Using GitHub Copilot for log and configuration analysis


Modern cloud environments generate enormous volumes of log data. In a busy environment, Azure Firewall produces thousands of log entries per hour. The Activity log records every management operation across all resources. NSG flow logs record every network connection, allowed and denied alike.

The challenge is not collection. Azure Monitor, Log Analytics and Microsoft Sentinel handle that well. The challenge is turning raw log data into actionable intelligence quickly: finding the attack pattern in 10,000 firewall entries, locating the root cause of a deployment failure buried in 500 lines of error output, or producing a meaningful compliance report from a month of Activity log data.

GitHub Copilot is good at pattern recognition and summarization. You supply the data; Copilot supplies the analysis. Treat that analysis as a starting point to verify against the raw records, not as a finding in itself, and check your organization's data-handling rules before pasting logs that may contain internal addresses, identities or secrets into a chat session.

Analyzing Azure Firewall logs

Azure Firewall network rule logs record every connection the firewall evaluates: source IP, destination IP, port, protocol, and whether the connection was allowed or denied. Reading these logs by hand is slow. Copilot can scan a pasted extract in seconds. Pre-filter in Log Analytics and paste a bounded extract; a chat context cannot hold a full day of firewall logs.

Basic analysis prompt

Analyze these Azure Firewall network rule logs and provide:
1. The top 5 source IPs generating denied traffic, with connection counts
2. The top 5 destination ports targeted by denied traffic
3. Any source IPs with rapid sequential connections to many different ports
   (port scanning behavior), including the time window
4. The one-hour period with the highest volume of denied connections
5. Any connections that were ALLOWED to unusual external destinations
   (non-standard ports, suspicious IP ranges)

Format the output as a structured report with a section for each finding.

[paste firewall-logs.json content here]

What good firewall log analysis reveals

Port scanning shows up as a single source IP connecting to many different destination ports within a short window. A legitimate client connects to one or two ports repeatedly; a scanner probes dozens of ports in sequence.

Brute-force attempts show up as a high volume of denied connections from one source IP to the same destination port in a short window, typically 22 (SSH) or 3389 (RDP).

Anomalies in allowed traffic are often more concerning than denied traffic. A denied connection was blocked. An allowed connection to an unusual destination, such as a non-standard port or an IP range associated with known threats, represents actual data movement and should be investigated.
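The three patterns above, plus the top-talker and busiest-hour counts the prompt asks for, can be checked mechanically before or alongside a Copilot pass. The following is an added example, not code from the original page or from Microsoft: it runs the detection logic over a constructed sample. The record layout (TimeGenerated, SourceIp, DestinationIp, DestinationPort, Action) follows the resource-specific AZFWNetworkRule columns; that mapping, the thresholds and the EXPECTED_PORTS list are assumptions to tune for your environment.

```python
"""Detection logic over Azure Firewall network-rule records.

Added example (not code from the original page): implements port-scan,
brute-force and allowed-to-unexpected-port detection plus top-talker and
busiest-hour counts over a constructed sample. Field names follow the
resource-specific AZFWNetworkRule schema; that mapping is an assumption.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _rec(ts, src, dst, port, action):
    return {"TimeGenerated": ts, "SourceIp": src, "DestinationIp": dst,
            "DestinationPort": port, "Action": action, "Protocol": "TCP"}


# Constructed sample traffic; none of these addresses or events are real.
BASE = datetime(2024, 5, 1, 2, 0, 0)
SAMPLE_LOGS = []
# 203.0.113.7 probes 30 consecutive ports in 30 seconds: a port scan.
SAMPLE_LOGS += [_rec(BASE + timedelta(seconds=i), "203.0.113.7", "10.0.1.4", 1000 + i, "Deny")
                for i in range(30)]
# 198.51.100.9 is denied on SSH 25 times in two minutes: brute force.
SAMPLE_LOGS += [_rec(BASE + timedelta(seconds=5 * i), "198.51.100.9", "10.0.1.4", 22, "Deny")
                for i in range(25)]
# 10.0.2.10 is a legitimate client that keeps hitting HTTPS.
SAMPLE_LOGS += [_rec(BASE + timedelta(minutes=i), "10.0.2.10", "10.0.1.5", 443, "Allow")
                for i in range(10)]
# 10.0.3.8 was allowed out to port 4444 on an external host: investigate.
SAMPLE_LOGS.append(_rec(BASE + timedelta(minutes=40), "10.0.3.8", "192.0.2.44", 4444, "Allow"))

# Ports an allowed outbound connection is expected to use (assumption; tune per environment).
EXPECTED_PORTS = {53, 80, 123, 443}


def top_denied_sources(logs, n=5):
    """Source IPs with the most denied connections, as (ip, count) pairs."""
    return Counter(r["SourceIp"] for r in logs if r["Action"] == "Deny").most_common(n)


def find_port_scans(logs, min_ports=20, window=timedelta(minutes=5)):
    """Sources that touch at least min_ports distinct destination ports inside one window.
    Returns (source, distinct_ports, window_start, window_end)."""
    by_src = defaultdict(list)
    for r in logs:
        by_src[r["SourceIp"]].append((r["TimeGenerated"], r["DestinationPort"]))
    hits = []
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits.append((src, len(ports), t0, t0 + window))
                break
    return hits


def find_brute_force(logs, min_attempts=20, window=timedelta(minutes=5)):
    """(source, port, peak_count) for pairs with >= min_attempts denials inside one window."""
    by_key = defaultdict(list)
    for r in logs:
        if r["Action"] == "Deny":
            by_key[(r["SourceIp"], r["DestinationPort"])].append(r["TimeGenerated"])
    hits = []
    for (src, port), times in by_key.items():
        times.sort()
        j, best = 0, 0  # sliding window: times[j:i+1] all fall within `window`
        for i, t in enumerate(times):
            while t - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_attempts:
            hits.append((src, port, best))
    return hits


def allowed_to_unexpected_ports(logs, expected=EXPECTED_PORTS):
    """Allowed connections whose destination port is not on the expected list."""
    return [(r["SourceIp"], r["DestinationIp"], r["DestinationPort"])
            for r in logs if r["Action"] == "Allow" and r["DestinationPort"] not in expected]


def busiest_denied_hour(logs):
    """(hour_start, count) for the hour with the most denials, or None if there are none."""
    hours = Counter(r["TimeGenerated"].replace(minute=0, second=0, microsecond=0)
                    for r in logs if r["Action"] == "Deny")
    return hours.most_common(1)[0] if hours else None


if __name__ == "__main__":
    print("Top denied sources:", top_denied_sources(SAMPLE_LOGS))
    print("Port scans:", find_port_scans(SAMPLE_LOGS))
    print("Brute force:", find_brute_force(SAMPLE_LOGS))
    print("Allowed to unexpected ports:", allowed_to_unexpected_ports(SAMPLE_LOGS))
    print("Busiest denied hour:", busiest_denied_hour(SAMPLE_LOGS))
```

The two time-window checks are deliberately separate: a scanner spreads its attempts across ports, so it never trips the per-port brute-force threshold, and a brute-forcer stays on one port, so it never trips the distinct-port threshold. Running both over the same extract you give Copilot lets you confirm that its findings match the data.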

Turning findings into infrastructure changes

Log analysis should feed directly back into your Bicep templates. Once you have identified an offending source IP, ask Copilot to generate the remediation:

Based on the firewall log analysis, the following source IPs are confirmed
malicious: 185.220.101.45, 91.230.54.112, 194.165.16.78.

Generate:
1. A Bicep snippet for an Azure Firewall Network Rule Collection that explicitly
   denies all traffic from these IPs at the highest priority (100)
2. An Azure CLI command to apply this rule without a full template redeployment
3. A comment explaining the source of each blocked IP

That closes the loop: analyze the logs and identify the threat, generate the IaC that blocks it, then deploy the fix. The whole workflow can happen in one Copilot Chat session. Confirm each address against your own allow lists and partner ranges before blocking it, and remember that in Azure Firewall a lower priority number is evaluated first, so a deny collection at priority 100 takes precedence over every collection with a higher number.

Troubleshooting deployment failures

Deployment failure logs can be cryptic. Azure Resource Manager returns nested JSON error objects with codes, messages and policy evaluation details that take time to unpick. Copilot cuts through that noise, names the specific root cause, and can propose the fix in seconds.

Failure analysis prompt

This is an Azure resource deployment log that ended in failure.
Analyze the log and provide:
- The root cause of the failure in plain language, not error codes
- Which specific resource failed and why
- The exact change needed in the Bicep template or deployment parameters to fix the issue
- Whether there are multiple issues (sometimes one error masks another)

If there is a policy violation, explain: which policy blocked the deployment,
what the policy requires, and where in the template the requirement is not met.

[paste failed-deployment.log content here]

Common deployment failure categories

Subnet sizing errors: Azure Firewall needs a subnet of at least /26. Azure Bastion needs at least /26. A virtual network gateway needs at least /27. These limits are easy to miss, and they produce explicit error messages that Copilot can parse and fix.

Policy violations: enterprise Azure subscription governance relies on Azure Policy. Common policies require specific tags on every resource, restrict SKUs to an approved list, or enforce minimum subnet sizes. A policy violation in the error log includes the policy name and the specific expression that evaluated as non-compliant.

Resource conflicts: deploying a resource that already exists with incompatible properties. Examples include a storage account redeployed with a different SKU than the existing account, or a Key Vault name that is already in use globally.

RBAC permission failures: the deploying identity lacks permission to create a particular resource type. This is common when a template deploys role assignments, because Microsoft.Authorization/roleAssignments/write requires Owner or User Access Administrator.

API version mismatches: the resource uses an API version that is no longer available. This is more common in older templates.
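Several of these categories can be caught before Azure Resource Manager ever sees the template. The following is an added example, not code from the original page or from Microsoft: a pre-flight check over a VNet definition that flags an undersized reserved subnet, a subnet that overlaps another or falls outside the address space, and a missing required tag. The minimum prefix lengths and the CostCenter requirement come from the page's own examples; the dictionary layout of SAMPLE_VNET is an assumption standing in for parsed Bicep parameters.

```python
"""Pre-flight checks for a VNet definition before deployment.

Added example (not code from the original page): catches undersized
reserved subnets, overlapping or out-of-range subnets, and a missing
required tag before Azure Resource Manager rejects the deployment.
The dictionary layout and the CostCenter requirement are assumptions.
"""
import ipaddress

# Minimum prefix length per reserved subnet name (a smaller number is a larger subnet).
MIN_PREFIX = {"AzureFirewallSubnet": 26, "AzureBastionSubnet": 26, "GatewaySubnet": 27}
# Tags that a policy in this (hypothetical) subscription requires on every resource.
REQUIRED_TAGS = ("CostCenter",)

# Constructed definition that reproduces the failing deployment described in the text.
SAMPLE_VNET = {
    "name": "vnet-hub",
    "tags": {"Environment": "prod"},                                    # CostCenter missing
    "addressSpace": "10.0.0.0/16",
    "subnets": [
        {"name": "AzureFirewallSubnet", "addressPrefix": "10.0.0.0/27"},  # too small
        {"name": "AzureBastionSubnet", "addressPrefix": "10.0.0.64/26"},
        {"name": "GatewaySubnet", "addressPrefix": "10.0.1.0/27"},
        {"name": "snet-app", "addressPrefix": "10.0.0.96/27"},           # overlaps Bastion
    ],
}


def check_vnet(vnet):
    """Return human-readable problems in deployment order; an empty list means safe to deploy."""
    problems = []
    for tag in REQUIRED_TAGS:
        if tag not in vnet.get("tags", {}):
            problems.append(f"{vnet['name']}: required tag '{tag}' is missing")
    space = ipaddress.ip_network(vnet["addressSpace"])
    seen = []  # (name, network) of subnets already checked, for overlap detection
    for s in vnet["subnets"]:
        try:
            net = ipaddress.ip_network(s["addressPrefix"], strict=True)
        except ValueError as exc:  # host bits set, bad mask, etc.
            problems.append(f"{s['name']}: invalid prefix {s['addressPrefix']} ({exc})")
            continue
        if not net.subnet_of(space):
            problems.append(f"{s['name']}: {net} is outside address space {space}")
        need = MIN_PREFIX.get(s["name"])
        if need is not None and net.prefixlen > need:
            problems.append(f"{s['name']}: /{net.prefixlen} is too small, needs /{need} or larger")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{s['name']}: {net} overlaps {other_name} ({other})")
        seen.append((s["name"], net))
    return problems


if __name__ == "__main__":
    for problem in check_vnet(SAMPLE_VNET):
        print("-", problem)
```

Run it against the parameters you are about to deploy; the two fixes the next prompt asks Copilot for (widen AzureFirewallSubnet to /26, add the CostCenter tag) make the first two findings disappear, and the overlap is the kind of conflict that would otherwise surface only as a nested ARM error.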

Asking for the fix in Bicep

Once Copilot has identified the root cause, ask it to generate the fix:

The deployment failed because:
1. AzureFirewallSubnet is /27 but must be /26
2. The CostCenter tag is missing from the hub VNet resource

Apply both fixes to this Bicep template. Show only the changed sections,
not the entire template, and explain what you changed and why.

[paste the relevant Bicep sections]

Generating KQL queries for Azure Monitor

KQL (Kusto Query Language) is the query language for Azure Monitor, Log Analytics and Microsoft Sentinel. Writing KQL from scratch requires knowing the table schemas, the KQL functions and the structure of Azure diagnostic logs. Copilot generates KQL from a natural-language description, which lowers that barrier considerably.

Basic KQL generation

Generate a KQL query for the AzureDiagnostics table in Log Analytics.
The query should:
- Count denied connections grouped by SourceIP
- Filter to the last 24 hours using TimeGenerated > ago(24h)
- Include only rows where Action_s == "Deny"
- Include only rows from Azure Firewall (Category == "AzureFirewallNetworkRule")
- Sort by count descending
- Visualize as a bar chart

Add a comment at the top explaining what this query does and when to use it.

Example KQL output. The column names depend on how the firewall logs were sent to the workspace: the legacy AzureDiagnostics table stores the connection details in a single msg_s string that has to be parsed, while the resource-specific tables such as AZFWNetworkRule expose SourceIp, DestinationPort and Action as typed columns. Run any generated query against your workspace and confirm that the columns it references actually exist:

// Top blocked source IPs in the last 24 hours
// Use this query to identify source IPs generating the most denied traffic.
// Useful for firewall rule tuning and threat hunting.
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where Category == "AzureFirewallNetworkRule"
| where Action_s == "Deny"
| summarize DeniedCount = count() by SourceIP = SourceIp_s
| sort by DeniedCount desc
| render barchart

Generating a set of security queries

Generate three KQL queries for Azure Firewall security monitoring:

Query 1: Allowed SSH/RDP connections
Find all connections to port 22 or 3389 that were allowed by the firewall.
These are potential security risks that should be reviewed.

Query 2: Hourly allowed vs. denied traffic trend
Show the count of allowed and denied connections per hour over the last 7 days,
as a time chart with two series (one for allowed, one for denied).

Query 3: New source IPs in the last 24 hours
Find source IPs that appear in today's denied traffic but did not appear
in the 7 days prior. These are new sources of malicious traffic.

For each query: add explanatory comments, use the AzureDiagnostics table,
and make them production-ready (handle null fields with isnotempty()).

Generating KQL for the Activity log

In Log Analytics the Activity log lands in the AzureActivity table. Its schema differs from the diagnostic log tables. Copilot generally knows the column names, but verify them against the workspace schema before relying on a generated query.

Generate a KQL query for the AzureActivity table that finds:
- All role assignment changes (RBAC) in the last 30 days
- Only operations where OperationNameValue contains "roleAssignments"
- Include: TimeGenerated, Caller, OperationNameValue, ActivityStatusValue,
  ResourceGroup, Properties

Sort by TimeGenerated descending. Add a comment explaining how to use
this query for access control auditing.

Generating compliance audit summaries

Compliance teams and auditors need structured reports, not raw log data. Copilot can read a log file and produce a professional audit summary.

Compliance summary prompt

Analyze these Azure Activity Log entries and generate a compliance audit summary
in markdown format for the period [date range].

Structure the report as follows:

## Executive Summary
[2-3 sentences summarizing the overall compliance posture]

## Access Control Changes
[Table: Date | Actor | Action | Resource | Risk Rating]

## Resource Deletions
[Table: Date | Actor | Resource | Resource Group | Risk Rating]

## Policy Exemptions
[Table: Date | Actor | Policy | Exemption Scope | Expiry | Risk Rating]

## After-Hours Activity
[Table: Date | Time | Actor | Action | Risk Rating]
[Note: Business hours are 09:00-18:00 in your local time zone]

## Risk Summary
[Count by risk level: High / Medium / Low]

## Recommended Actions
[Bulleted list of follow-up actions based on findings]

Apply risk ratings:
- High: role assignments, policy exemptions, resource deletions in production
- Medium: configuration changes to security resources (Key Vault, NSG, Firewall)
- Low: read operations, tag updates, scaling events

[paste activity-log.json content here]

The output can be used directly as a compliance report, a security review summary, or a section of an audit response package. Review the risk ratings Copilot applied and adjust any that do not match your organization's risk classification policy, and spot-check the table rows against the source log: a summary that drops or misattributes an event is worse than raw data in an audit.
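The risk rules in the prompt are simple enough to apply deterministically, which gives you an independent baseline to compare Copilot's ratings against. The following is an added example, not code from the original page or from Microsoft: it rates constructed AzureActivity-style records with the prompt's High/Medium/Low rules, flags after-hours activity, and renders a markdown table in the report's format. The records are made up; field names follow the AzureActivity columns the earlier prompt lists; the "production" test on the resource group name, the UTC+1 business time zone and the 09:00-18:00 window are assumptions to replace with your own conventions.

```python
"""Risk-rate Activity log entries with the rules from the compliance prompt.

Added example (not code from the original page): deterministic ratings
and after-hours detection over constructed AzureActivity-style records,
for cross-checking a Copilot-generated summary. The production naming
convention, time zone and business hours are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed records; callers, resource groups and times are made up.
SAMPLE_ACTIVITY = [
    {"TimeGenerated": datetime(2024, 5, 6, 10, 15, tzinfo=timezone.utc), "Caller": "alice@contoso.com",
     "OperationNameValue": "Microsoft.Authorization/roleAssignments/write",
     "ActivityStatusValue": "Success", "ResourceGroup": "rg-prod-hub"},
    {"TimeGenerated": datetime(2024, 5, 6, 23, 40, tzinfo=timezone.utc), "Caller": "svc-deploy",
     "OperationNameValue": "Microsoft.Compute/virtualMachines/delete",
     "ActivityStatusValue": "Success", "ResourceGroup": "rg-prod-app"},
    {"TimeGenerated": datetime(2024, 5, 7, 14, 5, tzinfo=timezone.utc), "Caller": "bob@contoso.com",
     "OperationNameValue": "Microsoft.Network/networkSecurityGroups/securityRules/write",
     "ActivityStatusValue": "Success", "ResourceGroup": "rg-prod-hub"},
    {"TimeGenerated": datetime(2024, 5, 7, 14, 6, tzinfo=timezone.utc), "Caller": "bob@contoso.com",
     "OperationNameValue": "Microsoft.Resources/tags/write",
     "ActivityStatusValue": "Success", "ResourceGroup": "rg-dev-app"},
    {"TimeGenerated": datetime(2024, 5, 8, 3, 12, tzinfo=timezone.utc), "Caller": "carol@contoso.com",
     "OperationNameValue": "Microsoft.Authorization/policyExemptions/write",
     "ActivityStatusValue": "Success", "ResourceGroup": "rg-prod-data"},
    {"TimeGenerated": datetime(2024, 5, 8, 9, 30, tzinfo=timezone.utc), "Caller": "dave@contoso.com",
     "OperationNameValue": "Microsoft.Compute/virtualMachines/delete",
     "ActivityStatusValue": "Success", "ResourceGroup": "rg-dev-app"},
]

# Resource providers whose configuration changes the prompt rates Medium.
SECURITY_PROVIDERS = ("microsoft.keyvault/", "microsoft.network/networksecuritygroups",
                      "microsoft.network/azurefirewalls")
BUSINESS_TZ = timezone(timedelta(hours=1))  # assumption: replace with your local zone


def is_production(resource_group):
    """Assumption: production resource groups carry 'prod' in their name; use tags if you have them."""
    return "prod" in resource_group.lower()


def rate(entry):
    """Apply the prompt's rules: High / Medium / Low."""
    op = entry["OperationNameValue"].lower()
    if op.endswith("/read"):
        return "Low"
    if op.startswith(("microsoft.authorization/roleassignments/",
                      "microsoft.authorization/policyexemptions/")):
        return "High"
    if op.endswith("/delete"):
        return "High" if is_production(entry["ResourceGroup"]) else "Medium"
    if op.startswith(SECURITY_PROVIDERS):
        return "Medium"
    return "Low"  # tag updates, scaling, other routine writes


def is_after_hours(ts, tz=BUSINESS_TZ, start=9, end=18):
    """True outside start..end local time or on a weekend."""
    local = ts.astimezone(tz)
    return local.weekday() >= 5 or not (start <= local.hour < end)


def markdown_table(headers, rows):
    lines = ["| " + " | ".join(headers) + " |", "|" + "---|" * len(headers)]
    lines += ["| " + " | ".join(str(c) for c in row) + " |" for row in rows]
    return "\n".join(lines)


def summarize(entries):
    """Counts by risk level plus the after-hours rows for the report."""
    rated = [(e, rate(e)) for e in entries]
    after_hours = [(e["TimeGenerated"].astimezone(BUSINESS_TZ).strftime("%Y-%m-%d"),
                    e["TimeGenerated"].astimezone(BUSINESS_TZ).strftime("%H:%M"),
                    e["Caller"], e["OperationNameValue"], r)
                   for e, r in rated if is_after_hours(e["TimeGenerated"])]
    return {"risk_counts": dict(Counter(r for _, r in rated)), "after_hours": after_hours}


if __name__ == "__main__":
    result = summarize(SAMPLE_ACTIVITY)
    print(result["risk_counts"])
    print(markdown_table(["Date", "Time", "Actor", "Action", "Risk Rating"], result["after_hours"]))
```

If Copilot's Risk Summary counts differ from what this produces for the same extract, the difference is either a rule it applied that you did not state or a row it silently dropped; both are worth finding before the report leaves your hands.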