Review the permissions required to deploy resources and the permissions granted when connecting Azure subscriptions to TrendAI Vision One™.
The following permissions are required to successfully deploy TrendAI Vision One™ cloud security resources in your Azure subscription.
Note
The permissions listed here apply to individual Azure subscriptions. If you are deploying to an Azure management group, see Required permissions for Azure management groups.
  • For Microsoft Entra ID users, your sign-in must hold the following roles:
    • Application Administrator
    • Privileged Role Administrator
  • For Microsoft Azure users, your sign-in must hold the following roles, or higher, on the subscription you are connecting:
    • User Access Administrator
    • Contributor
  • To enable Microsoft Defender for Endpoint log collection or Azure Activity Logs, your Microsoft Azure sign-in must also hold the following role:
    • Key Vault Secrets Officer
The Terraform process assigns itself specific permissions in order to connect cloud accounts with TrendAI Vision One™ cloud security services. These permissions include enabling the Cloud Accounts app and the security services to obtain temporary credentials and complete tasks in your Azure cloud environment.
Select a feature to view the permissions it requires:

Core features

Permission type
Required permissions
Azure Resource Manager (ARM) permissions
  • Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
  • Microsoft.ContainerService/managedClusters/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleDefinitions/read
  • */read
API permissions
  • Azure Active Directory Graph (4)
    • Directory.Read.All | Delegated
    • Directory.Read.All | Application
    • User.Read | Delegated
    • User.Read.All | Delegated
  • Microsoft Graph (4)
    • Directory.Read.All | Application
    • User.Read | Delegated
    • User.Read.All | Delegated
    • User.Read.All | Application

Server & Workload Protection

Permission category
Required permissions
Subscription permissions
  • Microsoft.Resources/subscriptions/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/providers/read
  • Microsoft.Resources/resources/read
Virtual machine (VM) permissions
  • Microsoft.Compute/virtualMachines/read
Virtual Machine Scale Set (VMSS) permissions
  • Microsoft.Compute/virtualMachineScaleSets/read
Classic virtual machine (VM) permissions
  • Microsoft.ClassicCompute/virtualMachines/read
  • Microsoft.ClassicCompute/domainNames/read
Network permissions
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/networkInterfaces/read
  • Microsoft.Network/publicIPAddresses/read
  • Microsoft.Network/virtualNetworks/read
Azure metadata API permissions
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Compute/locations/read
Authentication and IAM permissions
  • Microsoft.Resources/deployments/read
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleDefinitions/read

Cloud Security Posture

Permission category
Required permissions
requiredResourceAccess
  • resourceAppName: Microsoft Graph
  • resourceAccess:
    • name: User.Read
    • type: Delegated
    • name: User.Read.All
    • type: Delegated
    • name: Directory.Read.All
    • type: Application
    • name: User.Read.All
    • type: Application
    • name: Policy.Read.All
    • type: Application
requiredRoleAccess
  • resourceAppName: Microsoft App Configuration
    roleActions:
    • name: Microsoft.AppConfiguration/configurationStores/ListKeyValue/action
  • resourceAppName: Microsoft Network
    roleActions:
    • name: Microsoft.Network/networkWatchers/queryFlowLogStatus/action
  • resourceAppName: Microsoft Web
    roleActions:
    • name: Microsoft.Web/sites/config/list/Action
  • resourceAppName: Microsoft Key Vault
    dataActions:
    • name: Microsoft.KeyVault/vaults/keys/read
    • name: Microsoft.KeyVault/vaults/secrets/readMetadata/action
requiredTenantScopeRoleAccess
  • resourceAppName: Microsoft Management
    roleActions:
    • name: Microsoft.Management/managementGroups/read

Agentless Vulnerability and Threat Detection

Permission category
Required permissions
Azure Resource Manager (ARM) permissions
  • Microsoft.ContainerRegistry/registries/generateCredentials/action
  • Microsoft.ContainerRegistry/registries/read
  • Microsoft.ContainerRegistry/registries/pull/read
  • Microsoft.ContainerRegistry/registries/tokens/write
  • Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read
  • Microsoft.ContainerRegistry/registries/scopeMaps/read
  • Microsoft.ContainerRegistry/registries/tokens/read
  • Microsoft.Compute/disks/read
  • Microsoft.Compute/virtualMachines//read
  • Microsoft.HybridCompute/machines//read
  • Microsoft.Authorization/roleAssignments/write
  • Microsoft.Authorization/roleAssignments/delete
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Compute/locations/usages/read
  • Microsoft.Quota/quotas/read
TrendAI™ resource group permissions
Azure built-in role: Contributor
  • Actions:
    • *
  • NotActions:
    • Microsoft.Authorization/*/Delete
    • Microsoft.Authorization/*/Write
    • Microsoft.Authorization/elevateAccess/Action
    • Microsoft.Blueprint/blueprintAssignments/write
    • Microsoft.Blueprint/blueprintAssignments/delete
    • Microsoft.Compute/galleries/share/action
    • Microsoft.Purview/consents/write
    • Microsoft.Purview/consents/delete
    • Microsoft.Resources/deploymentStacks/manageDenySetting/action
    • Microsoft.Subscription/cancel/action
    • Microsoft.Subscription/enable/action
Azure built-in role: AcrPull
  • Microsoft.ContainerRegistry/registries/pull/read
Azure built-in role: Storage Blob Data Owner
  • Microsoft.Storage/storageAccounts/blobServices/containers/*
  • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*
TrendAI™ storage identity permissions
Azure built-in role: Storage Blob Data Reader
  • Microsoft.Storage/storageAccounts/blobServices/containers/read
  • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
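The lists above mix read-only actions with role-assignment writes, and the Contributor definition quoted for the TrendAI™ resource group explicitly excludes `Microsoft.Authorization/*/Write` and `Microsoft.Authorization/*/Delete`. That is why the onboarding sign-in needs User Access Administrator in addition to Contributor: `Microsoft.Authorization/roleAssignments/write` is never granted by Contributor. The following script, an added example that is not Trend Micro's or Microsoft's code, implements Azure RBAC's matching rule (an operation is granted by a role when it matches an Actions pattern and no NotActions pattern, `*` matches any characters including `/`, comparison is case-insensitive, and grants from several assigned roles are unioned) and checks representative subsets of this page's required-action lists against the Contributor definition quoted above. The User Access Administrator and Key Vault Secrets Officer definitions are taken from Microsoft's public built-in role definitions, not from this page, and only the parts needed for the check are modelled.

```python
"""Check whether assigned Azure RBAC roles cover a required action set.

Added example (not Trend Micro's or Microsoft's code).  Implements the
Azure RBAC effective-permission rule: a role grants an operation when it
matches at least one Actions (DataActions for data-plane operations) pattern
and no NotActions (NotDataActions) pattern.  '*' matches any run of
characters including '/', comparison is case-insensitive, and across several
role assignments grants are unioned: a NotAction in one role never removes
what another role grants.
"""
import re
from dataclasses import dataclass, field


def _matches(pattern: str, operation: str) -> bool:
    """Azure wildcard match: each '*' becomes '.*', anchored, case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


@dataclass
class RoleDefinition:
    name: str
    actions: list[str] = field(default_factory=list)
    not_actions: list[str] = field(default_factory=list)
    data_actions: list[str] = field(default_factory=list)
    not_data_actions: list[str] = field(default_factory=list)

    def allows(self, operation: str, data: bool = False) -> bool:
        grants, denies = ((self.data_actions, self.not_data_actions) if data
                          else (self.actions, self.not_actions))
        if not any(_matches(p, operation) for p in grants):
            return False
        return not any(_matches(p, operation) for p in denies)

    def missing(self, required: list[str], data: bool = False) -> list[str]:
        """Required operations this role alone does not grant."""
        return [op for op in required if not self.allows(op, data)]


def missing_from_roles(roles: list[RoleDefinition], required: list[str],
                       data: bool = False) -> list[str]:
    """Required operations that none of the assigned roles grants (union)."""
    return [op for op in required if not any(r.allows(op, data) for r in roles)]


# Contributor exactly as quoted on this page: Actions '*' minus the NotActions.
CONTRIBUTOR = RoleDefinition(
    name="Contributor",
    actions=["*"],
    not_actions=[
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action",
        "Microsoft.Purview/consents/write",
        "Microsoft.Purview/consents/delete",
        "Microsoft.Resources/deploymentStacks/manageDenySetting/action",
        "Microsoft.Subscription/cancel/action",
        "Microsoft.Subscription/enable/action",
    ],
)

# Microsoft's built-in User Access Administrator (public definition, not from this page).
USER_ACCESS_ADMINISTRATOR = RoleDefinition(
    name="User Access Administrator",
    actions=["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
)

# Key Vault Secrets Officer: only its DataActions are modelled here (its
# control-plane read actions are omitted; public definition, not from this page).
KEY_VAULT_SECRETS_OFFICER = RoleDefinition(
    name="Key Vault Secrets Officer",
    data_actions=["Microsoft.KeyVault/vaults/secrets/*"],
)

# Representative subsets of the required-permission lists on this page.
AGENTLESS_ARM = [
    "Microsoft.ContainerRegistry/registries/generateCredentials/action",
    "Microsoft.ContainerRegistry/registries/tokens/write",
    "Microsoft.Compute/disks/read",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Quota/quotas/read",
]
CSPM_KEY_VAULT_DATA = [  # listed as dataActions under Cloud Security Posture
    "Microsoft.KeyVault/vaults/keys/read",
    "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
]


if __name__ == "__main__":
    print("Contributor alone lacks:", CONTRIBUTOR.missing(AGENTLESS_ARM))
    print("Contributor + User Access Administrator lack:",
          missing_from_roles([CONTRIBUTOR, USER_ACCESS_ADMINISTRATOR], AGENTLESS_ARM))
    print("Contributor lacks (data plane):", CONTRIBUTOR.missing(CSPM_KEY_VAULT_DATA, data=True))
    print("Key Vault Secrets Officer lacks (data plane):",
          KEY_VAULT_SECRETS_OFFICER.missing(CSPM_KEY_VAULT_DATA, data=True))
```

Two points the run makes concrete: control-plane wildcards such as `*/read` cover every `.../read` action in the Server & Workload Protection list but not `.../action` operations like `listClusterUserCredential/action`, and DataActions are evaluated separately from Actions, so a role with `Actions: *` still grants nothing on the Key Vault data plane.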

Data Security Posture

Permission type
Required permissions
Azure Resource Manager (ARM) permissions
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/networkSecurityGroups/write
  • Microsoft.Network/networkSecurityGroups/delete
  • Microsoft.Network/networkSecurityGroups/securityRules/read
  • Microsoft.Network/networkSecurityGroups/securityRules/write
  • Microsoft.Network/networkSecurityGroups/securityRules/delete
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/subscriptions/resourceGroups/write
  • Microsoft.Resources/subscriptions/resourceGroups/delete
  • Microsoft.Automation/automationAccounts/read
  • Microsoft.Automation/automationAccounts/write
  • Microsoft.Automation/automationAccounts/delete
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleAssignments/write
  • Microsoft.Authorization/roleAssignments/delete
  • Microsoft.Automation/automationAccounts/webhooks/read
  • Microsoft.Automation/automationAccounts/webhooks/write
  • Microsoft.Automation/automationAccounts/webhooks/delete
  • Microsoft.Insights/actionGroups/read
  • Microsoft.Insights/actionGroups/write
  • Microsoft.Insights/actionGroups/delete
  • Microsoft.Automation/automationAccounts/python3Packages/read
  • Microsoft.Automation/automationAccounts/python3Packages/write
  • Microsoft.Automation/automationAccounts/python3Packages/delete
  • Microsoft.Automation/automationAccounts/runbooks/read
  • Microsoft.Automation/automationAccounts/runbooks/write
  • Microsoft.Automation/automationAccounts/runbooks/delete
  • Microsoft.Automation/automationAccounts/jobSchedules/read
  • Microsoft.Automation/automationAccounts/jobSchedules/write
  • Microsoft.Automation/automationAccounts/jobSchedules/delete
  • Microsoft.Network/publicIPAddresses/read
  • Microsoft.Network/publicIPAddresses/write
  • Microsoft.Network/publicIPAddresses/delete
  • Microsoft.Network/virtualNetworks/subnets/read
  • Microsoft.Network/virtualNetworks/subnets/write
  • Microsoft.Network/virtualNetworks/subnets/delete
  • Microsoft.Network/virtualNetworks/subnets/join/action
  • Microsoft.Network/bastionHosts/read
  • Microsoft.Network/bastionHosts/write
  • Microsoft.Network/bastionHosts/delete

File Storage Security

Permission type
Required permissions
Azure Resource Manager (ARM) permissions
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleAssignments/write
  • Microsoft.Authorization/roleAssignments/delete
  • Microsoft.Authorization/roleDefinitions/read
  • Microsoft.Authorization/roleDefinitions/write
  • Microsoft.Authorization/roleDefinitions/delete
  • Microsoft.EventGrid/eventSubscriptions/read
  • Microsoft.EventGrid/eventSubscriptions/write
  • Microsoft.EventGrid/eventSubscriptions/delete
  • Microsoft.EventGrid/systemTopics/read
  • Microsoft.EventGrid/systemTopics/write
  • Microsoft.EventGrid/systemTopics/delete
  • Microsoft.EventGrid/systemTopics/eventSubscriptions/read
  • Microsoft.EventGrid/systemTopics/eventSubscriptions/write
  • Microsoft.EventGrid/systemTopics/eventSubscriptions/delete
  • Microsoft.Insights/components/read
  • Microsoft.Insights/components/write
  • Microsoft.Insights/components/delete
  • Microsoft.Insights/components/currentbillingfeatures/read
  • Microsoft.Insights/components/currentbillingfeatures/write
  • Microsoft.KeyVault/locations/deletedVaults/purge/action
  • Microsoft.KeyVault/locations/operationResults/read
  • Microsoft.KeyVault/vaults/read
  • Microsoft.KeyVault/vaults/write
  • Microsoft.KeyVault/vaults/delete
  • Microsoft.KeyVault/vaults/accessPolicies/write
  • Microsoft.ManagedIdentity/userAssignedIdentities/read
  • Microsoft.ManagedIdentity/userAssignedIdentities/write
  • Microsoft.ManagedIdentity/userAssignedIdentities/delete
  • Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
  • Microsoft.OperationalInsights/workspaces/read
  • Microsoft.OperationalInsights/workspaces/write
  • Microsoft.OperationalInsights/workspaces/delete
  • Microsoft.Resources/deployments/read
  • Microsoft.Resources/deployments/write
  • Microsoft.Resources/deployments/delete
  • Microsoft.Resources/deployments/operations/read
  • Microsoft.Resources/deployments/operationstatuses/read
  • Microsoft.Resources/resources/read
  • Microsoft.Resources/subscriptions/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/subscriptions/resourceGroups/write
  • Microsoft.Resources/subscriptions/resourceGroups/delete
  • Microsoft.ServiceBus/namespaces/read
  • Microsoft.ServiceBus/namespaces/write
  • Microsoft.ServiceBus/namespaces/delete
  • Microsoft.ServiceBus/namespaces/networkRuleSets/read
  • Microsoft.ServiceBus/namespaces/queues/read
  • Microsoft.ServiceBus/namespaces/queues/write
  • Microsoft.ServiceBus/namespaces/queues/delete
  • Microsoft.ServiceBus/namespaces/topics/read
  • Microsoft.ServiceBus/namespaces/topics/write
  • Microsoft.ServiceBus/namespaces/topics/delete
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/read
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/write
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/delete
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/rules/read
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/rules/write
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/rules/delete
  • Microsoft.Storage/register/action
  • Microsoft.Storage/storageAccounts/read
  • Microsoft.Storage/storageAccounts/write
  • Microsoft.Storage/storageAccounts/delete
  • Microsoft.Storage/storageAccounts/listKeys/action
  • Microsoft.Storage/storageAccounts/blobServices/read
  • Microsoft.Storage/storageAccounts/blobServices/write
  • Microsoft.Storage/storageAccounts/blobServices/containers/read
  • Microsoft.Storage/storageAccounts/blobServices/containers/write
  • Microsoft.Storage/storageAccounts/blobServices/containers/delete
  • Microsoft.Storage/storageAccounts/fileServices/read
  • Microsoft.Storage/storageAccounts/fileServices/write
  • Microsoft.Web/serverfarms/read
  • Microsoft.Web/serverfarms/write
  • Microsoft.Web/serverfarms/delete
  • Microsoft.Web/sites/read
  • Microsoft.Web/sites/write
  • Microsoft.Web/sites/delete
  • Microsoft.Web/sites/basicPublishingCredentialsPolicies/read
  • Microsoft.Web/sites/basicPublishingCredentialsPolicies/write
  • Microsoft.Web/sites/config/read
  • Microsoft.Web/sites/config/write
  • Microsoft.Web/sites/config/list/Action
  • Microsoft.Web/sites/functions/read
  • Microsoft.Web/sites/functions/listkeys/action
  • Microsoft.Web/sites/host/listkeys/Action
  • Microsoft.Web/sites/publishxml/read
Data actions
  • Microsoft.KeyVault/vaults/secrets/*
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action

Cloud detections for Azure Activity Log

Permission type
Required permissions
No permissions required.

Microsoft Defender for Endpoint log collection

Permission type
Required permissions
Azure Resource Manager (ARM) permissions
  • Microsoft.KeyVault/vaults/secrets/read
  • Microsoft.KeyVault/vaults/secrets/write