Convert Microsoft Secure Score to OHDF (#6007)

* draft of the microsoftSecureScore converter * bugfix: reading of secureScoreProfiles doc needed field for the array * minor update map/filter * add threats to tags from profile matching controlScore * add testing and update status check to use scoreInPercentage * update testing and fingerprinting * update fingerprinting for accept combined msftSecureScore document via UX * lint fix * msft-config-mapper-2.ts renamed without 2, cleanup commented out code * code cleanup. delete unused code * tslint allow commented out code in test suite * revert jest version bump * revert package.json to minimal requirements being added (only typing from MSFT) * rename mapper for consistency. msft_secure_score_mapper * update test name and remove linting inline disble block for commented out code * rename files for org per PR comments * update tags. fix array of array issue. add tiers,services,userImpact tags, add passthrough partial wroking * bugfix: replace missed exports due to rename to MsftSecureScoreMapper * bugfix/ typo * console debugging * Revert "console debugging" This reverts commit 8a003c8. * Passthrough fix; minor styling changes Signed-off-by: Charles Hu <[email protected]> * actual sample msft secureScore.json test doc updated to have value: [] * bugfix/populate code with control data and optionally profiles data * Update libs/hdf-converters/src/msft-secure-score-mapper.ts Co-authored-by: Charles Hu <[email protected]> * remove 'summary' field as no value available * Update libs/hdf-converters/src/msft-secure-score-mapper.ts Co-authored-by: Charles Hu <[email protected]> * improve names of parameters in arrow functions * Update libs/hdf-converters/src/msft-secure-score-mapper.ts Co-authored-by: Charles Hu <[email protected]> * remove unuded profile.version field as no value known from Microsoft * code cleanup. remove unused import * lint and update test expected results * update test data * Missed argument name change Signed-off-by: Charles Hu <[email protected]> * Linting Signed-off-by: Charles Hu <[email protected]> * implementationStatus -> controls.results.code_desc, remediation -> descriptions. data/label fix , leave controls.code blank * update test data for changes to mapper * Update msft-secure-score-mapper.ts * lint fix and update test data * relocate NIST to be in tags * sort exports per PR comment * add Msft_Secure_mapper to supported formats README.md * typo fixed * add run_time to mapper. required for downstream transformations that require start and end times. * update delimeter on control title from ... to \n * rename tag: group->category in dederence to msft naming * utilize lodash.uniq for tag.threats[] * add profiles[].remediationImpact as descriptions[label:rationale] * add secure score to FileReader.vue * update merge of records by id/cat * fix rawdata passthrough * update profiles.title include runID * handle output readability better * track secureScoreControlProfile.rank as control.tag.rank * remove run_time * cleanup inports * lint fix * conditional includsion of tags * secureScoreResults used to output full OHDF report per secureScore report in combined_input * bugfix/ exports from msft-secure-score-mapper fixed * update exports msftSecureMapper * export MsftSecureScoreMapper * add unmapped fields as tags or passthrough data * update MsftSecureScoreResult type hints * update MsftSecureScoreResult type hints * add withRaw parameter to msft secure score results * use utils.global constants for default NIST tags * remove duplicate tag 'rank' * convert forEach to for ... of * convert forEach to map(..) * delete extra copy of combined_msft.json * lint fix * private keyword isn't that useful Signed-off-by: Amndeep Singh Mann <[email protected]> * memoized the getProfiles function so that the repeated calls to the function don't all need to do the search Signed-off-by: Amndeep Singh Mann <[email protected]> --------- Signed-off-by: Charles Hu <[email protected]> Signed-off-by: Amndeep Singh Mann <[email protected]> Co-authored-by: Charles Hu <[email protected]> Co-authored-by: Charles Hu <[email protected]> Co-authored-by: Eugene Aronne <[email protected]> Co-authored-by: Amndeep Singh Mann <[email protected]>
mitre · Aug 7, 2024 · f5c9fe4 · f5c9fe4
1 parent f5403fd
commit f5c9fe4
Show file tree

Hide file tree

Showing 16 changed files with 53,083 additions and 14 deletions.
diff --git a/apps/frontend/src/components/global/upload_tabs/FileReader.vue b/apps/frontend/src/components/global/upload_tabs/FileReader.vue
@@ -38,6 +38,7 @@
                   <li>Golang Security Checker (gosec)</li>
                   <li>Ion Channel</li>
                   <li>JFrog Xray</li>
+                  <li>Microsoft Secure Score</li>
                   <li>Nessus</li>
                   <li>Netsparker</li>
                   <li>Nikto</li>

diff --git a/apps/frontend/src/store/report_intake.ts b/apps/frontend/src/store/report_intake.ts
@@ -18,6 +18,7 @@ import {
   INPUT_TYPES,
   IonChannelMapper,
   JfrogXrayMapper,
+  MsftSecureScoreResults,
   NessusResults,
   NetsparkerMapper,
   NiktoMapper,
@@ -230,6 +231,8 @@ export class InspecIntake extends VuexModule {
     switch (typeGuess) {
       case INPUT_TYPES.JFROG:
         return new JfrogXrayMapper(convertOptions.data).toHdf();
+      case INPUT_TYPES.MSFT_SEC_SCORE:
+        return new MsftSecureScoreResults(convertOptions.data).toHdf();
       case INPUT_TYPES.ASFF:
         return Object.values(
           new ASFFResultsMapper(convertOptions.data).toHdf()

diff --git a/libs/hdf-converters/README.md b/libs/hdf-converters/README.md
@@ -16,20 +16,21 @@ OHDF Converters supplies several methods to convert various types of security to
 9.  [**gosec-mapper**] - gosec results JSON file
 10. [**ionchannel-mapper**] - SBOM data from Ion Channel
 11. [**jfrog-xray-mapper**] - JFrog Xray results JSON file
-12. [**nessus-mapper**] - Nessus XML results file
-13. [**netsparker-mapper**] - Netsparker XML results file
-14. [**nikto-mapper**] - Nikto results JSON file
-15. [**prisma-mapper**] - Prisma Cloud Scan Report CSV file
-16. [**sarif-mapper**] - SARIF JSON file
-17. [**scoutsuite-mapper**] - ScoutSuite results from a Javascript object
-18. [**snyk-mapper**] - Snyk results JSON file
-19. [**sonarqube-mapper**] - SonarQube vulnerabilities for the specified project name and optional branch or pull/merge request ID name from an API
-20. [**splunk-mapper**] - Splunk instance
-21. [**trufflehog-mapper**] - Trufflehog results json file 
-22. [**twistlock-mapper**] - Twistlock CLI output file
-23. [**veracode-mapper**] - Veracode Scan Results XML file
-24. [**xccdf-results-mapper**] - SCAP client XCCDF-Results XML report
-25. [**zap-mapper**] - OWASP ZAP results JSON
+12. [**msft-secure-mapper**] - Microsoft Secure Score results file
+13. [**nessus-mapper**] - Nessus XML results file
+14. [**netsparker-mapper**] - Netsparker XML results file
+15. [**nikto-mapper**] - Nikto results JSON file
+16. [**prisma-mapper**] - Prisma Cloud Scan Report CSV file
+17. [**sarif-mapper**] - SARIF JSON file
+18. [**scoutsuite-mapper**] - ScoutSuite results from a Javascript object
+19. [**snyk-mapper**] - Snyk results JSON file
+20. [**sonarqube-mapper**] - SonarQube vulnerabilities for the specified project name and optional branch or pull/merge request ID name from an API
+21. [**splunk-mapper**] - Splunk instance
+22. [**trufflehog-mapper**] - Trufflehog results json file 
+23. [**twistlock-mapper**] - Twistlock CLI output file
+24. [**veracode-mapper**] - Veracode Scan Results XML file
+25. [**xccdf-results-mapper**] - SCAP client XCCDF-Results XML report
+26. [**zap-mapper**] - OWASP ZAP results JSON
 
 ### NOTICE
 

diff --git a/libs/hdf-converters/index.ts b/libs/hdf-converters/index.ts
@@ -24,6 +24,7 @@ export * as NiktoNistMappingData from './src/mappings/NiktoNistMappingData';
 export * as NistCciMappingData from './src/mappings/NistCciMappingData';
 export * as OWaspNistMappingData from './src/mappings/OWaspNistMappingData';
 export * as ScoutsuiteNistMappingData from './src/mappings/ScoutsuiteNistMappingData';
+export * from './src/msft-secure-score-mapper';
 export * from './src/nessus-mapper';
 export * from './src/netsparker-mapper';
 export * from './src/nikto-mapper';

diff --git a/libs/hdf-converters/package.json b/libs/hdf-converters/package.json
@@ -25,6 +25,7 @@
     "xml2json": "tsx data/converters/xml2json.ts"
   },
   "dependencies": {
+    "@microsoft/microsoft-graph-types": "^2.40.0",
     "@aws-sdk/client-config-service": "^3.95.0",
     "@e965/xlsx": "^0.20.0",
     "@mdi/js": "^7.0.96",

diff --git a/libs/hdf-converters/sample_jsons/msft_secure_score_mapper/sample_input_report/combined.json b/libs/hdf-converters/sample_jsons/msft_secure_score_mapper/sample_input_report/combined.json
diff --git a/libs/hdf-converters/sample_jsons/msft_secure_score_mapper/sample_input_report/profiles.json b/libs/hdf-converters/sample_jsons/msft_secure_score_mapper/sample_input_report/profiles.json
diff --git a/...rters/sample_jsons/msft_secure_score_mapper/sample_input_report/secureScore-multiple.json b/...rters/sample_jsons/msft_secure_score_mapper/sample_input_report/secureScore-multiple.json
@@ -0,0 +1,161 @@
+{
+  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/secureScores",
+  "value": [
+    {
+      "id": "12345678-1234-1234-1234-1234567890abcd_2024-01-01",
+      "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+      "activeUserCount": 1,
+      "createdDateTime": "2024-01-01T00:00:00Z",
+      "currentScore": 128,
+      "enabledServices": [
+        "HasOCAS",
+        "HasCLB",
+        "HasMDOP1",
+        "HasMDOP2",
+        "HasEXOP2",
+        "HasSPOP2",
+        "HasAADFree"
+      ],
+      "licensedUserCount": 100,
+      "maxScore": 1000,
+      "vendorInformation": {
+        "provider": "SecureScore",
+        "providerVersion": null,
+        "subProvider": null,
+        "vendor": "Microsoft"
+      },
+      "averageComparativeScores": [
+        {
+          "basis": "AllTenants",
+          "averageScore": 54.65,
+          "appsScore": 29.65,
+          "appsScoreMax": 79,
+          "dataScore": 0.46,
+          "dataScoreMax": 3.27,
+          "deviceScore": 9.13,
+          "deviceScoreMax": 16.76,
+          "identityScore": 36.02,
+          "identityScoreMax": 59.42,
+          "infrastructureScore": 0,
+          "infrastructureScoreMax": 0
+        },
+        {
+          "basis": "TotalSeats",
+          "averageScore": 48.98,
+          "SeatSizeRangeLowerValue": "1",
+          "SeatSizeRangeUpperValue": "100",
+          "appsScore": 34.15,
+          "appsScoreMax": 94.46,
+          "dataScore": 0.5,
+          "dataScoreMax": 3.97,
+          "deviceScore": 6.87,
+          "deviceScoreMax": 12.65,
+          "identityScore": 34.16,
+          "identityScoreMax": 59.5,
+          "infrastructureScore": 0,
+          "infrastructureScoreMax": 0
+        }
+      ],
+      "controlScores": [
+        {
+          "controlCategory": "Apps",
+          "controlName": "spo_idle_session_timeout",
+          "description": "\n\t\t\tIdle session sign-out lets you specify a time at which users are warned and are later signed out of Microsoft 365 after a period of browser inactivity in SharePoint and OneDrive.\n            <br/>\n\t\t\tThis policy is one of several you can use with SharePoint and OneDrive to balance security and user productivity and help keep your data safe, regardless  of where users access the data from, what device they're working on, and how secure their network connection is.\n\t\t",
+          "score": 0,
+          "lastSynced": "2024-01-01T17:12:14Z",
+          "implementationStatus": "The setting is not compliant.",
+          "on": "false",
+          "scoreInPercentage": 0
+        },
+        {
+          "controlCategory": "Apps",
+          "controlName": "spo_legacy_auth",
+          "description": "\n\t\t\tModern authentication in Microsoft 365 enables authentication features like multifactor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers.\n\t\t\t<br/>\n\t\t\tStrong authentication controls, such as the use of multifactor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users.\n\t\t\t<br/>\n\t\t\t<i>This information was taken from Center for Internet Security (CIS).</i>\n\t\t",
+          "score": 0,
+          "lastSynced": "2024-01-01T17:12:14Z",
+          "implementationStatus": "The setting is not compliant.",
+          "on": "false",
+          "scoreInPercentage": 0
+        }
+      ]
+    },
+    {
+      "id": "12345678-1234-1234-1234-1234567890abcd_2024-01-02",
+      "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+      "activeUserCount": 1,
+      "createdDateTime": "2024-01-01T00:00:00Z",
+      "currentScore": 128,
+      "enabledServices": [
+        "HasOCAS",
+        "HasCLB",
+        "HasMDOP1",
+        "HasMDOP2",
+        "HasEXOP2",
+        "HasSPOP2",
+        "HasAADFree"
+      ],
+      "licensedUserCount": 0,
+      "maxScore": 274,
+      "vendorInformation": {
+        "provider": "SecureScore",
+        "providerVersion": null,
+        "subProvider": null,
+        "vendor": "Microsoft"
+      },
+      "averageComparativeScores": [
+        {
+          "basis": "AllTenants",
+          "averageScore": 54.65,
+          "appsScore": 29.65,
+          "appsScoreMax": 79,
+          "dataScore": 0.46,
+          "dataScoreMax": 3.27,
+          "deviceScore": 9.13,
+          "deviceScoreMax": 16.76,
+          "identityScore": 36.02,
+          "identityScoreMax": 59.42,
+          "infrastructureScore": 0,
+          "infrastructureScoreMax": 0
+        },
+        {
+          "basis": "TotalSeats",
+          "averageScore": 48.98,
+          "SeatSizeRangeLowerValue": "1",
+          "SeatSizeRangeUpperValue": "100",
+          "appsScore": 34.15,
+          "appsScoreMax": 94.46,
+          "dataScore": 0.5,
+          "dataScoreMax": 3.97,
+          "deviceScore": 6.87,
+          "deviceScoreMax": 12.65,
+          "identityScore": 34.16,
+          "identityScoreMax": 59.5,
+          "infrastructureScore": 0,
+          "infrastructureScoreMax": 0
+        }
+      ],
+      "controlScores": [
+        {
+          "controlCategory": "Apps",
+          "controlName": "McasFirewallLogUpload",
+          "description": "Log collectors provide visibility into cloud app usage so you can identify if there are any apps that run without official approval, or if there is anomalous behavior. Log collectors automatically upload reports and parse the firewall/ proxy traffic logs to see if there is a match with your services in the Cloud App Catalog.",
+          "score": 0,
+          "lastSynced": "2024-01-01T04:34:13Z",
+          "implementationStatus": "Feature in place: false.",
+          "on": "false",
+          "scoreInPercentage": 0
+        },
+        {
+          "controlCategory": "Apps",
+          "controlName": "McasCutomActivityPolicy",
+          "description": "Activity policies help you monitor specific activities carried out by users, or follow unexpectedly high rates of certain types of activities. After you set an activity detection policy, it starts to generate alerts. Alerts are only generated on activities that occur after you create the policy.",
+          "score": 0,
+          "lastSynced": "2024-01-01T04:34:13Z",
+          "implementationStatus": "Policy in place: false.",
+          "on": "false",
+          "scoreInPercentage": 0
+        }
+      ]
+    }
+  ]
+}