你当前正在访问 Microsoft Azure Global Edition 技术文档网站。 如果需要访问由世纪互联运营的 Microsoft Azure 中国技术文档网站,请访问 https://docs.azure.cn

New-AzSecurityConnector

创建安全连接器。 如果安全连接器已创建,并且针对同一安全连接器 ID 发出后续请求,则会创建该连接器。

语法

New-AzSecurityConnector
   -Name <String>
   -ResourceGroupName <String>
   [-SubscriptionId <String>]
   [-EnvironmentData <ISecurityConnectorEnvironment>]
   [-EnvironmentName <String>]
   [-Etag <String>]
   [-HierarchyIdentifier <String>]
   [-Kind <String>]
   [-Location <String>]
   [-Offering <ICloudOffering[]>]
   [-Tag <Hashtable>]
   [-DefaultProfile <PSObject>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

说明

创建安全连接器。 如果安全连接器已创建,并且针对同一安全连接器 ID 发出后续请求,则会创建该连接器。

示例

示例 1:创建 AWS 安全连接器

$account = "891376984375"
$arnPrefix = "arn:aws:iam::$($account):role"

$cspmMonitorOffering = New-AzSecurityCspmMonitorAwsOfferingObject -NativeCloudConnectionCloudRoleArn "$arnPrefix/CspmMonitorAws"

$dcspmOffering = New-AzSecurityDefenderCspmAwsOfferingObject `
    -VMScannerEnabled $true -ConfigurationScanningMode Default -ConfigurationCloudRoleArn "$arnPrefix/DefenderForCloud-AgentlessScanner" `
    -DataSensitivityDiscoveryEnabled $true -DataSensitivityDiscoveryCloudRoleArn "$arnPrefix/SensitiveDataDiscovery" `
    -DatabaseDspmEnabled $true -DatabaseDspmCloudRoleArn "$arnPrefix/DefenderForCloud-DataSecurityPostureDB" `
    -CiemDiscoveryCloudRoleArn "$arnPrefix/DefenderForCloud-Ciem" -CiemOidcAzureActiveDirectoryAppName "mciem-aws-oidc-connector" -CiemOidcCloudRoleArn "$arnPrefix/DefenderForCloud-OidcCiem" `
    -MdcContainerImageAssessmentEnabled $true -MdcContainerImageAssessmentCloudRoleArn "$arnPrefix/MDCContainersImageAssessmentRole" `
    -MdcContainerAgentlessDiscoveryK8SEnabled $true -MdcContainerAgentlessDiscoveryK8SCloudRoleArn "$arnPrefix/MDCContainersAgentlessDiscoveryK8sRole"

$defenderForContainersOffering = New-AzSecurityDefenderForContainersAwsOfferingObject `
    -AutoProvisioning $true -KuberneteServiceCloudRoleArn "$arnPrefix/DefenderForCloud-Containers-K8s" -KuberneteScubaReaderCloudRoleArn "$arnPrefix/DefenderForCloud-DataCollection" `
    -KinesiToS3CloudRoleArn "$arnPrefix/DefenderForCloud-Containers-K8s-kinesis-to-s3" -CloudWatchToKinesiCloudRoleArn "$arnPrefix/DefenderForCloud-Containers-K8s-cloudwatch-to-kinesis" `
    -KubeAuditRetentionTime 30 -ScubaExternalId "a47ae0a2-7bf7-482a-897a-7a139d30736c" `
    -MdcContainerAgentlessDiscoveryK8SEnabled $true -MdcContainerAgentlessDiscoveryK8SCloudRoleArn "$arnPrefix/MDCContainersAgentlessDiscoveryK8sRole" `
    -MdcContainerImageAssessmentEnabled $true -MdcContainerImageAssessmentCloudRoleArn "$arnPrefix/MDCContainersImageAssessmentRole" `
    -EnableContainerVulnerabilityAssessment $false

$environment = New-AzSecurityAwsEnvironmentObject -ScanInterval 24

New-AzSecurityConnector -Name "aws-sdktest01" -ResourceGroupName "securityConnectors-tests" `
        -EnvironmentData $environment -EnvironmentName AWS -HierarchyIdentifier "$account" `
        -Offering @($cspmMonitorOffering, $dcspmOffering, $defenderForContainersOffering) `
        -Location "CentralUS"

EnvironmentData                 : {
                                    "environmentType": "AwsAccount",
                                    "regions": [ ],
                                    "scanInterval": 24
                                  }
EnvironmentName                 : AWS
Etag                            :
HierarchyIdentifier             : 891376984375
HierarchyIdentifierTrialEndDate : 3/24/2024 12:00:00 AM
Id                              : /subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/securityconnectors-tests/providers/Microsoft.Security/securityConnectors/aws-sdktes
                                  t01
Kind                            :
Location                        : CentralUS
Name                            : aws-sdktest01
Offering                        : {{
                                    "offeringType": "CspmMonitorAws",
                                    "nativeCloudConnection": {
                                      "cloudRoleArn": "arn:aws:iam::891376984375:role/CspmMonitorAws"
                                    }
                                  }, {
                                    "offeringType": "DefenderCspmAws",
                                    "vmScanners": {
                                      "configuration": {
                                        "cloudRoleArn": "arn:aws:iam::891376984375:role/DefenderForCloud-AgentlessScanner",
                                        "scanningMode": "Default"
                                      },
                                      "enabled": true
                                    },
                                    "dataSensitivityDiscovery": {
                                      "enabled": true,
                                      "cloudRoleArn": "arn:aws:iam::891376984375:role/SensitiveDataDiscovery"
                                    },
                                    "databasesDspm": {
                                      "enabled": true,
                                      "cloudRoleArn": "arn:aws:iam::891376984375:role/DefenderForCloud-DataSecurityPostureDB"
                                    },
                                    "ciem": {
                                      "ciemDiscovery": {
                                        "cloudRoleArn": "arn:aws:iam::891376984375:role/DefenderForCloud-Ciem"
                                      },
                                      "ciemOidc": {
                                        "cloudRoleArn": "arn:aws:iam::891376984375:role/DefenderForCloud-OidcCiem",
                                        "azureActiveDirectoryAppName": "mciem-aws-oidc-connector"
                                      }
                                    },
                                    "mdcContainersImageAssessment": {
                                      "enabled": true,
                                      "cloudRoleArn": "arn:aws:iam::891376984375:role/MDCContainersImageAssessmentRole"
                                    },
                                    "mdcContainersAgentlessDiscoveryK8s": {
                                      "enabled": true,
                                      "cloudRoleArn": "arn:aws:iam::891376984375:role/MDCContainersAgentlessDiscoveryK8sRole"
                                    }
                                  }, {
                                    "offeringType": "DefenderForContainersAws",
                                    "kubernetesService": {
                                      "cloudRoleArn": "arn:aws:iam::891376984375:role/DefenderForCloud-Containers-K8s"
                                    },
                                    "kubernetesScubaReader": {
                                      "cloudRoleArn": "arn:aws:iam::891376984375:role/DefenderForCloud-DataCollection"
                                    },
                                    "cloudWatchToKinesis": {
                                      "cloudRoleArn": "arn:aws:iam::891376984375:role/DefenderForCloud-Containers-K8s-cloudwatch-to-kinesis"
                                    },
                                    "kinesisToS3": {
                                      "cloudRoleArn": "arn:aws:iam::891376984375:role/DefenderForCloud-Containers-K8s-kinesis-to-s3"
                                    },
                                    "mdcContainersImageAssessment": {
                                      "enabled": true,
                                      "cloudRoleArn": "arn:aws:iam::891376984375:role/MDCContainersImageAssessmentRole"
                                    },
                                    "mdcContainersAgentlessDiscoveryK8s": {
                                      "enabled": true,
                                      "cloudRoleArn": "arn:aws:iam::891376984375:role/MDCContainersAgentlessDiscoveryK8sRole"
                                    },
                                    "enableContainerVulnerabilityAssessment": false,
                                    "autoProvisioning": true,
                                    "kubeAuditRetentionTime": 30,
                                    "scubaExternalId": "a47ae0a2-7bf7-482a-897a-7a139d30736c"
                                  }}
ResourceGroupName               : securityconnectors-tests
SystemDataCreatedAt             : 2/22/2024 11:45:53 PM
SystemDataCreatedBy             : c3d82ccb-fee1-430c-949e-6c0a217c00a8
SystemDataCreatedByType         : Application
SystemDataLastModifiedAt        : 2/22/2024 11:45:53 PM
SystemDataLastModifiedBy        : c3d82ccb-fee1-430c-949e-6c0a217c00a8
SystemDataLastModifiedByType    : Application
Tag                             : {
                                  }
Type                            : Microsoft.Security/securityconnectors

示例 2:创建 GCP 安全连接器

$account = "843025268399"
$emailSuffix = "myproject.iam.gserviceaccount.com"
$cspmMonitorOffering = New-AzSecurityCspmMonitorGcpOfferingObject -NativeCloudConnectionServiceAccountEmailAddress "microsoft-defender-cspm@$emailSuffix" -NativeCloudConnectionWorkloadIdentityProviderId "cspm"

$dcspmOffering = New-AzSecurityDefenderCspmGcpOfferingObject `
    -VMScannerEnabled $true -ConfigurationScanningMode Default -ConfigurationExclusionTag @{key="value"} `
    -MdcContainerAgentlessDiscoveryK8SEnabled $true -MdcContainerAgentlessDiscoveryK8SServiceAccountEmailAddress "mdc-containers-k8s-operator@$emailSuffix" -MdcContainerAgentlessDiscoveryK8SWorkloadIdentityProviderId "containers" `
    -MdcContainerImageAssessmentEnabled $true -MdcContainerImageAssessmentServiceAccountEmailAddress "mdc-containers-artifact-assess@$emailSuffix" -MdcContainerImageAssessmentWorkloadIdentityProviderId "containers" `
    -DataSensitivityDiscoveryEnabled $true -DataSensitivityDiscoveryServiceAccountEmailAddress "mdc-data-sec-posture-storage@$emailSuffix" -DataSensitivityDiscoveryWorkloadIdentityProviderId "data-security-posture-storage" `
    -CiemDiscoveryServiceAccountEmailAddress "microsoft-defender-ciem@$emailSuffix" -CiemDiscoveryAzureActiveDirectoryAppName "mciem-gcp-oidc-app" -CiemDiscoveryWorkloadIdentityProviderId "ciem-discovery"

$defenderForContainersOffering = New-AzSecurityDefenderForContainersGcpOfferingObject `
    -NativeCloudConnectionServiceAccountEmailAddress "microsoft-defender-containers@$emailSuffix" -NativeCloudConnectionWorkloadIdentityProviderId "containers" `
    -DataPipelineNativeCloudConnectionServiceAccountEmailAddress "ms-defender-containers-stream@$emailSuffix" -DataPipelineNativeCloudConnectionWorkloadIdentityProviderId "containers-streams" `
    -AuditLogsAutoProvisioningFlag $true -DefenderAgentAutoProvisioningFlag $true -PolicyAgentAutoProvisioningFlag $true `
    -MdcContainerAgentlessDiscoveryK8SEnabled $true -MdcContainerAgentlessDiscoveryK8SWorkloadIdentityProviderId "containers" -MdcContainerAgentlessDiscoveryK8SServiceAccountEmailAddress "mdc-containers-k8s-operator@$emailSuffix" `
    -MdcContainerImageAssessmentEnabled $true -MdcContainerImageAssessmentWorkloadIdentityProviderId "containers" -MdcContainerImageAssessmentServiceAccountEmailAddress "mdc-containers-artifact-assess@$emailSuffix"

$environment = New-AzSecurityGcpProjectEnvironmentObject -ScanInterval 24 -ProjectDetailProjectId "asc-sdk-samples" -ProjectDetailProjectNumber "$account"

New-AzSecurityConnector -Name "gcp-sdktest01" -ResourceGroupName "securityConnectors-tests" -EnvironmentData $environment -EnvironmentName GCP -HierarchyIdentifier "$account" `
    -Offering @($cspmMonitorOffering, $dcspmOffering, $defenderForContainersOffering) -Location "CentralUS"

EnvironmentData                 : {
                                    "environmentType": "GcpProject",
                                    "projectDetails": {
                                        "projectNumber": "843025268399",
                                        "projectId": "asc-sdk-samples"
                                    },
                                    "scanInterval": 24
                                  }
EnvironmentName                 : GCP
Etag                            :
HierarchyIdentifier             : 843025268399
HierarchyIdentifierTrialEndDate : 3/24/2024 12:00:00 AM
Id                              : /subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/securityconnectors-tests/providers/Microsoft.Security/securityConnectors/gcp-sdktest01
Kind                            :
Location                        : CentralUS
Name                            : gcp-sdktest01
Offering                        : {{
                                    "offeringType": "CspmMonitorGcp",
                                    "nativeCloudConnection": {
                                        "workloadIdentityProviderId": "cspm",
                                        "serviceAccountEmailAddress": "microsoft-defender-cspm@myproject.iam.gserviceaccount.com"
                                    }
                                  }, {
                                    "offeringType": "DefenderCspmGcp",
                                    "ciemDiscovery": {
                                        "workloadIdentityProviderId": "ciem-discovery",
                                        "serviceAccountEmailAddress": "microsoft-defender-ciem@myproject.iam.gserviceaccount.com",
                                        "azureActiveDirectoryAppName": "mciem-gcp-oidc-app"
                                    },
                                    "vmScanners": {
                                        "configuration": {
                                            "scanningMode": "Default",
                                            "exclusionTags": {
                                                "key": "value"
                                            }
                                        },
                                        "enabled": true
                                    },
                                    "dataSensitivityDiscovery": {
                                        "enabled": true,
                                        "workloadIdentityProviderId": "data-security-posture-storage",
                                        "serviceAccountEmailAddress": "mdc-data-sec-posture-storage@myproject.iam.gserviceaccount.com"
                                    },
                                    "mdcContainersImageAssessment": {
                                        "enabled": true,
                                        "workloadIdentityProviderId": "containers",
                                        "serviceAccountEmailAddress": "mdc-containers-artifact-assess@myproject.iam.gserviceaccount.com"
                                    },
                                    "mdcContainersAgentlessDiscoveryK8s": {
                                        "enabled": true,
                                        "workloadIdentityProviderId": "containers",
                                        "serviceAccountEmailAddress": "mdc-containers-k8s-operator@myproject.iam.gserviceaccount.com"
                                    }
                                  }, {
                                    "offeringType": "DefenderForContainersGcp",
                                    "nativeCloudConnection": {
                                        "serviceAccountEmailAddress": "microsoft-defender-containers@myproject.iam.gserviceaccount.com",
                                        "workloadIdentityProviderId": "containers"
                                    },
                                    "dataPipelineNativeCloudConnection": {
                                        "serviceAccountEmailAddress": "ms-defender-containers-stream@myproject.iam.gserviceaccount.com",
                                        "workloadIdentityProviderId": "containers-streams"
                                    },
                                    "mdcContainersImageAssessment": {
                                        "enabled": true,
                                        "workloadIdentityProviderId": "containers",
                                        "serviceAccountEmailAddress": "mdc-containers-artifact-assess@myproject.iam.gserviceaccount.com"
                                    },
                                    "mdcContainersAgentlessDiscoveryK8s": {
                                        "enabled": true,
                                        "workloadIdentityProviderId": "containers",
                                        "serviceAccountEmailAddress": "mdc-containers-k8s-operator@myproject.iam.gserviceaccount.com"
                                    },
                                    "auditLogsAutoProvisioningFlag": true,
                                    "defenderAgentAutoProvisioningFlag": true,
                                    "policyAgentAutoProvisioningFlag": true
                                  }}
ResourceGroupName               : securityconnectors-tests
SystemDataCreatedAt             : 2/22/2024 11:45:53 PM
SystemDataCreatedBy             : c3d82ccb-fee1-430c-949e-6c0a217c00a8
SystemDataCreatedByType         : Application
SystemDataLastModifiedAt        : 2/22/2024 11:45:53 PM
SystemDataLastModifiedBy        : c3d82ccb-fee1-430c-949e-6c0a217c00a8
SystemDataLastModifiedByType    : Application
Tag                             : {}
Type                            : Microsoft.Security/securityconnectors

示例 3:创建 AzureDevOps 安全连接器

New-AzSecurityConnector -ResourceGroupName "securityConnectors-pwsh-tmp" -Name "ado-sdk-pwsh-test03" `
    -EnvironmentName AzureDevOps -EnvironmentData (New-AzSecurityAzureDevOpsScopeEnvironmentObject) `
    -HierarchyIdentifier ([guid]::NewGuid().ToString()) -Location "CentralUS" `
    -Offering @(New-AzSecurityCspmMonitorAzureDevOpsOfferingObject)

EnvironmentData                 : {
                                    "environmentType": "AzureDevOpsScope"
                                  }
EnvironmentName                 : AzureDevOps
Etag                            : 
HierarchyIdentifier             : 9dd01e19-8aaf-43a2-8dd4-1c5992f4df35
HierarchyIdentifierTrialEndDate : 
Id                              : /subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/securityconnectors-pwsh-tmp/providers/Microsoft.Security/securityConnectors/ado-sdk-pwsh-test03
Kind                            : 
Location                        : CentralUS
Name                            : ado-sdk-pwsh-test03
Offering                        : {{
                                    "offeringType": "CspmMonitorAzureDevOps"
                                  }}
ResourceGroupName               : securityconnectors-pwsh-tmp
SystemDataCreatedAt             : 2/24/2024 12:13:11 AM
SystemDataCreatedBy             : c3d82ccb-fee1-430c-949e-6c0a217c00a8
SystemDataCreatedByType         : Application
SystemDataLastModifiedAt        : 2/24/2024 12:13:11 AM
SystemDataLastModifiedBy        : c3d82ccb-fee1-430c-949e-6c0a217c00a8
SystemDataLastModifiedByType    : Application
Tag                             : {
                                  }
Type                            : Microsoft.Security/securityconnectors

示例 4:创建 GitHub 安全连接器

New-AzSecurityConnector -ResourceGroupName "securityConnectors-pwsh-tmp" -Name "gh-sdk-pwsh-test03" `
    -EnvironmentName GitHub -EnvironmentData (New-AzSecurityGitHubScopeEnvironmentObject) `
    -HierarchyIdentifier ([guid]::NewGuid().ToString()) -Location "CentralUS" `
    -Offering @(New-AzSecurityCspmMonitorGithubOfferingObject)

EnvironmentData                 : {
                                    "environmentType": "GithubScope"
                                  }
EnvironmentName                 : Github
Etag                            : 
HierarchyIdentifier             : e8661d05-8003-46ae-b687-fa83746f44f3
HierarchyIdentifierTrialEndDate : 
Id                              : /subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/securityconnectors-pwsh-tmp/providers/Microsoft.Security/securityConnectors/gh-sdk-pwsh-test03
Kind                            : 
Location                        : CentralUS
Name                            : gh-sdk-pwsh-test03
Offering                        : {{
                                    "offeringType": "CspmMonitorGithub"
                                  }}
ResourceGroupName               : securityconnectors-pwsh-tmp
SystemDataCreatedAt             : 2/24/2024 12:55:33 AM
SystemDataCreatedBy             : c3d82ccb-fee1-430c-949e-6c0a217c00a8
SystemDataCreatedByType         : Application
SystemDataLastModifiedAt        : 2/24/2024 12:55:33 AM
SystemDataLastModifiedBy        : c3d82ccb-fee1-430c-949e-6c0a217c00a8
SystemDataLastModifiedByType    : Application
Tag                             : {
                                  }
Type                            : Microsoft.Security/securityconnectors

示例 5:创建 GitLab 安全连接器

New-AzSecurityConnector -ResourceGroupName "securityConnectors-pwsh-tmp" -Name "gl-sdk-pwsh-test03" `
    -EnvironmentName GitLab -EnvironmentData (New-AzSecurityGitLabScopeEnvironmentObject) `
    -HierarchyIdentifier ([guid]::NewGuid().ToString()) -Location "CentralUS" `
    -Offering @(New-AzSecurityCspmMonitorGitLabOfferingObject)

EnvironmentData                 : {
                                    "environmentType": "GitLabScope"
                                  }
EnvironmentName                 : GitLab
Etag                            : 
HierarchyIdentifier             : e8661d05-8003-46ae-b687-fa83746f44f3
HierarchyIdentifierTrialEndDate : 
Id                              : /subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/securityconnectors-pwsh-tmp/providers/Microsoft.Security/securityConnectors/gl-sdk-pwsh-test03
Kind                            : 
Location                        : CentralUS
Name                            : gl-sdk-pwsh-test03
Offering                        : {{
                                    "offeringType": "CspmMonitorGitLab"
                                  }}
ResourceGroupName               : securityconnectors-pwsh-tmp
SystemDataCreatedAt             : 2/24/2024 12:55:33 AM
SystemDataCreatedBy             : c3d82ccb-fee1-430c-949e-6c0a217c00a8
SystemDataCreatedByType         : Application
SystemDataLastModifiedAt        : 2/24/2024 12:55:33 AM
SystemDataLastModifiedBy        : c3d82ccb-fee1-430c-949e-6c0a217c00a8
SystemDataLastModifiedByType    : Application
Tag                             : {
                                  }
Type                            : Microsoft.Security/securityconnectors

参数

-Confirm

提示你在运行 cmdlet 之前进行确认。

类型:SwitchParameter
别名:cf
Position:Named
默认值:None
必需:False
接受管道输入:False
接受通配符:False

-DefaultProfile

DefaultProfile 参数不起作用。 如果对其他订阅执行 cmdlet,请使用 SubscriptionId 参数。

类型:PSObject
别名:AzureRMContext, AzureCredential
Position:Named
默认值:None
必需:False
接受管道输入:False
接受通配符:False

-EnvironmentData

安全连接器环境数据。

类型:ISecurityConnectorEnvironment
Position:Named
默认值:None
必需:False
接受管道输入:False
接受通配符:False

-EnvironmentName

多云资源的云名称。

类型:String
Position:Named
默认值:None
必需:False
接受管道输入:False
接受通配符:False

-Etag

实体标记用于比较同一请求资源的两个或多个实体。

类型:String
Position:Named
默认值:None
必需:False
接受管道输入:False
接受通配符:False

-HierarchyIdentifier

多云资源标识符(AWS 连接器的帐户 ID、GCP 连接器的项目编号)。

类型:String
Position:Named
默认值:None
必需:False
接受管道输入:False
接受通配符:False

-Kind

资源类型

类型:String
Position:Named
默认值:None
必需:False
接受管道输入:False
接受通配符:False

-Location

存储资源的位置

类型:String
Position:Named
默认值:None
必需:False
接受管道输入:False
接受通配符:False

-Name

安全连接器名称。

类型:String
别名:SecurityConnectorName
Position:Named
默认值:None
必需:True
接受管道输入:False
接受通配符:False

-Offering

安全连接器的产品/服务集合。

类型:ICloudOffering[]
Position:Named
默认值:None
必需:False
接受管道输入:False
接受通配符:False

-ResourceGroupName

用户订阅中的资源组的名称。 此名称不区分大小写。

类型:String
Position:Named
默认值:None
必需:True
接受管道输入:False
接受通配符:False

-SubscriptionId

Azure 订阅 ID

类型:String
Position:Named
默认值:(Get-AzContext).Subscription.Id
必需:False
接受管道输入:False
接受通配符:False

-Tag

描述资源的键值对的列表。

类型:Hashtable
Position:Named
默认值:None
必需:False
接受管道输入:False
接受通配符:False

-WhatIf

显示运行该 cmdlet 时会发生什么情况。 cmdlet 未运行。

类型:SwitchParameter
别名:wi
Position:Named
默认值:None
必需:False
接受管道输入:False
接受通配符:False

输出

ISecurityConnector