From a58a2c8c4cc4bb5abb4f8085041b9f585c1fb660 Mon Sep 17 00:00:00 2001 From: Addam Schroll <108814318+schrolla@users.noreply.github.com> Date: Thu, 7 Nov 2024 12:55:11 -0600 Subject: [PATCH 1/5] Clarify MS.DEFENDER.4.1v1 policy language to single shall --- PowerShell/ScubaGear/baselines/defender.md | 26 +++++++++++----------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/PowerShell/ScubaGear/baselines/defender.md b/PowerShell/ScubaGear/baselines/defender.md index 914e8338c2..5244fa2486 100644 --- a/PowerShell/ScubaGear/baselines/defender.md +++ b/PowerShell/ScubaGear/baselines/defender.md @@ -427,15 +427,15 @@ confidence levels or adjust the levels in custom DLP policies to fit their environment and needs. ### Policies -#### MS.DEFENDER.4.1v1 -A custom policy SHALL be configured to protect PII and sensitive information, as defined by the agency. At a minimum, credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) SHALL be blocked. +#### MS.DEFENDER.4.1v2 +A custom policy SHALL be configured to protect PII and sensitive information, as defined by the agency, blocking at a minimum: credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN). - + - _Rationale:_ Users may inadvertently share sensitive information with others who should not have access to it. DLP policies provide a way for agencies to detect and prevent unauthorized disclosures. -- _Last modified:_ June 2023 +- _Last modified:_ November 2024 - _MITRE ATT&CK TTP Mapping:_ - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) 
@@ -450,7 +450,7 @@ The custom policy SHOULD be applied to Exchange, OneDrive, SharePoint, Teams cha affected locations to be effective. - _Last modified:_ June 2023 - _Note:_ The custom policy referenced here is the same policy - configured in [MS.DEFENDER.4.1v1](#msdefender41v1). + configured in [MS.DEFENDER.4.1v2](#msdefender41v2). - _MITRE ATT&CK TTP Mapping:_ - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) @@ -466,7 +466,7 @@ The action for the custom policy SHOULD be set to block sharing sensitive inform on agency policies and valid business justifications. - _Last modified:_ June 2023 - _Note:_ The custom policy referenced here is the same policy - configured in [MS.DEFENDER.4.1v1](#msdefender41v1). + configured in [MS.DEFENDER.4.1v2](#msdefender41v2). - _MITRE ATT&CK TTP Mapping:_ - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) @@ -482,7 +482,7 @@ Notifications to inform users and help educate them on the proper use of sensiti accessing sensitive information. - _Last modified:_ June 2023 - _Note:_ The custom policy referenced here is the same policy - configured in [MS.DEFENDER.4.1v1](#msdefender41v1). + configured in [MS.DEFENDER.4.1v2](#msdefender41v2). - _MITRE ATT&CK TTP Mapping:_ - None @@ -515,7 +515,7 @@ information by restricted apps and unwanted Bluetooth applications. - _Last modified:_ June 2023 - _Note:_ - The custom policy referenced here is the same policy - configured in [MS.DEFENDER.4.1v1](#msdefender41v1). + configured in [MS.DEFENDER.4.1v2](#msdefender41v2). - This action can only be included if at least one device is onboarded to the agency tenant. Otherwise, the option to block restricted apps will not be available. 
@@ -556,7 +556,7 @@ information by restricted apps and unwanted Bluetooth applications. ### Implementation -#### MS.DEFENDER.4.1v1 Instructions +#### MS.DEFENDER.4.1v2 Instructions 1. Sign in to the **Microsoft Purview compliance portal**. @@ -619,18 +619,18 @@ information by restricted apps and unwanted Bluetooth applications. #### MS.DEFENDER.4.2v1 Instructions -See [MS.DEFENDER.4.1v1 Instructions](#msdefender41v1-instructions) step 8 +See [MS.DEFENDER.4.1v2 Instructions](#msdefender41v2-instructions) step 8 for details on enforcing DLP policy in specific M365 service locations. #### MS.DEFENDER.4.3v1 Instructions -See [MS.DEFENDER.4.1v1 Instructions](#msdefender41v1-instructions) steps +See [MS.DEFENDER.4.1v2 Instructions](#msdefender41v2-instructions) steps 15-17 for details on configuring DLP policy to block sharing sensitive information with everyone. #### MS.DEFENDER.4.4v1 Instructions -See [MS.DEFENDER.4.1v1 Instructions](#msdefender41v1-instructions) steps +See [MS.DEFENDER.4.1v2 Instructions](#msdefender41v2-instructions) steps 18-19 for details on configuring DLP policy to notify users when accessing sensitive information. @@ -669,7 +669,7 @@ before the instructions below can be completed. 3. Select **Policies** from the top of the page. 4. Find the custom DLP policy configured under - [MS.DEFENDER.4.1v1 Instructions](#msdefender41v1-instructions) in the list + [MS.DEFENDER.4.1v2 Instructions](#msdefender41v2-instructions) in the list and click the Policy name to select. 5. Select **Edit Policy**. From 746dc2ee345dfcc9d96c14158fa618c9ae525867 Mon Sep 17 00:00:00 2001 From: Addam Schroll <108814318+schrolla@users.noreply.github.com> Date: Thu, 7 Nov 2024 14:23:47 -0600 Subject: [PATCH 2/5] Update version in MS.DEFENDER.4.1 references in EXO baseline to v2 --- PowerShell/ScubaGear/baselines/exo.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/PowerShell/ScubaGear/baselines/exo.md b/PowerShell/ScubaGear/baselines/exo.md index 2dbe2519a1..3c34f8fdac 100644 --- a/PowerShell/ScubaGear/baselines/exo.md +++ b/PowerShell/ScubaGear/baselines/exo.md @@ -621,14 +621,14 @@ At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [DLP](./defender.md#implementation-3) for additional guidance. #### MS.EXO.8.2v2 Instructions -Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [protecting PII](./defender.md#msdefender41v1-instructions) for additional guidance. +Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [protecting PII](./defender.md#msdefender41v2-instructions) for additional guidance. #### MS.EXO.8.3v1 Instructions Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [DLP](./defender.md#implementation-3) for additional guidance. #### MS.EXO.8.4v1 Instructions -Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [protecting PII](./defender.md#msdefender41v1-instructions) for additional guidance. +Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [protecting PII](./defender.md#msdefender41v2-instructions) for additional guidance. ## 9. Attachment File Type 
@@ -1075,7 +1075,7 @@ Mailbox auditing SHALL be enabled. - [T1586.002: Email Accounts](https://attack.mitre.org/techniques/T1586/002/) - [T1564: Hide Artifacts](https://attack.mitre.org/techniques/T1564/) - [T1564.008: Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008/) - + ### Resources - [Manage mailbox auditing in Office 365 \| Microsoft From fa3a5ef9880f19dca6bc12b3a674c36ff5903736 Mon Sep 17 00:00:00 2001 From: Addam Schroll <108814318+schrolla@users.noreply.github.com> Date: Thu, 7 Nov 2024 14:27:32 -0600 Subject: [PATCH 3/5] Update MS.DEFENDER.4.1 policy ID version --- PowerShell/ScubaGear/Rego/DefenderConfig.rego | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/PowerShell/ScubaGear/Rego/DefenderConfig.rego b/PowerShell/ScubaGear/Rego/DefenderConfig.rego index f7f57044d9..d80e90c6fc 100644 --- a/PowerShell/ScubaGear/Rego/DefenderConfig.rego +++ b/PowerShell/ScubaGear/Rego/DefenderConfig.rego @@ -387,7 +387,7 @@ tests contains { ################# # -# MS.DEFENDER.4.1v1 +# MS.DEFENDER.4.1v2 #-- SensitiveContent := [ "U.S. Social Security Number (SSN)", @@ -479,7 +479,7 @@ error_rules contains SensitiveContent[2] if count(Rules.Credit_Card) == 0 # If error_rules contains any value, then some sensitive content # is not protected by any policy & check should fail. tests contains { - "PolicyId": "MS.DEFENDER.4.1v1", + "PolicyId": "MS.DEFENDER.4.1v2", "Criticality": "Shall", "Commandlet": ["Get-DlpComplianceRule"], "ActualValue": Rules, From f09047ce062b64579fdf4bf112d72b4c3aba3d35 Mon Sep 17 00:00:00 2001 From: Addam Schroll <108814318+schrolla@users.noreply.github.com> Date: Thu, 7 Nov 2024 15:30:33 -0600 Subject: [PATCH 4/5] Update MS.DEFENDER.4.1 policy id version in CreateReportStubs test results JSON output --- .../CreateReport/CreateReportStubs/TestResults.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/PowerShell/ScubaGear/Testing/Unit/PowerShell/CreateReport/CreateReportStubs/TestResults.json b/PowerShell/ScubaGear/Testing/Unit/PowerShell/CreateReport/CreateReportStubs/TestResults.json index 1ef3c17506..1e09521fce 100644 --- a/PowerShell/ScubaGear/Testing/Unit/PowerShell/CreateReport/CreateReportStubs/TestResults.json +++ b/PowerShell/ScubaGear/Testing/Unit/PowerShell/CreateReport/CreateReportStubs/TestResults.json @@ -1037,7 +1037,7 @@ "Get-MalwareFilterPolicy" ], "Criticality": "Should", - "PolicyId": "MS.DEFENDER.4.1v1", + "PolicyId": "MS.DEFENDER.4.1v2", "ReportDetails": "Requirement met", "RequirementMet": true }, @@ -1494,7 +1494,7 @@ "Locations": [ "All" ], - "Name": "MS.DEFENDER.4.1v1 Test", + "Name": "MS.DEFENDER.4.1v2 Test", "Workload": "Exchange, SharePoint, OneDriveForBusiness, Teams, EndpointDevices, OnPremisesScanner" } ], @@ -1527,7 +1527,7 @@ "Locations": [ "All" ], - "Name": "MS.DEFENDER.4.1v1 Test", + "Name": "MS.DEFENDER.4.1v2 Test", "Workload": "Exchange, SharePoint, OneDriveForBusiness, Teams, EndpointDevices, OnPremisesScanner" } ], @@ -1560,7 +1560,7 @@ "Locations": [ "All" ], - "Name": "MS.DEFENDER.4.1v1 Test", + "Name": "MS.DEFENDER.4.1v2 Test", "Workload": "Exchange, SharePoint, OneDriveForBusiness, Teams, EndpointDevices, OnPremisesScanner" } ], @@ -3574,4 +3574,4 @@ "ReportDetails": "1 meeting policy(ies) found that allow cloud recording and storage outside of the tenant\u0027s region: Tag:Custom Policy 1", "RequirementMet": false } -] \ No newline at end of file +] From d27dffc178748c787632e1595e1fd08ae993626a Mon Sep 17 00:00:00 2001 From: Addam Schroll <108814318+schrolla@users.noreply.github.com> Date: Thu, 7 Nov 2024 15:43:20 -0600 Subject: [PATCH 5/5] Update MS.DEFENDER.4.1 policy id version in Defender rego unit tests --- .../Rego/Defender/DefenderConfig_04_test.rego | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) 
diff --git a/PowerShell/ScubaGear/Testing/Unit/Rego/Defender/DefenderConfig_04_test.rego b/PowerShell/ScubaGear/Testing/Unit/Rego/Defender/DefenderConfig_04_test.rego index 77a030a884..a0764b5094 100644 --- a/PowerShell/ScubaGear/Testing/Unit/Rego/Defender/DefenderConfig_04_test.rego +++ b/PowerShell/ScubaGear/Testing/Unit/Rego/Defender/DefenderConfig_04_test.rego @@ -9,7 +9,7 @@ import data.utils.report.NotCheckedDetails import rego.v1 # -# Policy MS.DEFENDER.4.1v1 +# Policy MS.DEFENDER.4.1v2 #-- test_ContentContainsSensitiveInformation_Correct_V1 if { Output := defender.tests with input.dlp_compliance_rules as [DlpComplianceRules] @@ -17,7 +17,7 @@ test_ContentContainsSensitiveInformation_Correct_V1 if { with input.defender_license as true with input.defender_dlp_license as true - TestResult("MS.DEFENDER.4.1v1", Output, PASS, true) == true + TestResult("MS.DEFENDER.4.1v2", Output, PASS, true) == true } test_AdvancedRule_Correct_V2 if { @@ -33,7 +33,7 @@ test_AdvancedRule_Correct_V2 if { with input.defender_license as true with input.defender_dlp_license as true - TestResult("MS.DEFENDER.4.1v1", Output, PASS, true) == true + TestResult("MS.DEFENDER.4.1v2", Output, PASS, true) == true } test_ContentContainsSensitiveInformation_Incorrect_V1 if { @@ -46,7 +46,7 @@ test_ContentContainsSensitiveInformation_Incorrect_V1 if { with input.defender_dlp_license as true ReportDetailString := "No matching rules found for: U.S. Social Security Number (SSN)" - TestResult("MS.DEFENDER.4.1v1", Output, ReportDetailString, false) == true + TestResult("MS.DEFENDER.4.1v2", Output, ReportDetailString, false) == true } test_ContentContainsSensitiveInformation_Incorrect_V2 if { 
@@ -59,7 +59,7 @@ test_ContentContainsSensitiveInformation_Incorrect_V2 if { with input.defender_dlp_license as true ReportDetailString := "No matching rules found for: U.S. Individual Taxpayer Identification Number (ITIN)" - TestResult("MS.DEFENDER.4.1v1", Output, ReportDetailString, false) == true + TestResult("MS.DEFENDER.4.1v2", Output, ReportDetailString, false) == true } test_ContentContainsSensitiveInformation_Incorrect_V3 if { @@ -72,7 +72,7 @@ test_ContentContainsSensitiveInformation_Incorrect_V3 if { with input.defender_dlp_license as true ReportDetailString := "No matching rules found for: Credit Card Number" - TestResult("MS.DEFENDER.4.1v1", Output, ReportDetailString, false) == true + TestResult("MS.DEFENDER.4.1v2", Output, ReportDetailString, false) == true } test_ContentContainsSensitiveInformation_Incorrect_V4 if { @@ -89,7 +89,7 @@ test_ContentContainsSensitiveInformation_Incorrect_V4 if { "U.S. Individual Taxpayer Identification Number (ITIN), U.S. Social Security Number (SSN)" ]) - TestResult("MS.DEFENDER.4.1v1", Output, ReportDetailString, false) == true + TestResult("MS.DEFENDER.4.1v2", Output, ReportDetailString, false) == true } test_ContentContainsSensitiveInformation_Incorrect_V5 if { @@ -106,7 +106,7 @@ test_ContentContainsSensitiveInformation_Incorrect_V5 if { "U.S. Individual Taxpayer Identification Number (ITIN), U.S. Social Security Number (SSN)" ]) - TestResult("MS.DEFENDER.4.1v1", Output, ReportDetailString, false) == true + TestResult("MS.DEFENDER.4.1v2", Output, ReportDetailString, false) == true } test_ContentContainsSensitiveInformation_Incorrect_V6 if { @@ -123,7 +123,7 @@ test_ContentContainsSensitiveInformation_Incorrect_V6 if { "U.S. Individual Taxpayer Identification Number (ITIN), U.S. Social Security Number (SSN)" ]) - TestResult("MS.DEFENDER.4.1v1", Output, ReportDetailString, false) == true + TestResult("MS.DEFENDER.4.1v2", Output, ReportDetailString, false) == true } test_NoDLPLicense_Incorrect_4_1_V1 if { 
@@ -131,7 +131,7 @@ test_NoDLPLicense_Incorrect_4_1_V1 if { with input.defender_dlp_license as false ReportDetailString := concat(" ", [FAIL, DLPLICENSEWARNSTR]) - TestResult("MS.DEFENDER.4.1v1", Output, ReportDetailString, false) == true + TestResult("MS.DEFENDER.4.1v2", Output, ReportDetailString, false) == true } #--
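Review bot: in patch 1, hunk @@ -427 of defender.md, the v2 wording pulls "blocking at a minimum" under the one remaining SHALL, yet MS.DEFENDER.4.3v1 (hunk @@ -466 of the same file) still states that the block action "SHOULD be set", and the Rego check in patch 3 (DefenderConfig.rego, hunk @@ -479) only fails when one of the three sensitive content types has no matching rule, not when a rule's action is something other than block. As written, the SHALL now appears to require blocking while the assessment and 4.3v1 treat it as a SHOULD. Suggest either wording v2 so the SHALL covers rule coverage only (for example "configured to protect ..., covering at a minimum: credit card numbers, ...") and leaving the block action to 4.3v1, or stating explicitly that the block action is assessed under 4.3v1, so the policy text, the SHOULD in 4.3v1 and the check agree on what the SHALL requires.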
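Review bot: in patch 1, hunks @@ -450, @@ -466, @@ -482 and @@ -515 of defender.md each update the cross-reference to `[MS.DEFENDER.4.1v2](#msdefender41v2)` but keep `- _Last modified:_ June 2023`, while hunk @@ -427 bumps 4.1's date to November 2024. If the baseline's convention is that an editorial link fix does not change a policy's date, that is fine, but the commit message should say so; otherwise these four dates should move to November 2024 as well so the document is internally consistent.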
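Review bot: in patch 2, hunk @@ -621 of exo.md, the hunk's context line ("At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. ...") shows the EXO baseline still carrying the two-SHALL form that patch 1 collapsed in defender.md. If the series is meant to leave one shall per policy, the EXO policy statement above these instructions likely needs the same rewording, and by the convention applied in patch 1 that would require its own version bump. The anchor edits in this hunk are correct: `#msdefender41v2-instructions` matches the heading renamed to "MS.DEFENDER.4.1v2 Instructions" in patch 1.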
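Review bot: in patch 2, hunk @@ -1075 of exo.md only strips trailing whitespace from the blank line between the mailbox-auditing TTP list and `### Resources`; it is unrelated to the stated subject (updating MS.DEFENDER.4.1 references to v2). Harmless, but either drop it from this commit or note it in the message so the diff matches its description.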
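Review bot: in patch 4, hunk @@ -1037 of TestResults.json, the stub record that now reads `"PolicyId": "MS.DEFENDER.4.1v2"` still carries `"Criticality": "Should"` and `"Commandlet": ["Get-MalwareFilterPolicy"]`, whereas the Rego rule for this policy in patch 3 emits `"Criticality": "Shall"` and `"Commandlet": ["Get-DlpComplianceRule"]`. Because this file is a CreateReport fixture the mismatch does not break the test, but since the record is being touched anyway, aligning the Criticality with the baseline (4.1 is a SHALL) avoids a fixture that misrepresents the policy.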
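Review bot: in patch 4, hunk @@ -3574 of TestResults.json only adds the missing trailing newline (`\ No newline at end of file` removed); it is unrelated to the policy-ID subject. Fine to keep, but worth a mention in the commit message, since the other hunks in this patch are all ID changes.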