
Protect your endpoints with Security Center's integrated EDR solution: Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is a holistic, cloud-delivered endpoint security solution. Its main features are:

  • Risk-based vulnerability management and assessment
  • Attack surface reduction
  • Behavior-based and cloud-powered protection
  • Endpoint detection and response (EDR)
  • Automatic investigation and remediation
  • Managed hunting services

Tip

Originally launched as Windows Defender ATP, this Endpoint Detection and Response (EDR) product was renamed Microsoft Defender ATP in 2019.

At Ignite 2020, we launched the Microsoft Defender XDR suite, and this EDR component was renamed Microsoft Defender for Endpoint.

Availability

Release state: Generally available (GA)

Pricing: Requires Azure Defender for servers

Supported platforms:
  • Azure machines running Windows
  • Azure Arc machines running Windows

Supported versions of Windows for detection:
  • Windows Server 2019, 2016, 2012 R2, and 2008 R2 SP1
  • Windows Virtual Desktop (WVD)
  • Windows 10 Enterprise multi-session (formerly Enterprise for Virtual Desktops (EVD))

Unsupported operating systems:
  • Windows 10 (other than EVD or WVD)
  • Linux

Required roles and permissions:
  • To enable/disable the integration: Security admin or Owner
  • To view MDATP alerts in Security Center: Security reader, Reader, Resource Group Contributor, Resource Group Owner, Security admin, Subscription owner, or Subscription Contributor

Clouds:
  • Yes: Commercial clouds
  • Yes: US Gov
  • No: China Gov, Other Gov

Microsoft Defender for Endpoint features in Security Center

Microsoft Defender for Endpoint provides:

  • Advanced post-breach detection sensors. Defender for Endpoint's sensors for Windows machines collect a vast array of behavioral signals.

  • Analytics-based, cloud-powered, post-breach detection. Defender for Endpoint quickly adapts to changing threats. It uses advanced analytics and big data. It's amplified by the power of the Intelligent Security Graph, with signals across Windows, Azure, and Office, to detect unknown threats. It provides actionable alerts and enables you to respond quickly.

  • Threat intelligence. Defender for Endpoint generates alerts when it identifies attacker tools, techniques, and procedures. It uses data generated by Microsoft threat hunters and security teams, augmented by intelligence provided by partners.

By integrating Defender for Endpoint with Security Center, you'll benefit from the following additional capabilities:

  • Automated onboarding. Security Center automatically enables the Microsoft Defender for Endpoint sensor for all Windows servers monitored by Security Center.

  • Single pane of glass. The Security Center console displays Microsoft Defender for Endpoint alerts. To investigate further, use Microsoft Defender for Endpoint's own portal pages, where you'll see additional information such as the alert process tree and the incident graph. You can also see a detailed machine timeline that shows every behavior for a historical period of up to six months.

    [Image: Microsoft Defender for Endpoint within Security Center]

What are the requirements for the Microsoft Defender for Endpoint tenant?

When you use Azure Security Center to monitor your servers, a Microsoft Defender for Endpoint tenant is automatically created.

  • Location: Data collected by Defender for Endpoint is stored in the geo-location of the tenant as identified during provisioning. Customer data, in pseudonymized form, may also be stored in the central storage and processing systems in the United States. After you've configured the location, you can't change it. If you have your own license for Microsoft Defender for Endpoint and need to move your data to another location, contact Microsoft Support to reset the tenant.
  • Moving subscriptions: If you've moved your Azure subscription between Azure tenants, some manual preparatory steps are required before Security Center will deploy Defender for Endpoint. For full details, contact Microsoft support.

Enable the Microsoft Defender for Endpoint integration

Prerequisites

Confirm that your machine meets the necessary requirements for Defender for Endpoint:

  1. Ensure the machine is connected to Azure as required.

  2. Enable Azure Defender for servers. See Quickstart: Enable Azure Defender.

  3. If you've already licensed and deployed Microsoft Defender for Endpoint on your servers, remove it using the procedure described in Offboard Windows servers.

  4. If you've moved your subscription between Azure tenants, some manual preparatory steps are also required. For full details, contact Microsoft support.

Enable the integration

  1. From Security Center's menu, select Pricing & settings, then select the subscription you want to change.

  2. Select Threat detection.

  3. Select Allow Microsoft Defender for Endpoint to access my data, and select Save.

    [Image: Enabling the integration between Azure Security Center and Microsoft's EDR solution, Microsoft Defender for Endpoint]

    Azure Security Center will automatically onboard your servers to Microsoft Defender for Endpoint. Onboarding might take up to 24 hours.

Access the Microsoft Defender for Endpoint portal

  1. Ensure the user account has the necessary permissions. Learn more in Assign user access to Microsoft Defender Security Center.

  2. Check whether you have a proxy or firewall that is blocking anonymous traffic. The Defender for Endpoint sensor connects from the system context, so anonymous traffic must be permitted. To ensure unhindered access to the Defender for Endpoint portal, follow the instructions in Enable access to service URLs in the proxy server.

  3. Open the Microsoft Defender Security Center portal. Learn more about the portal's features and icons in Microsoft Defender Security Center portal overview.

Send a test alert

To generate a benign Microsoft Defender for Endpoint test alert:

  1. Create a folder 'C:\test-MDATP-test'.

  2. Use Remote Desktop to access your machine.

  3. Open a command-line window.

  4. At the prompt, copy and run the following command. The Command Prompt window will close automatically.

    powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe'); Start-Process 'C:\\test-MDATP-test\\invoice.exe'

    [Image: Command Prompt window showing the command used to generate the test alert]

  5. If the command is successful, you'll see a new alert on the Azure Security Center dashboard and in the Microsoft Defender for Endpoint portal. This alert might take a few minutes to appear.

  6. To review the alert in Security Center, go to Security alerts > Suspicious PowerShell CommandLine.

  7. From the investigation window, select the link to go to the Microsoft Defender for Endpoint portal.

    Tip

    The alert is triggered with Informational severity.
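The test command above is useful because it stacks several traits that the "Suspicious PowerShell CommandLine" alert keys on: a bypassed execution policy, a hidden window, a file download, and execution of the downloaded file from a user-writable folder. The following added example (not code from the original page or from Microsoft) shows a minimal scoring heuristic of that kind run over constructed process-creation records; the record format, field names and the threshold are assumptions for illustration, not the sensor's own logic.

```python
import re
from dataclasses import dataclass, field

# Indicators loosely modelled on the page's benign test command. Each is a
# weak signal on its own; the verdict requires several to fire together.
INDICATORS = {
    "execution_policy_bypass": re.compile(r"-ExecutionPolicy\s+Bypass", re.I),
    "hidden_window": re.compile(r"-WindowStyle\s+Hidden", re.I),
    "web_download": re.compile(r"DownloadFile\(|Invoke-WebRequest|\biwr\b", re.I),
    "exec_from_drive_path": re.compile(r"Start-Process\s+['\"]?[A-Z]:\\", re.I),
}
MIN_HITS = 3  # assumed threshold: this many indicators make a line suspicious


@dataclass
class Verdict:
    suspicious: bool
    matched: list = field(default_factory=list)


def score_command_line(cmdline: str) -> Verdict:
    """Return which indicators fire on a PowerShell command line."""
    if not re.search(r"\bpowershell(\.exe)?\b", cmdline, re.I):
        return Verdict(False)  # only PowerShell launches are scored here
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    return Verdict(len(hits) >= MIN_HITS, hits)


# Constructed sample records (not real telemetry): "<event> | <user> | <cmdline>".
# The first one is the page's own test command; the others are benign admin use.
SAMPLE_LOG = [
    "proc-create | test-user | powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe'); Start-Process 'C:\\test-MDATP-test\\invoice.exe'",
    "proc-create | svc-backup | powershell.exe -File C:\\Scripts\\nightly-backup.ps1",
    "proc-create | admin | powershell.exe -ExecutionPolicy Bypass -File .\\Install-Agent.ps1",
]


def scan(records):
    """Return a list of (user, Verdict) for each well-formed record."""
    results = []
    for line in records:
        parts = [p.strip() for p in line.split("|", 2)]
        if len(parts) != 3:
            continue  # skip malformed records rather than guessing
        _, user, cmdline = parts
        results.append((user, score_command_line(cmdline)))
    return results


if __name__ == "__main__":
    for user, verdict in scan(SAMPLE_LOG):
        print(f"{user:>10}: suspicious={verdict.suspicious} hits={verdict.matched}")
```

A single bypass flag on its own (the third record) is routine for scripted installs, which is why the verdict needs several indicators together rather than any one of them.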

FAQ for Security Center's integrated Microsoft Defender for Endpoint

What are the licensing requirements for Microsoft Defender for Endpoint?

Defender for Endpoint is included at no additional cost with Azure Defender for servers. Alternatively, it can be purchased separately for 50 machines or more.

If I already have a license for Microsoft Defender for Endpoint, can I get a discount for Azure Defender?

If you've already got a license for Microsoft Defender for Endpoint, you won't have to pay for that part of your Azure Defender license.

To confirm your discount, contact Security Center's support team and provide the relevant workspace ID, region, and license information for each relevant license.

How do I switch from a third-party EDR tool?

Full instructions for switching from a non-Microsoft endpoint solution are available in the Microsoft Defender for Endpoint documentation: Migration overview.

Next steps