Hybrid Security Monitoring using Azure Security Center and Azure Sentinel

This reference architecture illustrates how to use Azure Security Center and Azure Sentinel to monitor the security configuration and telemetry of on-premises and Azure operating system workloads. This includes Azure Stack.

Diagram: on-premises systems with the Microsoft Monitoring Agent deployed, and Azure virtual machines, sending data to Azure Security Center and Azure Sentinel.

Download a Visio file of this architecture.

Typical uses for this architecture include:

  • Best practices for integrating on-premises security and telemetry monitoring with Azure-based workloads
  • How to integrate Azure Security Center with Azure Stack
  • How to integrate Azure Security Center with Azure Sentinel

Architecture

The architecture consists of the following components:

  • Azure Security Center. This is an advanced, unified security-management platform that Microsoft offers to all Azure subscribers. Security Center is segmented as a cloud security posture management (CSPM) and cloud workload protection platform (CWPP). CWPP is defined by workload-centric security protection solutions, which are typically agent-based. Azure Security Center provides threat protection for Azure workloads, both on-premises and in other clouds, including Windows and Linux virtual machines (VMs), containers, databases, and Internet of Things (IoT). When activated, the Log Analytics agent deploys automatically into Azure Virtual Machines. For on-premises Windows and Linux servers and VMs, you can manually deploy the agent, use your organization's deployment tool, such as Microsoft Endpoint Protection Manager, or utilize scripted deployment methods. Security Center then begins assessing the security state of all your VMs, networks, applications, and data.
  • Azure Sentinel. A cloud-native Security Information and Event Management (SIEM) and security orchestration automated response (SOAR) solution that uses advanced AI and security analytics to help you detect, hunt, prevent, and respond to threats across your enterprise.
  • Azure Stack. A portfolio of products that extend Azure services and capabilities to your environment of choice, from the datacenter to edge locations and remote offices. Systems that you integrate with Azure Stack typically utilize racks of four to sixteen servers, built by trusted hardware partners and delivered straight to your datacenter.
  • Azure Monitor. Collects monitoring telemetry from a variety of on-premises and Azure sources. Management tools, such as those in Azure Security Center and Azure Automation, also push log data to Azure Monitor.
  • Log Analytics workspace. Azure Monitor stores log data in a Log Analytics workspace, which is a container that includes data and configuration information.
  • Log Analytics agent. The Log Analytics agent collects monitoring data from the guest operating system and VM workloads in Azure, other cloud providers, and on-premises. The Log Analytics agent supports proxy configuration and, typically in this scenario, a Microsoft Operations Management Suite (OMS) Gateway acts as the proxy.
  • On-premises network. This is the firewall configured to support HTTPS egress from defined systems.
  • On-premises Windows and Linux systems. Systems with the Log Analytics agent installed.
  • Azure Windows and Linux VMs. Systems on which the Azure Security Center monitoring agent is installed.

Recommendations

The following recommendations apply for most scenarios. Follow these recommendations unless you have a specific requirement that overrides them.

Azure Security Center upgrade

This reference architecture uses Azure Security Center to monitor on-premises systems, Azure VMs, Azure Monitor resources, and even VMs hosted by other cloud providers. To support that functionality, the Standard fee-based tier of Azure Security Center is needed. We recommend that you use the 30-day free trial to validate your requirements.

Details about Azure Security Center pricing can be found here.

Customized Log Analytics workspace

Azure Sentinel needs access to a Log Analytics workspace. In this scenario, you can't use the default ASC Log Analytics workspace with Azure Sentinel. You'll need to create a customized workspace. Data retention for a customized workspace is based on the workspace pricing tier, and you can find pricing models for Monitor Logs here.

Note

Azure Sentinel can run on workspaces in any general availability (GA) region of Log Analytics except the China and Germany (Sovereign) regions. Data that Azure Sentinel generates, such as incidents, bookmarks, and alert rules, which may contain some customer data sourced from these workspaces, is saved either in Europe (for Europe-based workspaces), in Australia (for Australia-based workspaces), or in the East US (for workspaces located in any other region).

Scalability considerations

The Log Analytics agent for Windows and Linux is designed to have very minimal impact on the performance of VMs or physical systems.

The Azure Security Center operational process won't interfere with your normal operational procedures. Instead, it passively monitors your deployments and provides recommendations based on the security policies you enable.

Manageability considerations

Azure Security Center roles

Security Center assesses your resources' configuration to identify security issues and vulnerabilities, and displays information related to a resource when you are assigned the role of owner, contributor, or reader for the subscription or resource group to which the resource belongs.

In addition to these roles, there are two specific Security Center roles:

  • Security Reader. A user that belongs to this role has read-only rights to Security Center. The user can observe recommendations, alerts, a security policy, and security states, but can't make changes.

  • Security Admin. A user that belongs to this role has the same rights as the Security Reader, and also can update security policies and dismiss alerts and recommendations. Typically, these are users that manage the workload.

  • The security roles, Security Reader and Security Admin, have access only in Security Center. The security roles don't have access to other Azure service areas, such as storage, web, mobile, or IoT.

Azure Sentinel subscription

  • To enable Azure Sentinel, you need contributor permissions to the subscription in which the Azure Sentinel workspace resides.
  • To use Azure Sentinel, you need contributor or reader permissions on the resource group to which the workspace belongs.
  • Azure Sentinel is a paid service. For more information, refer to Azure Sentinel pricing.

Security considerations

A security policy defines the set of controls that are recommended for resources within a specified subscription. In Azure Security Center, you define policies for your Azure subscriptions according to your company's security requirements and the type of applications or data sensitivity for each subscription.

The security policies that you enable in Azure Security Center drive security recommendations and monitoring. To learn more about security policies, refer to Strengthen your security policy with Azure Security Center. You can assign security policies in Azure Security Center only at the management group or subscription level.

Note

Part one of the reference architecture details how to enable Azure Security Center to monitor Azure resources, on-premises systems, and Azure Stack systems.

Deploy the solution

Create a Log Analytics workspace in the Azure portal

  1. Sign into the Azure portal as a user with Security Admin privileges.
  2. In the Azure portal, select All services. In the list of resources, enter Log Analytics. As you begin typing, the list filters based on your input. Select Log Analytics workspaces.
  3. Select Add on the Log Analytics page.
  4. Provide a name for the new Log Analytics workspace, such as ASC-SentinelWorkspace. This name must be globally unique across all Azure Monitor subscriptions.
  5. Select a subscription from the drop-down list if the default selection is not appropriate.
  6. For Resource Group, choose to use an existing resource group or create a new one.
  7. For Location, select an available geolocation.
  8. Select OK to complete the configuration. (Screenshot: new workspace created for the architecture)

Enable Security Center

While you're still signed into the Azure portal as a user with Security Admin privileges, select Security Center in the panel. Security Center - Overview opens:

(Screenshot: Security Center overview dashboard blade open)

Security Center automatically enables the Free tier for any of the Azure subscriptions not previously onboarded by you or another subscription user.

Upgrade to the Standard tier

Important

This reference architecture uses the 30-day free trial of the Security Center Standard tier.

  1. On the Security Center main menu, select Getting Started.
  2. Select the Upgrade Now button. Security Center lists your subscriptions and workspaces that are eligible for use in the Standard tier.
  3. You can select eligible workspaces and subscriptions to start your trial. Select the previously created workspace, ASC-SentinelWorkspace, from the drop-down menu.
  4. In the Security Center main menu, select Start trial.
  5. The Install Agents dialog box should display.
  6. Select the Install Agents button. The Security Center - Coverage blade displays, and you should observe your selected subscription in the Standard coverage tab. (Screenshot: Security Coverage blade showing your subscriptions)

You've now enabled automatic provisioning, and Security Center will install the Log Analytics agent for Windows (HealthService.exe) and the omsagent for Linux on all supported Azure VMs and any new ones that you create. You can turn off this policy and manage it manually, although we strongly recommend automatic provisioning.

To learn more about the specific Security Center features available in Windows and Linux, refer to Feature coverage for machines.

Enable Azure Security Center monitoring of on-premises Windows computers

  1. In the Azure portal on the Security Center - Overview blade, select the Get Started tab.
  2. Select Configure under Add new non-Azure computers. A list of your Log Analytics workspaces displays, and should include the ASC-SentinelWorkspace.
  3. Select this workspace. The Direct Agent blade opens with a link for downloading a Windows agent and keys for your workspace identification (ID) to use when you configure the agent.
  4. Select the Download Windows Agent link applicable to your computer processor type to download the setup file.
  5. To the right of Workspace ID, select Copy, and then paste the ID into Notepad.
  6. To the right of Primary Key, select Copy, and then paste the key into Notepad.

Install the Windows agent

To install the agent on the targeted computers, follow these steps.

  1. Copy the file to the target computer and then run Setup.
  2. On the Welcome page, select Next.
  3. On the License Terms page, read the license and then select I Agree.
  4. On the Destination Folder page, change or keep the default installation folder and then select Next.
  5. On the Agent Setup Options page, choose to connect the agent to Azure Log Analytics and then select Next.
  6. On the Azure Log Analytics page, paste the Workspace ID and Workspace Key (Primary Key) that you copied into Notepad in the previous procedure.
  7. If the computer should report to a Log Analytics workspace in the Azure Government cloud, select Azure US Government from the Azure Cloud drop-down list. If the computer needs to communicate through a proxy server to the Log Analytics service, select Advanced, and then provide the proxy server's URL and port number.
  8. After you provide the necessary configuration settings, select Next. (Screenshot: Log Analytics agent setup page for connecting the agent to an Azure Log Analytics workspace)
  9. On the Ready to Install page, review your choices and then select Install.
  10. On the Configuration completed successfully page, select Finish.

When complete, the Log Analytics agent appears in the Windows Control Panel, where you can review your configuration and verify that the agent is connected.

For further information about installing and configuring the agent, refer to Install Log Analytics agent on Windows computers.

The Log Analytics agent service collects event and performance data, and executes tasks and other workflows defined in a management pack. Security Center extends its cloud workload protection platform by integrating with Microsoft Defender Advanced Threat Protection (ATP) for Servers. Together, they provide comprehensive endpoint detection and response (EDR) capabilities.

For more information about Microsoft Defender ATP, refer to Onboard servers to the Microsoft Defender ATP service.

Enable Azure Security Center monitoring of on-premises Linux computers

  1. Return to the Getting Started tab as previously described.
  2. Select Configure under Add new non-Azure computers. A list of your Log Analytics workspaces displays. The list should include the ASC-SentinelWorkspace that you created.
  3. On the Direct Agent blade under DOWNLOAD AND ONBOARD AGENT FOR LINUX, select Copy to copy the wget command.
  4. Open Notepad and then paste this command. Save this file to a location that you can access from your Linux computer.

Note

On Unix and Linux operating systems, wget is a tool for non-interactive file downloading from the web. It supports HTTPS, FTPS, and proxies.

The Linux agent uses the Linux Audit Daemon framework. Security Center integrates functionalities from this framework within the Log Analytics agent, which enables audit records to be collected, enriched, and aggregated into events by using the Log Analytics agent for Linux. Security Center continuously adds new analytics that use Linux signals to detect malicious behaviors on cloud and on-premises Linux machines.

For a list of the Linux alerts, refer to the Reference table of alerts.

Install the Linux agent

To install the agent on the targeted Linux computers, follow these steps:

  1. On your Linux computer, open the file that you previously saved. Select and copy the entire content, open a terminal console, and then paste the command.
  2. Once the installation finishes, you can validate that the omsagent is installed by running the pgrep command. The command will return the omsagent process identifier (PID). You can find the logs for the agent at /var/opt/microsoft/omsagent/<workspace id>/log/.

It can take up to 30 minutes for the new Linux computer to display in Security Center.

Enable Azure Security Center monitoring of Azure Stack VMs

After you onboard your Azure subscription, you can enable Security Center to protect your VMs running on Azure Stack by adding the Azure Monitor, Update and Configuration Management VM extension from the Azure Stack marketplace. To do this:

  1. Return to the Getting Started tab as previously described.
  2. Select Configure under Add new non-Azure computers. A list of your Log Analytics workspaces displays, and it should include the ASC-SentinelWorkspace that you created.
  3. On the Direct Agent blade there is a link for downloading the agent and keys for your workspace ID to use during agent configuration. You don't need to download the agent manually. It'll be installed as a VM extension in the following steps.
  4. To the right of Workspace ID, select Copy, and then paste the ID into Notepad.
  5. To the right of Primary Key, select Copy, and then paste the key into Notepad.

Enable ASC monitoring of Azure Stack VMs

Azure Security Center uses the Azure Monitor, Update and Configuration Management VM extension bundled with Azure Stack. To enable the Azure Monitor, Update and Configuration Management extension, follow these steps:

  1. In a new browser tab, sign into your Azure Stack portal.
  2. Go to the Virtual machines page, and then select the virtual machine that you want to protect with Security Center.
  3. Select Extensions. The list of VM extensions installed on this VM displays.
  4. Select the Add tab. The New Resource menu blade opens and displays the list of available VM extensions.
  5. Select the Azure Monitor, Update and Configuration Management extension and then select Create. The Install extension configuration blade opens.
  6. On the Install extension configuration blade, paste the Workspace ID and Workspace Key (Primary Key) that you copied into Notepad in the previous procedure.
  7. When you finish providing the necessary configuration settings, select OK.
  8. Once the extension installation completes, its status will display as Provisioning Succeeded. It might take up to one hour for the VM to appear in the Security Center portal.

For more information about installing and configuring the agent for Windows, refer to Install the agent using setup wizard.

For troubleshooting issues with the Linux agent, refer to How to troubleshoot issues with the Log Analytics agent for Linux.

Now you can monitor your Azure VMs and non-Azure computers in one place. Azure Compute provides you with an overview of all VMs and computers along with recommendations. Each column represents one set of recommendations, and the color represents the VMs or computers and the current security state for that recommendation. Security Center also provides any detections for these computers in security alerts. (Screenshot: ASC list of systems monitored on the Compute blade)

There are two types of icons represented on the Compute blade:

Non-Azure computer: a purple computer icon, representing a non-Azure monitored computer.

Azure computer: a blue terminal icon, representing an Azure-monitored computer.

Note

Part two of the reference architecture will connect alerts from Azure Security Center and stream them into Azure Sentinel.

The role of Azure Sentinel is to ingest data from different data sources and perform data correlation across these data sources. Azure Sentinel leverages machine learning and AI to make threat hunting, alert detection, and threat response smarter.

To onboard Azure Sentinel, you need to enable it, and then connect your data sources. Azure Sentinel comes with a number of connectors for Microsoft solutions, which are available out of the box and provide real-time integration, including Microsoft Security Center, Microsoft Threat Protection solutions, Microsoft 365 sources (including Office 365), Azure Active Directory (Azure AD), Azure ATP, Microsoft Cloud App Security, and more. Additionally, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. You can also use Common Event Format, syslog, or the Representational State Transfer (REST) API to connect your data sources with Azure Sentinel.

Requirements for integrating Azure Sentinel with Azure Security Center

  1. A Microsoft Azure subscription
  2. A Log Analytics workspace that isn't the default workspace created when you enable Azure Security Center.
  3. Azure Security Center with the Security Center Standard tier enabled.

All three requirements should be in place if you worked through the previous section.

Global prerequisites

  • To enable Azure Sentinel, you need contributor permissions to the subscription in which the Azure Sentinel workspace resides.
  • To use Azure Sentinel, you need contributor or reader permissions on the resource group to which the workspace belongs.
  • You might need additional permissions to connect specific data sources. You don't need additional permissions to connect to ASC.
  • Azure Sentinel is a paid service. For more information, refer to Azure Sentinel pricing.

Enable Azure Sentinel

  1. Sign into the Azure portal with a user that has contributor rights for ASC-SentinelWorkspace.
  2. Search for and select Azure Sentinel. (Screenshot: searching for the term "Azure Sentinel" in the Azure portal)
  3. Select Add.
  4. On the Azure Sentinel blade, select ASC-SentinelWorkspace.
  5. In Azure Sentinel, select Data connectors from the navigation menu.
  6. From the data connectors gallery, select Azure Security Center, and select the Open connector page button. (Screenshot: Azure Sentinel showing the open connector page)
  7. Under Configuration, select Connect next to those subscriptions for which you want alerts to stream into Azure Sentinel. The Connect button will be available only if you have the required permissions and the ASC Standard tier subscription.
  8. You should now observe the Connection Status as Connecting. After connecting, it will switch to Connected.
  9. After confirming the connectivity, you can close the ASC Data Connector settings and refresh the page to observe alerts in Azure Sentinel. It might take some time for the logs to start syncing with Azure Sentinel. After you connect, you'll observe a data summary in the Data received graph and the connectivity status of the data types.
  10. You can select whether you want the alerts from Azure Security Center to automatically generate incidents in Azure Sentinel. Under Create incidents, select Enabled to turn on the default analytics rule that automatically creates incidents from alerts. You can then edit this rule under Analytics, in the Active rules tab.
  11. To use the relevant schema in Log Analytics for the Azure Security Center alerts, search for SecurityAlert.
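As an added example (not part of the original article), the following Log Analytics query over the SecurityAlert table summarizes the Security Center alerts that have streamed into the workspace during the last seven days and ranks them by severity; the ProductName filter value is an assumption and can be dropped if your connector reports a different product name.

```kusto
// Added example: Security Center alerts ingested into the Sentinel workspace.
// Assumption: ASC alerts carry ProductName == "Azure Security Center"; remove
// that filter if your tenant reports a different product name.
SecurityAlert
| where TimeGenerated > ago(7d)
| where ProductName == "Azure Security Center"
// Map severity strings to a numeric rank so that High sorts before Medium
// and Low (plain alphabetical ordering would not do that).
| extend SeverityRank = case(
    AlertSeverity == "High", 0,
    AlertSeverity == "Medium", 1,
    AlertSeverity == "Low", 2,
    3)
| summarize
    AlertCount = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    AffectedEntities = dcount(CompromisedEntity)
    by AlertName, AlertSeverity, SeverityRank
| order by SeverityRank asc, AlertCount desc
| project AlertSeverity, AlertName, AlertCount, AffectedEntities, FirstSeen, LastSeen
```

Run it from the Logs blade of ASC-SentinelWorkspace once the connector status shows Connected; an empty result set usually means the alerts have not finished syncing yet.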

One advantage of using Azure Sentinel as your SIEM is that it provides data correlation across multiple sources, which gives you end-to-end visibility of your organization's security-related events.

Note

To learn how to increase visibility in your data and identify potential threats, refer to Azure playbooks on TechNet Gallery, which has a collection of resources including a lab in which you can simulate attacks. You should not use this lab in a production environment.

To learn more about Azure Sentinel, refer to the following articles:

Cost considerations

References

Azure Monitor

Azure Security Center

Azure Sentinel

Azure Stack