Working with discovered apps

Applies to: Microsoft Cloud App Security

Important

Threat protection product names from Microsoft are changing. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

The Cloud Discovery dashboard is designed to give you more insight into how cloud apps are being used in your organization. It provides an at-a-glance overview of what kinds of apps are being used, your open alerts, and the risk levels of apps in your organization. It also shows you who your top app users are and provides an App Headquarters location map. The Cloud Discovery dashboard has many options for filtering the data. Filtering lets you generate specific views depending on what you're most interested in, using easy-to-understand graphics that give you the full picture at a glance.

Screenshot: Cloud Discovery dashboard

Review the Cloud Discovery dashboard

The first thing you should do to get a general picture of your Cloud Discovery apps is review the following information in the Cloud Discovery dashboard:

  1. First look at the overall cloud app use in your organization in the High-level usage overview.

  2. Then, dive one level deeper to see which are the top categories used in your organization for each of the different use parameters. You can see how much of this usage is by sanctioned apps.

  3. Go even deeper and see all the apps in a specific category in the Discovered apps tab.

  4. You can see the top users and source IP addresses to identify which users are the most dominant users of cloud apps in your organization.

  5. Check how the discovered apps are spread by geographic location (according to their headquarters) in the App Headquarters map.

  6. Finally, don't forget to review the risk score of the discovered apps in the App risk overview. Check the discovery alerts status to see how many open alerts you should investigate.

Deep dive into discovered apps

If you want to dive deeper into the data Cloud Discovery provides, use the filters to review which apps are risky and which are commonly used.

For example, if you want to identify commonly used risky cloud storage and collaboration apps, you can use the Discovered apps page to filter for the apps you want. Then you can unsanction or block them as follows:

  1. In the Discovered apps page, under Browse by category, select both Cloud storage and Collaboration.

  2. Then, use the Advanced filters and set Compliance risk factor to SOC 2 equals False.

  3. For Usage, set Users to greater than 50 users and Transactions to greater than 100.

  4. Set the Security risk factor for Data at rest encryption equals Not supported. Then set Risk score equals 6 or lower.

Screenshot: Discovered apps filter

After the results are filtered, you can unsanction and block them by using the bulk action checkbox to unsanction them all in one action. After they're unsanctioned, you can use a blocking script to block them from being used in your environment.
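The following is an added example, not Cloud App Security code, that models the filter walkthrough above offline: it AND-s the five criteria (category, SOC 2, users, transactions, data-at-rest encryption, risk score) over a constructed app inventory, applies the bulk unsanction, and emits the de-duplicated domain list a blocking script for a firewall or proxy would consume. The record field names (`soc2`, `data_at_rest_encryption`, `domains`) are assumptions chosen to mirror the portal's filter labels, not the product's schema.

```python
"""Offline model of the 'risky cloud storage / collaboration apps' filter.

Added example, not Cloud App Security code. The inventory below is
constructed; field names mirror the portal's filter labels and are an
assumption, not the product's data model.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class DiscoveredApp:
    name: str
    category: str
    users: int
    transactions: int
    risk_score: int                 # portal risk score, 1 (risky) to 10 (safe)
    soc2: bool                      # compliance risk factor: SOC 2 certified?
    data_at_rest_encryption: str    # "Supported" or "Not supported"
    domains: List[str] = field(default_factory=list)
    sanctioned: bool = True         # False once the bulk action has run


# Constructed sample inventory (not real apps or vendors).
APPS = [
    DiscoveredApp("BoxDrop", "Cloud storage", 120, 3400, 4, False, "Not supported",
                  ["boxdrop.example"]),
    DiscoveredApp("ShareHub", "Collaboration", 75, 150, 5, False, "Not supported",
                  ["sharehub.example", "cdn.sharehub.example"]),
    DiscoveredApp("SafeVault", "Cloud storage", 300, 9000, 9, True, "Supported",
                  ["safevault.example"]),
    DiscoveredApp("TinyShare", "Cloud storage", 12, 40, 3, False, "Not supported",
                  ["tinyshare.example"]),
    DiscoveredApp("ChatFlow", "Collaboration", 90, 800, 7, False, "Not supported",
                  ["chatflow.example"]),
    DiscoveredApp("CRMCo", "CRM", 200, 5000, 2, False, "Not supported",
                  ["crmco.example"]),
]


def is_risky_storage_or_collab(app: DiscoveredApp) -> bool:
    """The walkthrough's conditions, all of which must hold at once."""
    return (
        app.category in {"Cloud storage", "Collaboration"}   # Browse by category
        and app.soc2 is False                                # SOC 2 equals False
        and app.users > 50                                   # Users > 50
        and app.transactions > 100                           # Transactions > 100
        and app.data_at_rest_encryption == "Not supported"   # encryption Not supported
        and app.risk_score <= 6                              # Risk score 6 or lower
    )


def filter_risky_apps(apps: List[DiscoveredApp]) -> List[DiscoveredApp]:
    """Equivalent of the filtered Discovered apps view."""
    return [a for a in apps if is_risky_storage_or_collab(a)]


def bulk_unsanction(apps: List[DiscoveredApp]) -> List[DiscoveredApp]:
    """Model of the bulk action checkbox: every selected app becomes Unsanctioned."""
    for a in apps:
        a.sanctioned = False
    return apps


def build_block_list(apps: List[DiscoveredApp]) -> List[str]:
    """Sorted, de-duplicated domains of unsanctioned apps; this is the input a
    blocking script would turn into firewall or proxy deny rules."""
    return sorted({d for a in apps if not a.sanctioned for d in a.domains})


if __name__ == "__main__":
    risky = filter_risky_apps(APPS)
    print("Matched:", [a.name for a in risky])
    bulk_unsanction(risky)
    print("Block list:", build_block_list(APPS))
```

Only apps that fail every safeguard at once are selected; SafeVault (SOC 2 certified, encryption supported) and ChatFlow (risk score 7) stay sanctioned even though they are heavily used, which is the point of combining the usage thresholds with the risk factors rather than blocking on popularity alone.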

Cloud Discovery lets you dive even deeper into your organization's cloud usage. You can identify specific instances that are in use by investigating the discovered subdomains.

For example, you can differentiate between different SharePoint sites.

This is supported only for firewalls and proxies whose logs contain target URL data. For more information, see the list of supported appliances in Supported firewalls and proxies.

Screenshot: Subdomain information

Discover resources and custom apps

Cloud Discovery also lets you dive deep into your IaaS and PaaS resources. You can discover activity across your resource-hosting platforms, viewing access to data across your self-hosted apps and resources, including storage accounts, infrastructure, and custom apps hosted on Azure, Google Cloud Platform, and AWS. Not only can you see overall usage in your IaaS solutions, but you also get visibility into the specific resources hosted on each platform and the overall usage of those resources, to help mitigate risk per resource.

For example, from Cloud App Security you can monitor activity such as a large data upload, discover which resource the data was uploaded to, and drill down to see who performed the activity.

Note

This is supported only for firewalls and proxies whose logs contain target URL data. For more information, see the list of supported appliances in Supported firewalls and proxies.

To view discovered resources:

  1. In the Cloud App Security portal, select Discover and then Discovered resources.

    Screenshot: Discovered resources menu

  2. In the Discovered resources page, you can drill down into each resource to see what kinds of transactions occurred and who accessed it, and then drill down to investigate those users even further.

    Screenshot: Discovered resources

  3. For custom apps, click the three dots at the end of the row and select Add custom app. This opens the Add custom app window, which lets you name and identify the app so it can be included in the Cloud Discovery dashboard.

Generate a Cloud Discovery executive report

The best way to get an overview of Shadow IT use across your organization is to generate a Cloud Discovery executive report. This report identifies the top potential risks and helps you plan a workflow to mitigate and manage risks until they're resolved.

To generate a Cloud Discovery executive report:

  1. From the Cloud Discovery dashboard, click the three dots in the upper-right corner of the dashboard, and then select Generate Cloud Discovery executive report.
  2. Optionally, change the report name.
  3. Click Generate.

Exclude entities

If you have system users, IP addresses, or machines that are noisy but uninteresting, or apps that aren't relevant, you may want to exclude their data from the Cloud Discovery data that is analyzed. For example, you might want to exclude all information originating from 127.0.0.1 or localhost.

To create an exclusion:

  1. In the portal, under the settings icon, select Cloud Discovery settings.

  2. Click the Exclude entities tab.

  3. Choose the Excluded users, Excluded IP addresses, or Excluded machines tab and click the + button to add your exclusion.

  4. Add a user alias, IP address, or machine name. We recommend adding information about why the exclusion was made.

    Screenshot: Exclude user
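As an added illustration of what an exclusion list does to the analyzed data (example code, not Cloud App Security's own), the block below applies a constructed set of user, IP address and machine exclusions to constructed log records before they would be analyzed, keeping the reason recorded with each exclusion so dropped records stay explainable. It generalizes the page's "127.0.0.1 or localhost" example slightly: an excluded loopback address is treated as matching any loopback form (127.x.x.x, ::1, the literal "localhost"); that generalization and the record field names are assumptions.

```python
"""Offline model of Cloud Discovery 'Exclude entities'.

Added example, not product code. The exclusions and log records are
constructed; the field names (user, src_ip, machine, app) are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Exclusion:
    kind: str    # "user", "ip" or "machine", matching the three portal tabs
    value: str   # user alias, IP address or machine name
    reason: str  # the justification the docs recommend recording


# Constructed exclusion list.
EXCLUSIONS = [
    Exclusion("ip", "127.0.0.1", "loopback traffic generated by the proxy host itself"),
    Exclusion("user", "svc-backup", "backup service account, not a person"),
    Exclusion("machine", "build-agent-01", "CI runner, produces noisy automated traffic"),
]

# Constructed log records, as a log collector would have parsed them.
RECORDS = [
    {"user": "alice", "src_ip": "10.1.2.3", "machine": "wks-alice", "app": "boxdrop.example"},
    {"user": "svc-backup", "src_ip": "10.1.9.9", "machine": "backup01", "app": "safevault.example"},
    {"user": "bob", "src_ip": "127.0.0.1", "machine": "proxy01", "app": "localhost"},
    {"user": "bob", "src_ip": "::1", "machine": "proxy01", "app": "localhost"},
    {"user": "carol", "src_ip": "10.1.2.8", "machine": "build-agent-01", "app": "chatflow.example"},
    {"user": "dave", "src_ip": "10.1.2.4", "machine": "wks-dave", "app": "sharehub.example"},
]


def _is_loopback(ip_text: str) -> bool:
    """True for 127.0.0.0/8, ::1 or the literal 'localhost'."""
    try:
        return ipaddress.ip_address(ip_text).is_loopback
    except ValueError:
        return ip_text.strip().lower() == "localhost"


def _ip_matches(excluded: str, actual: str) -> bool:
    # Assumption: excluding a loopback address excludes every loopback form.
    if _is_loopback(excluded):
        return _is_loopback(actual)
    try:
        return ipaddress.ip_address(excluded) == ipaddress.ip_address(actual)
    except ValueError:
        return excluded.strip().lower() == actual.strip().lower()


def matching_exclusion(record: Dict[str, str], exclusions: List[Exclusion]) -> Optional[Exclusion]:
    """Return the first exclusion that covers this record, or None."""
    for ex in exclusions:
        if ex.kind == "user" and record["user"].lower() == ex.value.lower():
            return ex
        if ex.kind == "ip" and _ip_matches(ex.value, record["src_ip"]):
            return ex
        if ex.kind == "machine" and record["machine"].lower() == ex.value.lower():
            return ex
    return None


def apply_exclusions(records: List[Dict[str, str]], exclusions: List[Exclusion]
                     ) -> Tuple[List[Dict[str, str]], List[Tuple[Dict[str, str], Exclusion]]]:
    """Split records into those that go on to analysis and those dropped,
    each dropped record paired with the exclusion (and reason) that removed it."""
    kept, dropped = [], []
    for rec in records:
        ex = matching_exclusion(rec, exclusions)
        if ex is None:
            kept.append(rec)
        else:
            dropped.append((rec, ex))
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = apply_exclusions(RECORDS, EXCLUSIONS)
    print("Analyzed:", [r["user"] for r in kept])
    for rec, ex in dropped:
        print(f"Dropped {rec['user']}@{rec['src_ip']} ({rec['machine']}): {ex.reason}")
```

Keeping the reason beside each exclusion matters more than it looks: an exclusion list is also a blind spot list, and six months later the question is always why a given account or address was removed from analysis.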

Manage continuous reports

Custom continuous reports give you more granularity when monitoring your organization's Cloud Discovery log data. By creating custom reports, you can filter on specific geographic locations, networks and sites, or organizational units. By default, only the following reports appear in your Cloud Discovery report selector:

  • The Global report consolidates all the information in the portal from all the data sources you included in your logs. The Global report doesn't include data from Microsoft Defender ATP.

  • The Data source specific report displays only information from a specific data source.

To create a new continuous report:

  1. In the portal, under the settings icon, select Cloud Discovery settings.

  2. Click the Continuous report tab.

  3. Click the Create report button.

  4. Enter a report name.

  5. Select the data sources you want to include (all or specific).

  6. Set the filters you want on the data. These filters can be User groups, IP address tags, or IP address ranges. For more information on working with IP address tags and IP address ranges, see Organize the data according to your needs.

    Screenshot: Create custom continuous report

Note

All custom reports are limited to a maximum of 1 GB of uncompressed data. If there is more than 1 GB of data, only the first 1 GB of data is exported into the report.

Deleting Cloud Discovery data

There are a number of reasons why you may want to delete your Cloud Discovery data. We recommend deleting it in the following cases:

  • If you manually uploaded log files and a long time passed before you updated the system with new log files, and you don't want old data affecting your results.

  • When you set a new custom data view, it applies only to new data from that point forward. So you may want to erase old data and then upload your log files again, so that the custom data view picks up the events in the log file data.

  • If many users or IP addresses recently started working again after being offline for some time, their activity will be identified as anomalous and may give you many false positive violations.

To delete Cloud Discovery data:

  1. In the portal, under the settings icon, select Cloud Discovery settings.

  2. Click the Delete data tab.

    It's important to be sure you want to delete data before continuing: the action can't be undone and deletes all Cloud Discovery data in the system.

  3. Click the Delete button.

    Screenshot: Delete data

    Note

    The deletion process takes a few minutes and is not immediate.

Next steps