Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux

Applies to:

This article provides some general steps to mitigate missing events or alerts in the security center portal.

Once Microsoft Defender for Endpoint has been installed properly on a device, a device page is generated in the portal. You can review all recorded events in the Timeline tab of the device page, or in the Advanced hunting page. This section troubleshoots the case where some or all expected events are missing, for instance when all CreatedFile events are missing.

Missing network and login events

Microsoft Defender for Endpoint uses the Linux audit framework (auditd) to track network and login activity.

  1. Make sure the audit framework is working:

    service auditd status
    

    Expected output:

    ● auditd.service - Security Auditing Service
    Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
    Active: active (running) since Mon 2020-12-21 10:48:02 IST; 2 weeks 0 days ago
        Docs: man:auditd(8)
            https://github.com/linux-audit/audit-documentation
    Process: 16689 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
    Process: 16665 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
    Main PID: 16666 (auditd)
        Tasks: 25
    CGroup: /system.slice/auditd.service
            ├─16666 /sbin/auditd
            ├─16668 /sbin/audispd
            ├─16670 /usr/sbin/sedispatch
            └─16671 /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin -d
    
  2. If auditd is marked as stopped, start it:

    service auditd start
    

On SLES systems, SYSCALL auditing in auditd might be disabled by default, which can account for missing events.

  1. To validate that SYSCALL auditing is not disabled, list the current audit rules:

    sudo auditctl -l
    

    If the following line is present, remove it or edit it so that Microsoft Defender for Endpoint can track specific SYSCALLs:

    -a task, never
    

    The audit rules are located at /etc/audit/rules.d/audit.rules.
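The two auditd checks above (a rule that suppresses SYSCALL auditing, and the Defender audisp plugin running under auditd) can be scripted. This is an added example, not part of the Microsoft documentation; both functions read command output from stdin so they can be exercised on constructed text, and `check_host` runs them against the live host.

```sh
#!/bin/sh
# Added example (not from the Microsoft documentation). On a live host:
#   sudo auditctl -l | syscall_audit_disabled && echo "SYSCALL auditing is off"
#   service auditd status | mdatp_audisp_plugin_running || echo "plugin missing"

# Returns 0 when a rule of the form "-a task,never" (any spacing or field
# order, since auditctl accepts both list,action and action,list) is present
# in the auditctl -l listing read from stdin, 1 otherwise. Such a rule stops
# auditd from recording SYSCALL events, so Defender for Endpoint on Linux
# sees no network or login activity.
syscall_audit_disabled() {
    # Normalise: drop spaces after commas, collapse runs of whitespace,
    # then look for a task-list rule whose action is "never".
    sed 's/, */,/g; s/[[:space:]]\{1,\}/ /g' |
        grep -Eq '^-a (task,never|never,task)( |$)'
}

# Returns 0 when the "service auditd status" output read from stdin lists
# the Defender audisp plugin process in the auditd cgroup, 1 otherwise.
mdatp_audisp_plugin_running() {
    grep -q '/opt/microsoft/mdatp/sbin/mdatp_audisp_plugin'
}

# Run both checks against the live host. Prints one line per finding and
# returns the number of problems found (0 means nothing to fix).
check_host() {
    problems=0
    if command -v auditctl >/dev/null 2>&1 &&
       auditctl -l 2>/dev/null | syscall_audit_disabled; then
        echo "SYSCALL auditing disabled by '-a task,never'; edit /etc/audit/rules.d/audit.rules"
        problems=$((problems + 1))
    fi
    if ! service auditd status 2>/dev/null | mdatp_audisp_plugin_running; then
        echo "mdatp_audisp_plugin is not running under auditd; start auditd and re-check"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```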

Missing file events

File events are collected with the fanotify framework. If some or all file events are missing, make sure fanotify is enabled on the device and that the file system is supported.

List the file systems on the machine with:

df -Th