Manage alerts

Applies to: Microsoft Cloud App Security

Important

Threat protection product names from Microsoft are changing. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

This article explains how to work with alerts raised in the Cloud App Security portal.

Note

Alerts are managed in their respective policies and can be configured to be sent as an email, a text message, or both.

Manage your alerts

Alerts are the entry points to understanding your cloud environment more deeply. You might want to create new policies based on what you find. For example, you might see an administrator signing in from Greenland, when no one in your organization has ever signed in from Greenland before. You can create a policy that automatically suspends an admin account when it's used to sign in from that location.

It's a good idea to review all of your alerts and use them as tools for modifying your policies. If harmless events are being considered violations of existing policies, refine your policies so that you receive fewer unnecessary alerts.

  1. From the Alerts page, set Resolution status to Open.

    This section of the dashboard provides full visibility into any suspicious activity or violation of your established policies. It can help you safeguard the security posture you defined for your cloud environment.

    [Screenshot: Alerts resolution status page]

  2. For each alert, you need to investigate and determine the nature of the violation and the required response.

    • You can filter the alerts by Alert type or by Severity to process the most important ones first.

    • Select a specific alert. Depending on the type of alert, you'll see various actions that can be taken before resolving the alert.

    • You can filter by App; the apps listed are those for which Cloud App Security detected activity.

    • There are three types of violations you'll need to deal with when investigating alerts:

      • Serious violations - Serious violations require an immediate response.
        Examples:

        • For a suspicious activity alert, you might want to suspend the account until the user changes their password.
        • For a data leak, you might want to restrict permissions or quarantine the file.
        • If a new app is discovered, you might want to block access to the service on your proxy or firewall.
      • Questionable violations - Questionable violations require further investigation.

        • You can contact the user or the user's manager about the nature of the activity.
        • Leave the activity open until you have more information.
      • Authorized violations or anomalous behavior - These can result from legitimate use.

        • You can dismiss the alert.
  3. Any time you dismiss an alert, it's important to submit feedback about why you're dismissing it. The Cloud App Security team uses this feedback as an indication of the accuracy of the alert, and that information is then used to fine-tune the machine learning models for future alerts. You can follow these guidelines in deciding how to categorize the alert:

    • If legitimate use triggered the alert and it isn't a security issue, it could be one of these types:

      • Benign positive: The alert is accurate but the activity is legitimate. You can dismiss the alert and set the reason to Actual severity is lower or Not interesting.
      • False positive: The alert is inaccurate. Dismiss the alert and set the reason to Alert is not accurate.
    • If there's too much noise to determine the legitimacy and accuracy of an alert, dismiss it and set the reason to Too many similar alerts.

    • True positive: If the alert is related to an actual risky event that was committed, maliciously or unintentionally, by an insider or outsider, set the event to Resolve after all appropriate action has been taken to remediate it.

Alert types

The following table lists the types of alerts that can be triggered and recommends ways you can resolve them. Each entry gives the alert type, its description, and the recommended resolution.

Alert type: Activity policy violation
Description: This type of alert is the result of a policy you created.
Recommended resolution: To work with this type of alert in bulk, we recommend that you work in the Policy center to mitigate them. Fine-tune the policy to exclude noisy entities by adding more filters and more granular controls. If the policy is accurate, the alert is warranted, and it's a violation you want to stop immediately, consider adding automatic remediation in the policy.

Alert type: File policy violation
Description: This type of alert is the result of a policy you created.
Recommended resolution: To work with this type of alert in bulk, we recommend that you work in the Policy center to mitigate them. Fine-tune the policy to exclude noisy entities by adding more filters and more granular controls. If the policy is accurate, the alert is warranted, and it's a violation you want to stop immediately, consider adding automatic remediation in the policy.

Alert type: Compromised account
Description: This type of alert is triggered when Cloud App Security identifies an account that was compromised. This means there's a very high probability that the account was used in an unauthorized way.
Recommended resolution: We recommend that you suspend the account until you can reach the user and make sure they change their password.

Alert type: Inactive account
Description: This alert is triggered when an account hasn't been used in 60 days in one of your connected cloud apps.
Recommended resolution: Contact the user and the user's manager to determine whether the account is still active. If not, suspend the user and terminate the license for the app.

Alert type: New admin user
Description: Alerts you to changes in your privileged accounts for connected apps.
Recommended resolution: Confirm that the new admin permissions are in fact required for the user. If they aren't, recommend revoking admin privileges to reduce exposure.

Alert type: New admin location
Description: Alerts you to changes in your privileged accounts for connected apps.
Recommended resolution: Confirm that the sign-in from this anomalous location was legitimate. If it's not, recommend revoking admin permissions or suspending the account to reduce exposure.

Alert type: New location
Description: An informative alert about access to a connected app from a new location; it's triggered only once per country/region.
Recommended resolution: Investigate the specific user's activity.

Alert type: New discovered service
Description: This alert is about Shadow IT: a new app was detected by Cloud Discovery.
Recommended resolution:
  • Assess the risk of the service based on the app catalog.
  • Drill down into the activity to understand usage patterns and prevalence.
  • Decide whether to sanction or unsanction the app.

For unsanctioned apps:

  • You may want to block use in your proxy or firewall.
  • If you have an unsanctioned app and a sanctioned app in the same category, you can export a list of users of the unsanctioned app. Then, contact them to migrate to the sanctioned app.

Alert type: Suspicious activity
Description: This alert lets you know that anomalous activity has been detected that isn't aligned with expected activities or users in your organization.
Recommended resolution: Investigate the behavior and confirm it with the user. This type of alert is a great place to start learning more about your environment and creating new policies. For example, if someone suddenly uploads a large amount of data to one of your connected apps, you can set a rule to govern that type of anomalous behavior.

Alert type: Use of personal account
Description: This alert lets you know that a new personal account has access to resources in your connected apps.
Recommended resolution: Remove the user's collaborations in the external account.
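As an added illustration (not Microsoft's code and not Cloud App Security's actual detection logic), the following Python models two of the alert rules described above over constructed activity events: New location fires only once per country/region (assumed here to be tracked tenant-wide rather than per user), and Inactive account fires when an account has not been used in a connected app for 60 days.

```python
from datetime import datetime, timedelta

# Constructed sample activity events (not real Cloud App Security data).
EVENTS = [
    {"user": "carol", "app": "Box", "country": "US", "time": "2020-10-01T12:00:00"},
    {"user": "alice", "app": "Box", "country": "US", "time": "2021-01-04T09:00:00"},
    {"user": "alice", "app": "Box", "country": "US", "time": "2021-01-05T09:10:00"},
    {"user": "bob",   "app": "Box", "country": "GL", "time": "2021-01-06T02:30:00"},
    {"user": "bob",   "app": "Box", "country": "GL", "time": "2021-01-07T02:35:00"},
]

def _ts(event):
    return datetime.fromisoformat(event["time"])

def new_location_alerts(events):
    """Informative 'New location' alerts: one per country/region, raised the
    first time any user accesses a connected app from that country.
    Assumption: the once-per-country rule is tracked tenant-wide, not per user."""
    seen = set()
    alerts = []
    for e in sorted(events, key=_ts):
        if e["country"] in seen:
            continue  # later access from a known country does not re-alert
        seen.add(e["country"])
        alerts.append({"type": "New location", "user": e["user"],
                       "app": e["app"], "country": e["country"], "time": e["time"]})
    return alerts

def inactive_account_alerts(events, now_iso, days=60):
    """'Inactive account' alerts: an account not used in a connected app for
    `days` days (60 per the page) as of `now_iso` is flagged."""
    now = datetime.fromisoformat(now_iso)
    last_seen = {}
    for e in events:
        key = (e["user"], e["app"])
        last_seen[key] = max(last_seen.get(key, _ts(e)), _ts(e))
    cutoff = now - timedelta(days=days)
    return [{"type": "Inactive account", "user": user, "app": app,
             "last_seen": t.isoformat()}
            for (user, app), t in sorted(last_seen.items()) if t < cutoff]

def run(events, now_iso):
    """Combined open-alert queue from both detectors."""
    return inactive_account_alerts(events, now_iso) + new_location_alerts(events)

if __name__ == "__main__":
    for alert in run(EVENTS, "2021-01-08T00:00:00"):
        print(alert)
```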

Next steps

For more information about investigating alerts, see Investigate.

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.