Review the permissions required to deploy resources and the permissions granted when connecting Azure cloud accounts to Trend Vision One.

Required Azure permissions

Function: Core features
Required permissions:
  • Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
  • Microsoft.ContainerService/managedClusters/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleDefinitions/read
  • */read
Description: These permissions are required to deploy the connector in a cloud account.

Function: Server & Workload Protection
Required permissions:
  Subscription permissions:
    • Microsoft.Resources/subscriptions/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Resources/providers/read
    • Microsoft.Resources/resources/read
  Virtual machine (VM) permissions:
    • Microsoft.Compute/virtualMachines/read
  Virtual Machine Scale Set (VMSS) permissions:
    • Microsoft.Compute/virtualMachineScaleSets/read
  Classic virtual machine (VM) permissions:
    • Microsoft.ClassicCompute/virtualMachines/read
    • Microsoft.ClassicCompute/domainNames/read
  Network permissions:
    • Microsoft.Network/networkSecurityGroups/read
    • Microsoft.Network/networkInterfaces/read
    • Microsoft.Network/publicIPAddresses/read
    • Microsoft.Network/virtualNetworks/read
  Azure metadata API permissions:
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Compute/locations/read
  Authentication and IAM permissions:
    • Microsoft.Resources/deployments/read
    • Microsoft.Authorization/roleAssignments/read
    • Microsoft.Authorization/roleDefinitions/read

Function: Cloud Security Posture
Required permissions:
  requiredResourceAccess:
    • resourceAppName: Microsoft Graph
      resourceAccess:
        • name: User.Read
          type: Delegated
        • name: User.Read.All
          type: Delegated
        • name: Directory.Read.All
          type: Application
        • name: User.Read.All
          type: Application
        • name: Policy.Read.All
          type: Application
  requiredRoleAccess:
    • resourceAppName: Microsoft App Configuration
      roleActions:
        • name: Microsoft.AppConfiguration/configurationStores/ListKeyValue/action
    • resourceAppName: Microsoft Network
      roleActions:
        • name: Microsoft.Network/networkWatchers/queryFlowLogStatus/action
    • resourceAppName: Microsoft Web
      roleActions:
        • name: Microsoft.Web/sites/config/list/Action
    • resourceAppName: Microsoft Key Vault
      dataActions:
        • name: Microsoft.KeyVault/vaults/keys/read
        • name: Microsoft.KeyVault/vaults/secrets/readMetadata/action
  requiredTenantScopeRoleAccess:
    • resourceAppName: Microsoft Management
      roleActions:
        • name: Microsoft.Management/managementGroups/read

Function: Agentless Vulnerability & Threat Detection
Required permissions:
  Subscription permissions:
    • Microsoft.ContainerRegistry/registries/generateCredentials/action
    • Microsoft.ContainerRegistry/registries/read
    • Microsoft.ContainerRegistry/registries/pull/read
    • Microsoft.ContainerRegistry/registries/tokens/write
    • Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read
    • Microsoft.ContainerRegistry/registries/scopeMaps/read
    • Microsoft.ContainerRegistry/registries/tokens/read
    • Microsoft.Compute/disks/read
    • Microsoft.Compute/virtualMachines/read
    • Microsoft.HybridCompute/machines/read
    • Microsoft.Authorization/roleAssignments/write
    • Microsoft.Authorization/roleAssignments/delete
    • Microsoft.Authorization/roleAssignments/read
    • Microsoft.Compute/locations/usages/read
    • Microsoft.Quota/quotas/read
  Trend Micro resource group permissions:
    Azure built-in role: Contributor
      • Actions:
        • *
      • NotActions:
        • Microsoft.Authorization/*/Delete
        • Microsoft.Authorization/*/Write
        • Microsoft.Authorization/elevateAccess/Action
        • Microsoft.Blueprint/blueprintAssignments/write
        • Microsoft.Blueprint/blueprintAssignments/delete
        • Microsoft.Compute/galleries/share/action
        • Microsoft.Purview/consents/write
        • Microsoft.Purview/consents/delete
        • Microsoft.Resources/deploymentStacks/manageDenySetting/action
        • Microsoft.Subscription/cancel/action
        • Microsoft.Subscription/enable/action
    Azure built-in role: AcrPull
      • Microsoft.ContainerRegistry/registries/pull/read
    Azure built-in role: Storage Blob Data Owner
      • Microsoft.Storage/storageAccounts/blobServices/containers/*
      • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
      • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*
  Trend Micro Storage ID permissions:
    Azure built-in role: Storage Blob Data Reader
      • Microsoft.Storage/storageAccounts/blobServices/containers/read
      • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
      • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read

Function: Cloud Detections for Azure Activity Log
Required permissions: N/A

Function: Microsoft Defender for Endpoint log collection
Required permissions:
  • Microsoft.KeyVault/vaults/secrets/read
  • Microsoft.KeyVault/vaults/secrets/write
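As an added illustration (not Trend Micro's code or part of this page), the following Python checks which of a set of required control-plane actions a role definition actually grants, using Azure RBAC's wildcard matching and Actions-minus-NotActions semantics. The Contributor definition is the one listed above; the required-action sample is constructed from a few entries of the agentless-detection subscription permissions, and the run shows that Contributor alone does not grant the roleAssignments write and delete actions that list contains.

```python
import re
from typing import Dict, Iterable, List

def _to_regex(pattern: str) -> "re.Pattern":
    # Azure RBAC action patterns: '*' matches any run of characters ('/'
    # included) and comparison is case-insensitive.
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.I)

def matches_any(action: str, patterns: Iterable[str]) -> bool:
    return any(_to_regex(p).fullmatch(action) for p in patterns)

def grants(role: Dict[str, List[str]], action: str) -> bool:
    # Effective permission of one role: allowed by Actions and not subtracted by
    # NotActions. NotActions only narrow this role; they are not deny rules.
    return (matches_any(action, role.get("Actions", []))
            and not matches_any(action, role.get("NotActions", [])))

def missing_actions(roles: List[Dict[str, List[str]]], required: Iterable[str]) -> List[str]:
    # Required actions that none of the given role definitions grants.
    return [a for a in required if not any(grants(r, a) for r in roles)]

# Contributor as listed on this page: Actions "*" minus NotActions.
CONTRIBUTOR = {
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action",
        "Microsoft.Purview/consents/write",
        "Microsoft.Purview/consents/delete",
        "Microsoft.Resources/deploymentStacks/manageDenySetting/action",
        "Microsoft.Subscription/cancel/action",
        "Microsoft.Subscription/enable/action",
    ],
}

# Constructed sample: a few of the agentless-detection subscription permissions.
AGENTLESS_SUBSET = [
    "Microsoft.Compute/disks/read",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
]

if __name__ == "__main__":
    print(missing_actions([CONTRIBUTOR], AGENTLESS_SUBSET))
```

Feeding it the JSON of a custom role (for example one built from the "*/read" pattern in the core-features row) shows at a glance which listed actions that role still lacks.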