
Connect data from Azure DDoS Protection

Distributed denial of service (DDoS) attacks attempt to exhaust an application's resources, making the application unavailable to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet. Azure DDoS Protection, combined with application design best practices, provides a robust defense against DDoS attacks. You can connect Azure DDoS Protection logs to Azure Sentinel, enabling you to view log data in workbooks, use it to create custom alerts, and incorporate it to improve your investigations.

Prerequisites

Connect to Azure DDoS Protection

  1. From the Azure Sentinel navigation menu, select Data connectors.

  2. Select Azure DDoS Protection from the data connectors gallery, and then select Open connector page on the preview pane.

  3. Enable diagnostic logs on all the public IP addresses whose logs you wish to connect:

    1. Select the Open Diagnostics settings > link, and choose a Public IP Address resource from the list.

    2. Select + Add diagnostic setting.

    3. In the Diagnostics settings screen:

      • Enter a name in the Diagnostic setting name field.

      • Mark the Send to Log Analytics check box. Two new fields will be displayed below it. Choose the relevant Subscription and Log Analytics Workspace (the one where Azure Sentinel resides).

      • Mark the check boxes of the log categories whose logs you want to ingest. We recommend DDoSProtectionNotifications, DDoSMitigationFlowLogs, and DDoSMitigationReports.

    4. Click Save at the top of the screen. Repeat this process for any additional firewalls (public IP addresses) for which you have enabled DDoS protection.

  4. To use the relevant schema in Log Analytics for Azure DDoS Protection alerts, search for AzureDiagnostics.

Note

With this particular data connector, the connectivity status indicators (a color stripe in the data connectors gallery and connection icons next to the data type names) will show as connected (green) only if data has been ingested at some point in the past two weeks. Once two weeks have passed with no data ingestion, the connector will show as disconnected. The moment more data comes through, the connected status will return.
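The following Python script is an added example (not code from this article or from Microsoft) that shows what a practitioner does with the ingested data once step 4 and the note above apply: it triages constructed AzureDiagnostics-style rows from the three recommended categories, raises a custom alert for every public IP whose DDoS mitigation has started but not stopped, reports which recommended categories are not yet sending data, and computes the two-week connected/disconnected status the note describes. The sample rows, the resource IDs and IP addresses in them, and the flattened column names `type_s` and `publicIpAddress_s` are assumptions for this example rather than values taken from the page; the category names are the ones the article recommends.

```python
"""Triage constructed Azure DDoS Protection rows as exported from the
AzureDiagnostics table and compute the connector's two-week health state."""
from datetime import datetime, timedelta, timezone

# Diagnostic log categories the article recommends enabling.
RECOMMENDED_CATEGORIES = frozenset({
    "DDoSProtectionNotifications",
    "DDoSMitigationFlowLogs",
    "DDoSMitigationReports",
})
NOTIFICATION_CATEGORY = "DDoSProtectionNotifications"
# The connector shows "connected" only if data arrived in the past two weeks.
CONNECTED_WINDOW = timedelta(days=14)

# Constructed sample rows (not real telemetry). "type_s" and "publicIpAddress_s"
# are assumed column names for this example; the IPs are TEST-NET addresses.
EXAMPLE_RESOURCE = ("/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/"
                    "RG-EXAMPLE/PROVIDERS/MICROSOFT.NETWORK/PUBLICIPADDRESSES/PIP-EXAMPLE")
SAMPLE_ROWS = [
    {"TimeGenerated": "2024-05-01T10:00:00Z", "Category": NOTIFICATION_CATEGORY,
     "ResourceId": EXAMPLE_RESOURCE, "type_s": "MitigationStarted",
     "publicIpAddress_s": "203.0.113.10"},
    {"TimeGenerated": "2024-05-01T10:01:00Z", "Category": "DDoSMitigationFlowLogs",
     "ResourceId": EXAMPLE_RESOURCE},
    {"TimeGenerated": "2024-05-01T10:30:00Z", "Category": NOTIFICATION_CATEGORY,
     "ResourceId": EXAMPLE_RESOURCE, "type_s": "MitigationStopped",
     "publicIpAddress_s": "203.0.113.10"},
    {"TimeGenerated": "2024-05-02T08:00:00Z", "Category": NOTIFICATION_CATEGORY,
     "ResourceId": EXAMPLE_RESOURCE, "type_s": "MitigationStarted",
     "publicIpAddress_s": "203.0.113.20"},
]


def parse_time(value):
    """Parse the ISO-8601 'Z' timestamps Log Analytics exports as aware UTC datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def mitigation_events(rows):
    """Return notification rows as (time, public_ip, event_type) tuples, oldest first."""
    events = [
        (parse_time(r["TimeGenerated"]), r["publicIpAddress_s"], r["type_s"])
        for r in rows if r.get("Category") == NOTIFICATION_CATEGORY
    ]
    return sorted(events)


def open_mitigations(rows):
    """Map each public IP currently under mitigation to the time mitigation started.
    A MitigationStopped event closes the latest MitigationStarted for that IP."""
    active = {}
    for when, ip, kind in mitigation_events(rows):
        if kind == "MitigationStarted":
            active[ip] = when
        elif kind == "MitigationStopped":
            active.pop(ip, None)
    return active


def build_alerts(rows):
    """One custom-alert record per public IP whose mitigation is still in progress."""
    return [
        {"severity": "High", "public_ip": ip, "started": when.isoformat(),
         "title": f"DDoS mitigation in progress for {ip}"}
        for ip, when in sorted(open_mitigations(rows).items())
    ]


def missing_recommended_categories(rows):
    """Recommended categories that have not produced a single row yet."""
    return RECOMMENDED_CATEGORIES - {r.get("Category") for r in rows}


def connector_status(rows, now):
    """'connected' if any row was ingested within the past two weeks, else 'disconnected'."""
    if not rows:
        return "disconnected"
    latest = max(parse_time(r["TimeGenerated"]) for r in rows)
    return "connected" if now - latest <= CONNECTED_WINDOW else "disconnected"


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_ROWS):
        print(alert)
    print("categories without data:", sorted(missing_recommended_categories(SAMPLE_ROWS)))
    print("status:", connector_status(SAMPLE_ROWS, datetime.now(timezone.utc)))
```

With the constructed rows, only 203.0.113.20 is still under mitigation, DDoSMitigationReports has sent nothing (a sign that check box was missed in step 3), and the status flips to disconnected once the newest row is older than fourteen days. A real deployment would feed the same functions from a Log Analytics query over AzureDiagnostics rather than from the inline sample.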

Next steps

In this document, you learned how to connect Azure DDoS Protection logs to Azure Sentinel. To learn more about Azure Sentinel, see the following articles: