Tutorial: Respond to security incidents

Security Center continuously analyzes your hybrid cloud workloads using advanced analytics and threat intelligence to alert you to malicious activity. In addition, you can integrate alerts from other security products and services into Security Center, and create custom alerts based on your own indicators or intelligence sources. Once an alert is generated, swift action is needed to investigate and remediate. In this tutorial, you will learn how to:

  • Triage security alerts
  • Investigate further to determine the root cause and scope of a security incident
  • Search security data to aid in the investigation

If you don't have an Azure subscription, create a free account before you begin.

Prerequisites

To step through the features covered in this tutorial, you must be on Security Center's Standard pricing tier. You can try Security Center Standard at no cost. To learn more, see the pricing page. The quickstart Onboard your Azure subscription to Security Center Standard walks you through how to upgrade to Standard.

Triage security alerts

Security Center provides a unified view of all security alerts. Security alerts are ranked by severity, and where possible related alerts are combined into a single security incident. When triaging alerts and incidents, you should:

  • Dismiss alerts for which no additional action is required, for example an alert you have confirmed to be a false positive
  • Act to remediate known attacks, for example by blocking network traffic from a malicious IP address
  • Determine which alerts require further investigation

  1. On the Security Center main menu, under DETECTION, select Security alerts.


  2. In the list of alerts, click a security incident (a collection of related alerts) to learn more about it. Security incident detected opens.


  3. On this screen, the security incident description is shown at the top, followed by the list of alerts that are part of the incident. Click the alert you want to investigate further to obtain more information.


    The type of alert varies; read Understanding security alerts in Azure Security Center for details about each alert type and its potential remediation steps. For an alert that can safely be dismissed, right-click the alert and select Dismiss.


  4. If the root cause and scope of the malicious activity are unknown, proceed to the next section to investigate further.

Investigate an alert or incident

  1. On the Security alert page, click the Start investigation button (if an investigation has already been started, the button reads Continue investigation).


    The investigation map is a graphical representation of the entities connected to this security alert or incident. Clicking an entity in the map reveals the entities related to it, and the map expands. The properties of the selected entity are shown in the pane on the right side of the page; the information available on each tab varies with the type of entity selected. During the investigation, review all relevant information to better understand how the attacker moved between entities.

  2. If you need more evidence, or must further investigate entities found during the investigation, proceed to the next section.

Search data for investigation

You can use the search capabilities in Security Center to find more evidence of compromised systems, and more details about the entities that are part of the investigation.

To perform a search, open the Security Center dashboard, click Search in the left navigation pane, select the workspace that contains the entities you want to search for, type the search query, and click the search button.
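The triage rules above (rank by severity, fold related alerts on one resource into an incident, dismiss confirmed false positives) and the pivot that the search step performs can be exercised offline on a small alert set. The following Python is an added example written for this page; it is not Security Center code and does not call the Security Center or Log Analytics APIs. The alert records, alert names, host names and IP addresses are constructed to resemble the fields of a SecurityAlert record and are not taken from any real workspace.

```python
"""Triage Security Center-style alerts and pivot on an entity (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts. Field names are simplified stand-ins for the
# AlertName / AlertSeverity / CompromisedEntity / TimeGenerated / Entities
# fields of a SecurityAlert record; every value below is invented.
SAMPLE_ALERTS = [
    {"id": "A1", "name": "Suspicious SVCHOST process executed", "severity": "High",
     "entity": "vm-web-01", "time": "2018-08-15T10:02:00Z", "ips": ["203.0.113.7"]},
    {"id": "A2", "name": "Failed RDP brute force attack", "severity": "Medium",
     "entity": "vm-web-01", "time": "2018-08-15T09:40:00Z", "ips": ["203.0.113.7"]},
    {"id": "A3", "name": "Successful RDP brute force attack", "severity": "High",
     "entity": "vm-web-01", "time": "2018-08-15T09:55:00Z", "ips": ["203.0.113.7"]},
    {"id": "A4", "name": "Outbound traffic to malicious IP", "severity": "Medium",
     "entity": "vm-db-02", "time": "2018-08-15T10:30:00Z", "ips": ["203.0.113.7"]},
    {"id": "A5", "name": "Login from unusual location", "severity": "Low",
     "entity": "vm-db-02", "time": "2018-08-14T22:00:00Z", "ips": ["198.51.100.9"]},
    {"id": "A6", "name": "Failed RDP brute force attack", "severity": "Medium",
     "entity": "vm-bastion-01", "time": "2018-08-15T10:10:00Z", "ips": ["192.0.2.44"]},
]

# Hypothetical, previously verified false positive: admin logins arriving from
# the corporate VPN egress address trip the "unusual location" detection.
FALSE_POSITIVE_RULES = [
    {"name": "Login from unusual location", "ips": {"198.51.100.9"}},
]

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}


def _t(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def rank_alerts(alerts):
    """Highest severity first; newest first within the same severity."""
    return sorted(alerts, key=lambda a: (SEVERITY_RANK[a["severity"]], _t(a["time"])),
                  reverse=True)


def dismiss_known_false_positives(alerts, rules):
    """Split alerts into (kept, dismissed). A rule matches only when the alert
    name is identical and every source IP on the alert is in the rule's set,
    so a known-benign IP never suppresses an alert that also names a new one."""
    kept, dismissed = [], []
    for alert in alerts:
        is_fp = any(alert["name"] == r["name"] and set(alert["ips"]) <= r["ips"]
                    for r in rules)
        (dismissed if is_fp else kept).append(alert)
    return kept, dismissed


def group_into_incidents(alerts, window=timedelta(hours=1)):
    """Fold alerts on the same resource that occur within `window` of the
    previous alert into one incident; the incident takes the highest severity
    of its members. Returns incidents ordered by severity, highest first."""
    by_entity = defaultdict(list)
    for alert in alerts:
        by_entity[alert["entity"]].append(alert)

    incidents = []
    for entity, group in by_entity.items():
        group.sort(key=lambda a: _t(a["time"]))
        current = None
        for alert in group:
            if current and _t(alert["time"]) - _t(current["last"]) <= window:
                current["alerts"].append(alert["id"])
                current["last"] = alert["time"]
                if SEVERITY_RANK[alert["severity"]] > SEVERITY_RANK[current["severity"]]:
                    current["severity"] = alert["severity"]
            else:
                current = {"entity": entity, "alerts": [alert["id"]],
                           "severity": alert["severity"],
                           "first": alert["time"], "last": alert["time"]}
                incidents.append(current)
    return sorted(incidents, key=lambda i: SEVERITY_RANK[i["severity"]], reverse=True)


def search(alerts, needle):
    """Pivot on a host name or IP found in the investigation map: return the
    ids of every alert naming it, regardless of which incident it landed in.
    Searching the attacker IP here also surfaces vm-db-02, widening the scope."""
    return sorted(a["id"] for a in alerts
                  if needle == a["entity"] or needle in a["ips"])


if __name__ == "__main__":
    kept, dismissed = dismiss_known_false_positives(SAMPLE_ALERTS, FALSE_POSITIVE_RULES)
    for inc in group_into_incidents(kept):
        print(inc["severity"], inc["entity"], inc["alerts"])
    print("dismissed:", [a["id"] for a in dismissed])
    print("alerts naming 203.0.113.7:", search(SAMPLE_ALERTS, "203.0.113.7"))
```

The dismissal step returns the dismissed alerts rather than silently dropping them, so the decision stays auditable; and the pivot searches the full alert set, not just the kept ones, because a dismissed alert can still be evidence once the scope of an incident changes.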

Clean up resources

Other quickstarts and tutorials in this collection build upon this tutorial. If you plan to continue on to subsequent quickstarts and tutorials, keep running the Standard tier and keep automatic provisioning enabled. If you do not plan to continue, or wish to return to the Free tier:

  1. Return to the Security Center main menu and select Security policy.
  2. Select the subscription or policy that you want to return to Free. Security policy opens.
  3. Under POLICY COMPONENTS, select Pricing tier.
  4. Select Free to change the subscription from the Standard tier to the Free tier.
  5. Select Save.

If you wish to disable automatic provisioning:

  1. Return to the Security Center main menu and select Security policy.
  2. Select the subscription for which you wish to disable automatic provisioning.
  3. Under Security policy – Data Collection, select Off under Onboarding to disable automatic provisioning.
  4. Select Save.

Note

Disabling automatic provisioning does not remove the Microsoft Monitoring Agent from Azure VMs on which it has already been provisioned; remove the agent separately if you no longer want it. Disabling automatic provisioning limits security monitoring for your resources.

Next steps

In this tutorial, you learned about the Security Center features used when responding to a security incident, such as:

  • Security incidents, which aggregate the related alerts for a resource
  • The investigation map, a graphical representation of the entities connected to a security alert or incident
  • Search capabilities for finding more evidence of compromised systems

To learn more about Security Center's investigation feature, see: