Review the permissions required to deploy resources and the permissions granted when you connect an Azure subscription to TrendAI Vision One™.
The following permissions are required to successfully deploy TrendAI Vision One™ Cloud Security resources to an Azure subscription.
Note
The permissions listed here are those required for a single Azure subscription. If you are deploying to an Azure management group, see the permissions required for Azure management groups.
  • For Microsoft Entra ID users, sign-in requires the following roles:
    • Application Administrator
    • Privileged Role Administrator
  • For Microsoft Azure users, sign-in requires the following roles (or higher) on the subscription being connected:
    • User Access Administrator
    • Contributor
  • To enable Microsoft Defender for Endpoint collection or Azure activity logs, the Microsoft Azure sign-in requires the following role:
    • Key Vault Secrets Officer
The Terraform process assigns itself specific permissions in order to establish connections with Cloud Accounts and the TrendAI Vision One™ Cloud Security services. These permissions allow the Cloud Accounts app and the security services to obtain temporary credentials and complete tasks in your Azure cloud environment.
The required permissions are listed below by feature:

Core features

Permission type
Required permissions
Azure Resource Manager (ARM) permissions
  • Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
  • Microsoft.ContainerService/managedClusters/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleDefinitions/read
  • */read
API permissions
  • Azure Active Directory Graph (4)
    • Directory.Read.All | Delegated
    • Directory.Read.All | Application
    • User.Read | Delegated
    • User.Read.All | Delegated
  • Microsoft Graph (4)
    • Directory.Read.All | Application
    • User.Read | Delegated
    • User.Read.All | Delegated
    • User.Read.All | Application

Server & Workload Protection

Permission category
Required permissions
Subscription permissions
  • Microsoft.Resources/subscriptions/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/providers/read
  • Microsoft.Resources/resources/read
Virtual machine (VM) permissions
  • Microsoft.Compute/virtualMachines/read
Virtual machine scale set (VMSS) permissions
  • Microsoft.Compute/virtualMachineScaleSets/read
Classic virtual machine (VM) permissions
  • Microsoft.ClassicCompute/virtualMachines/read
  • Microsoft.ClassicCompute/domainNames/read
Network permissions
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/networkInterfaces/read
  • Microsoft.Network/publicIPAddresses/read
  • Microsoft.Network/virtualNetworks/read
Azure Metadata API permissions
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Compute/locations/read
Authentication and IAM permissions
  • Microsoft.Resources/deployments/read
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleDefinitions/read

Cloud Security Posture

Permission category
Required permissions
requiredResourceAccess
  • resourceAppName: Microsoft Graph
  • resourceAccess:
    • name: User.Read, type: Delegated
    • name: User.Read.All, type: Delegated
    • name: Directory.Read.All, type: Application
    • name: User.Read.All, type: Application
    • name: Policy.Read.All, type: Application
requiredRoleAccess
  • resourceAppName: Microsoft App Configuration
    roleActions:
    • name: Microsoft.AppConfiguration/configurationStores/ListKeyValue/action
  • resourceAppName: Microsoft Network
    roleActions:
    • name: Microsoft.Network/networkWatchers/queryFlowLogStatus/action
  • resourceAppName: Microsoft Web
    roleActions:
    • name: Microsoft.Web/sites/config/list/Action
  • resourceAppName: Microsoft Key Vault
    dataActions:
    • name: Microsoft.KeyVault/vaults/keys/read
    • name: Microsoft.KeyVault/vaults/secrets/readMetadata/action
requiredTenantScopeRoleAccess
  • resourceAppName: Microsoft Management
    roleActions:
    • name: Microsoft.Management/managementGroups/read

Agentless Vulnerability & Threat Detection

Permission category
Required permissions
Azure Resource Manager (ARM) permissions
  • Microsoft.ContainerRegistry/registries/generateCredentials/action
  • Microsoft.ContainerRegistry/registries/read
  • Microsoft.ContainerRegistry/registries/pull/read
  • Microsoft.ContainerRegistry/registries/tokens/write
  • Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read
  • Microsoft.ContainerRegistry/registries/scopeMaps/read
  • Microsoft.ContainerRegistry/registries/tokens/read
  • Microsoft.Compute/disks/read
  • Microsoft.Compute/virtualMachines/*/read
  • Microsoft.HybridCompute/machines/*/read
  • Microsoft.Authorization/roleAssignments/write
  • Microsoft.Authorization/roleAssignments/delete
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Compute/locations/usages/read
  • Microsoft.Quota/quotas/read
TrendAI™ resource group permissions
Azure built-in role: Contributor
  • Actions:
    • *
  • NotActions:
    • Microsoft.Authorization/*/Delete
    • Microsoft.Authorization/*/Write
    • Microsoft.Authorization/elevateAccess/Action
    • Microsoft.Blueprint/blueprintAssignments/write
    • Microsoft.Blueprint/blueprintAssignments/delete
    • Microsoft.Compute/galleries/share/action
    • Microsoft.Purview/consents/write
    • Microsoft.Purview/consents/delete
    • Microsoft.Resources/deploymentStacks/manageDenySetting/action
    • Microsoft.Subscription/cancel/action
    • Microsoft.Subscription/enable/action
Azure built-in role: AcrPull
  • Microsoft.ContainerRegistry/registries/pull/read
Azure built-in role: Storage Blob Data Owner
  • Microsoft.Storage/storageAccounts/blobServices/containers/*
  • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*
TrendAI™ storage identity permissions
Azure built-in role: Storage Blob Data Reader
  • Microsoft.Storage/storageAccounts/blobServices/containers/read
  • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
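Several entries above are wildcard patterns: the `*/read` entry in the core feature list, and the Contributor role, which is Actions `*` minus its NotActions. The following Python example is added here and is not part of this page or the product; it applies Azure RBAC's Actions/NotActions wildcard matching to check whether a role definition covers a list of required control-plane actions, using a constructed subset of the agentless permissions listed above.

```python
import re

def _to_regex(pattern: str) -> re.Pattern:
    # '*' in an RBAC pattern matches any characters, '/' included; matching is case-insensitive.
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$", re.IGNORECASE)

def action_allowed(action: str, actions: list, not_actions: list) -> bool:
    # Granted when the action matches some Actions entry and no NotActions entry.
    # Control-plane actions only: dataActions are a separate namespace in Azure RBAC.
    granted = any(_to_regex(p).match(action) for p in actions)
    excluded = any(_to_regex(p).match(action) for p in not_actions)
    return granted and not excluded

def missing_actions(required: list, role: dict) -> list:
    # Required actions the role does not cover, in the order given.
    return [a for a in required
            if not action_allowed(a, role["actions"], role["notActions"])]

# Contributor as listed on this page: Actions '*' minus these NotActions.
CONTRIBUTOR = {
    "actions": ["*"],
    "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action",
        "Microsoft.Purview/consents/write",
        "Microsoft.Purview/consents/delete",
        "Microsoft.Resources/deploymentStacks/manageDenySetting/action",
        "Microsoft.Subscription/cancel/action",
        "Microsoft.Subscription/enable/action",
    ],
}
# Read-only role shaped like the '*/read' entry in the core feature list.
READ_ONLY = {"actions": ["*/read"], "notActions": []}

# Constructed sample: a subset of the agentless ARM permissions on this page.
AGENTLESS_SAMPLE = [
    "Microsoft.Compute/disks/read",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
]
if __name__ == "__main__":
    # Contributor cannot manage role assignments: the write/delete entries fall
    # under its 'Microsoft.Authorization/*/Write' and '*/Delete' exclusions.
    print("Contributor lacks:", missing_actions(AGENTLESS_SAMPLE, CONTRIBUTOR))
    print("Read-only lacks:", missing_actions(AGENTLESS_SAMPLE, READ_ONLY))
```

The check shows why roleAssignments/write and /delete need an assignment beyond Contributor: the built-in role's NotActions exclude them even though its Actions entry is `*`.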

Data Security Posture

Permission type
Required permissions
Azure Resource Manager (ARM) permissions
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/networkSecurityGroups/write
  • Microsoft.Network/networkSecurityGroups/delete
  • Microsoft.Network/networkSecurityGroups/securityRules/read
  • Microsoft.Network/networkSecurityGroups/securityRules/write
  • Microsoft.Network/networkSecurityGroups/securityRules/delete
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/subscriptions/resourceGroups/write
  • Microsoft.Resources/subscriptions/resourceGroups/delete
  • Microsoft.Automation/automationAccounts/read
  • Microsoft.Automation/automationAccounts/write
  • Microsoft.Automation/automationAccounts/delete
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleAssignments/write
  • Microsoft.Authorization/roleAssignments/delete
  • Microsoft.Automation/automationAccounts/webhooks/read
  • Microsoft.Automation/automationAccounts/webhooks/write
  • Microsoft.Automation/automationAccounts/webhooks/delete
  • Microsoft.Insights/actionGroups/read
  • Microsoft.Insights/actionGroups/write
  • Microsoft.Insights/actionGroups/delete
  • Microsoft.Automation/automationAccounts/python3Packages/read
  • Microsoft.Automation/automationAccounts/python3Packages/write
  • Microsoft.Automation/automationAccounts/python3Packages/delete
  • Microsoft.Automation/automationAccounts/runbooks/read
  • Microsoft.Automation/automationAccounts/runbooks/write
  • Microsoft.Automation/automationAccounts/runbooks/delete
  • Microsoft.Automation/automationAccounts/jobSchedules/read
  • Microsoft.Automation/automationAccounts/jobSchedules/write
  • Microsoft.Automation/automationAccounts/jobSchedules/delete
  • Microsoft.Network/publicIPAddresses/read
  • Microsoft.Network/publicIPAddresses/write
  • Microsoft.Network/publicIPAddresses/delete
  • Microsoft.Network/virtualNetworks/subnets/read
  • Microsoft.Network/virtualNetworks/subnets/write
  • Microsoft.Network/virtualNetworks/subnets/delete
  • Microsoft.Network/virtualNetworks/subnets/join/action
  • Microsoft.Network/bastionHosts/read
  • Microsoft.Network/bastionHosts/write
  • Microsoft.Network/bastionHosts/delete

File Storage Security

Permission type
Required permissions
Azure Resource Manager (ARM) permissions
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleAssignments/write
  • Microsoft.Authorization/roleAssignments/delete
  • Microsoft.Authorization/roleDefinitions/read
  • Microsoft.Authorization/roleDefinitions/write
  • Microsoft.Authorization/roleDefinitions/delete
  • Microsoft.EventGrid/eventSubscriptions/read
  • Microsoft.EventGrid/eventSubscriptions/write
  • Microsoft.EventGrid/eventSubscriptions/delete
  • Microsoft.EventGrid/systemTopics/read
  • Microsoft.EventGrid/systemTopics/write
  • Microsoft.EventGrid/systemTopics/delete
  • Microsoft.EventGrid/systemTopics/eventSubscriptions/read
  • Microsoft.EventGrid/systemTopics/eventSubscriptions/write
  • Microsoft.EventGrid/systemTopics/eventSubscriptions/delete
  • Microsoft.Insights/components/read
  • Microsoft.Insights/components/write
  • Microsoft.Insights/components/delete
  • Microsoft.Insights/components/currentbillingfeatures/read
  • Microsoft.Insights/components/currentbillingfeatures/write
  • Microsoft.KeyVault/locations/deletedVaults/purge/action
  • Microsoft.KeyVault/locations/operationResults/read
  • Microsoft.KeyVault/vaults/read
  • Microsoft.KeyVault/vaults/write
  • Microsoft.KeyVault/vaults/delete
  • Microsoft.KeyVault/vaults/accessPolicies/write
  • Microsoft.ManagedIdentity/userAssignedIdentities/read
  • Microsoft.ManagedIdentity/userAssignedIdentities/write
  • Microsoft.ManagedIdentity/userAssignedIdentities/delete
  • Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
  • Microsoft.OperationalInsights/workspaces/read
  • Microsoft.OperationalInsights/workspaces/write
  • Microsoft.OperationalInsights/workspaces/delete
  • Microsoft.Resources/deployments/read
  • Microsoft.Resources/deployments/write
  • Microsoft.Resources/deployments/delete
  • Microsoft.Resources/deployments/operations/read
  • Microsoft.Resources/deployments/operationstatuses/read
  • Microsoft.Resources/resources/read
  • Microsoft.Resources/subscriptions/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/subscriptions/resourceGroups/write
  • Microsoft.Resources/subscriptions/resourceGroups/delete
  • Microsoft.ServiceBus/namespaces/read
  • Microsoft.ServiceBus/namespaces/write
  • Microsoft.ServiceBus/namespaces/delete
  • Microsoft.ServiceBus/namespaces/networkRuleSets/read
  • Microsoft.ServiceBus/namespaces/queues/read
  • Microsoft.ServiceBus/namespaces/queues/write
  • Microsoft.ServiceBus/namespaces/queues/delete
  • Microsoft.ServiceBus/namespaces/topics/read
  • Microsoft.ServiceBus/namespaces/topics/write
  • Microsoft.ServiceBus/namespaces/topics/delete
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/read
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/write
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/delete
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/rules/read
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/rules/write
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/rules/delete
  • Microsoft.Storage/register/action
  • Microsoft.Storage/storageAccounts/read
  • Microsoft.Storage/storageAccounts/write
  • Microsoft.Storage/storageAccounts/delete
  • Microsoft.Storage/storageAccounts/listKeys/action
  • Microsoft.Storage/storageAccounts/blobServices/read
  • Microsoft.Storage/storageAccounts/blobServices/write
  • Microsoft.Storage/storageAccounts/blobServices/containers/read
  • Microsoft.Storage/storageAccounts/blobServices/containers/write
  • Microsoft.Storage/storageAccounts/blobServices/containers/delete
  • Microsoft.Storage/storageAccounts/fileServices/read
  • Microsoft.Storage/storageAccounts/fileServices/write
  • Microsoft.Web/serverfarms/read
  • Microsoft.Web/serverfarms/write
  • Microsoft.Web/serverfarms/delete
  • Microsoft.Web/sites/read
  • Microsoft.Web/sites/write
  • Microsoft.Web/sites/delete
  • Microsoft.Web/sites/basicPublishingCredentialsPolicies/read
  • Microsoft.Web/sites/basicPublishingCredentialsPolicies/write
  • Microsoft.Web/sites/config/read
  • Microsoft.Web/sites/config/write
  • Microsoft.Web/sites/config/list/Action
  • Microsoft.Web/sites/functions/read
  • Microsoft.Web/sites/functions/listkeys/action
  • Microsoft.Web/sites/host/listkeys/Action
  • Microsoft.Web/sites/publishxml/read
Data actions
  • Microsoft.KeyVault/vaults/secrets/*
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action

Cloud detection from Azure activity logs

Permission type
Required permissions
No permissions are required.

Microsoft Defender for Endpoint log collection

Permission type
Required permissions
Azure Resource Manager (ARM) permissions
  • Microsoft.KeyVault/vaults/secrets/read
  • Microsoft.KeyVault/vaults/secrets/write