
Connect Windows security events

The Security Events connector lets you stream all security events from your Windows systems (servers and workstations, physical and virtual) to your Azure Sentinel workspace. This enables you to view Windows security events in your dashboards, to use them in creating custom alerts, and to rely on them to improve your investigations, giving you more insight into your organization's network and expanding your security operations capabilities. You can select which events to stream from among the following sets:

  • All events - All Windows security and AppLocker events.

  • Common - A standard set of events for auditing purposes. A full user audit trail is included in this set. For example, it contains both user sign-in and user sign-out events (event IDs 4624, 4634). There are also auditing actions such as security group changes, key domain controller Kerberos operations, and other types of events in line with accepted best practices.

    The Common event set may contain some types of events that aren't so common. This is because the main point of the Common set is to reduce the volume of events to a more manageable level, while still maintaining full audit trail capability.

  • Minimal - A small set of events that might indicate potential threats. This set does not contain a full audit trail. It covers only events that might indicate a successful breach, and other important events that have very low rates of occurrence. For example, it contains successful and failed user logons (event IDs 4624, 4625), but it doesn't contain sign-out information (4634) which, while important for auditing, is not meaningful for breach detection and has relatively high volume. Most of the data volume of this set is comprised of sign-in events and process creation events (event ID 4688).

  • None - No security or AppLocker events. (This setting is used to disable the connector.)

    The following list provides a complete breakdown of the Security and AppLocker event IDs for each set:

    Event set: Minimal
    Collected event IDs: 1102, 4624, 4625, 4657, 4663, 4688, 4700, 4702, 4719, 4720, 4722, 4723, 4724, 4727, 4728, 4732, 4735, 4737, 4739, 4740, 4754, 4755, 4756, 4767, 4799, 4825, 4946, 4948, 4956, 5024, 5033, 8001, 8002, 8003, 8004, 8005, 8006, 8007, 8222

    Event set: Common
    Collected event IDs: 1, 299, 300, 324, 340, 403, 404, 410, 411, 412, 413, 431, 500, 501, 1100, 1102, 1107, 1108, 4608, 4610, 4611, 4614, 4622, 4624, 4625, 4634, 4647, 4648, 4649, 4657, 4661, 4662, 4663, 4665, 4666, 4667, 4688, 4670, 4672, 4673, 4674, 4675, 4689, 4697, 4700, 4702, 4704, 4705, 4716, 4717, 4718, 4719, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4733, 4732, 4735, 4737, 4738, 4739, 4740, 4742, 4744, 4745, 4746, 4750, 4751, 4752, 4754, 4755, 4756, 4757, 4760, 4761, 4762, 4764, 4767, 4768, 4771, 4774, 4778, 4779, 4781, 4793, 4797, 4798, 4799, 4800, 4801, 4802, 4803, 4825, 4826, 4870, 4886, 4887, 4888, 4893, 4898, 4902, 4904, 4905, 4907, 4931, 4932, 4933, 4946, 4948, 4956, 4985, 5024, 5033, 5059, 5136, 5137, 5140, 5145, 5632, 6144, 6145, 6272, 6273, 6278, 6416, 6423, 6424, 8001, 8002, 8003, 8004, 8005, 8006, 8007, 8222, 26401, 30004

Note

Security Events collection within the context of a single workspace can be configured from either Azure Security Center or Azure Sentinel, but not both. If you are onboarding Azure Sentinel in a workspace that is already getting Azure Defender alerts from Azure Security Center, and is set to collect Security Events, you have two options:

  • Leave the Security Events collection in Azure Security Center as is. You will be able to query and analyze these events in Azure Sentinel as well as in Azure Defender. You will not, however, be able to monitor the connector's connectivity status or change its configuration in Azure Sentinel. If this is important to you, consider the second option.

  • Disable Security Events collection in Azure Security Center, and only then add the Security Events connector in Azure Sentinel. As with the first option, you will be able to query and analyze events in both Azure Sentinel and Azure Defender/ASC, but you will now be able to monitor the connector's connectivity status or change its configuration in, and only in, Azure Sentinel.

Set up the Windows Security Events connector

To collect your Windows security events in Azure Sentinel:

  1. From the Azure Sentinel navigation menu, select Data connectors. From the list of connectors, click on Security Events, and then on the Open connector page button on the lower right. Then follow the on-screen instructions under the Instructions tab, as described through the rest of this section.

  2. Verify that you have the appropriate permissions as described under the Prerequisites section on the connector page.

  3. Download and install the Log Analytics agent (also known as the Microsoft Monitoring Agent or MMA) on the machines for which you want to stream security events into Azure Sentinel.

    For Azure Virtual Machines:

    1. Click on Install agent on Azure Windows Virtual Machine, and then on the link that appears below.
    2. For each virtual machine that you want to connect, click on its name in the list that appears on the right, and then click Connect.

    For non-Azure Windows machines (physical, virtual on-prem, or virtual in another cloud):

    1. Click on Install agent on non-Azure Windows Machine, and then on the link that appears below.
    2. Click on the appropriate download links that appear on the right, under Windows Computers.
    3. Using the downloaded executable file, install the agent on the Windows systems of your choice, and configure it using the Workspace ID and Keys that appear below the download links mentioned above.

    Note

    To allow Windows systems without the necessary internet connectivity to still stream events to Azure Sentinel, download and install the OMS Gateway on a separate machine, using the link on the lower right, to act as a proxy. You will still need to install the Log Analytics agent on each Windows system whose events you want to collect.

    For more information on this scenario, see the Log Analytics gateway documentation.

    For additional installation options and further details, see the Log Analytics agent documentation.

  4. Select which event set (All, Common, or Minimal) you want to stream.

  5. Click Update.

  6. To use the relevant schema in Log Analytics for Windows security events, type SecurityEvent in the query window.

Validate connectivity

It may take around 20 minutes until your logs start to appear in Log Analytics.

Configure the Security events connector for anomalous RDP login detection

Important

Anomalous RDP login detection is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

Azure Sentinel can apply machine learning (ML) to Security events data to identify anomalous Remote Desktop Protocol (RDP) login activity. Scenarios include:

  • Unusual IP - the IP address has rarely or never been observed in the last 30 days

  • Unusual geo-location - the IP address, city, country, and ASN have rarely or never been observed in the last 30 days

  • New user - a new user logs in from an IP address and geo-location, both or either of which were not expected to be seen based on data from the 30 days prior.

Configuration instructions

  1. You must be collecting RDP login data (Event ID 4624) through the Security events data connector. Make sure you have selected an event set besides "None" to stream into Azure Sentinel.

  2. From the Azure Sentinel portal, click Analytics, and then click the Rule templates tab. Choose the (Preview) Anomalous RDP Login Detection rule, and move the Status slider to Enabled.

    Note

    As the machine learning algorithm requires 30 days' worth of data to build a baseline profile of user behavior, you must allow 30 days of Security events data to be collected before any incidents can be detected.
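As an added illustration (not Microsoft's implementation of the preview rule), the following Python script applies the three scenarios above as a plain 30-day baseline comparison over constructed SecurityEvent-like records. It assumes that LogonType 10 (RemoteInteractive) marks an RDP logon and, for simplicity, treats "rarely or never observed" as "never observed".

```python
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2021, 3, 1, 12, 0)  # constructed "current" time for the sample

def ev(days_ago, event_id, logon_type, account, ip, city, country, asn):
    # One constructed SecurityEvent-like record; not real telemetry.
    return {"Time": NOW - timedelta(days=days_ago), "EventID": event_id,
            "LogonType": logon_type, "Account": account, "IpAddress": ip,
            "Geo": (city, country, asn)}

# Constructed sample: a 30-day history, then three logons at NOW to evaluate.
SAMPLE_EVENTS = [
    ev(25, 4624, 10, "alice", "203.0.113.10", "Seattle", "US", 64496),
    ev(12, 4624, 10, "alice", "203.0.113.10", "Seattle", "US", 64496),
    ev(3, 4624, 2, "bob", "203.0.113.10", "Seattle", "US", 64496),   # console logon, not RDP
    ev(2, 4625, 10, "carol", "198.51.100.7", "Paris", "FR", 64497),  # failed logon, ignored
    ev(0, 4624, 10, "alice", "203.0.113.10", "Seattle", "US", 64496),
    ev(0, 4624, 10, "alice", "198.51.100.7", "Paris", "FR", 64497),
    ev(0, 4624, 10, "bob", "203.0.113.10", "Seattle", "US", 64496),
]
def rdp_logons(records):
    # Successful logons (4624) with LogonType 10 (RemoteInteractive), assumed to be RDP.
    return [r for r in records if r["EventID"] == 4624 and r["LogonType"] == 10]
def build_baseline(records, now, days=30):
    # Every IP, geo-location and per-account combination seen in the prior window.
    start = now - timedelta(days=days)
    seen = defaultdict(set)
    for r in rdp_logons(records):
        if start <= r["Time"] < now:
            seen["ips"].add(r["IpAddress"])
            seen["geos"].add(r["Geo"])
            seen["user_ips", r["Account"]].add(r["IpAddress"])
            seen["user_geos", r["Account"]].add(r["Geo"])
    return seen
def classify(r, seen):
    # Map one RDP logon to the scenario labels used in the article.
    findings = []
    if r["IpAddress"] not in seen["ips"]:
        findings.append("Unusual IP")
    if r["Geo"] not in seen["geos"]:
        findings.append("Unusual geo-location")
    if (r["IpAddress"] not in seen["user_ips", r["Account"]]
            or r["Geo"] not in seen["user_geos", r["Account"]]):
        findings.append("New user")  # account never seen with this IP or geo
    return findings
def run_detection(records, now):
    # Score every RDP logon at or after `now` against the 30 days before it.
    seen = build_baseline(records, now)
    return [(r["Account"], r["IpAddress"], classify(r, seen))
            for r in rdp_logons(records) if r["Time"] >= now]
```

The logon from a known IP and geo by a known account yields no finding, while the same account from a new IP and geo triggers all three scenarios and a never-seen account from a known IP triggers only "New user".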

Next steps

In this document, you learned how to connect Windows security events to Azure Sentinel. To learn more about Azure Sentinel, see the following articles: