How to investigate anomaly detection alerts

Applies to: Microsoft Cloud App Security

Important

Threat protection product names from Microsoft are changing. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

Microsoft Cloud App Security provides security detections and alerts for malicious activities. The purpose of this guide is to provide you with general and practical information on each alert, to help with your investigation and remediation tasks. Included in this guide is general information about the conditions for triggering alerts. However, it is important to note that since anomaly detections are non-deterministic by nature, they are only triggered when there is behavior that deviates from the norm. Finally, some alerts may be in preview, so regularly review the official documentation for updated alert status.

MITRE ATT&CK

To explain and make it easier to map the relationship between Cloud App Security alerts and the familiar MITRE ATT&CK Matrix, we've categorized the alerts by their corresponding MITRE ATT&CK tactic. This additional reference makes it easier to understand the suspected attack technique potentially in use when a Cloud App Security alert is triggered.

This guide provides information about investigating and remediating Cloud App Security alerts in the categories that follow, one per MITRE ATT&CK tactic.

Security alert classifications

Following proper investigation, all Cloud App Security alerts can be classified as one of the following activity types:

  • True positive (TP): An alert on a confirmed malicious activity.
  • Benign true positive (B-TP): An alert on suspicious but not malicious activity, such as a penetration test or other authorized suspicious action.
  • False positive (FP): An alert on a non-malicious activity.

General investigation steps

You should use the following general guidelines when investigating any type of alert to gain a clearer understanding of the potential threat before applying the recommended action.

  • Review the user's investigation priority score and compare it with the rest of the organization. This will help you identify which users in your organization pose the greatest risk.
  • If you identify a TP, review all the user's activities to gain an understanding of the impact.
  • Review all user activity for other indicators of compromise and explore the source and scope of impact. For example, review the following user device information and compare it with known device information:
    • Operating system and version
    • Browser and version
    • IP address and location
Initial access alerts

This section describes alerts indicating that a malicious actor may be attempting to gain an initial foothold in your organization.

Activity from anonymous IP address

Description

Activity from an IP address that has been identified as an anonymous proxy IP address by Microsoft Threat Intelligence or by your organization. These proxies can be used to hide a device's IP address and may be used for malicious activities.

TP, B-TP, or FP?

This detection uses a machine learning algorithm that reduces B-TP incidents, such as mis-tagged IP addresses that are widely used by users in the organization.

  1. TP: If you're able to confirm that the activity was performed from an anonymous or TOR IP address.

    Recommended action: Suspend the user, mark the user as compromised, and reset their password.

  2. B-TP: If a user is known to use anonymous IP addresses in the scope of their duties. For example, when a security analyst conducts security or penetration tests on behalf of the organization.

    Recommended action: Dismiss the alert.

Understand the scope of the breach

  • Review all user activity and alerts for additional indicators of compromise. For example, if the alert was followed by another suspicious alert, such as an Unusual file download (by user) or a Suspicious inbox forwarding alert, that often indicates that an attacker is attempting to exfiltrate data.

Activity from infrequent country

Activity from a country/region that could indicate malicious activity. This policy profiles your environment and triggers alerts when activity is detected from a location that was not recently, or was never, visited by any user in the organization.

By default, the policy is configured to include only successful sign-in activities, but it can be configured to include any sign-in activity. The policy can be further scoped to a subset of users or can exclude users known to travel to remote locations.

Learning period

Detecting anomalous locations requires an initial learning period of seven days, during which alerts are not triggered for any new locations.
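To make the behavior of this policy concrete, the following Python sketch is an added example; it is not part of the original page and not Cloud App Security's own implementation. It profiles an organization-wide set of recently seen countries over constructed sign-in records, stays silent during a seven-day learning period, counts only successful sign-ins by default (switchable to all sign-ins), and honors an exclusion list for frequent travelers. The 30-day recency window, the record field names and the sample records are assumptions made for the example.

```python
from datetime import datetime, timedelta

LEARNING_PERIOD = timedelta(days=7)    # the seven-day learning period described above
RECENCY_WINDOW = timedelta(days=30)    # assumption: how long a country counts as "recently visited"


def detect_infrequent_country(events, *, successful_only=True, excluded_users=frozenset(),
                              recency_window=RECENCY_WINDOW):
    """Return (user, country, time) alerts for sign-ins from countries nobody in the
    organization has used recently. events: dicts with user, country, success, time."""
    events = sorted(events, key=lambda e: e["time"])
    if not events:
        return []
    learning_ends = events[0]["time"] + LEARNING_PERIOD
    last_seen = {}                     # country -> last time any user signed in from it
    alerts = []
    for e in events:
        if successful_only and not e["success"]:
            continue                   # default policy scope: successful sign-ins only
        country, t = e["country"], e["time"]
        seen_recently = country in last_seen and t - last_seen[country] <= recency_window
        if t >= learning_ends and not seen_recently and e["user"] not in excluded_users:
            alerts.append((e["user"], country, t))
        last_seen[country] = t         # every considered sign-in updates the org-wide profile
    return alerts


# Constructed sample sign-in records (not real data)
T0 = datetime(2021, 3, 1, 9, 0)
SAMPLE_EVENTS = [
    {"user": "alice", "country": "US", "success": True,  "time": T0},
    {"user": "bob",   "country": "US", "success": True,  "time": T0 + timedelta(days=1)},
    {"user": "bob",   "country": "BR", "success": True,  "time": T0 + timedelta(days=3)},   # learning period: silent
    {"user": "alice", "country": "US", "success": True,  "time": T0 + timedelta(days=9)},
    {"user": "alice", "country": "NZ", "success": True,  "time": T0 + timedelta(days=12)},  # first NZ sign-in: alert
    {"user": "bob",   "country": "NZ", "success": True,  "time": T0 + timedelta(days=13)},  # NZ seen yesterday: quiet
    {"user": "carol", "country": "RU", "success": False, "time": T0 + timedelta(days=14)},  # failed: ignored by default
    {"user": "dave",  "country": "JP", "success": True,  "time": T0 + timedelta(days=15)},  # excluded frequent traveler
    {"user": "erin",  "country": "BR", "success": True,  "time": T0 + timedelta(days=40)},  # BR last seen 37 days ago: alert
]

if __name__ == "__main__":
    for user, country, when in detect_infrequent_country(SAMPLE_EVENTS, excluded_users={"dave"}):
        print(f"{when:%Y-%m-%d} {user}: first sign-in from {country} in {RECENCY_WINDOW.days} days")
```

Note that the profile is organization-wide: bob's sign-in from NZ the day after alice's is quiet, which is exactly why a frequent-traveler group needs to be excluded explicitly rather than relying on the baseline to absorb it.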

TP, B-TP, or FP?

  1. TP: If you're able to confirm that the activity wasn't performed by a legitimate user.

    Recommended action:

    1. Suspend the user, reset their password, and identify the right time to safely re-enable the account.
    2. Optional: Create a playbook using Power Automate to contact users detected as connecting from infrequent locations, and their managers, to verify their activity.
  2. B-TP: If a user is known to be at this location. For example, a user who travels frequently and is currently in the specified location.

    Recommended action:

    1. Dismiss the alert and modify the policy to exclude the user.
    2. Create a user group for frequent travelers, import the group into Cloud App Security, and exclude the users in it from this alert.
    3. Optional: Create a playbook using Power Automate to contact users detected as connecting from infrequent locations, and their managers, to verify their activity.

Understand the scope of the breach

  • Review which resources may have been compromised, such as potential data downloads.

Activity from suspicious IP addresses

Activity from an IP address that has been identified as risky by Microsoft Threat Intelligence or by your organization. These IP addresses were identified as being involved in malicious activities, such as botnet command and control (C&C), and may indicate a compromised account.

TP, B-TP, or FP?

  1. TP: If you're able to confirm that the activity wasn't performed by a legitimate user.

    Recommended action: Suspend the user, mark the user as compromised, and reset their password.

  2. B-TP: If a user is known to use the IP address in the scope of their duties. For example, when a security analyst conducts security or penetration tests on behalf of the organization.

    Recommended action: Dismiss the alert.

Understand the scope of the breach

  1. Review the activity log and search for activities from the same IP address.
  2. Review which resources may have been compromised, such as potential data downloads or administrative modifications.
  3. Create a group for security analysts who intentionally trigger these alerts and exclude them from the policy.

Impossible travel

Activity from the same user in different locations within a time period that is shorter than the expected travel time between the two locations. This can indicate a credential breach; however, it's also possible that the user's actual location is masked, for example, by using a VPN.

To improve accuracy and alert only when there is a strong indication of a breach, Cloud App Security establishes a baseline for each user in the organization and alerts only when unusual behavior is detected. The impossible travel policy can be fine-tuned to your requirements.

Learning period

Establishing a new user's activity pattern requires an initial learning period of seven days, during which alerts are not triggered for any new locations.

TP, B-TP, or FP?

This detection uses a machine learning algorithm that ignores obvious B-TP conditions. For example, when the IP addresses on both sides of the travel are considered safe, the travel is trusted and excluded from triggering the Impossible travel detection. Both sides are considered safe if they are tagged as corporate. However, if the IP address of only one side of the travel is considered safe, the detection is triggered as normal.
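The speed test and the corporate-tag exclusion, as an added Python example that is not part of the original page and not Cloud App Security's own algorithm: for each user, consecutive sign-ins are paired, the great-circle distance between their geolocations is divided by the elapsed time, and a pair that would require travelling faster than a plausible ceiling is reported unless both IP addresses carry the corporate tag. The 1000 km/h ceiling, the record fields and the sample sign-ins (RFC 5737 test addresses) are assumptions for the example; the product's own thresholds are not described on this page.

```python
import math
from datetime import datetime, timedelta

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0   # assumption: roughly airliner speed; anything faster is "impossible"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def required_speed_kmh(first, second):
    """Speed the user would have needed to move from the first sign-in to the second."""
    hours = (second["time"] - first["time"]).total_seconds() / 3600
    distance = haversine_km(first["lat"], first["lon"], second["lat"], second["lon"])
    if hours <= 0:
        return math.inf if distance > 0 else 0.0
    return distance / hours


def detect_impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return one alert per consecutive sign-in pair that requires an implausible speed.
    A pair whose two IP addresses are both tagged 'corporate' is trusted and skipped;
    if only one side is corporate the alert fires as normal, as the text above describes."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e["user"], e["time"])):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, sign_ins in by_user.items():
        for first, second in zip(sign_ins, sign_ins[1:]):
            speed = required_speed_kmh(first, second)
            if speed <= max_speed_kmh:
                continue
            if first.get("tag") == "corporate" and second.get("tag") == "corporate":
                continue            # both sides safe: obvious B-TP, suppressed
            alerts.append({"user": user, "from_ip": first["ip"], "to_ip": second["ip"],
                           "speed_kmh": round(speed)})
    return alerts


# Constructed sample sign-ins (RFC 5737 test addresses, not real data)
T = datetime(2021, 3, 8, 9, 0)
NEW_YORK = (40.7128, -74.0060)
SYDNEY = (-33.8688, 151.2093)
BOSTON = (42.3601, -71.0589)


def _sign_in(user, when, place, ip, tag=None):
    return {"user": user, "time": when, "lat": place[0], "lon": place[1], "ip": ip, "tag": tag}


SAMPLE_SIGN_INS = [
    _sign_in("alice", T, NEW_YORK, "203.0.113.10"),
    _sign_in("alice", T + timedelta(hours=1), SYDNEY, "198.51.100.7"),               # ~16,000 km in 1 h: alert
    _sign_in("bob", T, NEW_YORK, "203.0.113.10", "corporate"),
    _sign_in("bob", T + timedelta(hours=1), SYDNEY, "203.0.113.200", "corporate"),   # both corporate: suppressed
    _sign_in("carol", T, NEW_YORK, "203.0.113.10", "corporate"),
    _sign_in("carol", T + timedelta(hours=1), SYDNEY, "198.51.100.7"),               # one side corporate: alert
    _sign_in("dave", T, NEW_YORK, "203.0.113.10"),
    _sign_in("dave", T + timedelta(hours=1), BOSTON, "192.0.2.44"),                  # ~300 km/h: plausible
]

if __name__ == "__main__":
    for alert in detect_impossible_travel(SAMPLE_SIGN_INS):
        print(alert)
```

The untagged-VPN false positive described below is visible in this model: a VPN egress geolocated far from the user looks like carol's case until its range is tagged, after which the pair is treated like bob's.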

  1. TP: If you're able to confirm that the location in the impossible travel alert is unlikely for the user.

    Recommended action: Suspend the user, mark the user as compromised, and reset their password.

  2. FP (Undetected user travel): If you're able to confirm that the user recently traveled to the destination detailed in the alert. For example, a user's phone in airplane mode may remain signed in to services such as Exchange Online from your corporate network while the user travels to a different location. When the user arrives at the new location, the phone connects to Exchange Online again, triggering the impossible travel alert.

    Recommended action: Dismiss the alert.

  3. FP (Untagged VPN): If you're able to confirm that the IP address range is from a sanctioned VPN.

    Recommended action: Dismiss the alert, add the VPN's IP address range to Cloud App Security, and then use it to tag the VPN's IP address range.

Understand the scope of the breach

  1. Review the activity log to gain an understanding of similar activities in the same location and from the same IP address.
  2. If you see that the user performed other risky activities, such as downloading a large volume of files from a new location, this would be a strong indication of a possible compromise.
  3. Add corporate VPN and IP address ranges.
  4. Create a playbook using Power Automate and contact the user's manager to see if the user is legitimately traveling.
  5. Consider creating a known-traveler database with up-to-the-minute organizational travel reporting and use it to cross-reference travel activity.

Misleading OAuth app name

Misleading OAuth app name identifies apps whose names contain characters, such as foreign letters, that resemble Latin letters. This can indicate an attempt to disguise a malicious app as a known and trusted app so that attackers can deceive users into downloading their malicious app.

TP, B-TP, or FP?

  1. TP: If you're able to confirm that the app has a misleading name.

    Recommended action: Review the level of permission requested by this app and which users granted access. Based on your investigation, you can choose to ban access to this app.

    To ban access to the app, on the OAuth apps page, on the row in which the app you want to ban appears, click the ban icon.
      • You can choose whether to tell users that the app they installed and authorized has been banned. The notification lets users know the app will be disabled and they won't have access to the connected app. If you don't want them to know, unselect Notify users who granted access to this banned app in the dialog.
      • It's recommended that you let the app users know their app is about to be banned from use.

  2. FP: If you're able to confirm that the app has a misleading name but has a legitimate business use in the organization.

    Recommended action: Dismiss the alert.

Understand the scope of the breach

Follow the steps listed under Misleading publisher name for an OAuth app below; they apply to both alerts.

Misleading publisher name for an OAuth app

Misleading publisher name for an OAuth app identifies apps whose publisher names contain characters, such as foreign letters, that resemble Latin letters. This can indicate an attempt to disguise a malicious app as a known and trusted app so that attackers can deceive users into downloading their malicious app.
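Both the app-name and the publisher-name alerts above rest on the same check: letters from another script standing in for Latin ones. The following Python example is added here and is not part of the original page or of Cloud App Security's detection; it takes a display name, derives each letter's script from its Unicode name, substitutes a small confusables map to recover the Latin string a user would actually read, and flags a name that mixes scripts or is built entirely of look-alikes while leaving a name genuinely written in another script alone. The confusables subset and the sample names are assumptions for the example; a production check would load the full Unicode confusables table.

```python
import unicodedata

# Assumption: a small subset of the Unicode confusables table (Cyrillic and Greek letters
# that render like Latin ones); a production check would load the full table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0443": "y", "\u0445": "x",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M", "\u041d": "H",
    "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T", "\u0425": "X",
    "\u03bf": "o", "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H", "\u039a": "K",
    "\u039c": "M", "\u039d": "N", "\u039f": "O", "\u03a1": "P", "\u03a4": "T", "\u03a7": "X",
}


def letter_script(ch):
    """Coarse script of a letter taken from its Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    uname = unicodedata.name(ch, "")
    if "LATIN" in uname:
        return "LATIN"
    return uname.split(" ")[0] if uname else "UNKNOWN"


def analyze_display_name(name):
    """Check an OAuth app or publisher display name for Latin look-alike letters.
    Returns the scripts used, the suspect characters, and the Latin string a user would read."""
    normalized = unicodedata.normalize("NFKC", name)   # folds fullwidth and compatibility forms
    scripts, suspects, skeleton = set(), [], []
    for ch in normalized:
        if ch.isalpha():
            scripts.add(letter_script(ch))
        look_alike = CONFUSABLES.get(ch)
        if look_alike:
            suspects.append((ch, unicodedata.name(ch)))
        skeleton.append(look_alike or ch)
    skeleton = "".join(skeleton)
    has_foreign = any(s != "LATIN" for s in scripts)
    skeleton_is_latin = all(letter_script(c) == "LATIN" for c in skeleton if c.isalpha())
    # Misleading when foreign letters are mixed into a Latin name, or when the whole name is
    # built from look-alikes of a Latin word. A name genuinely written in another script is not flagged.
    misleading = has_foreign and (len(scripts) > 1 or skeleton_is_latin)
    return {"name": name, "misleading": misleading, "scripts": sorted(scripts),
            "suspects": suspects, "looks_like": skeleton}


# Constructed sample app and publisher names (not real apps)
SAMPLE_NAMES = [
    "Microsoft Teams",                       # genuine Latin name
    "Micr\u043esoft Teams",                  # Cyrillic small o in place of Latin o
    "Micros\u03bft Corporation",             # Greek omicron in a publisher name
    "\u0421\u043e\u0440\u0435",              # "Cope" written entirely in Cyrillic look-alikes
    "\u042f\u043d\u0434\u0435\u043a\u0441",  # a real Cyrillic word: not flagged
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        r = analyze_display_name(n)
        flag = "MISLEADING" if r["misleading"] else "ok"
        print(f"{flag:10} {n!r} reads as {r['looks_like']!r}; suspects: {[s[1] for s in r['suspects']]}")
```

When triaging, the `looks_like` string is what to search for in the app stores mentioned in the scope-of-breach steps: it is the trusted name the attacker is imitating.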

TP, B-TP, or FP?

  1. TP: If you're able to confirm that the app has a misleading publisher name.

    Recommended action: Review the level of permission requested by this app and which users granted access. Based on your investigation, you can choose to ban access to this app.

  2. FP: If you're able to confirm that the app has a misleading publisher name but is from a legitimate publisher.

    Recommended action: Dismiss the alert.

Understand the scope of the breach

  1. On the OAuth apps page, click the app to open the App drawer, and then click Related activity. This opens the Activity log page filtered for activities performed by the app. Keep in mind that some apps perform activities that are registered as having been performed by a user. These activities are automatically filtered out of the results in the activity log. For further investigation using the activity log, see Activity log.
  2. If you suspect that an app is suspicious, we recommend that you investigate the app's name and publisher in different app stores. When checking app stores, focus on the following types of apps:
    • Apps with a low number of downloads.
    • Apps with a low rating or score, or bad comments.
    • Apps with a suspicious publisher or website.
    • Apps that have not been updated recently. This might indicate an app that is no longer supported.
    • Apps that have irrelevant permissions. This might indicate that an app is risky.
  3. If you still suspect that an app is suspicious, you can research the app name, publisher, and URL online.

Execution alerts

This section describes alerts indicating that a malicious actor may be attempting to run malicious code in your organization.

Multiple storage deletion activities

Activities in a single session indicating that a user performed an unusual number of cloud storage or database deletions from resources such as Azure blobs, AWS S3 buckets, or Cosmos DB when compared to the learned baseline. This can indicate an attempted breach of your organization.

Learning period

Establishing a new user's activity pattern requires an initial learning period of seven days, during which the detection does not trigger alerts.

TP, B-TP, or FP?

  1. TP: If you're able to confirm that the deletions were unauthorized.

    Recommended action: Suspend the user, reset their password, and scan all devices for malicious threats. Review all user activity for other indicators of compromise and explore the scope of impact.

  2. FP: If, after your investigation, you're able to confirm that the administrator was authorized to perform these deletion activities.

    Recommended action: Dismiss the alert.

Understand the scope of the breach

  1. Contact the user and confirm the activity.
  2. Review the activity log for other indicators of compromise and see who made the change.
  3. Review that user's activities for changes to other services.

Multiple VM creation activities

Activities in a single session indicating that a user performed an unusual number of VM creation actions when compared to the learned baseline. Multiple VM creations on a breached cloud infrastructure could indicate an attempt to run crypto mining operations from within your organization.

Learning period

Establishing a new user's activity pattern requires an initial learning period of seven days, during which the detection does not trigger alerts.

TP, B-TP, or FP?

To improve accuracy and alert only when there is a strong indication of a breach, this detection establishes a baseline on each environment in the organization to reduce B-TP incidents, such as an administrator legitimately creating more VMs than the established baseline, and only alerts when the unusual behavior is detected.

  • TP: If you're able to confirm that the creation activities were not performed by a legitimate user.

    Recommended action: Suspend the user, reset their password, and scan all devices for malicious threats. Review all user activity for other indicators of compromise and explore the scope of impact. In addition, contact the user, confirm their legitimate actions, and then make sure you disable or delete any compromised VMs.

  • B-TP: If, after your investigation, you're able to confirm that the administrator was authorized to perform these creation activities.

    Recommended action: Dismiss the alert.

Understand the scope of the breach

  1. Review all user activity for other indicators of compromise.
  2. Review the resources created or modified by the user and verify that they conform with your organization's policies.

Suspicious creation activity for cloud region (preview)

Activities indicating that a user performed an unusual resource creation action in an uncommon AWS region when compared to the learned baseline. Resource creation in uncommon cloud regions could indicate an attempt to perform a malicious activity, such as crypto mining operations, from within your organization.

Learning period

Establishing a new user's activity pattern requires an initial learning period of seven days, during which the detection does not trigger alerts.

TP, B-TP, or FP?

To improve accuracy and alert only when there is a strong indication of a breach, this detection establishes a baseline on each environment in the organization to reduce B-TP incidents.

  • TP: If you're able to confirm that the creation activities were not performed by a legitimate user.

    Recommended action: Suspend the user, reset their password, and scan all devices for malicious threats. Review all user activity for other indicators of compromise and explore the scope of impact. In addition, contact the user, confirm their legitimate actions, and then make sure you disable or delete any compromised cloud resources.

  • B-TP: If, after your investigation, you're able to confirm that the administrator was authorized to perform these creation activities.

    Recommended action: Dismiss the alert.

Understand the scope of the breach

  1. Review all user activity for other indicators of compromise.
  2. Review the resources created and verify that they conform with your organization's policies.

Persistence alerts

This section describes alerts indicating that a malicious actor may be attempting to maintain their foothold in your organization.

Activity performed by terminated user

Activity performed by a terminated user can indicate that a terminated employee who still has access to corporate resources is trying to perform a malicious activity. Cloud App Security profiles users in the organization and triggers an alert when a terminated user performs an activity.

TP, B-TP, or FP?

  1. TP: If you're able to confirm that the terminated user still has access to certain corporate resources and is performing activities.

    Recommended action: Disable the user.

  2. B-TP: If you're able to determine that the user was temporarily disabled, or was deleted and re-registered.

    Recommended action: Dismiss the alert.

Understand the scope of the breach

  1. Cross-reference HR records to confirm that the user is terminated.
  2. Validate the existence of the Azure Active Directory (Azure AD) user account.

    Note

    If using Azure AD Connect, validate the on-premises Active Directory object and confirm a successful sync cycle.

  3. Identify all apps that the terminated user had access to and decommission the accounts.
  4. Update decommissioning procedures.

Suspicious change of CloudTrail logging service

Activities in a single session indicating that a user performed suspicious changes to the AWS CloudTrail logging service. This can indicate an attempted breach of your organization. When CloudTrail is disabled, operational changes are no longer logged. An attacker can perform malicious activities while avoiding a CloudTrail audit event, such as modifying an S3 bucket from private to public.
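The tampering the alert looks for leaves a recognizable trace in the CloudTrail records themselves. The following Python example is added here and is not part of the original page or of Cloud App Security's own detector: it parses a CloudTrail log file (a JSON object with a `Records` array), flags the management calls that stop, delete or narrow a trail (StopLogging, DeleteTrail, UpdateTrail, PutEventSelectors), reports denied attempts as well as successful ones, and lists what the same principal did afterwards. The records are constructed (example account ID, RFC 5737 addresses); the sample assumes the records come from an organization trail in the management account that the actor could not stop, which is why the follow-on S3 change is still visible.

```python
import json

# CloudTrail management API calls that stop, remove or narrow the audit trail
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed CloudTrail records (example account ID and RFC 5737 test addresses, not real data).
# Assumption: they come from an organization trail the actor could not stop, so the S3 change
# after StopLogging is still recorded; an attacker who stops the only trail leaves no such record.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2021-03-08T10:02:11Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "LookupEvents",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/auditor"},
     "requestParameters": None},
    {"eventVersion": "1.08", "eventTime": "2021-03-08T10:05:40Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-ops"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/account-trail"}},
    {"eventVersion": "1.08", "eventTime": "2021-03-08T10:06:02Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-ops"},
     "requestParameters": {"name": "account-trail"},
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: cloudtrail:DeleteTrail"},
    {"eventVersion": "1.08", "eventTime": "2021-03-08T10:09:15Z",
     "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-ops"},
     "requestParameters": {"bucketName": "finance-exports", "acl": "public-read"}},
]})


def parse_records(text):
    """CloudTrail delivers log files as a JSON object with a 'Records' array."""
    return json.loads(text)["Records"]


def detect_cloudtrail_tampering(records):
    """Flag calls that weaken CloudTrail, including denied attempts (still a strong signal)."""
    alerts = []
    for r in records:
        if r.get("eventSource") != "cloudtrail.amazonaws.com" or r.get("eventName") not in LOGGING_TAMPER_EVENTS:
            continue
        alerts.append({
            "time": r["eventTime"],
            "actor": r["userIdentity"].get("arn"),
            "action": r["eventName"],
            "trail": (r.get("requestParameters") or {}).get("name"),
            "source_ip": r.get("sourceIPAddress"),
            "denied": "errorCode" in r,
        })
    return alerts


def activity_after(records, actor_arn, since_time):
    """What the same principal did after the tampering. eventTime is ISO 8601 UTC,
    so plain string comparison orders the records correctly."""
    return [(r["eventTime"], r["eventSource"], r["eventName"]) for r in records
            if r["userIdentity"].get("arn") == actor_arn and r["eventTime"] > since_time]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CLOUDTRAIL)
    for alert in detect_cloudtrail_tampering(recs):
        print(alert)
        for follow_up in activity_after(recs, alert["actor"], alert["time"]):
            print("   followed by", follow_up)
```

The denied DeleteTrail is kept on purpose: a principal probing for the permission to remove the trail is as much a finding as one that succeeds, and the source IP and the later PutBucketAcl are the scope-of-breach data the steps below ask for.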

TP, B-TP, or FP?

  1. TP: If you're able to confirm that the activity wasn't performed by a legitimate user.

    Recommended action: Suspend the user, reset their password, and reverse the CloudTrail change.

  2. FP: If you're able to confirm that the user legitimately disabled the CloudTrail service.

    Recommended action: Dismiss the alert.

Understand the scope of the breach

  1. Review the activity log for other indicators of compromise and see who made the change to the CloudTrail service.
  2. Optional: Create a playbook using Power Automate to contact users and their managers to verify their activity.

Suspicious email deletion activity (by user)

Activities in a single session indicating that a user performed suspicious email deletions. This can indicate an attempted breach of your organization, such as an attacker deleting emails related to spam activities in an attempt to mask their operations.

TP, B-TP, or FP?

  1. TP: If you're able to confirm that the activity wasn't performed by a legitimate user.

    Recommended action: Suspend the user, mark the user as compromised, and reset their password.

  2. FP: If you're able to confirm that the user legitimately created a rule to delete messages.

    Recommended action: Dismiss the alert.

Understand the scope of the breach

  • Review all user activity for additional indicators of compromise, such as a Suspicious inbox forwarding alert followed by an Impossible travel alert. Look for:

    1. New SMTP forwarding rules, as follows:
      • Check for malicious forwarding rule names. Rule names can vary from simple names, such as "Forward All Emails" and "Auto forward", to deceptive names, such as a barely visible ".". Forwarding rule names can even be empty, and the forwarding recipient can be a single email account or an entire list. Malicious rules can also be hidden from the user interface. Once detected, you can use this helpful blog post on how to delete hidden rules from mailboxes.
      • If you detect an unrecognized forwarding rule to an unknown internal or external email address, you can assume that the inbox account was compromised.
    2. New inbox rules, such as "delete all", "move messages to another folder", or those with obscure naming conventions, for example "…".
    3. An increase in sent emails.

Suspicious inbox manipulation rule

Activities indicating that an attacker gained access to a user's inbox and created a suspicious rule. Manipulation rules, such as deleting or moving messages or folders from a user's inbox, may be an attempt to exfiltrate information from your organization. Similarly, they can indicate an attempt to manipulate the information that a user sees, or to use their inbox to distribute spam, phishing emails, or malware. Cloud App Security profiles your environment and triggers alerts when suspicious inbox manipulation rules are detected on a user's inbox. This may indicate that the user's account is compromised.

TP, B-TP, or FP?

  1. TP: If you're able to confirm that a malicious inbox rule was created and the account was compromised.

    Recommended action: Suspend the user, reset their password, and remove the forwarding rule.

  2. FP: If you're able to confirm that the user legitimately created the rule.

    Recommended action: Dismiss the alert.

Understand the scope of the breach

  1. Review all user activity for additional indicators of compromise, such as a Suspicious inbox forwarding alert followed by an Impossible travel alert. Look for:
    • New SMTP forwarding rules.
    • New inbox rules, such as "delete all", "move messages to another folder", or those with obscure naming conventions, for example "…".
  2. Collect IP address and location information for the action.
  3. Review activities performed from the IP address used to create the rule to detect other compromised users.
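The rule characteristics listed in the scope-of-breach steps for this alert and for Suspicious email deletion activity (by user) above (empty or punctuation-only names such as "." and "…", forwarding to an external address or a list, forwarding combined with delete or move, hidden rules, blanket deletes) can be scored mechanically over an exported rule list. The Python example below is added here and is not part of the original page or of Cloud App Security's detection; the rule record shape, the organization's accepted domain and the sample rules are assumptions for the example.

```python
import re

ORG_DOMAINS = {"contoso.com"}   # assumption: the tenant's own accepted domains


def _obscure_name(name):
    """Empty, whitespace-only, or made only of punctuation such as "." or "...": the deceptive
    names the text describes, which are easy to overlook in a rule list."""
    return name.strip() == "" or re.fullmatch(r"[\W_]+", name) is not None


def _is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def score_inbox_rule(rule):
    """Return the list of reasons a rule looks like attacker tradecraft (empty list = nothing found).
    Assumed rule fields: name, forward_to (list), delete (bool), move_to_folder (str or None),
    applies_to_all (bool, no message condition), hidden (bool, not visible in the mail client)."""
    reasons = []
    forwards = rule.get("forward_to", [])
    if _obscure_name(rule["name"]):
        reasons.append("obscure_name")
    if rule.get("hidden"):
        reasons.append("hidden_rule")
    if forwards and rule.get("applies_to_all"):
        reasons.append("forward_all")            # every message leaves the mailbox
    if any(_is_external(a) for a in forwards):
        reasons.append("external_forward")
    if forwards and (rule.get("delete") or rule.get("move_to_folder")):
        reasons.append("forward_and_hide")       # copy goes out, original disappears from the inbox
    if rule.get("delete") and rule.get("applies_to_all"):
        reasons.append("delete_all")
    return reasons


def triage_inbox_rules(rules):
    """(rule name, reasons) for every rule with at least one finding, in the input order."""
    findings = []
    for rule in rules:
        reasons = score_inbox_rule(rule)
        if reasons:
            findings.append((rule["name"], reasons))
    return findings


# Constructed sample rules from one mailbox (not real data)
SAMPLE_RULES = [
    {"name": "Newsletters", "forward_to": [], "delete": False, "move_to_folder": "Newsletters",
     "applies_to_all": False, "hidden": False},
    {"name": ".", "forward_to": ["collector@mail.example"], "delete": True, "move_to_folder": None,
     "applies_to_all": True, "hidden": False},
    {"name": "", "forward_to": ["ops-list@contoso.com"], "delete": False, "move_to_folder": "RSS Subscriptions",
     "applies_to_all": False, "hidden": True},
    {"name": "Forward All Emails", "forward_to": ["assistant@contoso.com"], "delete": False,
     "move_to_folder": None, "applies_to_all": True, "hidden": False},
]

if __name__ == "__main__":
    for name, reasons in triage_inbox_rules(SAMPLE_RULES):
        print(f"rule {name!r}: {', '.join(reasons)}")
```

The third sample rule is the case the text warns about most: an internal-only forward with an empty name, hidden from the client, that files the originals under "RSS Subscriptions" so the user never notices. Reviewing only external forwards would miss it.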

Privilege escalation alerts

This section describes alerts indicating that a malicious actor may be attempting to gain higher-level permissions in your organization.

Unusual administrative activity (by user)

Activities indicating that an attacker has compromised a user account and performed administrative actions that are not common for that user. For example, an attacker can try to change a security setting for a user, an operation that is relatively rare for a common user. Cloud App Security creates a baseline based on the user's behavior and triggers an alert when unusual behavior is detected.

Learning period

Establishing a new user's activity pattern requires an initial learning period of seven days, during which the detection does not trigger alerts.

TP, B-TP, or FP?

  1. TP: If you're able to confirm that the activity wasn't performed by a legitimate administrator.

    Recommended action: Suspend the user, mark the user as compromised, and reset their password.

  2. FP: If you're able to confirm that an administrator legitimately performed the unusual volume of administrative activities.

    Recommended action: Dismiss the alert.

Understand the scope of the breach

  1. Review all user activity for additional indicators of compromise, such as Suspicious inbox forwarding or Impossible travel.
  2. Review other configuration changes, such as creating a user account that might be used for persistence.

Credential access alerts

This section describes alerts indicating that a malicious actor may be attempting to steal account names and passwords from your organization.

Multiple failed login attempts

Failed login attempts can indicate an attempt to breach an account. However, failed logins can also be normal behavior, for example when a user mistypes their password. To stay accurate and alert only when there is a strong indication of an attempted breach, Cloud App Security establishes a baseline of login habits for each user in the organization and alerts only when it detects a deviation from that baseline.

Learning period

Establishing a new user's activity pattern requires an initial learning period of seven days, during which this alert is not triggered.

TP, B-TP, or FP?

This policy is based on learning a user's normal login behavior. When a deviation from the norm is detected, an alert is triggered. If the same behavior then continues, the alert is raised only once rather than on every repetition.

  1. TP (MFA fails): If you're able to confirm that MFA is working correctly, this could be a sign of an attempted brute-force attack.

    Recommended actions:

    1. Suspend the user, mark the user as compromised, and reset their password.
    2. Find the app that performed the failed authentications and reconfigure it.
    3. Look for other users who logged in around the time of the activity, because they may also be compromised. Suspend those users, mark them as compromised, and reset their passwords.
  2. B-TP (MFA fails): If you're able to confirm that the alert is caused by a problem with MFA.

    Recommended action: Create a playbook using Power Automate to contact the user and check whether they are having issues with MFA.

  3. B-TP (Improperly configured app): If you're able to confirm that a misconfigured app is repeatedly attempting to connect to a service with expired credentials.

    Recommended action: Dismiss the alert.

  4. B-TP (Password changed): If you're able to confirm that the user recently changed their password, but the credentials stored for network shares have not been updated and those clients keep failing with the old password.

    Recommended action: Dismiss the alert.

  5. B-TP (Security test): If you're able to confirm that a security or penetration test is being conducted by security analysts on behalf of the organization.

    Recommended action: Dismiss the alert.

Understand the scope of the breach

  1. Review all of the user's activity for additional indicators of compromise, such as this alert being followed by an Impossible travel, Activity from anonymous IP address, or Activity from infrequent country alert.
  2. Review the following user device information and compare it with known device information:
    • Operating system and version
    • Browser and version
    • IP address and location
  3. Identify the source IP address or location from which the authentication attempts were made.
  4. Identify whether the user recently changed their password, and ensure all apps and devices have the updated password.
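The baseline-and-deviation behavior described above (a learning period, an alert only on a strong deviation, and a single alert while the same behavior continues) is easiest to understand in code. The following is an added example written for this article; it is not Cloud App Security's own detection logic, whose internals are not published. The sign-in records, the IP addresses, the three users, and the threshold values (an absolute floor of ten failures and a three-standard-deviation cut-off) are all constructed assumptions, and the triage hints simply mirror the TP and B-TP cases listed above.

```python
"""Per-user baseline detector for failed sign-ins.

Added example, not Cloud App Security's detection. It reproduces the
behaviour the text describes: a seven-day learning period, an alert only
when a day's failures deviate strongly from the learned baseline, a single
alert while the same behaviour continues, and triage hints matching the
TP / B-TP cases. All records, IPs and thresholds below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from statistics import mean, pstdev
from typing import List, Optional


@dataclass(frozen=True)
class SignIn:
    when: datetime
    user: str
    app: str
    ip: str
    error: Optional[str]  # None = success; otherwise e.g. "invalid_password"


@dataclass
class Alert:
    user: str
    day: date
    count: int
    threshold: float
    hints: List[str]


LEARNING_DAYS = 7    # seven-day learning period, as the text states
MIN_FAILURES = 10    # assumption: absolute floor so a couple of typos never alert
SIGMA = 3.0          # assumption: how far above the baseline counts as unusual


def failures_by_day(events, user):
    """Map each calendar day to the user's failed sign-ins on that day."""
    per_day = defaultdict(list)
    for e in events:
        if e.user == user and e.error is not None:
            per_day[e.when.date()].append(e)
    return per_day


def triage_hints(events, fails):
    """Hints mirroring the TP / B-TP cases: app misconfiguration, MFA, other victims."""
    hints = []
    apps = {e.app for e in fails}
    errors = {e.error for e in fails}
    if len(apps) == 1 and errors == {"password_expired"}:
        hints.append("B-TP candidate: a single app retrying with expired credentials")
    if sum(e.error == "mfa_denied" for e in fails) > len(fails) / 2:
        hints.append("MFA denials dominate: confirm MFA is healthy before calling this brute force")
    ips = {e.ip for e in fails}
    if len(ips) > 1:
        hints.append(f"failures from {len(ips)} source IPs; compare with known device/location data")
    day, victim = fails[0].when.date(), fails[0].user
    # Page step: look for other users attacked from the same source that day.
    others = sorted({e.user for e in events
                     if e.when.date() == day and e.error is not None
                     and e.ip in ips and e.user != victim})
    if others:
        hints.append(f"other users with failures from the same IP(s) that day: {others}")
    return hints


def detect(events, user, learning_days=LEARNING_DAYS):
    """Return at most one Alert per run of consecutive anomalous days."""
    per_day = failures_by_day(events, user)
    first = min(e.when.date() for e in events)   # assumption: data starts at onboarding
    last = max(e.when.date() for e in events)
    days = [first + timedelta(d) for d in range((last - first).days + 1)]
    if len(days) <= learning_days:
        return []                                   # still learning: no alerts
    learned = [len(per_day.get(d, [])) for d in days[:learning_days]]
    threshold = max(MIN_FAILURES, mean(learned) + SIGMA * pstdev(learned))
    alerts, in_anomaly = [], False
    for d in days[learning_days:]:
        fails = per_day.get(d, [])
        if len(fails) > threshold:
            if not in_anomaly:                      # same behaviour continuing: alert once
                alerts.append(Alert(user, d, len(fails), threshold, triage_hints(events, fails)))
            in_anomaly = True
        else:
            in_anomaly = False
    return alerts


def _burst(day, user, app, ip, error, n):
    return [SignIn(datetime(2023, 9, day, 2, i % 60), user, app, ip, error) for i in range(n)]


# Constructed sample: seven quiet days, then a password spray against alice on days 8-9,
# and a service account whose client keeps retrying an expired password on day 8.
SAMPLE = []
for d in range(1, 11):
    SAMPLE += _burst(d, "alice", "Outlook", "198.51.100.7", None, 3)       # normal successes
    SAMPLE += _burst(d, "bob", "Teams", "198.51.100.8", None, 2)
    SAMPLE += _burst(d, "svc-backup", "LegacySync", "10.0.0.8", None, 1)
SAMPLE += _burst(1, "alice", "Outlook", "198.51.100.7", "invalid_password", 1)   # a typo
SAMPLE += _burst(3, "alice", "Outlook", "198.51.100.7", "invalid_password", 2)
SAMPLE += _burst(8, "alice", "Outlook", "203.0.113.5", "invalid_password", 40)   # spray, day 1
SAMPLE += _burst(9, "alice", "Outlook", "203.0.113.5", "invalid_password", 35)   # spray continues
SAMPLE += _burst(8, "bob", "Outlook", "203.0.113.5", "invalid_password", 3)      # same source
SAMPLE += _burst(8, "svc-backup", "LegacySync", "10.0.0.8", "password_expired", 25)

if __name__ == "__main__":
    for u in ("alice", "bob", "svc-backup"):
        for a in detect(SAMPLE, u):
            print(a.user, a.day, a.count, a.hints)
```

Running it yields one alert for alice on day 8 (day 9 is suppressed because the behavior is unchanged) whose hint names bob as a second target of the same source IP, no alert for bob (three failures stay under the floor), and one alert for svc-backup carrying the "B-TP candidate" hint, which is the improperly-configured-app case above.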

Collection alerts

This section describes alerts indicating that a malicious actor may be attempting to gather data of interest to their goal from your organization.

Multiple Power BI report sharing activities

Activities in a single session indicating that a user performed an unusual number of report-sharing activities in Power BI when compared to the learned baseline. This can indicate an attempted breach of your organization.

Learning period

Establishing a new user's activity pattern requires an initial learning period of seven days, during which this alert is not triggered.

TP, B-TP, or FP?

  1. TP: If you're able to confirm that the activity wasn't performed by a legitimate user.

    Recommended action: Remove the sharing access from Power BI. If you're able to confirm that the account is compromised, suspend the user, mark the user as compromised, and reset their password.

  2. FP: If you're able to confirm that the user had a business justification for sharing these reports.

    Recommended action: Dismiss the alert.

Understand the scope of the breach

  1. Review the activity log to gain a better understanding of the other activities performed by the user. Look at the IP address they logged in from and the device details.
  2. Contact your Power BI team or Information Protection team to understand the guidelines for sharing reports internally and externally.

Suspicious Power BI report sharing

Activities indicating that a user shared a Power BI report that may contain sensitive information, as identified by using NLP to analyze the report's metadata. The report was either shared with an external email address, published to the web, or a snapshot of it was delivered to an externally subscribed email address. This can indicate an attempted breach of your organization.

TP, B-TP, or FP?

  1. TP: If you're able to confirm that the activity wasn't performed by a legitimate user.

    Recommended action: Remove the sharing access from Power BI. If you're able to confirm that the account is compromised, suspend the user, mark the user as compromised, and reset their password.

  2. FP: If you're able to confirm that the user had a business justification for sharing these reports.

    Recommended action: Dismiss the alert.

Understand the scope of the breach

  1. Review the activity log to gain a better understanding of the other activities performed by the user. Look at the IP address they logged in from and the device details.
  2. Contact your Power BI team or Information Protection team to understand the guidelines for sharing reports internally and externally.

Unusual impersonated activity (by user)

Some software allows one user to impersonate another. For example, email services let users authorize other users to send email on their behalf. Attackers commonly use this capability to create phishing emails in an attempt to extract information about your organization. Cloud App Security builds a baseline of the user's behavior and triggers an alert when it detects unusual impersonation activity.

Learning period

Establishing a new user's activity pattern requires an initial learning period of seven days, during which this alert is not triggered.

TP, B-TP, or FP?

  1. TP: If you're able to confirm that the activity wasn't performed by a legitimate user.

    Recommended action: Suspend the user, mark the user as compromised, and reset their password.

  2. FP (Unusual behavior): If you're able to confirm that the user legitimately performed the unusual activities, or more activities than the established baseline.

    Recommended action: Dismiss the alert.

  3. FP: If you're able to confirm that an app, such as Teams, legitimately impersonated the user.

    Recommended action: Review the actions and dismiss the alert if appropriate.

Understand the scope of the breach

  1. Review all of the user's activity and alerts for additional indicators of compromise.
  2. Review the impersonation activities to identify potentially malicious actions.
  3. Review the delegated access configuration.

Exfiltration alerts

This section describes alerts indicating that a malicious actor may be attempting to steal data from your organization.

Suspicious inbox forwarding

Activities indicating that an attacker gained access to a user's inbox and created a suspicious rule. Manipulation rules, such as forwarding all or specific emails to another email account, may be an attempt to exfiltrate information from your organization. Cloud App Security profiles your environment and triggers an alert when it detects suspicious inbox manipulation rules on a user's inbox. This may indicate that the user's account is compromised.

TP, B-TP, or FP?

  1. TP: If you're able to confirm that a malicious inbox forwarding rule was created and the account was compromised.

    Recommended action: Suspend the user, reset their password, and remove the forwarding rule.

  2. FP: If you're able to confirm that the user created a forwarding rule to a new or personal external email account for legitimate reasons.

    Recommended action: Dismiss the alert.

Understand the scope of the breach

  1. Review all of the user's activity for additional indicators of compromise, such as this alert being followed by an Impossible travel alert. Look for:

    1. New SMTP forwarding rules, as follows:
      • Check forwarding rule names for signs of malice. Names range from plain ones such as "Forward All Emails" and "Auto forward" to deceptive ones such as a barely visible ".". A forwarding rule's name can even be empty, and the forwarding recipient can be a single email account or an entire list. Malicious rules can also be hidden from the user interface. Once detected, consult the blog post on how to delete hidden rules from mailboxes.
      • If you detect an unrecognized forwarding rule to an unknown internal or external email address, you can assume that the inbox account was compromised.
    2. New inbox rules, such as "delete all", "move messages to another folder", or rules with obscure names, for example "…".
  2. Review the activities performed from the IP address that was used to create the rule, to detect other compromised users.

  3. Review the list of forwarded messages using Exchange Online message tracking.
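The rule checks in step 1 above (and the matching checklist at the end of the earlier inbox manipulation rules section) are mechanical enough to script once the rules have been exported. The block below is an added example for this article, not Cloud App Security code and not an Exchange API. It assumes the exported records carry the property names that Exchange Online's Get-InboxRule output uses (Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder, and condition fields such as SubjectContainsWords and From); the organization domain, the known-recipient allow list, and the four sample rules are constructed.

```python
"""Triage of exported inbox rules for the indicators listed in the text.

Added example, not part of the original article and not Cloud App Security
code. Record shape mirrors Get-InboxRule property names (an assumption about
the export); domains, mailboxes and rule names are made up.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Condition properties; a rule with none of them set applies to every message.
CONDITION_FIELDS = ("SubjectContainsWords", "From", "BodyContainsWords", "SentTo")


@dataclass
class InboxRule:
    Name: str
    Enabled: bool = True
    ForwardTo: List[str] = field(default_factory=list)
    ForwardAsAttachmentTo: List[str] = field(default_factory=list)
    RedirectTo: List[str] = field(default_factory=list)
    DeleteMessage: bool = False
    MoveToFolder: Optional[str] = None
    SubjectContainsWords: List[str] = field(default_factory=list)
    From: List[str] = field(default_factory=list)
    BodyContainsWords: List[str] = field(default_factory=list)
    SentTo: List[str] = field(default_factory=list)

    def recipients(self):
        return self.ForwardTo + self.ForwardAsAttachmentTo + self.RedirectTo

    def unconditional(self):
        return not any(getattr(self, f) for f in CONDITION_FIELDS)


# Empty, whitespace-only or punctuation-only names such as "." or "…".
OBSCURE_NAME = re.compile(r"^[\W_]*$")


@dataclass
class Finding:
    rule: str
    severity: str      # "high" or "medium"
    reasons: List[str]


def triage_rules(rules, org_domains, known_recipients=()):
    """Flag enabled rules that match the article's indicators of compromise."""
    findings = []
    for r in rules:
        if not r.Enabled:
            continue
        reasons, high = [], False
        if OBSCURE_NAME.match(r.Name):
            reasons.append(f"obscure rule name {r.Name!r}")
        for rcpt in r.recipients():
            domain = rcpt.rsplit("@", 1)[-1].lower()
            if domain not in org_domains:
                reasons.append(f"forwards to external address {rcpt}")
                high = True
            elif rcpt.lower() not in known_recipients:
                reasons.append(f"forwards to unrecognized internal address {rcpt}")
                high = True
        if r.recipients() and r.unconditional():
            reasons.append("forwards every message (no conditions)")
            high = True
        if r.DeleteMessage and r.unconditional():
            reasons.append("deletes every message (no conditions)")
            high = True
        if r.MoveToFolder and r.unconditional():
            reasons.append(f"moves every message to {r.MoveToFolder!r}")
        if r.DeleteMessage and r.recipients():
            reasons.append("forwards and then deletes: hides the copies from the mailbox owner")
            high = True
        if reasons:
            findings.append(Finding(r.Name, "high" if high else "medium", reasons))
    return findings


# Constructed sample: two legitimate rules, one classic exfiltration rule, one oddly named rule.
ORG_DOMAINS = {"contoso.example"}
KNOWN_RECIPIENTS = {"assistant@contoso.example"}
SAMPLE_RULES = [
    InboxRule("Newsletters to folder", MoveToFolder="Newsletters", SubjectContainsWords=["newsletter"]),
    InboxRule("Delegate copy", ForwardTo=["assistant@contoso.example"], From=["boss@contoso.example"]),
    InboxRule(".", ForwardTo=["mail.collector@example.net"], DeleteMessage=True),
    InboxRule("", MoveToFolder="RSS Subscriptions", SubjectContainsWords=["password", "invoice"]),
]

if __name__ == "__main__":
    for f in triage_rules(SAMPLE_RULES, ORG_DOMAINS, KNOWN_RECIPIENTS):
        print(f.severity, repr(f.rule), *f.reasons, sep="\n  ")
```

The "." rule comes back high with every indicator from the list above (obscure name, external recipient, applies to all mail, deletes the originals), the unnamed rule that quietly files password and invoice mail into an RSS folder comes back medium, and the two legitimate rules produce no findings. Note that this only works on rules the export can see; the hidden rules the text mentions still need the separate procedure it points to.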

Unusual file download (by user)

Activities indicating that a user performed an unusual number of file downloads from a cloud storage platform when compared to the learned baseline. This can indicate an attempt to gain information about the organization. Cloud App Security builds a baseline of the user's behavior and triggers an alert when it detects a deviation from that baseline.

Learning period

Establishing a new user's activity pattern requires an initial learning period of seven days, during which this alert is not triggered.

TP, B-TP, or FP?

  1. TP: If you're able to confirm that the activity wasn't performed by a legitimate user.

    Recommended action: Suspend the user, mark the user as compromised, and reset their password.

  2. FP (Unusual behavior): If you're able to confirm that the user legitimately performed more file download activities than the established baseline.

    Recommended action: Dismiss the alert.

  3. FP (Software sync): If you're able to confirm that software, such as OneDrive, synced with an external backup and caused the alert.

    Recommended action: Dismiss the alert.

Understand the scope of the breach

  1. Review the download activities and create a list of the downloaded files.
  2. Review the sensitivity of the downloaded files with the resource owner and validate the access level.

Unusual file share activity (by user)

Activities indicating that a user performed an unusual number of file sharing actions on a cloud storage platform when compared to the learned baseline. This can indicate an attempt to gain information about the organization. Cloud App Security builds a baseline of the user's behavior and triggers an alert when it detects a deviation from that baseline.

Learning period

Establishing a new user's activity pattern requires an initial learning period of seven days, during which this alert is not triggered.

TP, B-TP, or FP?

  1. TP: If you're able to confirm that the activity wasn't performed by a legitimate user.

    Recommended action: Suspend the user, mark the user as compromised, and reset their password.

  2. FP (Unusual behavior): If you're able to confirm that the user legitimately performed more file sharing activities than the established baseline.

    Recommended action: Dismiss the alert.

Understand the scope of the breach

  1. Review the sharing activities and create a list of the shared files.
  2. Review the sensitivity of the shared files with the resource owner and validate the access level.
  3. Create a file policy for similar documents to detect future sharing of sensitive files.

Impact alerts

This section describes alerts indicating that a malicious actor may be attempting to manipulate, interrupt, or destroy systems and data in your organization.

Multiple delete VM activities

Activities in a single session indicating that a user performed an unusual number of VM deletions when compared to the learned baseline. Multiple VM deletions could indicate an attempt to disrupt or destroy an environment. However, there are many normal scenarios in which VMs are deleted.

To improve accuracy and alert only when there is a strong indication of a breach, this detection establishes a baseline for each environment in the organization, which reduces B-TP incidents, and alerts only when unusual behavior is detected.

Learning period

Establishing a new user's activity pattern requires an initial learning period of seven days, during which this alert is not triggered.

TP, B-TP, or FP?

  • TP: If you're able to confirm that the deletions were unauthorized.

    Recommended action: Suspend the user, reset their password, and scan all devices for malicious threats. Review all of the user's activity for other indicators of compromise and explore the scope of impact.

  • B-TP: If, after your investigation, you're able to confirm that the administrator was authorized to perform these deletion activities.

    Recommended action: Dismiss the alert.

Understand the scope of the breach

  1. Contact the user and confirm the activity.
  2. Review all of the user's activity for additional indicators of compromise, such as this alert being followed by an Impossible travel, Activity from anonymous IP address, or Activity from infrequent country alert.

Ransomware activity

Ransomware is a cyberattack in which an attacker locks victims out of their devices or blocks them from accessing their files until the victim pays a ransom. Ransomware can spread through a malicious shared file or a compromised network. Cloud App Security uses security research expertise, threat intelligence, and learned behavioral patterns to identify ransomware activity. For example, a high rate of file uploads or file deletions may represent the encryption process that is common in ransomware operations.

This detection establishes a baseline of the normal working patterns of each user in your organization, such as when the user accesses the cloud and what they commonly do there.

Cloud App Security's automated threat detection policies start running in the background from the moment you connect an app. By applying Microsoft's security research expertise to identify behavioral patterns that reflect ransomware activity in organizations, Cloud App Security provides comprehensive coverage against sophisticated ransomware attacks.

Learning period

Establishing a new user's activity pattern requires an initial learning period of seven days, during which this alert is not triggered.

TP, B-TP, or FP?

  1. TP: If you're able to confirm that the activity wasn't performed by the user.

    Recommended action: Suspend the user, mark the user as compromised, and reset their password.

  2. FP (Unusual behavior): The user legitimately performed multiple deletion and upload activities on similar files within a short period of time.

    Recommended action: After reviewing the activity log and confirming that the file extensions are not suspicious, dismiss the alert.

  3. FP (Common ransomware file extension): If you're able to confirm that the extensions of the affected files match a known ransomware extension, but the user legitimately works with files of that type.

    Recommended action: Contact the user and confirm that the files are safe, then dismiss the alert.

Understand the scope of the breach

  1. Review the activity log for other indicators of compromise, such as mass download or mass deletion of files.
  2. If you're using Microsoft Defender Advanced Threat Protection, review the alerts for the user's computer to see whether malicious files were detected.
  3. Search the activity log for malicious file upload and sharing activities.
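The pattern the text describes, originals deleted and re-uploaded under a new extension in a short burst, can be checked directly against an activity log export. The block below is an added example written for this article; it is not Cloud App Security's detection, which also draws on threat intelligence and per-user baselines that this heuristic does not have. The log lines are constructed in a simple timestamp,user,operation,path shape that is an assumption rather than a real export format, and the ten-minute window and the two thresholds are illustrative. A burst of deletions with no matching re-uploads is reported separately as mass deletion, which is the other indicator listed above.

```python
"""Heuristic for the ransomware pattern in the text: originals deleted and
re-uploaded under a new extension within a short window.

Added example, not Cloud App Security's detection. Log format, window size,
thresholds and all sample activity are constructed for illustration.
"""
import os
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumption: burst window
MIN_PAIRS = 5                    # assumption: delete/re-upload pairs that trigger
MIN_DELETES = 20                 # assumption: floor for a plain mass-deletion verdict


def parse(lines):
    """Parse 'timestamp,user,operation,path' lines into sorted tuples."""
    events = []
    for line in lines:
        ts, user, op, path = line.strip().split(",", 3)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, op, path))
    return sorted(events)


def stem(path):
    """'Finance/report.docx.locked' -> 'Finance/report' (strip every extension)."""
    while True:
        root, ext = os.path.splitext(path)
        if not ext:
            return root
        path = root


def analyze(lines):
    """Return {user: (verdict, paired_rewrites, deleted_count)} for suspicious users."""
    by_user = defaultdict(list)
    for e in parse(lines):
        by_user[e[1]].append(e)
    results = {}
    for user, evs in by_user.items():
        best = None
        for i, (t0, _, _, _) in enumerate(evs):             # slide a window over the user's events
            window = [e for e in evs[i:] if e[0] - t0 <= WINDOW]
            deleted = {stem(p): p for _, _, op, p in window if op == "FileDeleted"}
            pairs, new_exts = 0, set()
            for _, _, op, p in window:
                # An upload whose stem matches a deleted file but whose name differs
                # is the "encrypted copy replaces original" signature.
                if op == "FileUploaded" and stem(p) in deleted and p != deleted[stem(p)]:
                    pairs += 1
                    new_exts.add(os.path.splitext(p)[1])
            verdict = None
            if pairs >= MIN_PAIRS:
                verdict = "ransomware-like: originals deleted and re-uploaded as " + ", ".join(sorted(new_exts))
            elif len(deleted) >= MIN_DELETES:
                verdict = f"mass deletion: {len(deleted)} files within {WINDOW}"
            if verdict and (best is None or pairs > best[1]):
                best = (verdict, pairs, len(deleted))
        if best:
            results[user] = best
    return results


def _lines(user, start, ops):
    return [f"{start + timedelta(seconds=10 * i):%Y-%m-%dT%H:%M:%SZ},{user},{op},{path}"
            for i, (op, path) in enumerate(ops)]


# Constructed sample log: one encryption-style burst, one routine cleanup, one mass deletion.
T0 = datetime(2023, 9, 8, 9, 0, 0)
SAMPLE_LOG = []
_ops = []
for i in range(12):                                          # alice: 12 originals rewritten as .locked
    _ops += [("FileDeleted", f"Finance/q{i}.xlsx"), ("FileUploaded", f"Finance/q{i}.xlsx.locked")]
SAMPLE_LOG += _lines("alice", T0, _ops)
SAMPLE_LOG += _lines("bob", T0, [("FileDeleted", "Old/draft1.docx"),   # bob: nothing to pair
                                 ("FileDeleted", "Old/draft2.docx"),
                                 ("FileUploaded", "New/final.docx")])
SAMPLE_LOG += _lines("carol", T0, [("FileDeleted", f"Archive/doc{i}.pdf") for i in range(25)])

if __name__ == "__main__":
    for user, (verdict, pairs, deleted) in analyze(SAMPLE_LOG).items():
        print(f"{user}: {verdict} (pairs={pairs}, deleted={deleted})")
```

On the sample, alice is reported as ransomware-like with twelve paired rewrites to .locked, carol as a mass deletion of 25 files, and bob, whose three operations are ordinary housekeeping, is not reported at all. The extension string reported for alice is what you would compare against known ransomware extensions in the third FP case above before deciding whether the files are legitimately named.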

Unusual file deletion activity (by user)

Activities indicating that a user performed an unusual amount of file deletion activity when compared to the learned baseline. This can indicate a ransomware attack. For example, an attacker can encrypt a user's files and delete all of the originals, leaving only the encrypted versions, which are then used to coerce the victim into paying a ransom. Cloud App Security builds a baseline of the user's normal behavior and triggers an alert when it detects a deviation from that baseline.

Learning period

Establishing a new user's activity pattern requires an initial learning period of seven days, during which this alert is not triggered.

TP, B-TP, or FP?

  1. TP: If you're able to confirm that the activity wasn't performed by a legitimate user.

    Recommended action: Suspend the user, mark the user as compromised, and reset their password.

  2. FP: If you're able to confirm that the user legitimately performed more file deletion activities than the established baseline.

    Recommended action: Dismiss the alert.

Understand the scope of the breach

  1. Review the deletion activities and create a list of the deleted files. If needed, recover the deleted files.
  2. Optionally, create a playbook using Power Automate to contact users and their managers to verify the activity.

See also