Activity policies

Applies to: Microsoft Cloud App Security

Important

Threat protection product names from Microsoft are changing. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

Activity policies allow you to enforce a wide range of automated processes using the app provider's APIs. These policies enable you to monitor specific activities carried out by various users, or follow unexpectedly high rates of one certain type of activity.

After you set an activity detection policy, it starts to generate alerts. Alerts are only generated on activities that occur after you create the policy.

Note

Policies that trigger more than 50,000 matches per day, for 3 out of the last 7 days, are automatically disabled. You can try refining policies by adding additional filters or, if you are using policies for reporting purposes, consider saving them as queries instead.

Custom alerts

Activity policies allow custom alerts to be sent or actions taken when user activity is detected. For example, you want to know every time:

  • A user tries to sign in and fails 70 times in one minute
  • A user downloads 7,000 files
  • A user is logged in from Afghanistan

You can set activity alerts to be sent to yourself or to the user when these events occur. You can even suspend the user until you have finished investigating what happened.

To create a new activity policy, follow this procedure:

  1. In the console, click on Control followed by Policies.

  2. Click Create policy and select Activity policy.

    Activity policy menu

  3. Give your policy a name and description. If you want, you can base it on a template; for more information on policy templates, see Control cloud apps with policies.

  4. To set which actions or other metrics will trigger this policy, work with the Activity filters.

    Note

    To ensure you only include results where the specified filter field has a value, we recommend adding the same field again using the is set test. For example, when filtering by Location does not equal a specified list of countries, also add a filter for Location is set. You can also preview the filter results by selecting Edit and preview results.

    Screenshot of filter settings showing the Location field is set

  5. Under Activity match parameters, select when a policy violation will be triggered. Choose to trigger when a single activity matches the filters or only when a specified number of Repeated activities are detected.

    • If you choose Repeated activity, you can set In a single app. This setting will trigger a policy match only when the repeated activities occur in the same app. For example, five downloads in 30 minutes from Box trigger a policy match.
  6. Configure the Actions that should be taken when a match is found.

Take a look at these examples:

  • Multiple failed logins

    You can set policy so that you receive an alert when a large number of failed logins within a short time period occurs. To configure this sort of policy, choose the appropriate activity filter in the New Activity Policy page.

    Beneath the Activity filters field, configure the parameters for which the alert will be triggered.

    Policy example for multiple failed sign-in attempts

  • High download rate

    You can set your policy so that you receive an alert when there has been an unexpected or uncharacteristic level of downloading activity. To configure this sort of policy, under Rate parameters, choose the parameters to trigger the alert.

    High download rate example

Activity policy reference

This section has reference details about policies, explanations for each policy type, and the fields that can be configured for each policy.

An Activity policy is an API-based policy that enables you to monitor your organization's activities in the cloud. The policy takes into account over 20 file metadata filters including device type and location. Based on the policy results, notifications can be generated and users can be suspended from the cloud app. Each policy is composed of the following parts:

  • Activity filters – Enable you to create granular conditions based on metadata.

  • Activity match parameters – Enable you to set a threshold for the number of times an activity repeats to be considered to match the policy. Specify the number of repeated activities required to match the policy. For example, set a policy to alert when a user has 10 unsuccessful login attempts in a 2-minute time frame. By default, Activity match parameters raise a match for every single activity that meets all of the activity filters.

    • Using Repeated activity, you can set the number of repeated activities and the duration of the time frame in which the activities are counted. You can also specify that all activities should be performed by the same user and in the same cloud app.
  • Actions – The policy provides a set of governance actions that can be automatically applied when violations are detected.
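
The following added example (not Microsoft's code, and not a description of how the service evaluates policies internally) models the Repeated activity threshold and the "Location is set" note as a sliding-window check over constructed activity records. The record fields, function names and the `expected_countries` parameter are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 9, 0, 0)

def _burst(user, apps, location, n=10, step=10):
    """Constructed sample data: n failed logins, one every `step` seconds."""
    return [{"user": user, "app": apps[i % len(apps)], "type": "failed_login",
             "location": location, "time": T0 + timedelta(seconds=i * step)}
            for i in range(n)]

# Constructed records (not real logs): alice stays in one app, bob alternates
# between two apps, carol's records carry no location value.
ACTIVITIES = (_burst("alice", ["Box"], "FR")
              + _burst("bob", ["Box", "Salesforce"], "FR")
              + _burst("carol", ["Box"], None))

def matches_filters(act, expected_countries, require_location_set=True):
    """Failed login AND Location does not equal list [AND Location is set]."""
    loc = act.get("location")
    if require_location_set and loc is None:
        return False  # the "is set" test drops records with no value
    return act["type"] == "failed_login" and loc not in expected_countries

def repeated_activity_matches(activities, threshold, window, single_app=True,
                              **filter_kw):
    """Return (user, app, time) each time `threshold` matching activities by
    the same user (and same app, if single_app) fall within `window`."""
    recent = defaultdict(deque)
    hits = []
    for act in sorted(activities, key=lambda a: a["time"]):
        if not matches_filters(act, **filter_kw):
            continue
        key = (act["user"], act["app"] if single_app else None)
        times = recent[key]
        times.append(act["time"])
        while act["time"] - times[0] > window:
            times.popleft()  # discard activities older than the time frame
        if len(times) >= threshold:
            hits.append((key[0], key[1], act["time"]))
            times.clear()  # count afresh after a match
    return hits

if __name__ == "__main__":
    for hit in repeated_activity_matches(ACTIVITIES, 10, timedelta(minutes=2),
                                         expected_countries={"US"}):
        print(hit)
```

With the 10-in-2-minutes threshold from the text, only alice matches when "In a single app" and "Location is set" are both applied; turning off the single-app restriction also flags bob, and dropping the "is set" test lets carol's location-less records match the "does not equal" filter.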

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.