From e1f201dddbe89a7a8d430cd66c0a338b00beb32d Mon Sep 17 00:00:00 2001 From: Addam Schroll <108814318+schrolla@users.noreply.github.com> Date: Mon, 9 Dec 2024 10:58:00 -0600 Subject: [PATCH] Remove extraneous SHALL from MS.DEFENDER.4.1 (#1408) * Clarify MS.DEFENDER.4.1v1 policy language to single shall * Update version in MS.DEFENDER.4.1 references in EXO baseline to v2 * Update MS.DEFENDER.4.1 policy ID version * Update MS.DEFENDER.4.1 policy id version in CreateReportStubs test results JSON output * Update MS.DEFENDER.4.1 policy id version in Defender rego unit tests * Increment policy ID version (MS.DEFENDER.4.1v1 -> v2) --- PowerShell/ScubaGear/Rego/DefenderConfig.rego | 4 +-- .../CreateReportStubs/TestResults.json | 10 +++--- .../Rego/Defender/DefenderConfig_04_test.rego | 20 +++++------ PowerShell/ScubaGear/baselines/defender.md | 26 +++++++------- PowerShell/ScubaGear/baselines/exo.md | 6 ++-- .../Products/TestPlans/defender.testplan.yaml | 34 +++++++++---------- 6 files changed, 50 insertions(+), 50 deletions(-) diff --git a/PowerShell/ScubaGear/Rego/DefenderConfig.rego b/PowerShell/ScubaGear/Rego/DefenderConfig.rego index f7f57044d9..d80e90c6fc 100644 --- a/PowerShell/ScubaGear/Rego/DefenderConfig.rego +++ b/PowerShell/ScubaGear/Rego/DefenderConfig.rego @@ -387,7 +387,7 @@ tests contains { ################# # -# MS.DEFENDER.4.1v1 +# MS.DEFENDER.4.1v2 #-- SensitiveContent := [ "U.S. Social Security Number (SSN)", @@ -479,7 +479,7 @@ error_rules contains SensitiveContent[2] if count(Rules.Credit_Card) == 0 # If error_rules contains any value, then some sensitive content # is not protected by any policy & check should fail. tests contains { - "PolicyId": "MS.DEFENDER.4.1v1", + "PolicyId": "MS.DEFENDER.4.1v2", "Criticality": "Shall", "Commandlet": ["Get-DlpComplianceRule"], "ActualValue": Rules, 
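Review bot: Changing `"PolicyId": "MS.DEFENDER.4.1v2"` renames the key that every consumer of ScubaGear results matches on, and nothing in the rego hunk records that v1 was retired or that the check itself is unchanged. The in-tree references are all updated in this commit (Rego unit tests, the CreateReport stub, the functional test plan and both baselines), but anything out of tree that is keyed on the string — user configuration that omits or annotates policies by ID, or a reporting pipeline diffing against earlier TestResults.json output — will silently stop matching v1 and present v2 as a new, previously unassessed control. Since the diffstat shows only the comment and the ID changed in DefenderConfig.rego, a one-line comment beside the ID such as `# Renumbered from MS.DEFENDER.4.1v1 (policy wording change only; check logic unchanged)` would let an auditor treat v2 results as comparable with prior v1 results. The `tests contains` block continues past the end of the hunk.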
diff --git a/PowerShell/ScubaGear/Testing/Unit/PowerShell/CreateReport/CreateReportStubs/TestResults.json b/PowerShell/ScubaGear/Testing/Unit/PowerShell/CreateReport/CreateReportStubs/TestResults.json index 1ef3c17506..1e09521fce 100644 --- a/PowerShell/ScubaGear/Testing/Unit/PowerShell/CreateReport/CreateReportStubs/TestResults.json +++ b/PowerShell/ScubaGear/Testing/Unit/PowerShell/CreateReport/CreateReportStubs/TestResults.json @@ -1037,7 +1037,7 @@ "Get-MalwareFilterPolicy" ], "Criticality": "Should", - "PolicyId": "MS.DEFENDER.4.1v1", + "PolicyId": "MS.DEFENDER.4.1v2", "ReportDetails": "Requirement met", "RequirementMet": true }, @@ -1494,7 +1494,7 @@ "Locations": [ "All" ], - "Name": "MS.DEFENDER.4.1v1 Test", + "Name": "MS.DEFENDER.4.1v2 Test", "Workload": "Exchange, SharePoint, OneDriveForBusiness, Teams, EndpointDevices, OnPremisesScanner" } ], @@ -1527,7 +1527,7 @@ "Locations": [ "All" ], - "Name": "MS.DEFENDER.4.1v1 Test", + "Name": "MS.DEFENDER.4.1v2 Test", "Workload": "Exchange, SharePoint, OneDriveForBusiness, Teams, EndpointDevices, OnPremisesScanner" } ], @@ -1560,7 +1560,7 @@ "Locations": [ "All" ], - "Name": "MS.DEFENDER.4.1v1 Test", + "Name": "MS.DEFENDER.4.1v2 Test", "Workload": "Exchange, SharePoint, OneDriveForBusiness, Teams, EndpointDevices, OnPremisesScanner" } ], @@ -3574,4 +3574,4 @@ "ReportDetails": "1 meeting policy(ies) found that allow cloud recording and storage outside of the tenant\u0027s region: Tag:Custom Policy 1", "RequirementMet": false } -] \ No newline at end of file +] diff --git a/PowerShell/ScubaGear/Testing/Unit/Rego/Defender/DefenderConfig_04_test.rego b/PowerShell/ScubaGear/Testing/Unit/Rego/Defender/DefenderConfig_04_test.rego index 77a030a884..a0764b5094 100644 --- a/PowerShell/ScubaGear/Testing/Unit/Rego/Defender/DefenderConfig_04_test.rego +++ b/PowerShell/ScubaGear/Testing/Unit/Rego/Defender/DefenderConfig_04_test.rego 
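Review bot: The stub entry touched in the `@@ -1037` hunk keeps `"Criticality": "Should"` and a `"Get-MalwareFilterPolicy"` commandlet under the renamed MS.DEFENDER.4.1v2 ID, whereas the rego changed in this same commit emits `"Criticality": "Shall"` with `Get-DlpComplianceRule` for that ID. If the CreateReport fixture is intended to resemble real output, a commit whose stated purpose is tightening the SHALL wording for this policy is the natural place to align it with `"Criticality": "Shall",`; if the fixture is deliberately synthetic, a short remark in the test that consumes it would keep the next maintainer from reading the stub as expected behavior. The enclosing JSON object begins before the hunk.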
@@ -9,7 +9,7 @@ import data.utils.report.NotCheckedDetails import rego.v1 # -# Policy MS.DEFENDER.4.1v1 +# Policy MS.DEFENDER.4.1v2 #-- test_ContentContainsSensitiveInformation_Correct_V1 if { Output := defender.tests with input.dlp_compliance_rules as [DlpComplianceRules] @@ -17,7 +17,7 @@ test_ContentContainsSensitiveInformation_Correct_V1 if { with input.defender_license as true with input.defender_dlp_license as true - TestResult("MS.DEFENDER.4.1v1", Output, PASS, true) == true + TestResult("MS.DEFENDER.4.1v2", Output, PASS, true) == true } test_AdvancedRule_Correct_V2 if { @@ -33,7 +33,7 @@ test_AdvancedRule_Correct_V2 if { with input.defender_license as true with input.defender_dlp_license as true - TestResult("MS.DEFENDER.4.1v1", Output, PASS, true) == true + TestResult("MS.DEFENDER.4.1v2", Output, PASS, true) == true } test_ContentContainsSensitiveInformation_Incorrect_V1 if { @@ -46,7 +46,7 @@ test_ContentContainsSensitiveInformation_Incorrect_V1 if { with input.defender_dlp_license as true ReportDetailString := "No matching rules found for: U.S. Social Security Number (SSN)" - TestResult("MS.DEFENDER.4.1v1", Output, ReportDetailString, false) == true + TestResult("MS.DEFENDER.4.1v2", Output, ReportDetailString, false) == true } test_ContentContainsSensitiveInformation_Incorrect_V2 if { @@ -59,7 +59,7 @@ test_ContentContainsSensitiveInformation_Incorrect_V2 if { with input.defender_dlp_license as true ReportDetailString := "No matching rules found for: U.S. Individual Taxpayer Identification Number (ITIN)" - TestResult("MS.DEFENDER.4.1v1", Output, ReportDetailString, false) == true + TestResult("MS.DEFENDER.4.1v2", Output, ReportDetailString, false) == true } test_ContentContainsSensitiveInformation_Incorrect_V3 if { 
@@ -72,7 +72,7 @@ test_ContentContainsSensitiveInformation_Incorrect_V3 if { with input.defender_dlp_license as true ReportDetailString := "No matching rules found for: Credit Card Number" - TestResult("MS.DEFENDER.4.1v1", Output, ReportDetailString, false) == true + TestResult("MS.DEFENDER.4.1v2", Output, ReportDetailString, false) == true } test_ContentContainsSensitiveInformation_Incorrect_V4 if { @@ -89,7 +89,7 @@ test_ContentContainsSensitiveInformation_Incorrect_V4 if { "U.S. Individual Taxpayer Identification Number (ITIN), U.S. Social Security Number (SSN)" ]) - TestResult("MS.DEFENDER.4.1v1", Output, ReportDetailString, false) == true + TestResult("MS.DEFENDER.4.1v2", Output, ReportDetailString, false) == true } test_ContentContainsSensitiveInformation_Incorrect_V5 if { @@ -106,7 +106,7 @@ test_ContentContainsSensitiveInformation_Incorrect_V5 if { "U.S. Individual Taxpayer Identification Number (ITIN), U.S. Social Security Number (SSN)" ]) - TestResult("MS.DEFENDER.4.1v1", Output, ReportDetailString, false) == true + TestResult("MS.DEFENDER.4.1v2", Output, ReportDetailString, false) == true } test_ContentContainsSensitiveInformation_Incorrect_V6 if { @@ -123,7 +123,7 @@ test_ContentContainsSensitiveInformation_Incorrect_V6 if { "U.S. Individual Taxpayer Identification Number (ITIN), U.S. Social Security Number (SSN)" ]) - TestResult("MS.DEFENDER.4.1v1", Output, ReportDetailString, false) == true + TestResult("MS.DEFENDER.4.1v2", Output, ReportDetailString, false) == true } test_NoDLPLicense_Incorrect_4_1_V1 if { @@ -131,7 +131,7 @@ test_NoDLPLicense_Incorrect_4_1_V1 if { with input.defender_dlp_license as false ReportDetailString := concat(" ", [FAIL, DLPLICENSEWARNSTR]) - TestResult("MS.DEFENDER.4.1v1", Output, ReportDetailString, false) == true + TestResult("MS.DEFENDER.4.1v2", Output, ReportDetailString, false) == true } #-- 
diff --git a/PowerShell/ScubaGear/baselines/defender.md b/PowerShell/ScubaGear/baselines/defender.md index bac372c45a..d866138218 100644 --- a/PowerShell/ScubaGear/baselines/defender.md +++ b/PowerShell/ScubaGear/baselines/defender.md @@ -401,15 +401,15 @@ confidence levels or adjust the levels in custom DLP policies to fit their environment and needs. ### Policies -#### MS.DEFENDER.4.1v1 -A custom policy SHALL be configured to protect PII and sensitive information, as defined by the agency. At a minimum, credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) SHALL be blocked. +#### MS.DEFENDER.4.1v2 +A custom policy SHALL be configured to protect PII and sensitive information, as defined by the agency, blocking at a minimum: credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN). - + - _Rationale:_ Users may inadvertently share sensitive information with others who should not have access to it. DLP policies provide a way for agencies to detect and prevent unauthorized disclosures. -- _Last modified:_ June 2023 +- _Last modified:_ November 2024 - _MITRE ATT&CK TTP Mapping:_ - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) @@ -424,7 +424,7 @@ The custom policy SHOULD be applied to Exchange, OneDrive, SharePoint, Teams cha affected locations to be effective. - _Last modified:_ June 2023 - _Note:_ The custom policy referenced here is the same policy - configured in [MS.DEFENDER.4.1v1](#msdefender41v1). + configured in [MS.DEFENDER.4.1v2](#msdefender41v2). - _MITRE ATT&CK TTP Mapping:_ - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) 
@@ -440,7 +440,7 @@ The action for the custom policy SHOULD be set to block sharing sensitive inform on agency policies and valid business justifications. - _Last modified:_ June 2023 - _Note:_ The custom policy referenced here is the same policy - configured in [MS.DEFENDER.4.1v1](#msdefender41v1). + configured in [MS.DEFENDER.4.1v2](#msdefender41v2). - _MITRE ATT&CK TTP Mapping:_ - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) @@ -456,7 +456,7 @@ Notifications to inform users and help educate them on the proper use of sensiti accessing sensitive information. - _Last modified:_ June 2023 - _Note:_ The custom policy referenced here is the same policy - configured in [MS.DEFENDER.4.1v1](#msdefender41v1). + configured in [MS.DEFENDER.4.1v2](#msdefender41v2). - _MITRE ATT&CK TTP Mapping:_ - None @@ -489,7 +489,7 @@ information by restricted apps and unwanted Bluetooth applications. - _Last modified:_ June 2023 - _Note:_ - The custom policy referenced here is the same policy - configured in [MS.DEFENDER.4.1v1](#msdefender41v1). + configured in [MS.DEFENDER.4.1v2](#msdefender41v2). - This action can only be included if at least one device is onboarded to the agency tenant. Otherwise, the option to block restricted apps will not be available. @@ -532,7 +532,7 @@ information by restricted apps and unwanted Bluetooth applications. ### Implementation -#### MS.DEFENDER.4.1v1 Instructions +#### MS.DEFENDER.4.1v2 Instructions 1. Sign in to the **Microsoft Purview compliance portal**. 
@@ -595,18 +595,18 @@ information by restricted apps and unwanted Bluetooth applications. #### MS.DEFENDER.4.2v1 Instructions -See [MS.DEFENDER.4.1v1 Instructions](#msdefender41v1-instructions) step 8 +See [MS.DEFENDER.4.1v2 Instructions](#msdefender41v2-instructions) step 8 for details on enforcing DLP policy in specific M365 service locations. #### MS.DEFENDER.4.3v1 Instructions -See [MS.DEFENDER.4.1v1 Instructions](#msdefender41v1-instructions) steps +See [MS.DEFENDER.4.1v2 Instructions](#msdefender41v2-instructions) steps 15-17 for details on configuring DLP policy to block sharing sensitive information with everyone. #### MS.DEFENDER.4.4v1 Instructions -See [MS.DEFENDER.4.1v1 Instructions](#msdefender41v1-instructions) steps +See [MS.DEFENDER.4.1v2 Instructions](#msdefender41v2-instructions) steps 18-19 for details on configuring DLP policy to notify users when accessing sensitive information. @@ -645,7 +645,7 @@ before the instructions below can be completed. 3. Select **Policies** from the top of the page. 4. Find the custom DLP policy configured under - [MS.DEFENDER.4.1v1 Instructions](#msdefender41v1-instructions) in the list + [MS.DEFENDER.4.1v2 Instructions](#msdefender41v2-instructions) in the list and click the Policy name to select. 5. Select **Edit Policy**. diff --git a/PowerShell/ScubaGear/baselines/exo.md b/PowerShell/ScubaGear/baselines/exo.md index 7d515db945..2d23290f3e 100644 --- a/PowerShell/ScubaGear/baselines/exo.md +++ b/PowerShell/ScubaGear/baselines/exo.md 
@@ -621,14 +621,14 @@ At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [DLP](./defender.md#implementation-3) for additional guidance. #### MS.EXO.8.2v2 Instructions -Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [protecting PII](./defender.md#msdefender41v1-instructions) for additional guidance. +Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [protecting PII](./defender.md#msdefender41v2-instructions) for additional guidance. #### MS.EXO.8.3v1 Instructions Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [DLP](./defender.md#implementation-3) for additional guidance. #### MS.EXO.8.4v1 Instructions -Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [protecting PII](./defender.md#msdefender41v1-instructions) for additional guidance. +Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [protecting PII](./defender.md#msdefender41v2-instructions) for additional guidance. ## 9. Attachment File Type 
@@ -1075,7 +1075,7 @@ Mailbox auditing SHALL be enabled. - [T1586.002: Email Accounts](https://attack.mitre.org/techniques/T1586/002/) - [T1564: Hide Artifacts](https://attack.mitre.org/techniques/T1564/) - [T1564.008: Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008/) - + ### Resources - [Manage mailbox auditing in Office 365 \| Microsoft diff --git a/Testing/Functional/Products/TestPlans/defender.testplan.yaml b/Testing/Functional/Products/TestPlans/defender.testplan.yaml index efbbd1eb05..8eb81fb905 100644 --- a/Testing/Functional/Products/TestPlans/defender.testplan.yaml +++ b/Testing/Functional/Products/TestPlans/defender.testplan.yaml @@ -150,10 +150,10 @@ TestPlan: Postconditions: [] ExpectedResult: true - - PolicyId: MS.DEFENDER.4.1v1 + - PolicyId: MS.DEFENDER.4.1v2 TestDriver: ScubaCached Tests: - - TestDescription: MS.DEFENDER.4.1v1 Compliant case - Advanced Rule + - TestDescription: MS.DEFENDER.4.1v2 Compliant case - Advanced Rule Preconditions: - Command: UpdateProviderExport Splat: @@ -176,7 +176,7 @@ TestPlan: NotifyUserType: "NotSet" Postconditions: [] ExpectedResult: true - - TestDescription: MS.DEFENDER.4.1v1 Compliant case - Not Advanced Rule + - TestDescription: MS.DEFENDER.4.1v2 Compliant case - Not Advanced Rule Preconditions: - Command: UpdateProviderExport Splat: @@ -205,7 +205,7 @@ TestPlan: NotifyUserType: "NotSet" Postconditions: [] ExpectedResult: true - - TestDescription: MS.DEFENDER.4.1v1 Non-Compliant case - Advanced Rule, Disabled + - TestDescription: MS.DEFENDER.4.1v2 Non-Compliant case - Advanced Rule, Disabled Preconditions: - Command: UpdateProviderExport Splat: @@ -224,7 +224,7 @@ TestPlan: Disabled: true Postconditions: [] ExpectedResult: false - - TestDescription: MS.DEFENDER.4.1v1 Non-Compliant case - Not Advanced Rule, Disabled + - TestDescription: MS.DEFENDER.4.1v2 Non-Compliant case - Not Advanced Rule, Disabled Preconditions: - Command: UpdateProviderExport Splat: 
@@ -249,7 +249,7 @@ TestPlan: Disabled: true Postconditions: [] ExpectedResult: false - - TestDescription: MS.DEFENDER.4.1v1 Non-Compliant case - Advanced Rule, Enabled + - TestDescription: MS.DEFENDER.4.1v2 Non-Compliant case - Advanced Rule, Enabled Preconditions: - Command: UpdateProviderExport Splat: @@ -272,7 +272,7 @@ TestPlan: NotifyUserType: "NotSet" Postconditions: [] ExpectedResult: false - - TestDescription: MS.DEFENDER.4.1v1 Non-Compliant case - Not Advanced Rule, Enabled + - TestDescription: MS.DEFENDER.4.1v2 Non-Compliant case - Not Advanced Rule, Enabled Preconditions: - Command: UpdateProviderExport Splat: @@ -301,7 +301,7 @@ TestPlan: NotifyUserType: "NotSet" Postconditions: [] ExpectedResult: false - - TestDescription: MS.DEFENDER.4.1v1 Non-Compliant case - Advanced Rule, Mode + - TestDescription: MS.DEFENDER.4.1v2 Non-Compliant case - Advanced Rule, Mode Preconditions: - Command: UpdateProviderExport Splat: @@ -324,7 +324,7 @@ TestPlan: NotifyUserType: "NotSet" Postconditions: [] ExpectedResult: false - - TestDescription: MS.DEFENDER.4.1v1 Non-Compliant case - Not Advanced Rule, Mode + - TestDescription: MS.DEFENDER.4.1v2 Non-Compliant case - Not Advanced Rule, Mode Preconditions: - Command: UpdateProviderExport Splat: @@ -353,7 +353,7 @@ TestPlan: NotifyUserType: "NotSet" Postconditions: [] ExpectedResult: false - - TestDescription: MS.DEFENDER.4.1v1 Non-Compliant case - Advanced Rule, Missing U.S. Social Security Number (SSN) + - TestDescription: MS.DEFENDER.4.1v2 Non-Compliant case - Advanced Rule, Missing U.S. Social Security Number (SSN) Preconditions: - Command: UpdateProviderExport Splat: 
@@ -376,7 +376,7 @@ TestPlan: NotifyUserType: "NotSet" Postconditions: [] ExpectedResult: false - - TestDescription: MS.DEFENDER.4.1v1 Non-Compliant case - Not Advanced Rule, Missing U.S. Social Security Number (SSN) + - TestDescription: MS.DEFENDER.4.1v2 Non-Compliant case - Not Advanced Rule, Missing U.S. Social Security Number (SSN) Preconditions: - Command: UpdateProviderExport Splat: @@ -403,7 +403,7 @@ TestPlan: NotifyUserType: "NotSet" Postconditions: [] ExpectedResult: false - - TestDescription: MS.DEFENDER.4.1v1 Non-Compliant case - Advanced Rule, Missing U.S. Individual Taxpayer Identification Number (ITIN) + - TestDescription: MS.DEFENDER.4.1v2 Non-Compliant case - Advanced Rule, Missing U.S. Individual Taxpayer Identification Number (ITIN) Preconditions: - Command: UpdateProviderExport Splat: @@ -426,7 +426,7 @@ TestPlan: NotifyUserType: "NotSet" Postconditions: [] ExpectedResult: false - - TestDescription: MS.DEFENDER.4.1v1 Non-Compliant case - Not Advanced Rule, Missing U.S. Individual Taxpayer Identification Number (ITIN) + - TestDescription: MS.DEFENDER.4.1v2 Non-Compliant case - Not Advanced Rule, Missing U.S. Individual Taxpayer Identification Number (ITIN) Preconditions: - Command: UpdateProviderExport Splat: @@ -453,7 +453,7 @@ TestPlan: NotifyUserType: "NotSet" Postconditions: [] ExpectedResult: false - - TestDescription: MS.DEFENDER.4.1v1 Non-Compliant case - Advanced Rule, Missing Credit Card + - TestDescription: MS.DEFENDER.4.1v2 Non-Compliant case - Advanced Rule, Missing Credit Card Preconditions: - Command: UpdateProviderExport Splat: @@ -476,7 +476,7 @@ TestPlan: NotifyUserType: "NotSet" Postconditions: [] ExpectedResult: false - - TestDescription: MS.DEFENDER.4.1v1 Non-Compliant case - Not Advanced Rule, Missing Credit Card + - TestDescription: MS.DEFENDER.4.1v2 Non-Compliant case - Not Advanced Rule, Missing Credit Card Preconditions: - Command: UpdateProviderExport Splat: 
@@ -503,7 +503,7 @@ TestPlan: NotifyUserType: "NotSet" Postconditions: [] ExpectedResult: false - - TestDescription: MS.DEFENDER.4.1v1 Non-Compliant case - Advanced Rule, ParentPolicyName + - TestDescription: MS.DEFENDER.4.1v2 Non-Compliant case - Advanced Rule, ParentPolicyName Preconditions: - Command: UpdateProviderExport Splat: @@ -526,7 +526,7 @@ TestPlan: NotifyUserType: "NotSet" Postconditions: [] ExpectedResult: false - - TestDescription: MS.DEFENDER.4.1v1 Non-Compliant case - Not Advanced Rule, ParentPolicyName + - TestDescription: MS.DEFENDER.4.1v2 Non-Compliant case - Not Advanced Rule, ParentPolicyName Preconditions: - Command: UpdateProviderExport Splat: