
Connect data sources

To onboard Azure Sentinel, you first need to connect to your data sources. Azure Sentinel comes with a number of connectors for Microsoft solutions, available out of the box and providing real-time integration, including Microsoft Threat Protection solutions and Microsoft 365 sources such as Office 365, Azure AD, Azure ATP, and Microsoft Cloud App Security. In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. You can also use Common Event Format (CEF), Syslog, or a REST API to connect your data sources with Azure Sentinel.

  1. On the menu, select Data connectors. This page lets you see the full list of connectors that Azure Sentinel provides and their status. Select the connector you want to connect and select Open connector page.

    (Screenshot: Data connectors)

  2. On the specific connector page, make sure you have fulfilled all the prerequisites and follow the instructions to connect the data to Azure Sentinel. It may take some time for the logs to start syncing with Azure Sentinel. After you connect, you see a summary of the data in the Data received graph, and the connectivity status of the data types.

    (Screenshot: Connect a connector)

  3. Click the Next steps tab to get a list of out-of-the-box content Azure Sentinel provides for the specific data type.

    (Screenshot: Data connectors)

Data connection methods

The following data connection methods are supported by Azure Sentinel:

  • Microsoft services:
    Microsoft services are connected natively, leveraging the Azure foundation for out-of-the-box integration; the following solutions can be connected in a few clicks:

  • External solutions via API: Some data sources are connected using APIs that are provided by the connected data source. Typically, most security technologies provide a set of APIs through which event logs can be retrieved. The APIs connect to Azure Sentinel, gather specific data types, and send them to Azure Log Analytics. Appliances connected via API include:

  • External solutions via agent: Azure Sentinel can be connected, via an agent, to all other data sources that can perform real-time log streaming using the Syslog protocol.
    Most appliances use the Syslog protocol to send event messages that include the log itself and data about the log. The format of the logs varies, but most appliances support the Common Event Format (CEF) standard.
    The Azure Sentinel agent, which is based on the Log Analytics agent, converts CEF-formatted logs into a format that can be ingested by Log Analytics. Depending on the appliance type, the agent is installed either directly on the appliance or on a dedicated Linux server. The agent for Linux receives events from the Syslog daemon over UDP, but if a Linux machine is expected to collect a high volume of Syslog events, they are sent over TCP from the Syslog daemon to the agent and from there to Log Analytics.
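The conversion step described above is easier to reason about with a concrete parser in hand. The following is an added example, not the Log Analytics agent's or Azure Sentinel's own code: it splits CEF-over-Syslog lines into the seven mandatory header fields plus the key=value extension, honours CEF's backslash escaping (a literal pipe in a header field, a literal equals sign in a value), routes lines without a CEF payload aside the way they would land in the Syslog table rather than CommonSecurityLog, and projects the result onto CommonSecurityLog-style column names. The sample lines are constructed, not captured from a real appliance; the CEF-key-to-column mapping and the semicolon-joined AdditionalExtensions format are the author's own assumptions about the CommonSecurityLog schema and should be checked against your workspace.

```python
"""Parse CEF-over-Syslog lines into structured events (added example; not
the Azure Sentinel / Log Analytics agent's own code).

Assumptions: the syslog transport header is everything before the literal
"CEF:" marker; header fields escape '|' and '\\' with a backslash; extension
values escape '=' and '\\' with a backslash and use \\n / \\r for line breaks.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample lines, not captured from any real appliance.
SAMPLE_LINES = [
    "Dec 10 12:34:56 fw01 CEF:0|Contoso|PerimeterFW|4.2|100|Connection blocked|7|"
    "src=10.1.2.3 dst=203.0.113.5 spt=51234 dpt=445 proto=TCP act=block msg=Policy\\=deny-smb hit",
    "<134>1 2024-01-01T00:00:00Z host CEF:0|Contoso|Pipe\\|Product|1.0|200|Login failure|5|"
    "suser=jdoe outcome=failure cs1Label=Reason cs1=bad password",
    "Dec 10 12:35:00 fw01 sshd[1234]: plain syslog line without a CEF payload",
]

# A key is a run of identifier characters directly followed by '=', at the
# start of the extension or after whitespace. An escaped '\=' inside a value
# is preceded by a backslash, not by such a run, so it is never taken as a key.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

# Standard CEF extension keys and the CommonSecurityLog column each feeds.
# Column names are an assumption to verify against your workspace schema.
CEF_TO_COLUMN = {
    "src": "SourceIP", "dst": "DestinationIP", "spt": "SourcePort",
    "dpt": "DestinationPort", "proto": "Protocol", "act": "DeviceAction",
    "msg": "Message", "suser": "SourceUserName",
}


@dataclass
class CefEvent:
    syslog_prefix: str
    version: str
    device_vendor: str
    device_product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extension: Dict[str, str] = field(default_factory=dict)


def _split_header(text: str, limit: int) -> List[str]:
    """Split on at most `limit` unescaped '|' and unescape header fields.
    Once `limit` fields are collected the remainder (the extension) is
    returned raw, so its own escaping survives for parse_extension()."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(text):
        if len(parts) == limit:
            return parts + [text[i:]]
        c = text[i]
        if c == "\\" and i + 1 < len(text):  # '\|' or '\\' -> literal char
            buf.append(text[i + 1])
            i += 2
        elif c == "|":
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    parts.append("".join(buf))
    return parts


def _unescape_value(value: str) -> str:
    """Resolve '\=' , '\\', '\n' and '\r' inside an extension value."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_extension(ext: str) -> Dict[str, str]:
    """Turn 'k1=v1 k2=v two' into {'k1': 'v1', 'k2': 'v two'}; a value runs
    until the next key token, so unescaped spaces inside values are kept."""
    keys = list(_KEY_RE.finditer(ext))
    result: Dict[str, str] = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        result[m.group(1)] = _unescape_value(ext[m.end():end].strip())
    return result


def parse_cef_line(line: str) -> Optional[CefEvent]:
    """Return a CefEvent, or None when the line carries no CEF payload."""
    marker = line.find("CEF:")
    if marker < 0:
        return None
    header = _split_header(line[marker:], 7)
    if len(header) < 7:
        return None  # truncated header: fewer than the seven mandatory fields
    ext = header[7] if len(header) > 7 else ""
    return CefEvent(
        syslog_prefix=line[:marker].strip(), version=header[0][len("CEF:"):],
        device_vendor=header[1], device_product=header[2], device_version=header[3],
        signature_id=header[4], name=header[5], severity=header[6],
        extension=parse_extension(ext),
    )


def to_columns(event: CefEvent) -> Dict[str, str]:
    """Project an event onto CommonSecurityLog-style columns; keys without a
    dedicated column are joined as 'k=v;k=v' under AdditionalExtensions."""
    row = {"DeviceVendor": event.device_vendor, "DeviceProduct": event.device_product,
           "DeviceVersion": event.device_version, "DeviceEventClassID": event.signature_id,
           "Activity": event.name, "LogSeverity": event.severity}
    extra = []
    for key, value in event.extension.items():
        if key in CEF_TO_COLUMN:
            row[CEF_TO_COLUMN[key]] = value
        else:
            extra.append(f"{key}={value}")
    if extra:
        row["AdditionalExtensions"] = ";".join(extra)
    return row


def split_stream(lines: List[str]) -> Tuple[List[CefEvent], List[str]]:
    """Route lines as the agent must: CEF events vs. plain Syslog messages."""
    events: List[CefEvent] = []
    plain: List[str] = []
    for line in lines:
        event = parse_cef_line(line)
        if event is None:
            plain.append(line)
        else:
            events.append(event)
    return events, plain


if __name__ == "__main__":
    cef_events, syslog_lines = split_stream(SAMPLE_LINES)
    for ev in cef_events:
        print(to_columns(ev))
    print("plain syslog lines:", len(syslog_lines))
```

A useful check when onboarding a new appliance is to feed a few captured lines through a parser like this before pointing the appliance at the agent: if a product emits unescaped pipes in its header or unescaped equals signs in values, the fields will land in the wrong columns once ingested, and that is far easier to spot here than in a populated workspace.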

Agent connection options

To connect your external appliance to Azure Sentinel, the agent must be deployed on a dedicated machine (a VM or an on-premises host) to support the communication between the appliance and Azure Sentinel. You can deploy the agent automatically or manually. Automatic deployment is only available if your dedicated machine is a new VM you are creating in Azure.

(Diagram: CEF in Azure)

Alternatively, you can deploy the agent manually on an existing Azure VM, on a VM in another cloud, or on an on-premises machine.

(Diagram: CEF on-premises)

Map data types with Azure Sentinel connection options

| Data type | How to connect | Data connector? | Comments |
|---|---|---|---|
| AWSCloudTrail | Connect AWS | V | |
| AzureActivity | Connect Azure Activity and Activity logs overview | V | |
| AuditLogs | Connect Azure AD | V | |
| SigninLogs | Connect Azure AD | V | |
| AzureFirewall | Azure Diagnostics | V | |
| InformationProtectionLogs_CL | Azure Information Protection reports; Connect Azure Information Protection | V | This usually uses the InformationProtectionEvents function in addition to the data type. For more information, see How to modify the reports and create custom queries. |
| AzureNetworkAnalytics_CL | Traffic analytics schema; Traffic analytics | | |
| CommonSecurityLog | Connect CEF | V | |
| OfficeActivity | Connect Office 365 | V | |
| SecurityEvents | Connect Windows security events | V | For the Insecure Protocols workbooks, see Insecure protocols workbook setup. |
| Syslog | Connect Syslog | V | |
| Microsoft Web Application Firewall (WAF) - (AzureDiagnostics) | Connect Microsoft Web Application Firewall | V | |
| SymantecICDx_CL | Connect Symantec | V | |
| ThreatIntelligenceIndicator | Connect threat intelligence | V | |
| VMConnection; ServiceMapComputer_CL; ServiceMapProcess_CL | Azure Monitor service map; Azure Monitor VM insights onboarding; Enable Azure Monitor VM insights; Using Single VM On-boarding; Using On-boarding Via Policy | X | VM insights workbook |
| DnsEvents | Connect DNS | V | |
| W3CIISLog | Connect IIS logs | X | |
| WireData | Connect Wire Data | X | |
| WindowsFirewall | Connect Windows Firewall | V | |
| AADIP SecurityAlert | Connect Azure AD Identity Protection | V | |
| AATP SecurityAlert | Connect Azure ATP | V | |
| ASC SecurityAlert | Connect Azure Security Center | V | |
| MCAS SecurityAlert | Connect Microsoft Cloud App Security | V | |
| SecurityAlert | | | |
| Sysmon (Event) | Connect Sysmon; Connect Windows Events; Get the Sysmon Parser | X | Sysmon collection is not installed by default on virtual machines. For more information on how to install the Sysmon Agent, see Sysmon. |
| ConfigurationData | Automate VM inventory | X | |
| ConfigurationChange | Automate VM tracking | X | |
| F5 BIG-IP | Connect F5 BIG-IP | X | |
| McasShadowItReporting | | X | |
| Barracuda_CL | Connect Barracuda | V | |

Next steps