|
Core features
|
-
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
-
Microsoft.ContainerService/managedClusters/read
-
Microsoft.Resources/subscriptions/resourceGroups/read
-
Microsoft.Authorization/roleAssignments/read
-
Microsoft.Authorization/roleDefinitions/read
-
*/read
|
These permissions are required to deploy the connector into a cloud account.
|
|
Server & Workload Protection
|
Subscription permissions:
-
Microsoft.Resources/subscriptions/read
-
Microsoft.Resources/subscriptions/resourceGroups/read
-
Microsoft.Resources/providers/read
-
Microsoft.Resources/resources/read
|
|
|
Virtual Machine (VM) permissions:
|
|
|
Virtual Machine Scale Set (VMSS) permissions:
|
|
|
Classic Virtual Machine (VM) permissions:
|
|
|
Network permissions:
-
Microsoft.Network/networkSecurityGroups/read
-
Microsoft.Network/networkInterfaces/read
-
Microsoft.Network/publicIPAddresses/read
-
Microsoft.Network/virtualNetworks/read
|
|
|
Azure Metadata API permissions:
|
|
|
Authentication and IAM permissions:
-
Microsoft.Resources/deployments/read
-
Microsoft.Authorization/roleAssignments/read
-
Microsoft.Authorization/roleDefinitions/read
|
|
|
Cloud Security Posture
|
requiredResourceAccess:
|
|
|
requiredRoleAccess
-
resourceAppName: Microsoft App Configuration
roleActions:
- name:
Microsoft.AppConfiguration/configurationStores/ListKeyValue/action
-
resourceAppName: Microsoft Network
roleActions:
-
resourceAppName: Microsoft Web
roleActions:
-
resourceAppName: Microsoft Key Vault
dataActions:
|
|
requiredTenantScopeRoleAccess
|
|
Agentless Vulnerability & Threat Detection
|
Subscription permissions:
-
Microsoft.ContainerRegistry/registries/generateCredentials/action
-
Microsoft.ContainerRegistry/registries/read
-
Microsoft.ContainerRegistry/registries/pull/read
-
Microsoft.ContainerRegistry/registries/tokens/write
-
Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read
-
Microsoft.ContainerRegistry/registries/scopeMaps/read
-
Microsoft.ContainerRegistry/registries/tokens/read
-
Microsoft.Compute/disks/read
-
Microsoft.Compute/virtualMachines//read
-
Microsoft.HybridCompute/machines//read
-
Microsoft.Authorization/roleAssignments/write
-
Microsoft.Authorization/roleAssignments/delete
-
Microsoft.Authorization/roleAssignments/read
-
Microsoft.Compute/locations/usages/read
-
Microsoft.Quota/quotas/read
|
|
|
Trend Micro Resource Group permissions
Azure built-in role: Contributor
-
NotActions:
-
Microsoft.Authorization/*/Delete
-
Microsoft.Authorization/*/Write
-
Microsoft.Authorization/elevateAccess/Action
-
Microsoft.Blueprint/blueprintAssignments/write
-
Microsoft.Blueprint/blueprintAssignments/delete
-
Microsoft.Compute/galleries/share/action
-
Microsoft.Purview/consents/write
-
Microsoft.Purview/consents/delete
-
Microsoft.Resources/deploymentStacks/manageDenySetting/action
-
Microsoft.Subscription/cancel/action
-
Microsoft.Subscription/enable/action
Azure built-in role: AcrPull
Azure built-in role: Storage Blob Data Owner
-
Microsoft.Storage/storageAccounts/blobServices/containers/*
-
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
-
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*
|
|
Trend Micro Storage ID permissions
Azure built-in role: Storage Blob Data Reader
-
Microsoft.Storage/storageAccounts/blobServices/containers/read
-
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
-
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
|
|
Cloud Detections for Azure Activity Log
|
N/A
|
|
|
Microsoft Defender for Endpoint Log Collection
|
|
|
