authentication and follow Azure Security Center Identity and Access Management recommendations.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.6: Use dedicated machines (Privileged Access Workstations) for all administrative tasks

Guidance: Use a secure, Azure-managed workstation (also known as a Privileged Access Workstation, or PAW) for administrative tasks that require elevated privileges.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.7: Log and alert on suspicious activities from administrative accounts

Guidance: Use Azure Active Directory (Azure AD) Privileged Identity Management (PIM) for generation of logs and alerts when suspicious or unsafe activity occurs in the environment.

In addition, use Azure AD risk detection to view alerts and reports on risky user behavior.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.8: Manage Azure resources only from approved locations

Guidance: Use Azure AD named locations to allow access only from specific logical groupings of IP address ranges or countries/regions.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.9: Use Azure Active Directory

Guidance: Use Azure Active Directory (Azure AD) as the central authentication and authorization system. Azure AD protects data by using strong encryption for data at rest and in transit. Azure AD also salts, hashes, and securely stores user credentials.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.10: Regularly review and reconcile user access

Guidance: Azure AD provides logs to help discover stale accounts. In addition, use Azure AD identity and access reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right users have continued access.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.11: Monitor attempts to access deactivated credentials

Guidance: You have access to Azure AD sign-in activity, audit, and risk event log sources, which allow you to integrate with any SIEM/monitoring tool.

You can streamline this process by creating diagnostic settings for Azure AD user accounts and sending the audit logs and sign-in logs to a Log Analytics workspace. You can configure the desired alerts within the Log Analytics workspace.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Data protection

For more information, see the Azure Security Benchmark: Data protection.

4.1: Maintain an inventory of sensitive information

Guidance: Use tags to assist in tracking Azure resources that store or process sensitive information.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.6: Use Azure RBAC to manage access to resources

Guidance: Azure role-based access control (Azure RBAC) allows you to manage access to Azure resources through role assignments. You can assign these roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, or the Azure portal.

In Resource Manager, endpoints from any subscription can be added to Traffic Manager, as long as the person configuring the Traffic Manager profile has read access to the endpoint.

Azure Traffic Manager has a predefined Azure role called "Traffic Manager Contributor", which can be assigned to users.
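The following is an added example, not Microsoft's code or part of this baseline, serving controls 3.1, 3.3 and 4.6 together: it inventories administrative role assignments (including "Traffic Manager Contributor") and checks the three Owner conditions listed under 3.3. It works on constructed records in the shape `az role assignment list --all -o json` returns (principalName, principalType, roleDefinitionName, scope) and never calls Azure. The set of roles treated as administrative, the subscription and profile IDs, and the list of deprecated principals are assumptions you would replace with your own data.

```python
"""Inventory administrative role assignments and flag the Owner conditions the
baseline names. Added example, not Microsoft's code; it works on constructed
records in the shape returned by `az role assignment list --all -o json`
(principalName, principalType, roleDefinitionName, scope) and does not call Azure."""
from collections import defaultdict

SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed ID
PROFILE = (SUBSCRIPTION + "/resourceGroups/rg-edge/providers/"
           "Microsoft.Network/trafficManagerProfiles/tm-prod")  # constructed ID

# Constructed sample assignments (simplified `az role assignment list` output).
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUBSCRIPTION},
    {"principalName": "bob_fabrikam.example#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Owner", "scope": SUBSCRIPTION},
    {"principalName": "dave@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUBSCRIPTION},
    {"principalName": "tm-deploy-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Traffic Manager Contributor", "scope": PROFILE},
    {"principalName": "carol@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": PROFILE},
]

# Roles treated as administrative for this inventory (assumption: adjust to your needs).
ADMIN_ROLES = {"Owner", "Contributor", "User Access Administrator",
               "Traffic Manager Contributor"}


def is_external(principal_name: str) -> bool:
    """Azure AD B2B guest user principal names carry the '#EXT#' marker."""
    return "#EXT#" in principal_name.upper()


def inventory_admin_accounts(assignments):
    """Map each administrative role to the sorted principals holding it, at any scope."""
    by_role = defaultdict(set)
    for a in assignments:
        if a["roleDefinitionName"] in ADMIN_ROLES:
            by_role[a["roleDefinitionName"]].add(a["principalName"])
    return {role: sorted(names) for role, names in by_role.items()}


def owner_findings(assignments, subscription_scope, deprecated_principals=frozenset()):
    """Findings matching the three Owner recommendations quoted under 3.3.

    deprecated_principals: names that Azure AD reports as disabled (assumption: you
    obtain this list separately; role assignments alone do not carry account state).
    """
    owners = [a for a in assignments
              if a["roleDefinitionName"] == "Owner" and a["scope"] == subscription_scope]
    findings = []
    if len(owners) < 2:
        findings.append("subscription has fewer than two Owners")
    for a in owners:
        name = a["principalName"]
        if name in deprecated_principals:
            findings.append(f"deprecated account with Owner permissions: {name}")
        if is_external(name):
            findings.append(f"external account with Owner permissions: {name}")
    return findings


if __name__ == "__main__":
    for role, names in inventory_admin_accounts(SAMPLE_ASSIGNMENTS).items():
        print(f"{role}: {', '.join(names)}")
    for finding in owner_findings(SAMPLE_ASSIGNMENTS, SUBSCRIPTION, {"dave@contoso.example"}):
        print("FINDING:", finding)
```

Run it against real output by replacing SAMPLE_ASSIGNMENTS with the parsed JSON from `az role assignment list --all -o json`; the "fewer than two Owners" check deliberately counts only assignments at the subscription scope, because an Owner inherited from a management group or scoped to one resource group does not satisfy the recommendation as stated.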

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.9: Log and alert on changes to critical Azure resources

Guidance: Use Azure Monitor with the Azure Activity Log to create alerts for when changes take place to Azure Traffic Manager as well as other critical or related resources.
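As an added example serving 2.2, 2.7 and this control (not Microsoft's code and not part of the baseline), the script below reads constructed Activity Log events in the Activity Log event schema (eventTimestamp, caller, operationName.value, resourceId, status.value, httpRequest.method and clientIpAddress), extracts the "what, who, and when" of write operations (PUT, POST, DELETE), and produces one alert per successful change to a Traffic Manager profile or its endpoints. The subscription, resource group and profile IDs and all events are constructed; the operation names follow the Microsoft.Network/trafficManagerProfiles pattern the Activity Log uses.

```python
"""Answer "what, who, when" for Traffic Manager control-plane changes and raise an
alert per change. Added example, not Microsoft's code: it reads constructed events
in the Activity Log event schema and calls no Azure API. Feed it exported
Activity Log JSON (a list of event objects) to use it on real data."""
from datetime import datetime

WRITE_METHODS = {"PUT", "POST", "DELETE"}
PROFILE_TYPE = "Microsoft.Network/trafficManagerProfiles"
# Constructed IDs used by the sample events.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-edge"
PROFILE_ID = RG + "/providers/" + PROFILE_TYPE + "/tm-prod"

# Constructed events (simplified Activity Log records; not real tenant data).
SAMPLE_EVENTS = [
    {"eventTimestamp": "2024-05-01T08:00:00Z", "caller": "alice@contoso.example",
     "operationName": {"value": PROFILE_TYPE + "/read"}, "resourceId": PROFILE_ID,
     "status": {"value": "Succeeded"},
     "httpRequest": {"method": "GET", "clientIpAddress": "203.0.113.10"}},
    {"eventTimestamp": "2024-05-01T08:05:00Z", "caller": "tm-deploy-sp",
     "operationName": {"value": PROFILE_TYPE + "/azureEndpoints/write"},
     "resourceId": PROFILE_ID + "/azureEndpoints/ep-eastus",
     "status": {"value": "Succeeded"},
     "httpRequest": {"method": "PUT", "clientIpAddress": "203.0.113.20"}},
    {"eventTimestamp": "2024-05-01T09:10:00Z", "caller": "bob@contoso.example",
     "operationName": {"value": PROFILE_TYPE + "/delete"}, "resourceId": PROFILE_ID,
     "status": {"value": "Failed"},
     "httpRequest": {"method": "DELETE", "clientIpAddress": "198.51.100.7"}},
    {"eventTimestamp": "2024-05-01T09:12:00Z", "caller": "bob@contoso.example",
     "operationName": {"value": PROFILE_TYPE + "/write"}, "resourceId": PROFILE_ID,
     "status": {"value": "Succeeded"},
     "httpRequest": {"method": "PUT", "clientIpAddress": "198.51.100.7"}},
    {"eventTimestamp": "2024-05-01T09:13:00Z", "caller": "bob@contoso.example",
     "operationName": {"value": "Microsoft.Network/dnsZones/write"},
     "resourceId": RG + "/providers/Microsoft.Network/dnsZones/contoso.example",
     "status": {"value": "Succeeded"},
     "httpRequest": {"method": "PUT", "clientIpAddress": "198.51.100.7"}},
]


def under_profile(resource_id: str, profile_id: str) -> bool:
    """True for the profile itself and its child resources (endpoints).

    The trailing '/' stops 'tm-prod' from matching a profile named 'tm-prod2'."""
    rid, pid = resource_id.lower(), profile_id.lower()
    return rid == pid or rid.startswith(pid + "/")


def write_operations(events, profile_id=None):
    """The "what, who, when" rows for write operations, oldest first.

    With profile_id set, only events on that profile or its endpoints are kept."""
    rows = []
    for e in events:
        if e["httpRequest"]["method"].upper() not in WRITE_METHODS:
            continue
        if profile_id and not under_profile(e["resourceId"], profile_id):
            continue
        rows.append({
            "when": datetime.fromisoformat(e["eventTimestamp"].replace("Z", "+00:00")),
            "who": e["caller"],
            "from": e["httpRequest"]["clientIpAddress"],
            "what": e["operationName"]["value"],
            "resource": e["resourceId"],
            "status": e["status"]["value"],
        })
    rows.sort(key=lambda r: r["when"])
    return rows


def change_alerts(events, profile_id):
    """One alert line per *successful* write on the profile or its endpoints.

    Failed attempts stay visible in write_operations() for review, but they did
    not change the resource, so they are not reported as changes here."""
    return [f"{r['when'].isoformat()} {r['who']} ({r['from']}) {r['what']} on {r['resource']}"
            for r in write_operations(events, profile_id) if r["status"] == "Succeeded"]


if __name__ == "__main__":
    for row in write_operations(SAMPLE_EVENTS):
        print(f"{row['when']:%Y-%m-%d %H:%M} {row['status']:9} {row['who']:22} {row['what']}")
    for alert in change_alerts(SAMPLE_EVENTS, PROFILE_ID):
        print("ALERT:", alert)
```

In a real tenant the caller of a service principal appears as its application ID rather than a friendly name, and the same filter (write method, resource ID under the profile, status Succeeded) is what you would express as the alert condition in an Azure Monitor activity log alert rule.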

Azure Security Center monitoring: Yes

Responsibility: Customer

Inventory and asset management

For more information, see the Azure Security Benchmark: Inventory and asset management.

6.1: Use automated asset discovery solution

Guidance: Use Azure Resource Graph to query for and discover all resources (such as compute, storage, network, ports, and protocols) in your subscriptions. Ensure appropriate (read) permissions in your tenant and enumerate all Azure subscriptions as well as resources in your subscriptions.

Although classic Azure resources may be discovered via Azure Resource Graph Explorer, it is highly recommended to create and use Azure Resource Manager resources going forward.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.2: Maintain asset metadata

Guidance: Use Policy Name, Description, and Category to logically organize assets according to a taxonomy.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.3: Delete unauthorized Azure resources

Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track Azure resources. Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.

In addition, use Azure Policy to put restrictions on the type of resources that can be created in customer subscriptions using the following built-in policy definitions:

  • Not allowed resource types
  • Allowed resource types

You can also create custom Azure Policy definitions to restrict more granular resource settings.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.4: Define and maintain an inventory of approved Azure resources

Guidance: Create an inventory of approved Azure resources and approved software for compute resources as per your organizational needs.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.5: Monitor for unapproved Azure resources

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in your subscriptions.

Use Azure Resource Graph to query for and discover resources within your subscriptions. Ensure that all Azure resources present in the environment are approved.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.9: Use only approved Azure services

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscriptions using the following built-in policy definitions:

  • Not allowed resource types
  • Allowed resource types

You can also create custom Azure Policy definitions to restrict more granular resource settings.

Azure Security Center monitoring: Yes

Responsibility: Customer

6.11: Limit users' ability to interact with Azure Resource Manager

Guidance: Configure Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Azure Management" app.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Secure configuration

For more information, see the Azure Security Benchmark: Secure configuration.

7.1: Establish secure configurations for all Azure resources

Guidance: Define and implement standard security configurations for Azure Traffic Manager with Azure Policy. Use Azure Policy aliases in the "Microsoft.Network" namespace to create custom policies to audit or enforce the configuration of your Recovery Services vaults.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.3: Maintain secure Azure resource configurations

Guidance: Use Azure Policy [deny] and [deploy if not exist] to enforce secure settings across your Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.7: Deploy configuration management tools for Azure resources

Guidance: Use built-in Azure Policy definitions as well as Azure Policy aliases in the "Microsoft.Network" namespace to create custom policies to alert, audit, and enforce system configurations. Additionally, develop a process and pipeline for managing policy exceptions.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.9: Implement automated configuration monitoring for Azure resources

Guidance: Use built-in Azure Policy definitions as well as Azure Policy aliases in the "Microsoft.Network" namespace to create custom policies to alert, audit, and enforce system configurations. Use Azure Policy [audit], [deny], and [deploy if not exist] to automatically enforce configurations for your Azure resources.
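The following added example (not Microsoft's code, not the Azure Policy engine, and not part of this baseline) shows the two kinds of policy rule that 6.3, 6.9, 7.1, 7.3, 7.7 and 7.9 rely on, and evaluates constructed resources against them locally so the effects can be seen without a subscription. Rule 1 has the shape of the built-in "Allowed resource types" policy (deny any resource whose type is not in a parameter list, here named listOfResourceTypesAllowed). Rule 2 is a custom audit rule on the "Microsoft.Network" namespace for Traffic Manager profiles whose health probe is not HTTPS; the alias Microsoft.Network/trafficManagerProfiles/monitorConfig.protocol is an assumption, so confirm alias names with `az provider show --namespace Microsoft.Network --expand resourceTypes/aliases` before using it in a real definition. The evaluator implements only the condition operators these two rules use, and the resources, names and parameter values are constructed.

```python
"""Local evaluation of two Azure Policy rules of the kind the baseline refers to.

Added example, not Microsoft's code and not the Azure Policy engine. The rules use
the real policyRule shape (if/then, field, equals/notEquals/in/notIn, not/allOf/
anyOf, [parameters('...')]); the alias used in PROBE_PROTOCOL_RULE is an assumption."""
import re

# Rule 1: shape of the built-in "Allowed resource types" policy (deny effect).
ALLOWED_TYPES_RULE = {
    "if": {"not": {"field": "type", "in": "[parameters('listOfResourceTypesAllowed')]"}},
    "then": {"effect": "deny"},
}
# Rule 2: custom audit rule for Traffic Manager profiles not probing over HTTPS.
# Alias name is an assumption; verify with `az provider show --expand resourceTypes/aliases`.
PROBE_PROTOCOL_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Network/trafficManagerProfiles"},
        {"field": "Microsoft.Network/trafficManagerProfiles/monitorConfig.protocol",
         "notEquals": "HTTPS"},
    ]},
    "then": {"effect": "audit"},
}
PARAMS = {"listOfResourceTypesAllowed": ["Microsoft.Network/trafficManagerProfiles",
                                         "Microsoft.Network/dnsZones"]}

# Constructed resources in ARM shape (name, type, properties); not real deployments.
SAMPLE_RESOURCES = [
    {"name": "tm-prod", "type": "Microsoft.Network/trafficManagerProfiles",
     "properties": {"monitorConfig": {"protocol": "HTTPS", "port": 443, "path": "/health"}}},
    {"name": "tm-legacy", "type": "Microsoft.Network/trafficManagerProfiles",
     "properties": {"monitorConfig": {"protocol": "HTTP", "port": 80, "path": "/"}}},
    {"name": "vm-test", "type": "Microsoft.Compute/virtualMachines", "properties": {}},
]

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve(value, params):
    """Replace a "[parameters('x')]" reference with the parameter's value."""
    m = PARAM_REF.match(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value


def field_value(resource, field):
    """Resolve 'type'/'name', or an alias '<type>/a.b.c' into properties.a.b.c.

    Simplification of real alias resolution: only dotted property paths, no [*] arrays."""
    if field in ("type", "name"):
        return resource.get(field)
    prefix = resource["type"] + "/"
    if not field.lower().startswith(prefix.lower()):
        return None  # alias belongs to a different resource type
    node = resource.get("properties", {})
    for part in field[len(prefix):].split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node


def norm(v):
    """Azure Policy compares strings case-insensitively."""
    return v.lower() if isinstance(v, str) else v


def holds(cond, resource, params):
    """Evaluate one policy condition (logical or field-based) against a resource."""
    if "not" in cond:
        return not holds(cond["not"], resource, params)
    if "allOf" in cond:
        return all(holds(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(holds(c, resource, params) for c in cond["anyOf"])
    actual = norm(field_value(resource, cond["field"]))
    if "equals" in cond:
        return actual == norm(resolve(cond["equals"], params))
    if "notEquals" in cond:
        return actual != norm(resolve(cond["notEquals"], params))
    if "in" in cond:
        return actual in {norm(x) for x in resolve(cond["in"], params)}
    if "notIn" in cond:
        return actual not in {norm(x) for x in resolve(cond["notIn"], params)}
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(rule, resource, params):
    """Return the rule's effect ('deny', 'audit', ...) when its 'if' matches, else None."""
    return rule["then"]["effect"] if holds(rule["if"], resource, params) else None


def evaluate_all(resources, rules, params):
    """(resource name, effect) for every rule that fires, in resource then rule order."""
    hits = []
    for r in resources:
        for rule in rules:
            effect = evaluate(rule, r, params)
            if effect:
                hits.append((r["name"], effect))
    return hits


if __name__ == "__main__":
    rules = [ALLOWED_TYPES_RULE, PROBE_PROTOCOL_RULE]
    for name, effect in evaluate_all(SAMPLE_RESOURCES, rules, PARAMS):
        print(f"{effect:5}  {name}")
```

The difference between the two effects is the point of 7.3 and 7.9: a deny rule stops the non-approved virtual machine from being created at all, while the audit rule lets the HTTP-probing profile exist but reports it as non-compliant, which is the safer first step when you are introducing a new standard configuration and still need an exception process (7.7).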

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Malware defense

For more information, see the Azure Security Benchmark: Malware defense.

8.2: Pre-scan files to be uploaded to non-compute Azure resources

Guidance: Azure Anti-malware is enabled on the underlying host that supports Azure services (for example, Azure Traffic Manager); however, it does not run on customer content.

It is your responsibility to pre-scan any content being uploaded to non-compute Azure resources. Azure cannot access customer data, and therefore cannot conduct anti-malware scans of customer content on your behalf.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Incident response

For more information, see the Azure Security Benchmark: Incident response.

10.1: Create an incident response guide

Guidance: Develop an incident response guide for your organization. Ensure there are written incident response plans that define all the roles of personnel as well as the phases of incident handling and management from detection to post-incident review.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.2: Create an incident scoring and prioritization procedure

Guidance: Azure Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, mark subscriptions using tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data. It's your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.3: Test security response procedures

Guidance: Conduct exercises to test your systems' incident response capabilities on a regular cadence to help protect your Azure resources. Identify weak points and gaps and then revise your response plan as needed.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.4: Provide security incident contact details and configure alert notifications for security incidents

Guidance: Security incident contact information will be used by Azure to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.5: Incorporate security alerts into your incident response system

Guidance: Export your Azure Security Center alerts and recommendations using the continuous export feature to help identify risks to Azure resources. Continuous export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You can use the Azure Security Center data connector to stream the alerts to Azure Sentinel.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.6: Automate the response to security alerts

Guidance: Use the workflow automation feature of Azure Security Center to automatically trigger responses to security alerts and recommendations to protect your Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Penetration tests and red team exercises

For more information, see the Azure Security Benchmark: Penetration tests and red team exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings

Guidance: Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Azure policies. Use Azure's strategy and execution of Red Teaming and live site penetration testing against Azure-managed cloud infrastructure, services, and applications.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Next steps