Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux

Applies to:

This article provides some general steps to mitigate missing events or alerts in the security center portal.

Once Microsoft Defender for Endpoint has been installed properly on a device, a device page is generated in the portal. You can review all recorded events in the timeline tab of the device page, or in the advanced hunting page. This section troubleshoots the case where some or all expected events are missing, for instance when all CreatedFile events are missing.

Missing network and login events

Microsoft Defender for Endpoint uses the Linux audit framework (auditd) to track network and login activity.

  1. Make sure the audit framework is working.

    service auditd status
    

    Expected output:

    ● auditd.service - Security Auditing Service
    Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
    Active: active (running) since Mon 2020-12-21 10:48:02 IST; 2 weeks 0 days ago
        Docs: man:auditd(8)
            https://github.com/linux-audit/audit-documentation
    Process: 16689 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
    Process: 16665 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
    Main PID: 16666 (auditd)
        Tasks: 25
    CGroup: /system.slice/auditd.service
            ├─16666 /sbin/auditd
            ├─16668 /sbin/audispd
            ├─16670 /usr/sbin/sedispatch
            └─16671 /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin -d
    
  2. If auditd is marked as stopped, start it.

    service auditd start
    

On SLES systems, SYSCALL auditing in auditd might be disabled by default, which can account for missing events.

  1. To validate that SYSCALL auditing is not disabled, list the current audit rules:

    sudo auditctl -l
    

    If the following line is present, remove it or edit it to allow Microsoft Defender for Endpoint to track specific SYSCALLs.

    -a task, never
    

    Audit rules are located at /etc/audit/rules.d/audit.rules.
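The auditd and SYSCALL checks above, written as shell functions that run over captured command output. This is an added example, not code from the Microsoft docs page: the sample output and rule lines are constructed for an offline run, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the docs page): the troubleshooting checks above as
# functions over captured text, so they can be exercised without auditd present.
# On a real device, feed in the output of `service auditd status` and `auditctl -l`.

# 0 = auditd running with the Defender plugin attached; 1 = not running;
# 2 = running but /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin is absent.
check_auditd_status() {
    printf '%s\n' "$1" | grep -q 'Active: active (running)' || {
        echo 'auditd is not running; start it with: service auditd start'; return 1; }
    printf '%s\n' "$1" | grep -q 'mdatp_audisp_plugin' || {
        echo 'mdatp_audisp_plugin is not attached to auditd; network/login events cannot reach Defender'; return 2; }
    # Caveat: a failed "augenrules --load" (as in the expected output above) means
    # rules in /etc/audit/rules.d/ were not loaded; trust `auditctl -l`, not the file.
    printf '%s\n' "$1" | grep -q 'augenrules --load (code=exited, status=1/FAILURE)' &&
        echo 'warning: augenrules --load failed; verify loaded rules with auditctl -l'
    return 0
}

# 0 = SYSCALL auditing enabled; 1 = a rule disables it. Rules files write the rule
# as "-a task,never" (shown above as "-a task, never"), while `auditctl -l` prints
# it as "-a never,task", so both orders and optional spacing are matched.
check_syscall_auditing() {
    if printf '%s\n' "$1" | grep -Eq '^-a[[:space:]]+(task,[[:space:]]*never|never,[[:space:]]*task)'; then
        echo 'SYSCALL auditing is disabled by a task/never rule; remove it from /etc/audit/rules.d/audit.rules'
        return 1
    fi
    return 0
}

# Live run (root needed for auditctl); not exercised by the constructed samples.
run_live_checks() {
    check_auditd_status "$(service auditd status 2>&1)" &&
        check_syscall_auditing "$(auditctl -l 2>&1)"
}

# Constructed samples mirroring the expected output shown above.
SAMPLE_STATUS_OK='● auditd.service - Security Auditing Service
   Active: active (running) since Mon 2020-12-21 10:48:02 IST; 2 weeks 0 days ago
   Process: 16689 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
   CGroup: /system.slice/auditd.service
           ├─16666 /sbin/auditd
           └─16671 /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin -d'
SAMPLE_STATUS_STOPPED='● auditd.service - Security Auditing Service
   Active: inactive (dead)'
SAMPLE_RULES_OK='-w /etc/passwd -p wa -k identity'
SAMPLE_RULES_DISABLED='-a never,task'
```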

Missing file events

File events are collected with the fanotify framework. If some or all file events are missing, make sure fanotify is enabled on the device and that the file system is supported.

List the filesystems on the machine with:

df -Th