
Connect data sources

Once you have enabled Azure Sentinel, the first thing you need to do is connect your data sources. Azure Sentinel comes with a number of connectors for Microsoft solutions, available out of the box and providing real-time integration, including the Microsoft 365 Defender (formerly Microsoft Threat Protection) solutions, Microsoft 365 sources (including Office 365), Azure AD, Microsoft Defender for Identity (formerly Azure ATP), Microsoft Cloud App Security, and more. In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. You can also use Common Event Format (CEF), Syslog, or a REST API to connect your data sources to Azure Sentinel.

  1. On the menu, select Data connectors. This page lists every connector that Azure Sentinel provides, together with its current status. Select the connector you want to connect, then select Open connector page.

    (Image: Data connectors gallery)

  2. On the connector page, make sure you have met all the prerequisites, then follow the instructions to connect the data to Azure Sentinel. It can take some time before logs start syncing with Azure Sentinel. After you connect, the Data received graph shows a summary of the data, and the page shows the connectivity status of each data type.

    (Image: Configure data connectors)

  3. Select the Next steps tab for a list of the out-of-the-box content (workbooks, queries, and analytics rules) that Azure Sentinel provides for that data type.

    (Image: Next steps for a connector)

Data connection methods

The following data connection methods are supported by Azure Sentinel:

Agent connection options

To connect an external appliance to Azure Sentinel, the agent must be deployed on a dedicated machine (a VM or an on-premises host) that relays communication between the appliance and Azure Sentinel. You can deploy the agent automatically or manually. Automatic deployment is only available if the dedicated machine is a new VM that you are creating in Azure.

(Image: CEF in Azure)

Alternatively, you can deploy the agent manually on an existing Azure VM, on a VM in another cloud, or on an on-premises machine.

(Image: CEF on-premises)

Map data types to Azure Sentinel connection options

| Data type | How to connect | Comments |
| --- | --- | --- |
| AWSCloudTrail | Connect AWS | |
| AzureActivity | Connect Azure Activity; Activity logs overview | |
| AuditLogs | Connect Azure AD | |
| SigninLogs | Connect Azure AD | |
| AzureFirewall | Azure Diagnostics | |
| InformationProtectionLogs_CL | Azure Information Protection reports; Connect Azure Information Protection | This usually uses the InformationProtectionEvents function in addition to the data type. For more information, see How to modify the reports and create custom queries. |
| AzureNetworkAnalytics_CL | Traffic analytics schema; Traffic analytics | |
| CommonSecurityLog | Connect CEF | |
| OfficeActivity | Connect Office 365 | |
| SecurityEvents | Connect Windows security events | For the Insecure Protocols workbooks, see Insecure protocols workbook setup. |
| Syslog | Connect Syslog | |
| Microsoft Web Application Firewall (WAF) - (AzureDiagnostics) | Connect Microsoft Web Application Firewall | |
| SymantecICDx_CL | Connect Symantec | |
| ThreatIntelligenceIndicator | Connect threat intelligence | |
| VMConnection; ServiceMapComputer_CL; ServiceMapProcess_CL | Azure Monitor service map; Azure Monitor VM insights onboarding; Enable Azure Monitor VM insights; Using Single VM On-boarding; Using On-boarding Via Policy | VM insights workbook |
| DnsEvents | Connect DNS | |
| W3CIISLog | Connect IIS logs | |
| WireData | Connect Wire Data | |
| WindowsFirewall | Connect Windows Firewall | |
| AADIP SecurityAlert | Connect Azure AD Identity Protection | |
| AATP SecurityAlert | Connect Microsoft Defender for Identity (formerly Azure ATP) | |
| ASC SecurityAlert | Connect Azure Defender alerts from Azure Security Center | |
| MCAS SecurityAlert | Connect Microsoft Cloud App Security | |
| SecurityAlert | | |
| Sysmon (Event) | Connect Sysmon; Connect Windows Events; Get the Sysmon Parser | Sysmon collection is not installed by default on virtual machines. For more information on how to install the Sysmon agent, see Sysmon. |
| ConfigurationData | Automate VM inventory | |
| ConfigurationChange | Automate VM tracking | |
| F5 BIG-IP | Connect F5 BIG-IP | |
| McasShadowItReporting | | |
| Barracuda_CL | Connect Barracuda | |
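The CEF connection method described under Agent connection options, and the CommonSecurityLog row in the table above, both depend on the appliance emitting well-formed CEF over syslog. The parser below is an added example (not code from the Azure Sentinel docs or from the Log Analytics agent) that shows what the collector has to do with such a line: strip the syslog prefix, split the seven pipe-delimited header fields while honouring CEF escaping (`\|`, `\=`, `\\`, `\n`), and turn the space-separated extension into key/value pairs whose values may themselves contain spaces. The column names it emits (DeviceVendor, SourceIP, DestinationPort, and so on) are my recollection of the CommonSecurityLog schema and should be treated as an assumption; the device names and log lines are constructed.

```python
"""Parse syslog-wrapped CEF lines into CommonSecurityLog-style records.

Added example, not code from the Azure Sentinel docs or the Log Analytics agent.
Column names are assumed from the CommonSecurityLog schema; sample input is constructed.
"""
import re
from typing import Dict, List, Tuple

# Names assumed for the seven CEF header fields (CefVersion is a local name, not a table column).
HEADER_COLUMNS = ("CefVersion", "DeviceVendor", "DeviceProduct", "DeviceVersion",
                  "DeviceEventClassID", "Activity", "LogSeverity")

# Common extension keys and the CommonSecurityLog columns they are assumed to map to;
# any key not listed here is kept under its raw CEF name.
EXT_TO_COLUMN = {"src": "SourceIP", "dst": "DestinationIP", "spt": "SourcePort",
                 "dpt": "DestinationPort", "proto": "Protocol", "act": "DeviceAction",
                 "msg": "Message", "suser": "SourceUserName"}

# Optional syslog PRI and RFC 3164 timestamp/hostname that precede "CEF:" on the wire.
_SYSLOG_PREFIX = re.compile(
    r"^(?:<\d{1,3}>)?(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+)?CEF:")

# An extension key starts at the beginning of the extension or after whitespace and is
# followed by an unescaped '='. Key characters exclude '\', so "a\=b" inside a value is not a key.
_EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z][\w.]*)=")


def _unescape(value: str) -> str:
    """Undo CEF escaping: backslash-escaped chars are literal, except \\n and \\r are newlines."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(body: str) -> Tuple[List[str], str]:
    """Split on unescaped '|' into the 7 header fields; return them plus the raw extension."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(body):
        if len(parts) == 7:                      # everything after the 7th pipe is the extension
            return parts, body[i:]
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):     # escaped character: keep it literally
            buf.append(body[i + 1])
            i += 2
        elif ch == "|":
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(parts) < 7:                           # line ended on the severity field, no extension
        parts.append("".join(buf))
    return parts, ""


def _parse_extension(ext: str) -> Dict[str, str]:
    """key=value pairs; a value runs up to the next key, so it may contain spaces."""
    fields: Dict[str, str] = {}
    keys = list(_EXT_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        column = EXT_TO_COLUMN.get(m.group(1), m.group(1))
        fields[column] = _unescape(ext[m.end():end].rstrip())
    return fields


def parse_cef(line: str) -> Dict[str, str]:
    """Return a CommonSecurityLog-style record, or raise ValueError for non-CEF input."""
    m = _SYSLOG_PREFIX.match(line)
    if not m:
        raise ValueError("no CEF header found: %r" % line[:40])
    header, ext = _split_header(line[m.end():])
    if len(header) != 7:
        raise ValueError("expected 7 header fields, got %d" % len(header))
    record = dict(zip(HEADER_COLUMNS, header))
    record.update(_parse_extension(ext))
    return record


def parse_lines(lines: List[str]) -> Tuple[List[Dict[str, str]], int]:
    """Parse a batch the way a collector would: keep good records, count rejected lines."""
    records, rejected = [], 0
    for line in lines:
        try:
            records.append(parse_cef(line.rstrip("\r\n")))
        except ValueError:
            rejected += 1
    return records, rejected


# Constructed sample input from fictional devices, as received on the agent's syslog listener.
SAMPLE_LINES = [
    "<134>Oct 11 22:14:15 fw01 CEF:0|Contoso|Firewall|1.0|TRAFFIC|deny|5|"
    "src=10.0.0.5 dst=203.0.113.7 spt=51234 dpt=445 proto=TCP act=deny",
    # escaped '|' in the product name and an escaped '=' inside a value
    "CEF:0|Contoso|Web\\|Proxy|2.3|100|URL blocked|7|suser=alice msg=blocked a\\=b page dst=198.51.100.9",
    "CEF:0|Contoso|IDS|4|200|Port scan|9",                   # header only, no extension
    "<13>Oct 11 22:14:16 fw01 plain syslog line, not CEF",  # rejected: not CEF
]

if __name__ == "__main__":
    recs, bad = parse_lines(SAMPLE_LINES)
    for r in recs:
        print(r["DeviceVendor"], r["DeviceProduct"], r["Activity"], r["LogSeverity"],
              r.get("SourceIP"), r.get("DestinationIP"))
    print("rejected lines:", bad)
```

When a CEF connector shows events in the Data received graph but fields such as SourceIP arrive empty, running the appliance's raw output through a parser like this is a quick way to tell whether the device is emitting malformed headers or unescaped `=` and `|` characters before you spend time on the agent side.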

Next steps