From 50e45b1cd04b209c67bd84bebaebfef37e7250f3 Mon Sep 17 00:00:00 2001 From: Mitcelll Johnson <91237766+Mitchell-jpg@users.noreply.github.com> Date: Tue, 26 Nov 2024 21:31:27 -0500 Subject: [PATCH] change baseline .md's to use reference links #494 --- PowerShell/ScubaGear/baselines/aad.md | 348 +++++++----- PowerShell/ScubaGear/baselines/defender.md | 329 +++++++---- PowerShell/ScubaGear/baselines/exo.md | 519 +++++++++++------- PowerShell/ScubaGear/baselines/powerbi.md | 258 ++++++--- .../ScubaGear/baselines/powerplatform.md | 125 +++-- .../ScubaGear/baselines/removedpolicies.md | 25 +- PowerShell/ScubaGear/baselines/sharepoint.md | 109 ++-- PowerShell/ScubaGear/baselines/teams.md | 220 +++++--- baselines/README.md | 25 +- 9 files changed, 1275 insertions(+), 683 deletions(-) diff --git a/PowerShell/ScubaGear/baselines/aad.md b/PowerShell/ScubaGear/baselines/aad.md index 1c618dfff0..68ea780701 100644 --- a/PowerShell/ScubaGear/baselines/aad.md +++ b/PowerShell/ScubaGear/baselines/aad.md 
@@ -13,15 +13,15 @@ For non-Federal users, the information in this document is being provided “as > This document is marked TLP:CLEAR. Recipients may share this information without restriction. Information is subject to standard copyright rules. For more information on the Traffic Light Protocol, see https://www.cisa.gov/tlp. ## License Compliance and Copyright -Portions of this document are adapted from documents in Microsoft’s [M365](https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/LICENSE) and [Azure](https://github.com/MicrosoftDocs/azure-docs/blob/main/LICENSE) GitHub repositories. The respective documents are subject to copyright and are adapted under the terms of the Creative Commons Attribution 4.0 International license. Sources are linked throughout this document. The United States government has adapted selections of these documents to develop innovative and scalable configuration standards to strengthen the security of widely used cloud-based software services. +Portions of this document are adapted from documents in Microsoft’s [M365][] and [Azure][] GitHub repositories. The respective documents are subject to copyright and are adapted under the terms of the Creative Commons Attribution 4.0 International license. Sources are linked throughout this document. The United States government has adapted selections of these documents to develop innovative and scalable configuration standards to strengthen the security of widely used cloud-based software services. ## Assumptions -The **License Requirements** sections of this document assume the organization is using an [M365 E3](https://www.microsoft.com/en-us/microsoft-365/compare-microsoft-365-enterprise-plans) or [G3](https://www.microsoft.com/en-us/microsoft-365/government) license level at a minimum. Therefore, only licenses not included in E3/G3 are listed. 
+The **License Requirements** sections of this document assume the organization is using an [M365 E3][] or [G3][] license level at a minimum. Therefore, only licenses not included in E3/G3 are listed. -Some of the policies in this baseline may link to Microsoft instruction pages which assume that an agency has created emergency access accounts in Microsoft Entra ID and [implemented strong security measures](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access#create-emergency-access-accounts) to protect the credentials of those accounts. +Some of the policies in this baseline may link to Microsoft instruction pages which assume that an agency has created emergency access accounts in Microsoft Entra ID and [implemented strong security measures][] to protect the credentials of those accounts. ## Key Terminology -The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119](https://datatracker.ietf.org/doc/html/rfc2119). +The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119][]. The following are key terms and descriptions used in this document. 
@@ -34,7 +34,7 @@ Microsoft Entra ID tenant. ## Highly Privileged Roles -This section provides a list of what CISA considers highly privileged [built-in roles in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference). This list is referenced in numerous baseline policies throughout this document. Agencies should consider this reference as a minimum list and can apply the respective baseline policies to additional Microsoft Entra ID roles as necessary. +This section provides a list of what CISA considers highly privileged [built-in roles in Microsoft Entra ID][]. This list is referenced in numerous baseline policies throughout this document. Agencies should consider this reference as a minimum list and can apply the respective baseline policies to additional Microsoft Entra ID roles as necessary. - Global Administrator - Privileged Role Administrator 
@@ -51,7 +51,7 @@ Throughout this document, this list of highly privileged roles is referenced in Numerous policies in this baseline rely on Microsoft Entra ID Conditional Access. Conditional Access is a feature that allows administrators to limit access to resources using conditions such as user or group membership, device, IP location, and real-time risk detection. This section provides guidance and tools when implementing baseline policies which rely on Microsoft Entra ID Conditional Access. -As described in Microsoft’s literature related to conditional access policies, CISA recommends initially setting a policy to **Report-only** when it is created and then performing thorough hands-on testing to help prevent unintended consequences before toggling the policy from **Report-only** to **On**. The policy will only be enforced when it is set to **On**. One tool that can assist with running test simulations is the [What If tool](https://learn.microsoft.com/en-us/entra/identity/conditional-access/what-if-tool). Microsoft also describes [Conditional Access insights and reporting](https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-insights-reporting) that can assist with testing. +As described in Microsoft’s literature related to conditional access policies, CISA recommends initially setting a policy to **Report-only** when it is created and then performing thorough hands-on testing to help prevent unintended consequences before toggling the policy from **Report-only** to **On**. The policy will only be enforced when it is set to **On**. One tool that can assist with running test simulations is the [What If tool][]. Microsoft also describes [Conditional Access insights and reporting][] that can assist with testing. # Baseline Policies 
@@ -67,18 +67,18 @@ Legacy authentication SHALL be blocked. - _Rationale:_ The security risk of allowing legacy authentication protocols is they do not support MFA. Blocking legacy protocols reduces the impact of user credential theft. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1110: Brute Force](https://attack.mitre.org/techniques/T1110/) - - [T1110.001: Password Guessing](https://attack.mitre.org/techniques/T1110/001/) - - [T1110.002: Password Cracking](https://attack.mitre.org/techniques/T1110/002/) - - [T1110.003: Password Spraying](https://attack.mitre.org/techniques/T1110/003/) - - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) - - [T1078.004: Cloud Accounts](https://attack.mitre.org/techniques/T1078/004/) + - [T1110: Brute Force][] + - [T1110.001: Password Guessing][] + - [T1110.002: Password Cracking][] + - [T1110.003: Password Spraying][] + - [T1078: Valid Accounts][] + - [T1078.004: Cloud Accounts][] ### Resources -- [Common Conditional Access policy: Block legacy authentication](https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-block-legacy) +- [Common Conditional Access policy: Block legacy authentication][] -- [Five steps to securing your identity infrastructure](https://learn.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity) +- [Five steps to securing your identity infrastructure][] ### License Requirements 
@@ -88,7 +88,7 @@ Legacy authentication SHALL be blocked. #### MS.AAD.1.1v1 Instructions -1. [Determine if an agency’s existing applications use legacy authentication](https://learn.microsoft.com/en-us/entra/identity/conditional-access/block-legacy-authentication#identify-legacy-authentication-use) before blocking legacy authentication across the entire application base. +1. [Determine if an agency’s existing applications use legacy authentication][] before blocking legacy authentication across the entire application base. 2. Create a Conditional Access policy to block legacy authentication 
@@ -106,9 +106,9 @@ Legacy authentication SHALL be blocked. This section provides policies that reduce security risks related to potentially compromised user accounts. These policies combine Microsoft Entra ID Protection and Microsoft Entra ID Conditional Access. Microsoft Entra ID Protection uses numerous signals to detect the risk level for each user or sign-in and determine if an account may have been compromised. -- _Additional mitigations to reduce risks associated with the authentication of workload identities:_ Although not covered in this baseline due to the need for an additional non-standard license, Microsoft provides support for mitigating risks related to workload identities (Microsoft Entra ID applications or service principals). Agencies should strongly consider implementing this feature because workload identities present many of the same risks as interactive user access and are commonly used in modern systems. CISA urges organizations to [apply Conditional Access policies to workload identities](https://learn.microsoft.com/en-us/entra/identity/conditional-access/workload-identity). +- _Additional mitigations to reduce risks associated with the authentication of workload identities:_ Although not covered in this baseline due to the need for an additional non-standard license, Microsoft provides support for mitigating risks related to workload identities (Microsoft Entra ID applications or service principals). Agencies should strongly consider implementing this feature because workload identities present many of the same risks as interactive user access and are commonly used in modern systems. CISA urges organizations to [apply Conditional Access policies to workload identities][]. -- _Note:_ In this section, the term ["high risk"](https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks) denotes the risk level applied by the Microsoft Entra ID Protection service to a user account or sign-in event. 
+- _Note:_ In this section, the term ["high risk"][] denotes the risk level applied by the Microsoft Entra ID Protection service to a user account or sign-in event. ### Policies #### MS.AAD.2.1v1 @@ -119,8 +119,8 @@ Users detected as high risk SHALL be blocked. - _Last modified:_ June 2023 - _Note:_ Users identified as high risk by Microsoft Entra ID Identity Protection can be blocked from accessing the system via a Microsoft Entra ID Conditional Access policy. A high-risk user will be blocked until an administrator remediates their account. - _MITRE ATT&CK TTP Mapping:_ - - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) - - [T1078.004: Cloud Accounts](https://attack.mitre.org/techniques/T1078/004/) + - [T1078: Valid Accounts][] + - [T1078.004: Cloud Accounts][] #### MS.AAD.2.2v1 A notification SHOULD be sent to the administrator when high-risk users are detected. @@ -129,8 +129,8 @@ A notification SHOULD be sent to the administrator when high-risk users are dete - _Rationale:_ Notification enables the admin to monitor the event and remediate the risk. This helps the organization proactively respond to cyber intrusions as they occur. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) - - [T1078.004: Cloud Accounts](https://attack.mitre.org/techniques/T1078/004/) + - [T1078: Valid Accounts][] + - [T1078.004: Cloud Accounts][] #### MS.AAD.2.3v1 Sign-ins detected as high risk SHALL be blocked. 
@@ -139,16 +139,16 @@ Sign-ins detected as high risk SHALL be blocked. - _Rationale:_ This prevents compromised accounts from accessing the tenant. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) - - [T1078.004: Cloud Accounts](https://attack.mitre.org/techniques/T1078/004/) + - [T1078: Valid Accounts][] + - [T1078.004: Cloud Accounts][] ### Resources -- [What are risk detections?](https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks) +- [What are risk detections?][] -- [Simulating risk detections in Identity Protection](https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-simulate-risk) +- [Simulating risk detections in Identity Protection][] -- [User experiences with Microsoft Entra Identity Protection](https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-user-experience) +- [User experiences with Microsoft Entra Identity Protection][] ### License Requirements @@ -172,7 +172,7 @@ Sign-ins detected as high risk SHALL be blocked. #### MS.AAD.2.2v1 Instructions -1. [Configure Microsoft Entra ID Protection to send a regularly monitored security mailbox email notification](https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-notifications#configure-users-at-risk-detected-alerts) when user accounts are determined to be high risk. +1. [Configure Microsoft Entra ID Protection to send a regularly monitored security mailbox email notification][] when user accounts are determined to be high risk. #### MS.AAD.2.3v1 Instructions 
@@ -192,12 +192,12 @@ Sign-ins detected as high risk SHALL be blocked. This section provides policies that help reduce security risks related to user authentication and registration. -Phishing-resistant MFA is required per [Office of Management and Budget Memorandum 22-09](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf), but for a variety of reasons, implementing it for all users may be challenging. This section provides additional backup security policies to mitigate risk associated with lesser forms of MFA. For example, Policy MS.AAD.3.2v1 below enforces MFA without stipulating the specific MFA method. +Phishing-resistant MFA is required per [Office of Management and Budget Memorandum 22-09][], but for a variety of reasons, implementing it for all users may be challenging. This section provides additional backup security policies to mitigate risk associated with lesser forms of MFA. For example, Policy MS.AAD.3.2v1 below enforces MFA without stipulating the specific MFA method. Weak MFA methods are SMS and Voice. Stronger MFA are Authenticator Push Notifications, Authenticator Phone Sign-in, Software Tokens OTP, and Hardware Tokens OTP. Strongest MFA methods are FIDO2 (preferred), Windows Hello (preferred), Microsoft Entra certificate-based authentication (preferred) and federated PIV card. -Figure 1: Depiction of MFA methods from weakest to strongest. _Adapted from [Microsoft Page](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods)_ +Figure 1: Depiction of MFA methods from weakest to strongest. _Adapted from [Microsoft Page][]_ ### Policies #### MS.AAD.3.1v1 
@@ -205,15 +205,15 @@ Phishing-resistant MFA SHALL be enforced for all users. The phishing-resistant methods **Microsoft Entra ID certificate-based authentication (CBA)**, **FIDO2 Security Key** and **Windows Hello for Business** are the recommended authentication options since they offer forms of MFA with the least weaknesses. For federal agencies, Microsoft Entra ID CBA supports federal PIV card authentication directly to Microsoft Entra ID. -If on-premises PIV authentication and federation to Microsoft Entra ID is used, [enforce PIV logon via Microsoft Active Directory group policy](https://www.idmanagement.gov/implement/scl-windows/). +If on-premises PIV authentication and federation to Microsoft Entra ID is used, [enforce PIV logon via Microsoft Active Directory group policy][]. - _Rationale:_ Weaker forms of MFA do not protect against sophisticated phishing attacks. By enforcing methods resistant to phishing, those risks are minimized. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) - - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) + - [T1566: Phishing][] + - [T1566.001: Spearphishing Attachment][] + - [T1566.002: Spearphishing Link][] #### MS.AAD.3.2v1 If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users. 
@@ -223,10 +223,10 @@ If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL - _Last modified:_ June 2023 - _Note:_ If a conditional access policy has been created enforcing phishing-resistant MFA, then this policy is not necessary. This policy does not dictate the specific MFA method. - _MITRE ATT&CK TTP Mapping:_ - - [T1110: Brute Force](https://attack.mitre.org/techniques/T1110/) - - [T1110.001: Password Guessing](https://attack.mitre.org/techniques/T1110/001/) - - [T1110.002: Password Cracking](https://attack.mitre.org/techniques/T1110/002/) - - [T1110.003: Password Spraying](https://attack.mitre.org/techniques/T1110/003/) + - [T1110: Brute Force][] + - [T1110.001: Password Guessing][] + - [T1110.002: Password Cracking][] + - [T1110.003: Password Spraying][] #### MS.AAD.3.3v1 If phishing-resistant MFA has not been enforced and Microsoft Authenticator is enabled, it SHALL be configured to show login context information. @@ -235,10 +235,10 @@ If phishing-resistant MFA has not been enforced and Microsoft Authenticator is e - _Rationale:_ This stopgap security policy helps protect the tenant when phishing-resistant MFA has not been enforced and Microsoft Authenticator is used. This policy helps improve the security of Microsoft Authenticator by showing user context information, which helps reduce MFA phishing compromises. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1110: Brute Force](https://attack.mitre.org/techniques/T1110/) - - [T1110.001: Password Guessing](https://attack.mitre.org/techniques/T1110/001/) - - [T1110.002: Password Cracking](https://attack.mitre.org/techniques/T1110/002/) - - [T1110.003: Password Spraying](https://attack.mitre.org/techniques/T1110/003/) + - [T1110: Brute Force][] + - [T1110.001: Password Guessing][] + - [T1110.002: Password Cracking][] + - [T1110.003: Password Spraying][] #### MS.AAD.3.4v1 
@@ -258,9 +258,9 @@ The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SH - _Last modified:_ June 2023 - _Note:_ This policy is only applicable if the tenant has their Manage Migration feature set to Migration Complete. - _MITRE ATT&CK TTP Mapping:_ - - [T1621: Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621/) - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) + - [T1621: Multi-Factor Authentication Request Generation][] + - [T1566: Phishing][] + - [T1566.002: Spearphishing Link][] #### MS.AAD.3.6v1 Phishing-resistant MFA SHALL be required for highly privileged roles. 
@@ -270,21 +270,21 @@ Phishing-resistant MFA SHALL be required for highly privileged roles. - _Last modified:_ June 2023 - _Note:_ Refer to the Highly Privileged Roles section at the top of this document for a reference list of roles considered highly privileged. - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) - - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) - - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) - - [T1078.004: Cloud Accounts](https://attack.mitre.org/techniques/T1078/004/) + - [T1566: Phishing][] + - [T1566.001: Spearphishing Attachment][] + - [T1566.002: Spearphishing Link][] + - [T1078: Valid Accounts][] + - [T1078.004: Cloud Accounts][] #### MS.AAD.3.7v1 Managed devices SHOULD be required for authentication. -- _Rationale:_ The security risk of an adversary authenticating to the tenant from their own device is reduced by requiring a managed device to authenticate. Managed devices are under the provisioning and control of the agency. [OMB-22-09](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf) states, "When authorizing users to access resources, agencies must consider at least one device-level signal alongside identity information about the authenticated user." +- _Rationale:_ The security risk of an adversary authenticating to the tenant from their own device is reduced by requiring a managed device to authenticate. Managed devices are under the provisioning and control of the agency. [OMB-22-09][] states, "When authorizing users to access resources, agencies must consider at least one device-level signal alongside identity information about the authenticated user." 
- _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) - - [T1078.004: Cloud Accounts](https://attack.mitre.org/techniques/T1078/004/) + - [T1078: Valid Accounts][] + - [T1078.004: Cloud Accounts][] #### MS.AAD.3.8v1 Managed Devices SHOULD be required to register MFA. 
@@ -293,24 +293,24 @@ Managed Devices SHOULD be required to register MFA. - _Rationale:_ Reduce risk of an adversary using stolen user credentials and then registering their own MFA device to access the tenant by requiring a managed device provisioned and controlled by the agency to perform registration actions. This prevents the adversary from using their own unmanaged device to perform the registration. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) - - [T1078.004: Cloud Accounts](https://attack.mitre.org/techniques/T1078/004/) - - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) - - [T1098.005: Device Registration](https://attack.mitre.org/techniques/T1098/005/) + - [T1078: Valid Accounts][] + - [T1078.004: Cloud Accounts][] + - [T1098: Account Manipulation][] + - [T1098.005: Device Registration][] ### Resources -- [What authentication and verification methods are available in Microsoft Entra ID?](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods) +- [What authentication and verification methods are available in Microsoft Entra ID?][] -- [How to use additional context in Microsoft Authenticator notifications - Authentication methods policy](https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-mfa-additional-context#enable-additional-context-in-the-portal) +- [How to use additional context in Microsoft Authenticator notifications - Authentication methods policy][] -- [M-22-09 Federal Zero Trust Architecture Strategy](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf) +- [M-22-09 Federal Zero Trust Architecture Strategy][] -- [Configure Microsoft Entra hybrid join](https://learn.microsoft.com/en-us/entra/identity/devices/how-to-hybrid-join) +- [Configure Microsoft Entra hybrid join][] -- [Microsoft Entra joined 
devices](https://learn.microsoft.com/en-us/entra/identity/devices/concept-directory-join) +- [Microsoft Entra joined devices][] -- [Set up automatic enrollment for Windows devices (for Intune)](https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-enroll) +- [Set up automatic enrollment for Windows devices (for Intune)][] ### License Requirements @@ -354,8 +354,8 @@ If phishing-resistant MFA has not been deployed yet and Microsoft Authenticator #### MS.AAD.3.4v1 Instructions -1. Go through the process of [How to migrate MFA and SSPR policy settings to the Authentication methods policy for Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-methods-manage). -2. Once ready to finish the migration, [set the **Manage Migration** option to **Migration Complete**](https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-methods-manage#finish-the-migration). +1. Go through the process of [How to migrate MFA and SSPR policy settings to the Authentication methods policy for Microsoft Entra ID][]. +2. Once ready to finish the migration, [set the **Manage Migration** option to **Migration Complete**][]. #### MS.AAD.3.5v1 Instructions 1. In **Microsoft Entra admin center** , click **Security > Authentication methods** 
@@ -411,16 +411,16 @@ Security logs SHALL be sent to the agency's security operations center for monit - _Note:_ The following Microsoft Entra ID logs (configured in diagnostic settings), are required: `AuditLogs, SignInLogs, RiskyUsers, UserRiskEvents, NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, ADFSSignInLogs, RiskyServicePrincipals, ServicePrincipalRiskEvents, EnrichedOffice365AuditLogs, MicrosoftGraphActivityLogs`. If managed identities are used for Azure resources, also send the `ManagedIdentitySignInLogs` log type. If the Microsoft Entra ID Provisioning Service is used to provision users to software-as-a-service (SaaS) apps or other systems, also send the `ProvisioningLogs` log type. - _Note:_ Agencies can benefit from security detection capabilities offered by the CISA Cloud Log Aggregation Warehouse (CLAW) system. Agencies are urged to send the logs to CLAW. Contact CISA at cyberliason@cisa.dhs.gov to request integration instructions. - _MITRE ATT&CK TTP Mapping:_ - - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) - - [T1562.008: Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008/) + - [T1562: Impair Defenses][] + - [T1562.008: Disable or Modify Cloud Logs][] ### Resources -- [Everything you wanted to know about Security and Audit Logging in Office 365](https://thecloudtechnologist.com/2021/10/15/everything-you-wanted-to-know-about-security-and-audit-logging-in-office-365/) +- [Everything you wanted to know about Security and Audit Logging in Office 365][] -- [What are Microsoft Entra sign-in logs??](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins) +- [What are Microsoft Entra sign-in logs??][] -- [National Cybersecurity Protection System-Cloud Interface Reference Architecture Volume One: General Guidance](https://www.cisa.gov/sites/default/files/publications/NCPS%20Cloud%20Interface%20RA%20Volume%20One%20%282021-05-14%29.pdf) +- [National Cybersecurity 
Protection System-Cloud Interface Reference Architecture Volume One: General Guidance][] ### License Requirements 
@@ -444,20 +444,20 @@ Only administrators SHALL be allowed to register applications. - _Rationale:_ Application access for the tenant presents a heightened security risk compared to interactive user access because applications are typically not subject to critical security protections, such as MFA policies. Reduce risk of unauthorized users installing malicious applications into the tenant by ensuring that only specific privileged users can register applications. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) - - [T1098.001: Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001/) - - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) + - [T1098: Account Manipulation][] + - [T1098.001: Additional Cloud Credentials][] + - [T1098.003: Additional Cloud Roles][] #### MS.AAD.5.2v1 Only administrators SHALL be allowed to consent to applications. -- _Rationale:_ Limiting applications consent to only specific privileged users reduces risk of users giving insecure applications access to their data via [consent grant attacks](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide). +- _Rationale:_ Limiting applications consent to only specific privileged users reduces risk of users giving insecure applications access to their data via [consent grant attacks][]. 
- _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) - - [T1098.001: Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001/) - - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) + - [T1098: Account Manipulation][] + - [T1098.001: Additional Cloud Credentials][] + - [T1098.003: Additional Cloud Roles][] #### MS.AAD.5.3v1 An admin consent workflow SHALL be configured for applications. @@ -466,9 +466,9 @@ An admin consent workflow SHALL be configured for applications. - _Rationale:_ Configuring an admin consent workflow reduces the risk of the previous policy by setting up a process for users to securely request access to applications necessary for business purposes. Administrators have the opportunity to review the permissions requested by new applications and approve or deny access based on a risk assessment. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) - - [T1098.001: Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001/) - - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) + - [T1098: Account Manipulation][] + - [T1098.001: Additional Cloud Credentials][] + - [T1098.003: Additional Cloud Roles][] #### MS.AAD.5.4v1 Group owners SHALL NOT be allowed to consent to applications. 
@@ -477,17 +477,17 @@ Group owners SHALL NOT be allowed to consent to applications. - _Rationale:_ In M365, group owners and team owners can consent to applications accessing data in the tenant. By requiring consent requests to go through an approval workflow, risk of exposure to malicious applications is reduced. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) - - [T1098.001: Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001/) - - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) + - [T1098: Account Manipulation][] + - [T1098.001: Additional Cloud Credentials][] + - [T1098.003: Additional Cloud Roles][] ### Resources -- [Restrict Application Registration for Non-Privileged Users](https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/ActiveDirectory/users-can-register-applications.html) +- [Restrict Application Registration for Non-Privileged Users][] -- [Enforce Administrators to Provide Consent for Apps Before Use](https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/ActiveDirectory/users-can-consent-to-apps-accessing-company-data-on-their-behalf.html) +- [Enforce Administrators to Provide Consent for Apps Before Use][] -- [Configure the admin consent workflow](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow) +- [Configure the admin consent workflow][] ### License Requirements 
@@ -555,11 +555,11 @@ User passwords SHALL NOT expire. ### Resources -- [Password expiration requirements for users](https://learn.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide#password-expiration-requirements-for-users) +- [Password expiration requirements for users][] -- [Eliminate bad passwords using Microsoft Entra Password Protection](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad) +- [Eliminate bad passwords using Microsoft Entra Password Protection][] -- [NIST Special Publication 800-63B - Digital Identity Guidelines](https://pages.nist.gov/800-63-3/sp800-63b.html) +- [NIST Special Publication 800-63B - Digital Identity Guidelines][] ### License Requirements 
@@ -569,11 +569,11 @@ User passwords SHALL NOT expire. #### MS.AAD.6.1v1 Instructions -1. [Configure the **Password expiration policy** to **Set passwords to never expire**](https://learn.microsoft.com/en-us/microsoft-365/admin/manage/set-password-expiration-policy?view=o365-worldwide#set-password-expiration-policy). +1. [Configure the **Password expiration policy** to **Set passwords to never expire**][]. ## 7. Highly Privileged User Access -This section provides policies that help reduce security risks related to the usage of [highly privileged Microsoft Entra ID built-in roles](#highly-privileged-roles). Privileged administrative users have access to operations that can undermine the security of the tenant by changing configurations and security policies. Special protections are necessary to secure this level of access. +This section provides policies that help reduce security risks related to the usage of [highly privileged Microsoft Entra ID built-in roles][]. Privileged administrative users have access to operations that can undermine the security of the tenant by changing configurations and security policies. Special protections are necessary to secure this level of access. Some of the policy implementations in this section reference specific features of the Microsoft Entra ID Privileged Identity Management (PIM) service that provides Privileged Access Management (PAM) capabilities. As an alternative to Microsoft Entra ID PIM, third-party products and services with equivalent PAM capabilities can be leveraged. 
@@ -585,8 +585,8 @@ A minimum of two users and a maximum of eight users SHALL be provisioned with th - _Rationale:_ The Global Administrator role provides unfettered access to the tenant. Limiting the number of users with this level of access makes tenant compromise more challenging. Microsoft recommends fewer than five users in the Global Administrator role. However, additional user accounts, up to eight, may be necessary to support emergency access and some operational scenarios. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) - - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) + - [T1098: Account Manipulation][] + - [T1098.003: Additional Cloud Roles][] #### MS.AAD.7.2v1 Privileged users SHALL be provisioned with finer-grained roles instead of Global Administrator. 
@@ -595,11 +595,11 @@ Privileged users SHALL be provisioned with finer-grained roles instead of Global - _Rationale:_ Many privileged administrative users do not need unfettered access to the tenant to perform their duties. By assigning them to roles based on least privilege, the risks associated with having their accounts compromised are reduced. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) - - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) - - [T1651: Cloud Administration Command](https://attack.mitre.org/techniques/T1651/) - - [T1136: Create Account](https://attack.mitre.org/techniques/T1136/) - - [T1136.003: Cloud Account](https://attack.mitre.org/techniques/T1136/003/) + - [T1098: Account Manipulation][] + - [T1098.003: Additional Cloud Roles][] + - [T1651: Cloud Administration Command][] + - [T1136: Create Account][] + - [T1136.003: Cloud Account][] #### MS.AAD.7.3v1 Privileged users SHALL be provisioned cloud-only accounts separate from an on-premises directory or other federated identity providers. @@ -608,8 +608,8 @@ Privileged users SHALL be provisioned cloud-only accounts separate from an on-pr - _Rationale:_ By provisioning cloud-only Microsoft Entra ID user accounts to privileged users, the risks associated with a compromise of on-premises federation infrastructure are reduced. It is more challenging for the adversary to pivot from the compromised environment to the cloud with privileged access. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1556: Modify Authentication Process](https://attack.mitre.org/techniques/T1556/) - - [T1556.007: Hybrid Identity](https://attack.mitre.org/techniques/T1556/007/) + - [T1556: Modify Authentication Process][] + - [T1556.007: Hybrid Identity][] #### MS.AAD.7.4v1 Permanent active role assignments SHALL NOT be allowed for highly privileged roles. 
@@ -621,8 +621,8 @@ Permanent active role assignments SHALL NOT be allowed for highly privileged rol - Emergency access accounts that need perpetual access to the tenant in the rare event of system degradation or other scenarios. - Some types of service accounts that require a user account with privileged roles; since these accounts are used by software programs, they cannot perform role activation. - _MITRE ATT&CK TTP Mapping:_ - - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) - - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) + - [T1098: Account Manipulation][] + - [T1098.003: Additional Cloud Roles][] #### MS.AAD.7.5v1 Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM system. @@ -631,7 +631,7 @@ Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM s - _Rationale:_ Provisioning users to privileged roles within a PAM system enables enforcement of numerous privileged access policies and monitoring. If privileged users are assigned directly to roles in the M365 admin center or via PowerShell outside of the context of a PAM system, a significant set of critical security capabilities are bypassed. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1651: Cloud Administration Command](https://attack.mitre.org/techniques/T1651/) + - [T1651: Cloud Administration Command][] #### MS.AAD.7.6v1 Activation of the Global Administrator role SHALL require approval. 
@@ -640,8 +640,8 @@ Activation of the Global Administrator role SHALL require approval. - _Rationale:_ Requiring approval for a user to activate Global Administrator, which provides unfettered access, makes it more challenging for an attacker to compromise the tenant with stolen credentials and it provides visibility of activities indicating a compromise is taking place. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) - - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) + - [T1098: Account Manipulation][] + - [T1098.003: Additional Cloud Roles][] #### MS.AAD.7.7v1 Eligible and Active highly privileged role assignments SHALL trigger an alert. @@ -650,8 +650,8 @@ Eligible and Active highly privileged role assignments SHALL trigger an alert. - _Rationale:_ Closely monitor assignment of the highest privileged roles for signs of compromise. Send assignment alerts to enable the security monitoring team to detect compromise attempts. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) - - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) + - [T1098: Account Manipulation][] + - [T1098.003: Additional Cloud Roles][] #### MS.AAD.7.8v1 User activation of the Global Administrator role SHALL trigger an alert. 
@@ -661,8 +661,8 @@ User activation of the Global Administrator role SHALL trigger an alert. - _Last modified:_ June 2023 - _Note:_ It is recommended to prioritize user activation of Global Administrator as one of the most important events to monitor and respond to. - _MITRE ATT&CK TTP Mapping:_ - - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) - - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) + - [T1098: Account Manipulation][] + - [T1098.003: Additional Cloud Roles][] #### MS.AAD.7.9v1 User activation of other highly privileged roles SHOULD trigger an alert. 
@@ -671,29 +671,29 @@ User activation of other highly privileged roles SHOULD trigger an alert. - _Rationale:_ Closely monitor activation of high-risk roles for signs of compromise. Send activation alerts to enable the security monitoring team to detect compromise attempts. In some environments, activating privileged roles can generate a significant number of alerts. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) - - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) - - [T1136: Create Account](https://attack.mitre.org/techniques/T1136/) - - [T1136.003: Cloud Account](https://attack.mitre.org/techniques/T1136/003/) + - [T1098: Account Manipulation][] + - [T1098.003: Additional Cloud Roles][] + - [T1136: Create Account][] + - [T1136.003: Cloud Account][] ### Resources -- [Limit number of Global Administrators to less than 5](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices#5-limit-the-number-of-global-administrators-to-less-than-5) +- [Limit number of Global Administrators to less than 5][] -- [Implement Privilege Access Management](https://learn.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity#implement-privilege-access-management) +- [Implement Privilege Access Management][] -- [Assign Microsoft Entra roles in Privileged Identity Management](https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-add-role-to-user) +- [Assign Microsoft Entra roles in Privileged Identity Management][] -- [Privileged Identity Management (PIM) for Groups](https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/concept-pim-for-groups) +- [Privileged Identity Management (PIM) for Groups][] -- [Approve or deny requests for Microsoft Entra roles in Privileged Identity 
Management](https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-approval-workflow) +- [Approve or deny requests for Microsoft Entra roles in Privileged Identity Management][] -- [Configure security alerts for Microsoft Entra roles in Privileged Identity Management](https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts) +- [Configure security alerts for Microsoft Entra roles in Privileged Identity Management][] ### License Requirements -- Policies [MS.AAD.7.4v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad74v1), [MS.AAD.7.5v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad75v1), [MS.AAD.7.6v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad76v1), [MS.AAD.7.7v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad77v1), [MS.AAD.7.8v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad78v1), and [MS.AAD.7.9v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad79v1) require a Microsoft Entra ID P2 license; however, a third-party Privileged Access Management (PAM) solution may also be used to satisfy the requirements. If a third-party solution is used, then a P2 license is not required for the respective policies. +- Policies [MS.AAD.7.4v1][], [MS.AAD.7.5v1][], [MS.AAD.7.6v1][], [MS.AAD.7.7v1][], [MS.AAD.7.8v1][], and [MS.AAD.7.9v1][] require a Microsoft Entra ID P2 license; however, a third-party Privileged Access Management (PAM) solution may also be used to satisfy the requirements. If a third-party solution is used, then a P2 license is not required for the respective policies. 
### Implementation The following implementation instructions that reference the Microsoft Entra ID PIM service will vary if using a third-party PAM system instead. @@ -829,10 +829,10 @@ Guest users SHOULD have limited or restricted access to Microsoft Entra ID direc - _Rationale:_ Limiting the amount of object information available to guest users in the tenant, reduces malicious reconnaissance exposure, should a guest account become compromised or be created by an adversary. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1087: Account Discovery](https://attack.mitre.org/techniques/T1087/) - - [T1087.003: Email Account](https://attack.mitre.org/techniques/T1087/003/) - - [T1087.004: Cloud Account](https://attack.mitre.org/techniques/T1087/004/) - - [T1526: Cloud Service Discovery](https://attack.mitre.org/techniques/T1526/) + - [T1087: Account Discovery][] + - [T1087.003: Email Account][] + - [T1087.004: Cloud Account][] + - [T1526: Cloud Service Discovery][] #### MS.AAD.8.2v1 Only users with the Guest Inviter role SHOULD be able to invite guest users. @@ -841,8 +841,8 @@ Only users with the Guest Inviter role SHOULD be able to invite guest users. - _Rationale:_ By only allowing an authorized group of individuals to invite external users to create accounts in the tenant, an agency can enforce a guest user account approval process, reducing the risk of unauthorized account creation. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) - - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) + - [T1098: Account Manipulation][] + - [T1098.003: Additional Cloud Roles][] #### MS.AAD.8.3v1 Guest invites SHOULD only be allowed to specific external domains that have been authorized by the agency for legitimate business purposes. 
@@ -851,14 +851,14 @@ Guest invites SHOULD only be allowed to specific external domains that have been - _Rationale:_ Limiting which domains can be invited to create guest accounts in the tenant helps reduce the risk of users from unauthorized external organizations getting access. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) - - [T1078.001: Default Accounts](https://attack.mitre.org/techniques/T1078/001/) + - [T1078: Valid Accounts][] + - [T1078.001: Default Accounts][] ### Resources -- [Configure external collaboration settings](https://learn.microsoft.com/en-us/entra/external-id/external-collaboration-settings-configure) +- [Configure external collaboration settings][] -- [Compare member and guest default permissions](https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions#compare-member-and-guest-default-permissions) +- [Compare member and guest default permissions][] ### License Requirements 
@@ -896,12 +896,98 @@ Guest invites SHOULD only be allowed to specific external domains that have been # Appendix A: Microsoft Entra ID hybrid Guidance -Most of this document does not focus on securing Microsoft Entra ID hybrid environments. CISA released a separate [Hybrid Identity Solutions Architecture](https://www.cisa.gov/sites/default/files/2023-03/csso-scuba-guidance_document-hybrid_identity_solutions_architecture-2023.03.22-final.pdf) document addressing the unique implementation requirements of Microsoft Entra ID hybrid infrastructure. +Most of this document does not focus on securing Microsoft Entra ID hybrid environments. CISA released a separate [Hybrid Identity Solutions Architecture][] document addressing the unique implementation requirements of Microsoft Entra ID hybrid infrastructure. # Appendix B: Cross-tenant Access Guidance Some of the conditional access policies contained in this security baseline, if implemented as described, will impact guest user access to a tenant. For example, the policies require users to perform MFA and originate from a managed device to gain access. These requirements are also enforced for guest users. For these policies to work effectively with guest users, both the home tenant (the one the guest user belongs to) and the resource tenant (the target tenant) may need to configure their Microsoft Entra ID cross-tenant access settings. -Microsoft’s [Authentication and Conditional Access for External ID](https://learn.microsoft.com/en-us/entra/external-id/authentication-conditional-access) provides an understanding of how MFA and device claims are passed from the home tenant to the resource tenant. To configure the inbound and outbound cross-tenant access settings in Microsoft Entra External ID, refer to Microsoft’s [Overview: Cross-tenant access with Microsoft Entra External ID](https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-overview). 
+Microsoft’s [Authentication and Conditional Access for External ID][] provides an understanding of how MFA and device claims are passed from the home tenant to the resource tenant. To configure the inbound and outbound cross-tenant access settings in Microsoft Entra External ID, refer to Microsoft’s [Overview: Cross-tenant access with Microsoft Entra External ID][]. **`TLP:CLEAR`** + +[M365]: https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/LICENSE +[Azure]: https://github.com/MicrosoftDocs/azure-docs/blob/main/LICENSE +[M365 E3]: https://www.microsoft.com/en-us/microsoft-365/compare-microsoft-365-enterprise-plans +[G3]: https://www.microsoft.com/en-us/microsoft-365/government +[implemented strong security measures]: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access#create-emergency-access-accounts +[RFC 2119]: https://datatracker.ietf.org/doc/html/rfc2119 +[built-in roles in Microsoft Entra ID]: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference +[What If tool]: https://learn.microsoft.com/en-us/entra/identity/conditional-access/what-if-tool +[Conditional Access insights and reporting]: https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-insights-reporting +[T1110: Brute Force]: https://attack.mitre.org/techniques/T1110/ +[T1110.001: Password Guessing]: https://attack.mitre.org/techniques/T1110/001/ +[T1110.002: Password Cracking]: https://attack.mitre.org/techniques/T1110/002/ +[T1110.003: Password Spraying]: https://attack.mitre.org/techniques/T1110/003/ +[T1078: Valid Accounts]: https://attack.mitre.org/techniques/T1078/ +[T1078.004: Cloud Accounts]: https://attack.mitre.org/techniques/T1078/004/ +[Common Conditional Access policy: Block legacy authentication]: https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-block-legacy +[Five steps to securing your identity 
infrastructure]: https://learn.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity +[Determine if an agency’s existing applications use legacy authentication]: https://learn.microsoft.com/en-us/entra/identity/conditional-access/block-legacy-authentication#identify-legacy-authentication-use +[apply Conditional Access policies to workload identities]: https://learn.microsoft.com/en-us/entra/identity/conditional-access/workload-identity +["high risk"]: https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks +[What are risk detections?]: https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks +[Simulating risk detections in Identity Protection]: https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-simulate-risk +[User experiences with Microsoft Entra Identity Protection]: https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-user-experience +[Configure Microsoft Entra ID Protection to send a regularly monitored security mailbox email notification]: https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-notifications#configure-users-at-risk-detected-alerts +[Office of Management and Budget Memorandum 22-09]: https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf +[Microsoft Page]: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods +[enforce PIV logon via Microsoft Active Directory group policy]: https://www.idmanagement.gov/implement/scl-windows/ +[T1566: Phishing]: https://attack.mitre.org/techniques/T1566/ +[T1566.001: Spearphishing Attachment]: https://attack.mitre.org/techniques/T1566/001/ +[T1566.002: Spearphishing Link]: https://attack.mitre.org/techniques/T1566/002/ +[T1621: Multi-Factor Authentication Request Generation]: https://attack.mitre.org/techniques/T1621/ +[OMB-22-09]: 
https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf +[T1098: Account Manipulation]: https://attack.mitre.org/techniques/T1098/ +[T1098.005: Device Registration]: https://attack.mitre.org/techniques/T1098/005/ +[What authentication and verification methods are available in Microsoft Entra ID?]: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods +[How to use additional context in Microsoft Authenticator notifications - Authentication methods policy]: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-mfa-additional-context#enable-additional-context-in-the-portal +[M-22-09 Federal Zero Trust Architecture Strategy]: https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf +[Configure Microsoft Entra hybrid join]: https://learn.microsoft.com/en-us/entra/identity/devices/how-to-hybrid-join +[Microsoft Entra joined devices]: https://learn.microsoft.com/en-us/entra/identity/devices/concept-directory-join +[Set up automatic enrollment for Windows devices (for Intune)]: https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-enroll +[How to migrate MFA and SSPR policy settings to the Authentication methods policy for Microsoft Entra ID]: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-methods-manage +[set the **Manage Migration** option to **Migration Complete**]: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-methods-manage#finish-the-migration +[T1562: Impair Defenses]: https://attack.mitre.org/techniques/T1562/ +[T1562.008: Disable or Modify Cloud Logs]: https://attack.mitre.org/techniques/T1562/008/ +[Everything you wanted to know about Security and Audit Logging in Office 365]: https://thecloudtechnologist.com/2021/10/15/everything-you-wanted-to-know-about-security-and-audit-logging-in-office-365/ +[What are Microsoft Entra sign-in logs??]: 
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins +[National Cybersecurity Protection System-Cloud Interface Reference Architecture Volume One: General Guidance]: https://www.cisa.gov/sites/default/files/publications/NCPS%20Cloud%20Interface%20RA%20Volume%20One%20%282021-05-14%29.pdf +[T1098.001: Additional Cloud Credentials]: https://attack.mitre.org/techniques/T1098/001/ +[T1098.003: Additional Cloud Roles]: https://attack.mitre.org/techniques/T1098/003/ +[consent grant attacks]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide +[Restrict Application Registration for Non-Privileged Users]: https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/ActiveDirectory/users-can-register-applications.html +[Enforce Administrators to Provide Consent for Apps Before Use]: https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/ActiveDirectory/users-can-consent-to-apps-accessing-company-data-on-their-behalf.html +[Configure the admin consent workflow]: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow +[Password expiration requirements for users]: https://learn.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide#password-expiration-requirements-for-users +[Eliminate bad passwords using Microsoft Entra Password Protection]: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad +[NIST Special Publication 800-63B - Digital Identity Guidelines]: https://pages.nist.gov/800-63-3/sp800-63b.html +[Configure the **Password expiration policy** to **Set passwords to never expire**]: https://learn.microsoft.com/en-us/microsoft-365/admin/manage/set-password-expiration-policy?view=o365-worldwide#set-password-expiration-policy +[highly privileged Microsoft Entra ID built-in roles]: #highly-privileged-roles +[T1651: 
Cloud Administration Command]: https://attack.mitre.org/techniques/T1651/ +[T1136: Create Account]: https://attack.mitre.org/techniques/T1136/ +[T1136.003: Cloud Account]: https://attack.mitre.org/techniques/T1136/003/ +[T1556: Modify Authentication Process]: https://attack.mitre.org/techniques/T1556/ +[T1556.007: Hybrid Identity]: https://attack.mitre.org/techniques/T1556/007/ +[Limit number of Global Administrators to less than 5]: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices#5-limit-the-number-of-global-administrators-to-less-than-5 +[Implement Privilege Access Management]: https://learn.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity#implement-privilege-access-management +[Assign Microsoft Entra roles in Privileged Identity Management]: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-add-role-to-user +[Privileged Identity Management (PIM) for Groups]: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/concept-pim-for-groups +[Approve or deny requests for Microsoft Entra roles in Privileged Identity Management]: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-approval-workflow +[Configure security alerts for Microsoft Entra roles in Privileged Identity Management]: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts +[MS.AAD.7.4v1]: https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad74v1 +[MS.AAD.7.5v1]: https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad75v1 +[MS.AAD.7.6v1]: https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad76v1 +[MS.AAD.7.7v1]: https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad77v1 +[MS.AAD.7.8v1]: 
https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad78v1 +[MS.AAD.7.9v1]: https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad79v1 +[T1087: Account Discovery]: https://attack.mitre.org/techniques/T1087/ +[T1087.003: Email Account]: https://attack.mitre.org/techniques/T1087/003/ +[T1087.004: Cloud Account]: https://attack.mitre.org/techniques/T1087/004/ +[T1526: Cloud Service Discovery]: https://attack.mitre.org/techniques/T1526/ +[T1078.001: Default Accounts]: https://attack.mitre.org/techniques/T1078/001/ +[Configure external collaboration settings]: https://learn.microsoft.com/en-us/entra/external-id/external-collaboration-settings-configure +[Compare member and guest default permissions]: https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions#compare-member-and-guest-default-permissions +[Hybrid Identity Solutions Architecture]: https://www.cisa.gov/sites/default/files/2023-03/csso-scuba-guidance_document-hybrid_identity_solutions_architecture-2023.03.22-final.pdf +[Authentication and Conditional Access for External ID]: https://learn.microsoft.com/en-us/entra/external-id/authentication-conditional-access +[Overview: Cross-tenant access with Microsoft Entra External ID]: https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-overview \ No newline at end of file diff --git a/PowerShell/ScubaGear/baselines/defender.md b/PowerShell/ScubaGear/baselines/defender.md index bac372c45a..c4a0edd4b0 100644 --- a/PowerShell/ScubaGear/baselines/defender.md +++ b/PowerShell/ScubaGear/baselines/defender.md 
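Review bot: In the aad.md reference-definition block, `[What are Microsoft Entra sign-in logs??]: https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins` carries a doubled question mark; a reference label only resolves when the definition matches the in-text `[...][]` exactly (after case and whitespace normalisation), so a body reference written with a single "?" renders as literal bracketed text rather than a link. Suggest `[What are Microsoft Entra sign-in logs?]:` and confirming the in-text reference agrees. Smaller points in the same block: several labels duplicate one URL (`[Office of Management and Budget Memorandum 22-09]`, `[OMB-22-09]` and `[M-22-09 Federal Zero Trust Architecture Strategy]` all point to https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf; `["high risk"]` and `[What are risk detections?]` share one target; `[Microsoft Page]` duplicates `[What authentication and verification methods are available in Microsoft Entra ID?]`), which defeats the goal of one place to update a link, so consider one definition per URL with `[link text][label]` at the call sites; the `[MS.AAD.7.4v1]` through `[MS.AAD.7.9v1]` definitions use absolute github.com/.../blob/main URLs while `[highly privileged Microsoft Entra ID built-in roles]: #highly-privileged-roles` uses an in-document anchor, and `#msaad74v1` style anchors would keep those cross-references working in forks and offline renders; and the file still ends with `\ No newline at end of file`, so add the trailing newline.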
@@ -19,15 +19,15 @@ For non-Federal users, the information in this document is being provided “as > This document is marked TLP:CLEAR. Recipients may share this information without restriction. Information is subject to standard copyright rules. For more information on the Traffic Light Protocol, see https://www.cisa.gov/tlp. ## License Compliance and Copyright -Portions of this document are adapted from documents in Microsoft's [M365](https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/LICENSE) and [Azure](https://github.com/MicrosoftDocs/azure-docs/blob/main/LICENSE) GitHub repositories. The respective documents are subject to copyright and are adapted under the terms of the Creative Commons Attribution 4.0 International license. Sources are linked throughout this document. The United States government has adapted selections of these documents to develop innovative and scalable configuration standards to strengthen the security of widely used cloud-based software services. +Portions of this document are adapted from documents in Microsoft's [M365][] and [Azure][] GitHub repositories. The respective documents are subject to copyright and are adapted under the terms of the Creative Commons Attribution 4.0 International license. Sources are linked throughout this document. The United States government has adapted selections of these documents to develop innovative and scalable configuration standards to strengthen the security of widely used cloud-based software services. ## Assumptions -The agency has identified a set of user accounts that are considered sensitive accounts. See [Key Terminology](#key-terminology) for a detailed description of sensitive accounts. +The agency has identified a set of user accounts that are considered sensitive accounts. See [Key Terminology][] for a detailed description of sensitive accounts. 
-The **License Requirements** sections of this document assume the organization is using an [M365 E3](https://www.microsoft.com/en-us/microsoft-365/compare-microsoft-365-enterprise-plans) or [G3](https://www.microsoft.com/en-us/microsoft-365/government) license level at a minimum. Therefore, only licenses not included in E3/G3 are listed. +The **License Requirements** sections of this document assume the organization is using an [M365 E3][] or [G3][] license level at a minimum. Therefore, only licenses not included in E3/G3 are listed. ## Key Terminology -The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119](https://datatracker.ietf.org/doc/html/rfc2119). +The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119][]. The following are key terms and descriptions used in this document. 
@@ -40,10 +40,10 @@ may be at a higher risk of being targeted. ## 1. Preset Security Profiles Microsoft Defender defines three [preset security -profiles](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide): +profiles][]: built-in protection, standard, and strict. These preset policies are informed by Microsoft's observations, and are designed to strike the balance between usability and security. They allow administrators to enable the full feature set of Defender by simply adding users to the policies rather than manually configuring each setting. -Within the standard and strict preset policies, users can be enrolled in [Exchange Online Protection](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/eop-about?view=o365-worldwide) (EOP) and [Defender for Office 365 protection](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview?view=o365-worldwide). Additionally, preset policies support configuration of [impersonation protection](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365). +Within the standard and strict preset policies, users can be enrolled in [Exchange Online Protection][] (EOP) and [Defender for Office 365 protection][]. Additionally, preset policies support configuration of [impersonation protection][]. ### Policies #### MS.DEFENDER.1.1v1 
@@ -53,10 +53,10 @@ The standard and strict preset security policies SHALL be enabled. - _Rationale:_ Defender includes a large number of features and settings to protect users against threats. Using the preset security policies, administrators can help ensure all new and existing users automatically have secure defaults applied. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) - - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) - - [T1566.003: Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003/) + - [T1566: Phishing][] + - [T1566.001: Spearphishing Attachment][] + - [T1566.002: Spearphishing Link][] + - [T1566.003: Spearphishing via Service][] #### MS.DEFENDER.1.2v1 
@@ -67,13 +67,13 @@ All users SHALL be added to Exchange Online Protection (EOP) in either the stand - _Last modified:_ June 2023 - _Note:_ - The standard and strict preset security policies must be enabled as directed - by [MS.DEFENDER.1.1v1](#msdefender11v1) for protections to be applied. + by [MS.DEFENDER.1.1v1][] for protections to be applied. - Specific user accounts, except for sensitive accounts, MAY be exempt from the preset policies, provided they are added to one or more custom policies offering comparable protection. These users might need flexibility not offered by the preset policies. Their accounts should be added to a custom policy conforming, as closely as possible to the settings used by the preset policies. See the **Resources** section for more details on configuring policies. - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) - - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) - - [T1566.003: Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003/) + - [T1566: Phishing][] + - [T1566.001: Spearphishing Attachment][] + - [T1566.002: Spearphishing Link][] + - [T1566.003: Spearphishing via Service][] #### MS.DEFENDER.1.3v1 All users SHALL be added to Defender for Office 365 protection in either the standard or strict preset security policy. 
@@ -83,13 +83,13 @@ All users SHALL be added to Defender for Office 365 protection in either the sta - _Last modified:_ June 2023 - _Note:_ - The standard and strict preset security policies must be enabled as directed - by [MS.DEFENDER.1.1v1](#msdefender11v1) for protections to be applied. + by [MS.DEFENDER.1.1v1][] for protections to be applied. - Specific user accounts, except for sensitive accounts, MAY be exempt from the preset policies, provided they are added to one or more custom policies offering comparable protection. These users might need flexibility not offered by the preset policies. Their accounts should be added to a custom policy conforming as closely as possible to the settings used by the preset policies. See the **Resources** section for more details on configuring policies. - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) - - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) - - [T1566.003: Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003/) + - [T1566: Phishing][] + - [T1566.001: Spearphishing Attachment][] + - [T1566.002: Spearphishing Link][] + - [T1566.003: Spearphishing via Service][] #### MS.DEFENDER.1.4v1 Sensitive accounts SHALL be added to Exchange Online Protection in the strict preset security policy. 
@@ -100,9 +100,9 @@ Sensitive accounts SHALL be added to Exchange Online Protection in the strict pr - _Note:_ The strict preset security policy must be enabled to protect sensitive accounts. - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) - - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) + - [T1566: Phishing][] + - [T1566.001: Spearphishing Attachment][] + - [T1566.002: Spearphishing Link][] #### MS.DEFENDER.1.5v1 Sensitive accounts SHALL be added to Defender for Office 365 protection in the strict preset security policy. 
@@ -113,22 +113,22 @@ Sensitive accounts SHALL be added to Defender for Office 365 protection in the s - _Note:_ The strict preset security policy must be enabled to protect sensitive accounts. - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) - - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) + - [T1566: Phishing][] + - [T1566.001: Spearphishing Attachment][] + - [T1566.002: Spearphishing Link][] ### Resources -- [Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users \| Microsoft Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users) +- [Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users \| Microsoft Learn][] - [Recommended settings for EOP and Microsoft Defender for Office 365 security \| Microsoft - Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365) -- [Configure anti-phishing policies in EOP \| Microsoft Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-eop-configure?view=o365-worldwide) -- [Configure anti-malware policies in EOP \| Microsoft Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-policies-configure?view=o365-worldwide) -- [Configure anti-spam policies in EOP \| Microsoft Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide) -- [Configure anti-phishing policies in Defender for Office 365 \| Microsoft 
Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-mdo-configure?view=o365-worldwide) -- [Set up Safe Attachments policies in Microsoft Defender for Office 365 \| Microsoft Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-policies-configure?view=o365-worldwide) -- [Set up Safe Links policies in Microsoft Defender for Office 365 \| Microsoft Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide) + Learn][] +- [Configure anti-phishing policies in EOP \| Microsoft Learn][] +- [Configure anti-malware policies in EOP \| Microsoft Learn][] +- [Configure anti-spam policies in EOP \| Microsoft Learn][] +- [Configure anti-phishing policies in Defender for Office 365 \| Microsoft Learn][] +- [Set up Safe Attachments policies in Microsoft Defender for Office 365 \| Microsoft Learn][] +- [Set up Safe Links policies in Microsoft Defender for Office 365 \| Microsoft Learn][] ### License Requirements 
@@ -146,7 +146,7 @@ Sensitive accounts SHALL be added to Defender for Office 365 protection in the s 6. Under **Strict protection**, slide the toggle switch to the right so the text next to the toggle reads **Strict protection is on**. Note: If the toggle slider in step 5 is grayed out, click on **Manage protection settings** -instead and configure the policy settings according to [Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users \| Microsoft Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users). +instead and configure the policy settings according to [Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users \| Microsoft Learn][]. #### MS.DEFENDER.1.2v1 Instructions @@ -225,10 +225,10 @@ User impersonation protection SHOULD be enabled for sensitive accounts in both t - _Note:_ The standard and strict preset security policies must be enabled to protect accounts. - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) - - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) - - [T1656: Impersonation](https://attack.mitre.org/techniques/T1656/) + - [T1566: Phishing][] + - [T1566.001: Spearphishing Attachment][] + - [T1566.002: Spearphishing Link][] + - [T1656: Impersonation][] #### MS.DEFENDER.2.2v1 Domain impersonation protection SHOULD be enabled for domains owned by the agency in both the standard and strict preset policies. 
@@ -239,10 +239,10 @@ Domain impersonation protection SHOULD be enabled for domains owned by the agenc - _Note:_ The standard and strict preset security policies must be enabled to protect agency domains. - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) - - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) - - [T1656: Impersonation](https://attack.mitre.org/techniques/T1656/) + - [T1566: Phishing][] + - [T1566.001: Spearphishing Attachment][] + - [T1566.002: Spearphishing Link][] + - [T1656: Impersonation][] #### MS.DEFENDER.2.3v1 Domain impersonation protection SHOULD be added for important partners in both the standard and strict preset policies. 
@@ -253,15 +253,15 @@ Domain impersonation protection SHOULD be added for important partners in both t - _Note:_ The standard and strict preset security policies must be enabled to protect partner domains. - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) - - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) - - [T1656: Impersonation](https://attack.mitre.org/techniques/T1656/) + - [T1566: Phishing][] + - [T1566.001: Spearphishing Attachment][] + - [T1566.002: Spearphishing Link][] + - [T1656: Impersonation][] ### Resources -- [Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365 \| Microsoft Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) -- [Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users \| Microsoft Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users) +- [Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365 \| Microsoft Learn][] +- [Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users \| Microsoft Learn][] ### License Requirements 
@@ -271,7 +271,7 @@ Domain impersonation protection SHOULD be added for important partners in both t anti-phishing for user and domain impersonation and spoof intelligence are not yet available in M365 Government Community Cloud (GCC High) and Department of Defense (DoD) environments. See [Platform features \| Microsoft - Learn](https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/office-365-us-government#platform-features) + Learn][] for current offerings. ### Implementation 
@@ -345,20 +345,20 @@ Safe attachments SHOULD be enabled for SharePoint, OneDrive, and Microsoft Teams - _Rationale:_ Clicking malicious links makes users vulnerable to attacks, and this danger is not limited to links in emails. Other Microsoft products, such as Microsoft Teams, can be used to present users with malicious links. As such, it is important to protect users on these other Microsoft products as well. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) - - [T1204.001: User Execution](https://attack.mitre.org/techniques/T1204/) - - [T1204.001: Malicious Link](https://attack.mitre.org/techniques/T1204/001/) - - [T1204.002: Malicious File](https://attack.mitre.org/techniques/T1204/002/) + - [T1566: Phishing][] + - [T1566.001: Spearphishing Attachment][] + - [T1204.001: User Execution][] + - [T1204.001: Malicious Link][] + - [T1204.002: Malicious File][] ### Resources - [Safe Attachments in Microsoft Defender for Office 365 \| Microsoft - Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-about?view=o365-worldwide#safe-attachments-policy-settings) + Learn][] - [Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams \| Microsoft - Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide) + Learn][] ### License Requirements 
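Review bot: the label `[T1204.001: User Execution][]` is wrong for its target: the removed line maps it to `https://attack.mitre.org/techniques/T1204/`, which is the parent technique T1204, and the definition added at the end of the file keeps that URL, while the next entry already uses `T1204.001` for Malicious Link. Now that the label text is the lookup key, rename it to `[T1204: User Execution][]` and update the definition to match rather than carrying the mislabel into the reference block.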
@@ -371,7 +371,7 @@ Safe attachments SHOULD be enabled for SharePoint, OneDrive, and Microsoft Teams To enable Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, follow the instructions listed at [Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams \| Microsoft -Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide). +Learn][]. 1. Sign in to **Microsoft 365 Defender**. @@ -411,9 +411,9 @@ A custom policy SHALL be configured to protect PII and sensitive information, as unauthorized disclosures. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) - - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) - - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) + - [T1567: Exfiltration Over Web Service][] + - [T1530: Data from Cloud Storage][] + - [T1213: Data from Information Repositories][] #### MS.DEFENDER.4.2v1 The custom policy SHOULD be applied to Exchange, OneDrive, SharePoint, Teams chat, and Devices. 
@@ -424,12 +424,12 @@ The custom policy SHOULD be applied to Exchange, OneDrive, SharePoint, Teams cha affected locations to be effective. - _Last modified:_ June 2023 - _Note:_ The custom policy referenced here is the same policy - configured in [MS.DEFENDER.4.1v1](#msdefender41v1). + configured in [MS.DEFENDER.4.1v1][]. - _MITRE ATT&CK TTP Mapping:_ - - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) - - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) - - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) - - [T1213.002: Sharepoint](https://attack.mitre.org/techniques/T1213/002/) + - [T1567: Exfiltration Over Web Service][] + - [T1530: Data from Cloud Storage][] + - [T1213: Data from Information Repositories][] + - [T1213.002: Sharepoint][] #### MS.DEFENDER.4.3v1 The action for the custom policy SHOULD be set to block sharing sensitive information with everyone. @@ -440,11 +440,11 @@ The action for the custom policy SHOULD be set to block sharing sensitive inform on agency policies and valid business justifications. - _Last modified:_ June 2023 - _Note:_ The custom policy referenced here is the same policy - configured in [MS.DEFENDER.4.1v1](#msdefender41v1). + configured in [MS.DEFENDER.4.1v1][]. - _MITRE ATT&CK TTP Mapping:_ - - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) - - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) - - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) + - [T1567: Exfiltration Over Web Service][] + - [T1530: Data from Cloud Storage][] + - [T1213: Data from Information Repositories][] #### MS.DEFENDER.4.4v1 Notifications to inform users and help educate them on the proper use of sensitive information SHOULD be enabled in the custom policy. 
@@ -456,7 +456,7 @@ Notifications to inform users and help educate them on the proper use of sensiti accessing sensitive information. - _Last modified:_ June 2023 - _Note:_ The custom policy referenced here is the same policy - configured in [MS.DEFENDER.4.1v1](#msdefender41v1). + configured in [MS.DEFENDER.4.1v1][]. - _MITRE ATT&CK TTP Mapping:_ - None @@ -471,9 +471,9 @@ A list of apps that are restricted from accessing files protected by DLP policy to sensitive information on endpoints using Defender. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1565: Data Manipulation](https://attack.mitre.org/techniques/T1565/) - - [T1485: Data Destruction](https://attack.mitre.org/techniques/T1485/) - - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) + - [T1565: Data Manipulation][] + - [T1485: Data Destruction][] + - [T1530: Data from Cloud Storage][] #### MS.DEFENDER.4.6v1 The custom policy SHOULD include an action to block access to sensitive 
@@ -489,44 +489,44 @@ information by restricted apps and unwanted Bluetooth applications. - _Last modified:_ June 2023 - _Note:_ - The custom policy referenced here is the same policy - configured in [MS.DEFENDER.4.1v1](#msdefender41v1). + configured in [MS.DEFENDER.4.1v1][]. - This action can only be included if at least one device is onboarded to the agency tenant. Otherwise, the option to block restricted apps will not be available. - _MITRE ATT&CK TTP Mapping:_ - - [T1565: Data Manipulation](https://attack.mitre.org/techniques/T1565/) - - [T1485: Data Destruction](https://attack.mitre.org/techniques/T1485/) - - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) - - [T1486: Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486/) + - [T1565: Data Manipulation][] + - [T1485: Data Destruction][] + - [T1530: Data from Cloud Storage][] + - [T1486: Data Encrypted for Impact][] ### Resources - [Plan for data loss prevention (DLP) \| Microsoft - Learn](https://learn.microsoft.com/en-us/purview/dlp-overview-plan-for-dlp?view=o365-worldwide) + Learn][] - [Data loss prevention in Exchange Online \| Microsoft - Learn](https://learn.microsoft.com/en-us/exchange/security-and-compliance/data-loss-prevention/data-loss-prevention) + Learn][] - [Personally identifiable information (PII) \| - NIST](https://csrc.nist.gov/glossary/term/personally_identifiable_information#:~:text=NISTIR%208259,2%20under%20PII%20from%20EGovAct) + NIST][] - [Sensitive information \| - NIST](https://csrc.nist.gov/glossary/term/sensitive_information) + NIST][] - [Get started with Endpoint data loss prevention - Microsoft Purview - (compliance) \| Microsoft Learn](https://learn.microsoft.com/en-us/purview/endpoint-dlp-getting-started?view=o365-worldwide) + (compliance) \| Microsoft Learn][] ### License Requirements - DLP for Teams requires an E5 or G5 license. 
See [Microsoft Purview Data Loss Prevention: Data Loss Prevention for Teams \| Microsoft - Learn](https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-data-loss-prevention-data-loss-prevention-dlp-for-teams) + Learn][] for more information. However, this requirement can also be met through a third-party solution. If a third-party solution is used, then a E5 or G5 license is not required for the respective policies. - DLP for Endpoint requires an E5 or G5 license. See [Get started with Endpoint data loss prevention - Microsoft Purview (compliance) \| Microsoft - Learn](https://learn.microsoft.com/en-us/purview/endpoint-dlp-getting-started?view=o365-worldwide) + Learn][] for more information. However, this requirement can also be met through a third-party solution. If a third-party solution is used, then a E5 or G5 license is not required for the respective policies. @@ -595,18 +595,18 @@ information by restricted apps and unwanted Bluetooth applications. #### MS.DEFENDER.4.2v1 Instructions -See [MS.DEFENDER.4.1v1 Instructions](#msdefender41v1-instructions) step 8 +See [MS.DEFENDER.4.1v1 Instructions][] step 8 for details on enforcing DLP policy in specific M365 service locations. #### MS.DEFENDER.4.3v1 Instructions -See [MS.DEFENDER.4.1v1 Instructions](#msdefender41v1-instructions) steps +See [MS.DEFENDER.4.1v1 Instructions][] steps 15-17 for details on configuring DLP policy to block sharing sensitive information with everyone. #### MS.DEFENDER.4.4v1 Instructions -See [MS.DEFENDER.4.1v1 Instructions](#msdefender41v1-instructions) steps +See [MS.DEFENDER.4.1v1 Instructions][] steps 18-19 for details on configuring DLP policy to notify users when accessing sensitive information. 
@@ -645,7 +645,7 @@ before the instructions below can be completed. 3. Select **Policies** from the top of the page. 4. Find the custom DLP policy configured under - [MS.DEFENDER.4.1v1 Instructions](#msdefender41v1-instructions) in the list + [MS.DEFENDER.4.1v1 Instructions][] in the list and click the Policy name to select. 5. Select **Edit Policy**. @@ -681,7 +681,7 @@ There are several pre-built alert policies available pertaining to various apps in the M365 suite. These alerts give administrators better real-time insight into possible security incidents. Guidance on specific alerts to configure can be found in the linked section of the CISA M365 Security Configuration Baseline for Exchange Online. -- [MS.EXO.16.1v1 \| CISA M365 Security Configuration Baseline for Exchange Online](./exo.md#msexo161v1) +- [MS.EXO.16.1v1 \| CISA M365 Security Configuration Baseline for Exchange Online][] ### Policies #### MS.DEFENDER.5.1v1 @@ -691,8 +691,8 @@ At a minimum, the alerts required by the CISA M365 Security Configuration Baseli - _Rationale:_ Potentially malicious or service-impacting events may go undetected without a means of detecting these events. Setting up a mechanism to alert administrators to the list of events linked above draws attention to them to minimize any impact to users and the agency. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) - - [T1562.006: Indicator Blocking](https://attack.mitre.org/techniques/T1562/006/) + - [T1562: Impair Defenses][] + - [T1562.006: Indicator Blocking][] #### MS.DEFENDER.5.2v1 The alerts SHOULD be sent to a monitored address or incorporated into a Security Information and Event Management (SIEM). 
@@ -701,13 +701,13 @@ The alerts SHOULD be sent to a monitored address or incorporated into a Security - _Rationale:_ Suspicious or malicious events, if not resolved promptly, may have a greater impact to users and the agency. Sending alerts to a monitored email address or SIEM system helps ensure events are acted upon in a timely manner to limit overall impact. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) - - [T1562.006: Indicator Blocking](https://attack.mitre.org/techniques/T1562/006/) + - [T1562: Impair Defenses][] + - [T1562.006: Indicator Blocking][] ### Resources - [Alert policies in Microsoft 365 \| Microsoft - Learn](https://learn.microsoft.com/en-us/purview/alert-policies?view=o365-worldwide) + Learn][] ### License Requirements @@ -725,7 +725,7 @@ The alerts SHOULD be sent to a monitored address or incorporated into a Security 4. Select the checkbox next to each alert to enable as determined by the agency and at a minimum those referenced in the - [_CISA M365 Security Configuration Baseline for Exchange Online_](./exo.md#msexo161v1) which are: + [_CISA M365 Security Configuration Baseline for Exchange Online_][] which are: a. **Suspicious email sending patterns detected.** @@ -783,7 +783,7 @@ Capabilities Related to Cybersecurity Incidents_, M365 audit logs are to be retained for at least 12 months in active storage and an additional 18 months in cold storage. This can be accomplished either by offloading the logs out of the cloud environment or natively through Microsoft by creating an [audit log -retention policy](https://learn.microsoft.com/en-us/purview/audit-log-retention-policies?view=o365-worldwide#create-an-audit-log-retention-policy). +retention policy][]. OMB M-21-13 requires Advanced Audit Features be configured in M365. Advanced Audit, now Microsoft Purview Audit (Premium), adds additional event 
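Review bot: in the `@@ -725` hunk the label `[_CISA M365 Security Configuration Baseline for Exchange Online_][]` carries the `_` emphasis markers inside the brackets, so its definition has to repeat them character for character, and it becomes a second label for the same `./exo.md#msexo161v1` target that `[MS.EXO.16.1v1 \| CISA M365 Security Configuration Baseline for Exchange Online][]` already covers in the earlier `@@ -681` hunk. Suggest a full reference that reuses that label, `[_CISA M365 Security Configuration Baseline for Exchange Online_][MS.EXO.16.1v1 \| CISA M365 Security Configuration Baseline for Exchange Online]`, so the file has one definition per target and the emphasis stays out of the key.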
@@ -797,8 +797,8 @@ Microsoft Purview Audit (Standard) logging SHALL be enabled. - _Rationale:_ Responding to incidents without detailed information about activities that took place slows response actions. Enabling Microsoft Purview Audit (Standard) helps ensure agencies have visibility into user actions. Furthermore, enabling the unified audit log is required for government agencies by OMB M-21-31 (referred to therein by its former name, Unified Audit Logs). - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) - - [T1562.008: Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008/) + - [T1562: Impair Defenses][] + - [T1562.008: Disable or Modify Cloud Logs][] #### MS.DEFENDER.6.2v1 @@ -814,7 +814,7 @@ Microsoft Purview Audit (Premium) logging SHALL be enabled for ALL users. Purview (Standard) may be sufficient for agencies to meet basic logging requirements. - _MITRE ATT&CK TTP Mapping:_ - - [T1070: Indicator Removal](https://attack.mitre.org/techniques/T1070/) + - [T1070: Indicator Removal][] #### MS.DEFENDER.6.3v1 Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31. 
@@ -829,35 +829,35 @@ Audit logs SHALL be maintained for at least the minimum duration dictated by OMB Agencies may also consider alternate storage locations and services to meet audit log retention needs. - _MITRE ATT&CK TTP Mapping:_ - - [T1070: Indicator Removal](https://attack.mitre.org/techniques/T1070/) + - [T1070: Indicator Removal][] ### Resources - [OMB M-21-31, Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents \| Office of Management and - Budget](https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf) + Budget][] - [Turn auditing on or off \| Microsoft - Learn](https://learn.microsoft.com/en-us/purview/audit-log-enable-disable?view=o365-worldwide) + Learn][] - [Create an audit log retention policy \| Microsoft - Learn](https://learn.microsoft.com/en-us/purview/audit-log-retention-policies?view=o365-worldwide#create-an-audit-log-retention-policy) + Learn][] - [Search the audit log in the compliance center \| Microsoft - Learn](https://learn.microsoft.com/en-us/purview/audit-log-search?view=o365-worldwide) + Learn][] - [Audit log activities \| Microsoft - Learn](https://learn.microsoft.com/en-us/purview/audit-log-activities) + Learn][] - [Expanding cloud logging to give customers deeper security visibility \| - Microsoft Security Blog](https://www.microsoft.com/en-us/security/blog/2023/07/19/expanding-cloud-logging-to-give-customers-deeper-security-visibility/) + Microsoft Security Blog][] -- [Export, configure, and view audit log records | Microsoft Learn](https://learn.microsoft.com/en-us/purview/audit-log-export-records) +- [Export, configure, and view audit log records | Microsoft Learn][] -- [Untitled Goose Tool Fact Sheet | CISA.](https://www.cisa.gov/resources-tools/resources/untitled-goose-tool-fact-sheet) +- [Untitled Goose Tool Fact Sheet | CISA.][] -- [Manage 
audit log retention policies | Microsoft Learn](https://learn.microsoft.com/en-us/purview/audit-log-retention-policies?tabs=microsoft-purview-portal#before-you-create-an-audit-log-retention-policy) +- [Manage audit log retention policies | Microsoft Learn][] ### License Requirements @@ -867,7 +867,7 @@ Related to Cybersecurity Incidents \| Office of Management and - Additionally, maintaining logs in the M365 environment for longer than one year requires an add-on license. For more information, see - [Manage audit log retention policies | Microsoft Learn](https://learn.microsoft.com/en-us/purview/audit-log-retention-policies?tabs=microsoft-purview-portal#before-you-create-an-audit-log-retention-policy). However, this requirement can also be met by exporting the logs from M365 and storing them with your solution of choice, in which case audit log retention policies are not necessary. + [Manage audit log retention policies | Microsoft Learn][]. However, this requirement can also be met by exporting the logs from M365 and storing them with your solution of choice, in which case audit log retention policies are not necessary. ### Implementation 
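Review bot: the `@@ -829` hunk mixes two spellings of the separator in the labels: `[Export, configure, and view audit log records | Microsoft Learn][]`, `[Untitled Goose Tool Fact Sheet | CISA.][]` and `[Manage audit log retention policies | Microsoft Learn][]` use a bare pipe, while every other `Microsoft Learn` label in the file uses `\|`. Label matching only case-folds and collapses whitespace, so `|` and `\|` are different keys and each definition must reproduce the exact form used; pick one style for the whole file. The `CISA.` label also keeps the sentence period inside the brackets, so it lands in both the link text and the lookup key; moving it outside (`[Untitled Goose Tool Fact Sheet \| CISA][].`) and updating the definition, which the `@@ -887` hunk also references with the `CISA.` spelling, avoids that.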
@@ -887,12 +887,111 @@ administrator to start recording user and admin activity. #### MS.DEFENDER.6.2v1 Instructions To set up Microsoft Purview Audit (Premium), see [Set up Microsoft Purview Audit (Premium) \| Microsoft -Learn.](https://learn.microsoft.com/en-us/purview/audit-premium-setup?view=o365-worldwide) +Learn.][] #### MS.DEFENDER.6.3v1 Instructions -To create one or more custom audit retention policies, if the default retention policy is not sufficient for agency needs, follow [Create an audit log retention policy](https://learn.microsoft.com/en-us/purview/audit-log-retention-policies?view=o365-worldwide#create-an-audit-log-retention-policy) instructions. +To create one or more custom audit retention policies, if the default retention policy is not sufficient for agency needs, follow [Create an audit log retention policy][] instructions. Ensure the duration selected in the retention policies is at least one year, in accordance with OMB M-21-31. -As noted in the [License Requirements](https://github.com/cisagov/ScubaGear/baselines/defender.md#license-requirements-1) section above, the creation of a custom audit log retention policy and its retention in the M365 environment requires E5/G5 licenses or E3/G3 licenses with add-on compliance licenses. No additional license is required to view and export logs. To view and export audit logs follow [Export, configure, and view audit log records | Microsoft Learn](https://learn.microsoft.com/en-us/purview/audit-log-export-records) and/or [Untitled Goose Tool Fact Sheet | CISA.](https://www.cisa.gov/resources-tools/resources/untitled-goose-tool-fact-sheet) +As noted in the [License Requirements][] section above, the creation of a custom audit log retention policy and its retention in the M365 environment requires E5/G5 licenses or E3/G3 licenses with add-on compliance licenses. No additional license is required to view and export logs. 
To view and export audit logs follow [Export, configure, and view audit log records | Microsoft Learn][] and/or [Untitled Goose Tool Fact Sheet | CISA.][] **`TLP:CLEAR`** + +[M365]: https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/LICENSE +[Azure]: https://github.com/MicrosoftDocs/azure-docs/blob/main/LICENSE +[Key Terminology]: #key-terminology +[M365 E3]: https://www.microsoft.com/en-us/microsoft-365/compare-microsoft-365-enterprise-plans +[G3]: https://www.microsoft.com/en-us/microsoft-365/government +[RFC 2119]: https://datatracker.ietf.org/doc/html/rfc2119 +[preset security +profiles]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide +[Exchange Online Protection]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/eop-about?view=o365-worldwide +[Defender for Office 365 protection]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview?view=o365-worldwide +[impersonation protection]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365 +[T1566: Phishing]: https://attack.mitre.org/techniques/T1566/ +[T1566.001: Spearphishing Attachment]: https://attack.mitre.org/techniques/T1566/001/ +[T1566.002: Spearphishing Link]: https://attack.mitre.org/techniques/T1566/002/ +[T1566.003: Spearphishing via Service]: https://attack.mitre.org/techniques/T1566/003/ +[MS.DEFENDER.1.1v1]: #msdefender11v1 +[Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users \| Microsoft Learn]: 
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users +[Recommended settings for EOP and Microsoft Defender for Office 365 + security \| Microsoft + Learn]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365 +[Configure anti-phishing policies in EOP \| Microsoft Learn]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-eop-configure?view=o365-worldwide +[Configure anti-malware policies in EOP \| Microsoft Learn]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-policies-configure?view=o365-worldwide +[Configure anti-spam policies in EOP \| Microsoft Learn]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide +[Configure anti-phishing policies in Defender for Office 365 \| Microsoft Learn]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-mdo-configure?view=o365-worldwide +[Set up Safe Attachments policies in Microsoft Defender for Office 365 \| Microsoft Learn]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-policies-configure?view=o365-worldwide +[Set up Safe Links policies in Microsoft Defender for Office 365 \| Microsoft Learn]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide +[T1656: Impersonation]: https://attack.mitre.org/techniques/T1656/ +[Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365 \| Microsoft Learn]: 
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365 +[Platform features \| + Microsoft + Learn]: https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/office-365-us-government#platform-features +[T1204.001: User Execution]: https://attack.mitre.org/techniques/T1204/ +[T1204.001: Malicious Link]: https://attack.mitre.org/techniques/T1204/001/ +[T1204.002: Malicious File]: https://attack.mitre.org/techniques/T1204/002/ +[Safe Attachments in Microsoft Defender for Office 365 \| Microsoft + Learn]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-about?view=o365-worldwide#safe-attachments-policy-settings +[Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft + Teams \| Microsoft + Learn]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide +[Turn on Safe Attachments for +SharePoint, OneDrive, and Microsoft Teams \| Microsoft +Learn]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide +[T1567: Exfiltration Over Web Service]: https://attack.mitre.org/techniques/T1567/ +[T1530: Data from Cloud Storage]: https://attack.mitre.org/techniques/T1530/ +[T1213: Data from Information Repositories]: https://attack.mitre.org/techniques/T1213/ +[MS.DEFENDER.4.1v1]: #msdefender41v1 +[T1213.002: Sharepoint]: https://attack.mitre.org/techniques/T1213/002/ +[T1565: Data Manipulation]: https://attack.mitre.org/techniques/T1565/ +[T1485: Data Destruction]: https://attack.mitre.org/techniques/T1485/ +[T1486: Data Encrypted for Impact]: https://attack.mitre.org/techniques/T1486/ +[Plan for data loss prevention (DLP) \| 
Microsoft + Learn]: https://learn.microsoft.com/en-us/purview/dlp-overview-plan-for-dlp?view=o365-worldwide +[Data loss prevention in Exchange Online \| Microsoft + Learn]: https://learn.microsoft.com/en-us/exchange/security-and-compliance/data-loss-prevention/data-loss-prevention +[Personally identifiable information (PII) \| + NIST]: https://csrc.nist.gov/glossary/term/personally_identifiable_information#:~:text=NISTIR%208259,2%20under%20PII%20from%20EGovAct +[Sensitive information \| + NIST]: https://csrc.nist.gov/glossary/term/sensitive_information +[Get started with Endpoint data loss prevention - Microsoft Purview + (compliance) \| Microsoft Learn]: https://learn.microsoft.com/en-us/purview/endpoint-dlp-getting-started?view=o365-worldwide +[Microsoft Purview Data Loss Prevention: Data Loss Prevention for Teams \| Microsoft + Learn]: https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-data-loss-prevention-data-loss-prevention-dlp-for-teams +[Get started with + Endpoint data loss prevention - Microsoft Purview (compliance) \| + Microsoft + Learn]: https://learn.microsoft.com/en-us/purview/endpoint-dlp-getting-started?view=o365-worldwide +[MS.DEFENDER.4.1v1 Instructions]: #msdefender41v1-instructions +[MS.EXO.16.1v1 \| CISA M365 Security Configuration Baseline for Exchange Online]: ./exo.md#msexo161v1 +[T1562: Impair Defenses]: https://attack.mitre.org/techniques/T1562/ +[T1562.006: Indicator Blocking]: https://attack.mitre.org/techniques/T1562/006/ +[Alert policies in Microsoft 365 \| Microsoft + Learn]: https://learn.microsoft.com/en-us/purview/alert-policies?view=o365-worldwide +[_CISA M365 Security Configuration Baseline for Exchange Online_]: ./exo.md#msexo161v1 +[audit log +retention policy]: 
https://learn.microsoft.com/en-us/purview/audit-log-retention-policies?view=o365-worldwide#create-an-audit-log-retention-policy +[T1562.008: Disable or Modify Cloud Logs]: https://attack.mitre.org/techniques/T1562/008/ +[T1070: Indicator Removal]: https://attack.mitre.org/techniques/T1070/ +[OMB M-21-31, Improving the Federal Government's Investigative and Remediation Capabilities +Related to Cybersecurity Incidents \| Office of Management and + Budget]: https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf +[Turn auditing on or off \| Microsoft + Learn]: https://learn.microsoft.com/en-us/purview/audit-log-enable-disable?view=o365-worldwide +[Create an audit log retention policy \| Microsoft + Learn]: https://learn.microsoft.com/en-us/purview/audit-log-retention-policies?view=o365-worldwide#create-an-audit-log-retention-policy +[Search the audit log in the compliance center \| Microsoft + Learn]: https://learn.microsoft.com/en-us/purview/audit-log-search?view=o365-worldwide +[Audit log activities \| Microsoft + Learn]: https://learn.microsoft.com/en-us/purview/audit-log-activities +[Expanding cloud logging to give customers deeper security visibility \| + Microsoft Security Blog]: https://www.microsoft.com/en-us/security/blog/2023/07/19/expanding-cloud-logging-to-give-customers-deeper-security-visibility/ +[Export, configure, and view audit log records | Microsoft Learn]: https://learn.microsoft.com/en-us/purview/audit-log-export-records +[Untitled Goose Tool Fact Sheet | CISA.]: https://www.cisa.gov/resources-tools/resources/untitled-goose-tool-fact-sheet +[Manage audit log retention policies | Microsoft Learn]: https://learn.microsoft.com/en-us/purview/audit-log-retention-policies?tabs=microsoft-purview-portal#before-you-create-an-audit-log-retention-policy +[Set up Microsoft Purview Audit (Premium) \| +Microsoft +Learn.]: 
https://learn.microsoft.com/en-us/purview/audit-premium-setup?view=o365-worldwide +[Create an audit log retention policy]: https://learn.microsoft.com/en-us/purview/audit-log-retention-policies?view=o365-worldwide#create-an-audit-log-retention-policy +[License Requirements]: https://github.com/cisagov/ScubaGear/baselines/defender.md#license-requirements-1 \ No newline at end of file diff --git a/PowerShell/ScubaGear/baselines/exo.md b/PowerShell/ScubaGear/baselines/exo.md index 7d515db945..7d2c17929e 100644 --- a/PowerShell/ScubaGear/baselines/exo.md +++ b/PowerShell/ScubaGear/baselines/exo.md @@ -24,9 +24,9 @@ For non-Federal users, the information in this document is being provided “as ## License Compliance and Copyright Portions of this document are adapted from documents in Microsoft's -[M365](https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/LICENSE) +[M365][] and -[Azure](https://github.com/MicrosoftDocs/azure-docs/blob/main/LICENSE) +[Azure][] GitHub repositories. The respective documents are subject to copyright and are adapted under the terms of the Creative Commons Attribution 4.0 International license. Sources are linked throughout this @@ -38,8 +38,8 @@ strengthen the security of widely used cloud-based software services. The **License Requirements** sections of this document assume the organization is using an [M365 -E3](https://www.microsoft.com/en-us/microsoft-365/compare-microsoft-365-enterprise-plans) -or [G3](https://www.microsoft.com/en-us/microsoft-365/government) +E3][] +or [G3][] license level at a minimum. Therefore, only licenses not included in E3/G3 are listed. @@ -48,7 +48,7 @@ listed. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in -[RFC 2119](https://datatracker.ietf.org/doc/html/rfc2119). +[RFC 2119][]. # Baseline Policies 
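Review bot: In the new defender.md reference block, `[T1204.001: User Execution]: https://attack.mitre.org/techniques/T1204/` is mislabeled: T1204 is User Execution and T1204.001 is Malicious Link (the very next definition already maps T1204.001 correctly), so the rendered link text pairs a sub-technique ID with the parent technique name; rename the label to `[T1204: User Execution]` and update its `[...][]` usage to match. Smaller points in the same block: `[Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams \| Microsoft Learn]` and `[Get started with Endpoint data loss prevention - Microsoft Purview (compliance) \| Microsoft Learn]` are each defined twice (CommonMark keeps the first and ignores the second, so drop the duplicates), and `[audit log retention policy]`, `[Create an audit log retention policy]` and `[Create an audit log retention policy \| Microsoft Learn]` all resolve to the same URL. `[License Requirements]: https://github.com/cisagov/ScubaGear/baselines/defender.md#license-requirements-1` is an absolute GitHub URL missing both the `blob/<branch>/` segment and the `PowerShell/` prefix that the diff header shows for this file; since it targets the same document, a plain `#license-requirements-1` anchor works wherever the file is rendered. Labels that end in a period inside the brackets (`[Set up Microsoft Purview Audit (Premium) \| Microsoft Learn.]`, `[Untitled Goose Tool Fact Sheet | CISA.]`) bake the sentence's full stop into the link text; move it outside so the labels stay reusable. The hunk also leaves the file with `\ No newline at end of file`, so add the trailing newline.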
@@ -70,16 +70,16 @@ external to the organization but does not impede legitimate internal forwarding. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) - - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) + - [T1567: Exfiltration Over Web Service][] + - [T1048: Exfiltration Over Alternative Protocol][] + - [T1566: Phishing][] + - [T1566.001: Spearphishing Attachment][] ### Resources - [Reducing or increasing information flow to another company \| Microsoft - Learn](https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/remote-domains/remote-domains#reducing-or-increasing-information-flow-to-another-company) + Learn][] ### License Requirements 
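Review bot: The exo.md hunks switch every inline link to the `[label][]` shorthand, but none of the visible exo.md hunks add the matching `[label]: url` definitions; if the definition block is not appended elsewhere in the file, each `[...][]` renders as literal bracketed text instead of a link. Before merge, confirm every label used here has a definition, paying attention to labels wrapped across lines inside list items such as `[Reducing or increasing information flow to another company \| Microsoft` / `Learn][]` and `[M365` / `E3][]`: CommonMark collapses the internal line ending to a single space when matching, so the definition must read `[Reducing or increasing information flow to another company \| Microsoft Learn]: ...`, and backslash escapes are not normalized, so `\|` has to appear identically in both the usage and the definition or the two will not match.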
@@ -127,24 +127,24 @@ agency, facilitating phishing attacks. Publishing an SPF policy for each agency - _Last modified:_ March 2024 - _Note:_ SPF defines two different "fail" mechanisms: fail (indicated by `-`, sometimes referred to as hardfail) and softfail (indicated by `~`). Fail, as used in this baseline policy, refers to hardfail (i.e., `-`). - _MITRE ATT&CK TTP Mapping:_ - - [T1656: Impersonation](https://attack.mitre.org/techniques/T1656/) - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1656: Impersonation][] + - [T1566: Phishing][] ### Resources - [Binding Operational Directive 18-01 - Enhance Email and Web Security - \| DHS](https://cyber.dhs.gov/bod/18-01/) + \| DHS][] - [Trustworthy Email \| NIST 800-177 Rev. - 1](https://csrc.nist.gov/publications/detail/sp/800-177/rev-1/final) + 1][] - [Set up SPF to help prevent spoofing \| Microsoft - Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-spf-configure?view=o365-worldwide) + Learn][] - [How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing \| Microsoft - Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-anti-spoofing?view=o365-worldwide) + Learn][] ### License Requirements 
@@ -153,14 +153,14 @@ agency, facilitating phishing attacks. Publishing an SPF policy for each agency ### Implementation #### MS.EXO.2.2v2 Instructions -First, identify any approved senders specific to your agency, e.g., any on-premises mail servers. SPF allows you to indicate approved senders by IP address or CIDR range. However, note that SPF allows you to [include](https://www.rfc-editor.org/rfc/rfc7208#section-5.2) the IP addresses indicated by a separate SPF policy, referred to by domain name. See [External DNS records required for SPF](https://learn.microsoft.com/en-us/microsoft-365/enterprise/external-domain-name-system-records?view=o365-worldwide#external-dns-records-required-for-spf) for inclusions required for M365 to send email on behalf of your domain. +First, identify any approved senders specific to your agency, e.g., any on-premises mail servers. SPF allows you to indicate approved senders by IP address or CIDR range. However, note that SPF allows you to [include][] the IP addresses indicated by a separate SPF policy, referred to by domain name. See [External DNS records required for SPF][] for inclusions required for M365 to send email on behalf of your domain. SPF is not configured through the Exchange admin center, but rather via DNS records hosted by the agency's domain. Thus, the exact steps needed -to set up SPF varies from agency to agency. See [Add or edit an SPF TXT record to help prevent email spam (Outlook, Exchange Online) \| Microsoft Learn](https://learn.microsoft.com/en-us/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider?view=o365-worldwide#add-or-edit-an-spf-txt-record-to-help-prevent-email-spam-outlook-exchange-online) for more details. +to set up SPF varies from agency to agency. See [Add or edit an SPF TXT record to help prevent email spam (Outlook, Exchange Online) \| Microsoft Learn][] for more details. 
To test your SPF configuration, consider using a web-based tool, such as -those listed under [How can I validate SPF records for my domain? \| Microsoft Learn](https://learn.microsoft.com/en-us/microsoft-365/admin/setup/domains-faq?view=o365-worldwide#how-can-i-validate-spf-records-for-my-domain). +those listed under [How can I validate SPF records for my domain? \| Microsoft Learn][]. Additionally, SPF records can be requested using the PowerShell tool `Resolve-DnsName`. For example: @@ -173,7 +173,7 @@ returned; though by necessity, the contents of the SPF policy may vary by agency. In this example, the SPF policy indicates the IP addresses listed by the policy for "spf.protection.outlook.com" are the only approved senders for "example.onmicrosoft.com." These IPs can be determined -via an additional SPF lookup, this time for "spf.protection.outlook.com." Ensure the IP addresses listed as approved senders for your domains are correct. Additionally, ensure that each policy either ends in `-all` or [redirects](https://www.rfc-editor.org/rfc/rfc7208#section-6.1) to one that does; this directive indicates that all IPs that don't match the policy should fail. See [SPF TXT record syntax for Microsoft 365 \| Microsoft Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-anti-spoofing?view=o365-worldwide#spf-txt-record-syntax-for-microsoft-365) for a more in-depth discussion +via an additional SPF lookup, this time for "spf.protection.outlook.com." Ensure the IP addresses listed as approved senders for your domains are correct. Additionally, ensure that each policy either ends in `-all` or [redirects][] to one that does; this directive indicates that all IPs that don't match the policy should fail. See [SPF TXT record syntax for Microsoft 365 \| Microsoft Learn][] for a more in-depth discussion of SPF record syntax. ## 3. DomainKeys Identified Mail 
@@ -196,27 +196,27 @@ agency, facilitating phishing attacks. Enabling DKIM is another means for recipients to detect spoofed emails and verify the integrity of email content. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1598: Phishing for Information](https://attack.mitre.org/techniques/T1598/) - - [T1656: Impersonation](https://attack.mitre.org/techniques/T1656/) - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1598: Phishing for Information][] + - [T1656: Impersonation][] + - [T1566: Phishing][] ### Resources - [Binding Operational Directive 18-01 - Enhance Email and Web Security - \| DHS](https://cyber.dhs.gov/bod/18-01/) + \| DHS][] - [Trustworthy Email \| NIST 800-177 Rev. - 1](https://csrc.nist.gov/publications/detail/sp/800-177/rev-1/final) + 1][] - [Use DKIM to validate outbound email sent from your custom domain \| Microsoft - Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dkim-configure?view=o365-worldwide) + Learn][] - [Support for validation of DKIM signed messages \| Microsoft - Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dkim-support-about?view=o365-worldwide) + Learn][] - [What is EOP? \| Microsoft - Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/eop-faq?view=o365-worldwide#what-is-eop-) + Learn][] ### License Requirements 
@@ -227,7 +227,7 @@ recipients to detect spoofed emails and verify the integrity of email content. #### MS.EXO.3.1v1 Instructions 1. To enable DKIM, follow the instructions listed on [Steps to Create, enable and disable DKIM from Microsoft 365 Defender portal \| Microsoft -Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dkim-configure?view=o365-worldwide#steps-to-create-enable-and-disable-dkim-from-microsoft-365-defender-portal). +Learn][]. ## 4. Domain-Based Message Authentication, Reporting, and Conformance (DMARC) Domain-based Message Authentication, Reporting, and Conformance (DMARC) @@ -248,9 +248,9 @@ emails to reach end users' mailboxes. Publishing DMARC records at the second-level domain protects the second-level domains and all subdomains. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1598: Phishing for Information](https://attack.mitre.org/techniques/T1598/) - - [T1656: Impersonation](https://attack.mitre.org/techniques/T1656/) - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1598: Phishing for Information][] + - [T1656: Impersonation][] + - [T1566: Phishing][] #### MS.EXO.4.2v1 The DMARC message rejection option SHALL be p=reject. @@ -261,9 +261,9 @@ reject provides the strongest protection. Reject is the level of protection required by BOD 18-01 for FCEB departments and agencies. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1598: Phishing for Information](https://attack.mitre.org/techniques/T1598/) - - [T1656: Impersonation](https://attack.mitre.org/techniques/T1656/) - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1598: Phishing for Information][] + - [T1656: Impersonation][] + - [T1566: Phishing][] #### MS.EXO.4.3v1 The DMARC point of contact for aggregate reports SHALL include `reports@dmarc.cyber.dhs.gov`. 
@@ -276,7 +276,7 @@ Including as a point of contact for these reports - _Note:_ Only federal, executive branch, departments and agencies should include this email address in their DMARC record. - _MITRE ATT&CK TTP Mapping:_ - - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) + - [T1562: Impair Defenses][] #### MS.EXO.4.4v1 An agency point of contact SHOULD be included for aggregate and failure reports. @@ -288,24 +288,24 @@ Including an agency point of contact gives the agency insight into attempts to spoof their domains. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) + - [T1562: Impair Defenses][] ### Resources - [Binding Operational Directive 18-01 - Enhance Email and Web Security - \| DHS](https://cyber.dhs.gov/bod/18-01/) + \| DHS][] - [Trustworthy Email \| NIST 800-177 Rev. - 1](https://csrc.nist.gov/publications/detail/sp/800-177/rev-1/final) + 1][] - [Domain-based Message Authentication, Reporting, and Conformance - (DMARC) \| RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489) + (DMARC) \| RFC 7489][] - [Best practices for implementing DMARC in Office 365 \| Microsoft - Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dmarc-configure?view=o365-worldwide#best-practices-for-implementing-dmarc-in-microsoft-365) + Learn][] - [How Office 365 handles outbound email that fails DMARC \| Microsoft - Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dmarc-configure?view=o365-worldwide#how-microsoft-365-handles-inbound-email-that-fails-dmarc) + Learn][] ### License Requirements 
@@ -317,7 +317,7 @@ to spoof their domains. DMARC is not configured through the Exchange admin center, but rather via DNS records hosted by the agency's domain. As such, implementation varies depending on how an agency manages its DNS records. See [Form the DMARC TXT record for your domain \| Microsoft -Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dmarc-configure?view=o365-worldwide#step-4-form-the-dmarc-txt-record-for-your-domain) +Learn][] for Microsoft guidance. A DMARC record published at the second-level domain will protect all subdomains. @@ -341,14 +341,14 @@ reports@dmarc.cyber.dhs.gov and reports@example.com. Failure reports will be sent to reports@example.com. #### MS.EXO.4.2v1 Instructions -See [MS.EXO.4.1v1 Instructions](#msexo41v1-instructions) for an overview of how to publish and check a DMARC record. Ensure the record published includes `p=reject`. +See [MS.EXO.4.1v1 Instructions][] for an overview of how to publish and check a DMARC record. Ensure the record published includes `p=reject`. #### MS.EXO.4.3v1 Instructions -See [MS.EXO.4.1v1 Instructions](#msexo41v1-instructions) for an overview of how to publish and check a DMARC record. Ensure the record published includes +See [MS.EXO.4.1v1 Instructions][] for an overview of how to publish and check a DMARC record. Ensure the record published includes as one of the emails for the RUA field. #### MS.EXO.4.4v1 Instructions -See [MS.EXO.4.1v1 Instructions](#msexo41v1-instructions) for an overview of how to publish and check a DMARC record. Ensure the record published includes: +See [MS.EXO.4.1v1 Instructions][] for an overview of how to publish and check a DMARC record. Ensure the record published includes: - A point of contact specific to your agency in the RUA field. - as one of the emails in the RUA field. - One or more agency-defined points of contact in the RUF field. 
@@ -380,7 +380,7 @@ least functionality. - [Enable or disable authenticated client SMTP submission (SMTP AUTH) in Exchange Online \| Microsoft - Learn](https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission) + Learn][] ### License Requirements @@ -413,8 +413,8 @@ for specific legitimate use as needed. - _Last modified:_ June 2023 - _Note:_ Contact folders MAY be shared with specific domains. - _MITRE ATT&CK TTP Mapping:_ - - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) - - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) + - [T1567: Exfiltration Over Web Service][] + - [T1048: Exfiltration Over Alternative Protocol][] #### MS.EXO.6.2v1 @@ -426,19 +426,19 @@ for legitimate use as needed. - _Last modified:_ June 2023 - _Note:_ Calendar details MAY be shared with specific domains. - _MITRE ATT&CK TTP Mapping:_ - - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) - - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) + - [T1567: Exfiltration Over Web Service][] + - [T1048: Exfiltration Over Alternative Protocol][] ### Resources - [Sharing in Exchange Online \| Microsoft - Learn](https://learn.microsoft.com/en-us/exchange/sharing/sharing) + Learn][] - [Organization relationships in Exchange Online \| Microsoft - Learn](https://learn.microsoft.com/en-us/exchange/sharing/organization-relationships/organization-relationships) + Learn][] - [Sharing policies in Exchange Online \| Microsoft - Learn](https://learn.microsoft.com/en-us/exchange/sharing/sharing-policies/sharing-policies) + Learn][] ### License Requirements 
@@ -463,7 +463,7 @@ To restrict sharing with all domains: To restrict sharing calendar details with all domains: -1. Refer to step 5 in [MS.EXO.6.1v1 Instructions](#msexo61v1-instructions) to implement +1. Refer to step 5 in [MS.EXO.6.1v1 Instructions][] to implement this policy. ## 7. External Sender Warnings @@ -479,20 +479,20 @@ External sender warnings SHALL be implemented. - _Rationale:_ Phishing is an ever-present threat. Alerting users when email originates from outside their organization can encourage them to exercise increased caution, especially if an email is one they expected from an internal sender. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566: Phishing][] ### Resources - [Mail flow rules (transport rules) in Exchange Online \| Microsoft - Learn](https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules) + Learn][] - [Capacity Enhancement Guide: Counter-Phishing Recommendations for Federal Agencies \| - CISA](https://www.cisa.gov/sites/default/files/publications/Capacity_Enhancement_Guide-Counter-Phishing_Recommendations_for_Federal_Agencies.pdf) + CISA][] - [Actions To Counter Email-Based Attacks On Election-Related Entities \| - CISA](https://www.cisa.gov/sites/default/files/publications/CISA_Insights_Actions_to_Counter_Email-Based_Attacks_on_Election-Related_S508C.pdf) + CISA][] ### License Requirements 
@@ -550,7 +550,7 @@ should offer services comparable to those offered by Microsoft. Though use of Microsoft's DLP solution is not strictly required, guidance for configuring Microsoft's DLP solution can be found in the following section of the CISA M365 Security Configuration Baseline for Defender for Office 365. -- [Data Loss Prevention \| CISA M365 Security Configuration Baseline for Defender for Office 365](./defender.md#4-data-loss-prevention) +- [Data Loss Prevention \| CISA M365 Security Configuration Baseline for Defender for Office 365][] ### Policies @@ -561,9 +561,9 @@ A DLP solution SHALL be used. - _Rationale:_ Users may inadvertently disclose sensitive information to unauthorized individuals. A DLP solution may detect the presence of sensitive information in Exchange Online and block access to unauthorized entities. - _Last modified:_ May 2024 - _MITRE ATT&CK TTP Mapping:_ - - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) - - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) - - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) + - [T1567: Exfiltration Over Web Service][] + - [T1048: Exfiltration Over Alternative Protocol][] + - [T1530: Data from Cloud Storage][] #### MS.EXO.8.2v2 
@@ -573,11 +573,11 @@ The DLP solution SHALL protect personally identifiable information (PII) and sen - _Rationale:_ Users may inadvertently share sensitive information with others who should not have access to it. Data loss prevention policies provide a way for agencies to detect and prevent unauthorized disclosures. - _Last modified:_ May 2024 - _MITRE ATT&CK TTP Mapping:_ - - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) - - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) - - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) - - [T1213.002: Sharepoint](https://attack.mitre.org/techniques/T1213/002/) - - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) + - [T1567: Exfiltration Over Web Service][] + - [T1048: Exfiltration Over Alternative Protocol][] + - [T1213: Data from Information Repositories][] + - [T1213.002: Sharepoint][] + - [T1530: Data from Cloud Storage][] #### MS.EXO.8.3v1 @@ -587,9 +587,9 @@ The selected DLP solution SHOULD offer services comparable to the native DLP sol - _Rationale:_ Any alternative DLP solution should be able to detect sensitive information in Exchange Online and block access to unauthorized entities. - _Last modified:_ May 2024 - _MITRE ATT&CK TTP Mapping:_ - - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) - - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) - - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) + - [T1567: Exfiltration Over Web Service][] + - [T1048: Exfiltration Over Alternative Protocol][] + - [T1530: Data from Cloud Storage][] #### MS.EXO.8.4v1 
@@ -599,11 +599,11 @@ At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. - _Rationale:_ Users may inadvertently share sensitive information with others who should not have access to it. Data loss prevention policies provide a way for agencies to detect and prevent unauthorized disclosures. - _Last modified:_ May 2024 - _MITRE ATT&CK TTP Mapping:_ - - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) - - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) - - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) - - [T1213.002: Sharepoint](https://attack.mitre.org/techniques/T1213/002/) - - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) + - [T1567: Exfiltration Over Web Service][] + - [T1048: Exfiltration Over Alternative Protocol][] + - [T1213: Data from Information Repositories][] + - [T1213.002: Sharepoint][] + - [T1530: Data from Cloud Storage][] ### Resources 
@@ -618,17 +618,17 @@ At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. #### MS.EXO.8.1v2 Instructions -Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [DLP](./defender.md#implementation-3) for additional guidance. +Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [DLP][] for additional guidance. #### MS.EXO.8.2v2 Instructions -Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [protecting PII](./defender.md#msdefender41v1-instructions) for additional guidance. +Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [protecting PII][] for additional guidance. #### MS.EXO.8.3v1 Instructions -Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [DLP](./defender.md#implementation-3) for additional guidance. +Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [DLP][] for additional guidance. #### MS.EXO.8.4v1 Instructions -Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [protecting PII](./defender.md#msdefender41v1-instructions) for additional guidance. +Any product meeting the requirements outlined in this baseline policy may be used. 
If the agency uses Microsoft Defender, see the following implementation steps for [protecting PII][] for additional guidance. ## 9. Attachment File Type @@ -644,7 +644,7 @@ Though using Microsoft Defender's solution is not strictly required for this purpose, guidance for configuring the Common Attachment Filter in Microsoft Defender can be found in the follow section of the CISA M365 Security Configuration Baseline for Defender for Office 365. -- [Preset Security Policies \| CISA M365 Security Configuration Baseline for Defender for Office 365](./defender.md#1-preset-security-profiles) +- [Preset Security Policies \| CISA M365 Security Configuration Baseline for Defender for Office 365][] ### Policies @@ -659,8 +659,8 @@ any potential benefits. Filtering email attachments based on file types can prevent spread of malware distributed via click-to-run email attachments. - _Last modified:_ May 2024 - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) + - [T1566: Phishing][] + - [T1566.001: Spearphishing Attachment][] #### MS.EXO.9.2v1 The attachment filter SHOULD attempt to determine the true file type and assess the file extension. 
@@ -669,10 +669,10 @@ The attachment filter SHOULD attempt to determine the true file type and assess - _Rationale:_ Users can change a file extension at the end of a file name (e.g., notepad.exe to notepad.txt) to obscure the actual file type. Verifying the file type and checking that this matches the designated file extension can help detect instances where the file extension was changed. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1036: Masquerading](https://attack.mitre.org/techniques/T1036/) - - [T1036.006: Space after Filename](https://attack.mitre.org/techniques/T1036/006/) - - [T1036.007: Double File Extension](https://attack.mitre.org/techniques/T1036/007/) - - [T1036.008: Masquerade File Type](https://attack.mitre.org/techniques/T1036/008/) + - [T1036: Masquerading][] + - [T1036.006: Space after Filename][] + - [T1036.007: Double File Extension][] + - [T1036.008: Masquerade File Type][] #### MS.EXO.9.3v2 Disallowed file types SHALL be determined and enforced. @@ -684,8 +684,8 @@ determining the full list of file types to block is left to each organization, to be made in accordance with their risk tolerance. - _Last modified:_ May 2024 - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) + - [T1566: Phishing][] + - [T1566.001: Spearphishing Attachment][] #### MS.EXO.9.4v1 @@ -699,8 +699,8 @@ any potential benefits. Filtering email attachments based on file types can prevent spread of malware distributed via click-to-run email attachments. - _Last modified:_ May 2024 - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) + - [T1566: Phishing][] + - [T1566.001: Spearphishing Attachment][] #### MS.EXO.9.5v1 
@@ -711,13 +711,13 @@ At a minimum, click-to-run files SHOULD be blocked (e.g., .exe, .cmd, and .vbe). Blocking a list of common executable files helps mitigate the risk of adversarial exploitation. - _Last modified:_ May 2024 - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) + - [T1566: Phishing][] + - [T1566.001: Spearphishing Attachment][] ### Resources -- [Common attachments filter in anti-malware policies \| Microsoft Learn](https://learn.microsoft.com/en-us/defender-office-365/anti-malware-protection-about#common-attachments-filter-in-anti-malware-policies) +- [Common attachments filter in anti-malware policies \| Microsoft Learn][] ### License Requirements 
@@ -729,35 +729,35 @@ Blocking a list of common executable files helps mitigate the risk of adversaria Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for -[enabling preset security policies](./defender.md#implementation), which +[enabling preset security policies][], which include email filtering based on attachment file type. #### MS.EXO.9.2v1 Instructions Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for -[enabling preset security policies](./defender.md#implementation), which +[enabling preset security policies][], which attempt to determine the true file type and assess the file extension. #### MS.EXO.9.3v2 Instructions Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for -[enabling preset security policies](./defender.md#implementation), which +[enabling preset security policies][], which disallow click-to-run file types. #### MS.EXO.9.4v1 Instructions Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for -[enabling preset security policies](./defender.md#implementation), which +[enabling preset security policies][], which disallow click-to-run file types. #### MS.EXO.9.5v1 Instructions Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for -[enabling preset security policies](./defender.md#implementation), which +[enabling preset security policies][], which disallow click-to-run file types. 
@@ -774,10 +774,10 @@ the solution selected by an agency should offer services comparable to those offered by Microsoft. If the agency uses Microsoft Defender to implement malware scanning, see the following policies of the CISA M365 Security Configuration Baseline for Defender for Office 365 for additional guidance. -- [MS.DEFENDER.1.2v1 \| CISA M365 Security Configuration Baseline for Defender for Office 365](./defender.md#msdefender12v1) +- [MS.DEFENDER.1.2v1 \| CISA M365 Security Configuration Baseline for Defender for Office 365][] - All users SHALL be added to Exchange Online Protection in either the standard or strict preset security policy. -- [MS.DEFENDER.1.3v1 \| CISA M365 Security Configuration Baseline for Defender for Office 365](./defender.md#msdefender13v1) +- [MS.DEFENDER.1.3v1 \| CISA M365 Security Configuration Baseline for Defender for Office 365][] - All users SHALL be added to Defender for Office 365 Protection in either the standard or strict preset security policy. ### Policies @@ -791,8 +791,8 @@ In many cases, malware can be detected through scanning, reducing the risk for end users. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) + - [T1566: Phishing][] + - [T1566.001: Spearphishing Attachment][] #### MS.EXO.10.2v1 Emails identified as containing malware SHALL be quarantined or dropped. 
@@ -803,10 +803,10 @@ Preventing emails with known malware from reaching user mailboxes helps ensure users cannot interact with those emails. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) + - [T1566: Phishing][] + - [T1566.001: Spearphishing Attachment][] + - [T1566: Phishing][] + - [T1566.001: Spearphishing Attachment][] #### MS.EXO.10.3v1 Email scanning SHALL be capable of reviewing emails after delivery. @@ -815,8 +815,8 @@ Email scanning SHALL be capable of reviewing emails after delivery. - _Rationale:_ As known malware signatures are updated, it is possible for an email to be retroactively identified as containing malware after delivery. By scanning emails, the number of malware-infected in users' mailboxes can be reduced. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) + - [T1566: Phishing][] + - [T1566.001: Spearphishing Attachment][] ### Resources 
@@ -832,21 +832,21 @@ Email scanning SHALL be capable of reviewing emails after delivery. Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for -[enabling preset security policies](./defender.md#implementation), which +[enabling preset security policies][], which include anti-malware protection. #### MS.EXO.10.2v1 Instructions Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for -[enabling preset security policies](./defender.md#implementation), which +[enabling preset security policies][], which include anti-malware protection to quarantine malware in email. #### MS.EXO.10.3v1 Instructions Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for -[enabling preset security policies](./defender.md#implementation), which +[enabling preset security policies][], which include zero-hour auto purge (ZAP) to retroactively detect malware in messages already delivered to mailboxes and removes them. 
@@ -870,13 +870,13 @@ policy group may be used. If the agency uses Exchange Online Protection Exchange Online mailboxes, see the following policy and section of the CISA M365 Security Configuration Baseline for Defender for Office 365. -- [MS.DEFENDER.1.2v1 \| CISA M365 Security Configuration Baseline for Defender for Office 365](./defender.md#msdefender12v1). +- [MS.DEFENDER.1.2v1 \| CISA M365 Security Configuration Baseline for Defender for Office 365][]. - All users SHALL be added to Exchange Online Protection in either the standard or strict preset security policy. EOP alone does not support impersonation protection, but this is provided through Defender for Office 365. If using Defender for Office 365 for impersonation protection, see the following policy and section of the CISA M365 Security Configuration Baseline for Defender for Office 365. -- [Impersonation Protection \| CISA M365 Security Configuration Baseline for Defender for Office 365](./defender.md#2-impersonation-protection) +- [Impersonation Protection \| CISA M365 Security Configuration Baseline for Defender for Office 365][] ### Policies @@ -890,8 +890,8 @@ By automatically identifying senders who appear to be impersonating known senders, the risk of a successful phishing attempt can be reduced. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1656: Impersonation](https://attack.mitre.org/techniques/T1656/) + - [T1566: Phishing][] + - [T1656: Impersonation][] #### MS.EXO.11.2v1 User warnings, comparable to the user safety tips included with EOP, SHOULD be displayed. 
@@ -903,8 +903,8 @@ User warnings can handle these tasks, reducing the burden on end users and the r successful phishing attempts. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1656: Impersonation](https://attack.mitre.org/techniques/T1656/) + - [T1566: Phishing][] + - [T1656: Impersonation][] #### MS.EXO.11.3v1 The phishing protection solution SHOULD include an AI-based phishing detection tool comparable to EOP Mailbox Intelligence. @@ -913,8 +913,8 @@ The phishing protection solution SHOULD include an AI-based phishing detection t - _Rationale:_ Phishing attacks can result in unauthorized data disclosure and unauthorized access. Using AI-based phishing detection tools to improve the detection rate of phishing attempts helps reduce the risk of successful phishing attacks. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1656: Impersonation](https://attack.mitre.org/techniques/T1656/) + - [T1566: Phishing][] + - [T1656: Impersonation][] ### Resources @@ -924,7 +924,7 @@ The phishing protection solution SHOULD include an AI-based phishing detection t - If using Defender for Office 365 for impersonation protection and advanced phishing thresholds, Defender for Office 365 Plan 1 or 2 is required. These are included with E5 and G5 and are available as add-ons for E3 and G3. As of November 14, 2023, anti-phishing for user and domain impersonation and spoof intelligence are not yet available in M365 Government Community Cloud High (GCC High) and M365 Department of Defense (DOD). See [Platform - features \| Microsoft Docs](https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/office-365-us-government#platform-features) + features \| Microsoft Docs][] for current offerings. ### Implementation 
@@ -933,20 +933,20 @@ The phishing protection solution SHOULD include an AI-based phishing detection t Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for -[enabling impersonation protection](./defender.md#msdefender21v1-instructions). +[enabling impersonation protection][]. #### MS.EXO.11.2v1 Instructions Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for -[enabling preset security policies](./defender.md#msdefender12v1) which +[enabling preset security policies][] which include user safety tips to warn users. #### MS.EXO.11.3v1 Instructions Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for -[enabling preset security policies](./defender.md#msdefender13v1) which +[enabling preset security policies][] which include mailbox intelligence for detecting phishing attacks using AI. ## 12. IP Allow Lists @@ -955,7 +955,7 @@ Microsoft Defender supports creating IP allow lists intended to prevent blocking emails from *specific* senders. However, as a result, emails from these senders bypass important security mechanisms, such as spam filtering, SPF, DKIM, DMARC, and [FROM address -enforcement](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-from-email-address-validation?view=o365-worldwide#override-from-address-enforcement). +enforcement][]. IP block lists block email from listed IP addresses. Although we have no specific guidance on which IP addresses to add, block lists can be used to block mail from known spammers. 
@@ -991,14 +991,14 @@ specific senders. ### Resources - [Use the IP Allow List \| Microsoft - Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365?view=o365-worldwide#use-the-ip-allow-list) + Learn][] - [Configure connection filtering \| Microsoft - Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/connection-filter-policies-configure?view=o365-worldwide) + Learn][] - [Use the Microsoft 365 Defender portal to modify the default connection filter policy \| Microsoft - Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/connection-filter-policies-configure?view=o365-worldwide#use-the-microsoft-365-defender-portal-to-modify-the-default-connection-filter-policy) + Learn][] ### License Requirements @@ -1010,7 +1010,7 @@ specific senders. To modify the connection filters, follow the instructions found in [Use the Microsoft 365 Defender portal to modify the default connection filter -policy](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/connection-filter-policies-configure?view=o365-worldwide#use-the-microsoft-365-defender-portal-to-modify-the-default-connection-filter-policy). +policy][]. 1. Sign in to **Microsoft 365 Defender portal**. 
@@ -1065,27 +1065,27 @@ Mailbox auditing SHALL be enabled. - _Rationale:_ Exchange Online user accounts can be compromised or misused. Enabling mailbox auditing provides a valuable source of information to detect and respond to mailbox misuse. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1070: Indicator Removal](https://attack.mitre.org/techniques/T1070/) - - [T1070.008: Clear Mailbox Data](https://attack.mitre.org/techniques/T1070/008/) - - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) - - [T1098.002: Additional Email Delegate Permissions](https://attack.mitre.org/techniques/T1098/002/) - - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) - - [T1562.008: Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008/) - - [T1586: Compromise Accounts](https://attack.mitre.org/techniques/T1586/) - - [T1586.002: Email Accounts](https://attack.mitre.org/techniques/T1586/002/) - - [T1564: Hide Artifacts](https://attack.mitre.org/techniques/T1564/) - - [T1564.008: Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008/) + - [T1070: Indicator Removal][] + - [T1070.008: Clear Mailbox Data][] + - [T1098: Account Manipulation][] + - [T1098.002: Additional Email Delegate Permissions][] + - [T1562: Impair Defenses][] + - [T1562.008: Disable or Modify Cloud Logs][] + - [T1586: Compromise Accounts][] + - [T1586.002: Email Accounts][] + - [T1564: Hide Artifacts][] + - [T1564.008: Email Hiding Rules][] ### Resources - [Manage mailbox auditing in Office 365 \| Microsoft - Learn](https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-mailboxes?view=o365-worldwide) + Learn][] - [Supported mailbox types \| Microsoft - Learn](https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-mailboxes?view=o365-worldwide&viewFallbackFrom=o365-worldwide%22%20%5Cl%20%22supported-mailbox-types) + Learn][] - [Microsoft Purview Compliance Manager - Microsoft 365 Compliance \|Microsoft - 
Learn](https://learn.microsoft.com/en-us/microsoft-365/compliance/compliance-manager?view=o365-worldwide) + Learn][] ### License Requirements @@ -1097,7 +1097,7 @@ Mailbox auditing SHALL be enabled. Mailbox auditing can be managed from the Exchange Online PowerShell. Follow the instructions listed on [Manage mailbox auditing in Office -365](https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-mailboxes?view=o365-worldwide). +365][]. To check the current mailbox auditing status for your organization via PowerShell: @@ -1129,7 +1129,7 @@ used. If the agency uses Microsoft Defender to meet this baseline policy group, see the following policy of the CISA M365 Security Configuration Baseline for Defender for Office 365. -- [MS.DEFENDER.1.2v1 \| CISA M365 Security Configuration Baseline for Defender for Office 365](./defender.md#msdefender12v1) +- [MS.DEFENDER.1.2v1 \| CISA M365 Security Configuration Baseline for Defender for Office 365][] - All users SHALL be added to Exchange Online Protection in either the standard or strict preset security policy. ### Policies @@ -1141,7 +1141,7 @@ A spam filter SHALL be enabled. - _Rationale:_ Spam is a constant threat as junk mail can reduce user productivity, fill up mailboxes unnecessarily, and in some cases include malicious links or attachments. Filtering out spam reduces user workload burden, prevents junk mail congestion, and reduces potentially malicious content exposure. - _Last modified:_ May 2024 - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566: Phishing][] #### MS.EXO.14.2v1 
@@ -1152,7 +1152,7 @@ Spam and high confidence spam SHALL be moved to either the junk email folder or Moving spam messages to a separate junk or quarantine folder helps users filter out spam while still giving them the ability to review messages, as needed, in case a message is filtered incorrectly. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566: Phishing][] #### MS.EXO.14.3v1 Allowed domains SHALL NOT be added to inbound anti-spam protection policies. @@ -1166,7 +1166,7 @@ potentially unknown users to bypass spam protections. - _Last modified:_ June 2023 - _Note:_ Allowed senders MAY be added. - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566: Phishing][] #### MS.EXO.14.4v1 If a third-party party filtering solution is used, the solution SHOULD offer services comparable to the native spam filtering offered by Microsoft. @@ -1175,11 +1175,11 @@ If a third-party party filtering solution is used, the solution SHOULD offer ser - _Rationale:_ Spam is a constant threat as junk mail can reduce user productivity, fill up mailboxes unnecessarily, and in some cases include malicious links or attachments. Filtering out spam reduces user workload burden, prevents junk mail congestion, and reduces potentially malicious content exposure. - _Last modified:_ May 2024 - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566: Phishing][] ### Resources -- [Configure anti-spam policies in EOP \| Microsoft Learn](https://learn.microsoft.com/en-us/defender-office-365/anti-spam-policies-configure?view=o365-worldwide) +- [Configure anti-spam policies in EOP \| Microsoft Learn][] ### License Requirements 
@@ -1192,7 +1192,7 @@ If a third-party party filtering solution is used, the solution SHOULD offer ser Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for -[enabling preset security policies](./defender.md#msdefender12v1), which +[enabling preset security policies][], which include spam filtering. #### MS.EXO.14.2v1 Instructions @@ -1200,7 +1200,7 @@ include spam filtering. Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for -[enabling preset security policies](./defender.md#msdefender12v1), which +[enabling preset security policies][], which include spam filtering that moves high confidence spam to either the junk or quarantine folder. @@ -1209,7 +1209,7 @@ include spam filtering that moves high confidence spam to either the junk Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for -[enabling preset security policies](./defender.md#msdefender12v1), which do not +[enabling preset security policies][], which do not include any allowed sender domains by default. #### MS.EXO.14.4v1 Instructions @@ -1217,7 +1217,7 @@ include any allowed sender domains by default. Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for -[enabling preset security policies](./defender.md#msdefender12v1), which +[enabling preset security policies][], which include spam filtering. ## 15. Link Protection 
@@ -1246,7 +1246,7 @@ Using Microsoft Defender is not strictly required for this purpose; any product fulfilling the requirements outlined in this baseline policy group may be used. If the agency uses Microsoft Defender for Office 365 to meet this baseline policy group, see the following policy of the CISA M365 Security Configuration Baseline for Defender for Office 365 for additional guidance. -- [MS.DEFENDER.1.3v1 \| CISA M365 Security Configuration Baseline for Defender for Office 365](./defender.md#msdefender13v1). +- [MS.DEFENDER.1.3v1 \| CISA M365 Security Configuration Baseline for Defender for Office 365][]. - All users SHALL be added to Defender for Office 365 Protection in either the standard or strict preset security policy. ### Policies @@ -1258,8 +1258,8 @@ URL comparison with a block-list SHOULD be enabled. - _Rationale:_ Users may be directed to malicious websites via links in email. Blocking access to known, malicious URLs can prevent users from accessing known malicious websites. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) + - [T1566: Phishing][] + - [T1566.002: Spearphishing Link][] #### MS.EXO.15.2v1 Direct download links SHOULD be scanned for malware. @@ -1270,8 +1270,8 @@ Scanning direct download links in real-time for known malware and blocking acces users from infecting their devices. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) + - [T1566: Phishing][] + - [T1566.002: Spearphishing Link][] #### MS.EXO.15.3v1 User click tracking SHOULD be enabled. 
@@ -1280,8 +1280,8 @@ User click tracking SHOULD be enabled. - _Rationale:_ Users may click on malicious links in emails, leading to compromise or unauthorized data disclosure. Enabling user click tracking lets agencies know if a malicious link may have been visited after the fact to help tailor a response to a potential incident. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) + - [T1566: Phishing][] + - [T1566.002: Spearphishing Link][] ### Resources @@ -1298,7 +1298,7 @@ User click tracking SHOULD be enabled. Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender for Office 365, see the following implementation steps for -[enabling preset security policies](./defender.md#msdefender13v1), which +[enabling preset security policies][], which include Safe Links protections to scan URLs in email messages against a list of known, malicious links. @@ -1307,7 +1307,7 @@ of known, malicious links. Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender for Office 365, see the following implementation steps for -[enabling preset security policies](./defender.md#msdefender13v1), which +[enabling preset security policies][], which include Safe Links protections to scan links to files for malware. #### MS.EXO.15.3v1 Instructions 
@@ -1315,7 +1315,7 @@ include Safe Links protections to scan links to files for malware. Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender for Office 365, see the following implementation steps for -[enabling preset security policies](./defender.md#msdefender13v1), which +[enabling preset security policies][], which include Safe Links click protections to track user clicks on links in email. ## 16. Alerts @@ -1334,7 +1334,7 @@ Online. Guidance for configuring alerts in Microsoft 365 is given in the following section of the CISA M365 Security Configuration Baseline for Defender for Office 365. -- [Alerts \| CISA M365 Security Configuration Baseline for Defender for Office 365](./defender.md#5-alerts) +- [Alerts \| CISA M365 Security Configuration Baseline for Defender for Office 365][] ### Policies @@ -1362,13 +1362,13 @@ At a minimum, the following alerts SHALL be enabled: to help minimize impact to users and the agency. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) - - [T1078.004: Cloud Accounts](https://attack.mitre.org/techniques/T1078/004/) - - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) - - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) - - [T1562.006: Indicator Blocking](https://attack.mitre.org/techniques/T1562/006/) + - [T1078: Valid Accounts][] + - [T1078.004: Cloud Accounts][] + - [T1562: Impair Defenses][] + - [T1566: Phishing][] + - [T1566.002: Spearphishing Link][] + - [T1562: Impair Defenses][] + - [T1562.006: Indicator Blocking][] #### MS.EXO.16.2v1 The alerts SHOULD be sent to a monitored address or incorporated into a security information and event management (SIEM) system. 
@@ -1381,8 +1381,8 @@ The alerts SHOULD be sent to a monitored address or incorporated into a security impact. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) - - [T1562.006: Indicator Blocking](https://attack.mitre.org/techniques/T1562/006/) + - [T1562: Impair Defenses][] + - [T1562.006: Indicator Blocking][] ### Resources @@ -1398,14 +1398,14 @@ The alerts SHOULD be sent to a monitored address or incorporated into a security Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft 365 alert policies, see the following implementation steps for -[enabling alerts](./defender.md#msdefender51v1-instructions) for additional +[enabling alerts][] for additional guidance. #### MS.EXO.16.2v1 Instructions Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft 365 alert policies, see the following implementation steps to -[add email recipients to an alert](./defender.md#msdefender51v1-instructions) +[add email recipients to an alert][] for additional guidance. ## 17. Audit Logging @@ -1423,7 +1423,7 @@ Microsoft 365 audit logs are to be retained at least 12 months in active storage and an additional 18 months in cold storage. This can be accomplished by offloading the logs out of the cloud environment or natively through Microsoft by creating an [audit log retention -policy](https://learn.microsoft.com/en-us/purview/audit-log-retention-policies?view=o365-worldwide#create-an-audit-log-retention-policy). +policy][]. OMB M-21-31 also requires Advanced Audit be configured in M365. Advanced Audit, now Microsoft Purview Audit (Premium), adds additional event types to the 
@@ -1434,7 +1434,7 @@ implementation guidance for configuring audit logging, see the following section of the CISA M365 Security Configuration Baseline for Defender for Office 365. -- [Audit Logging \| CISA M365 Security Configuration Baseline for Defender for Office 365](./defender.md#6-audit-logging) +- [Audit Logging \| CISA M365 Security Configuration Baseline for Defender for Office 365][] ### Policies @@ -1450,8 +1450,8 @@ government agencies by OMB M-21-31 (referred to therein by its former name, Unified Audit Logs). - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) - - [T1562.008: Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008/) + - [T1562: Impair Defenses][] + - [T1562.008: Disable or Modify Cloud Logs][] #### MS.EXO.17.2v1 Microsoft Purview Audit (Premium) logging SHALL be enabled. @@ -1469,8 +1469,8 @@ Furthermore, it is required for government agencies by OMB M-21-31 (referred to Purview (Standard) may be sufficient for agencies to meet basic logging requirements. - _MITRE ATT&CK TTP Mapping:_ - - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) - - [T1562.008: Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008/) + - [T1562: Impair Defenses][] + - [T1562.008: Disable or Modify Cloud Logs][] #### MS.EXO.17.3v1 Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31 (Appendix C). 
@@ -1488,13 +1488,13 @@ Audit Logs in the Cloud Azure log category. ### Resources - [Expanding cloud logging to give customers deeper security visibility \| - Microsoft Security Blog](https://www.microsoft.com/en-us/security/blog/2023/07/19/expanding-cloud-logging-to-give-customers-deeper-security-visibility/) + Microsoft Security Blog][] -- [Export, configure, and view audit log records | Microsoft Learn](https://learn.microsoft.com/en-us/purview/audit-log-export-records) +- [Export, configure, and view audit log records | Microsoft Learn][] -- [Untitled Goose Tool Fact Sheet | CISA.](https://www.cisa.gov/resources-tools/resources/untitled-goose-tool-fact-sheet) +- [Untitled Goose Tool Fact Sheet | CISA.][] -- [Manage audit log retention policies | Microsoft Learn](https://learn.microsoft.com/en-us/purview/audit-log-retention-policies?tabs=microsoft-purview-portal#before-you-create-an-audit-log-retention-policy) +- [Manage audit log retention policies | Microsoft Learn][] ### License Requirements 
@@ -1505,23 +1505,164 @@ Audit Logs in the Cloud Azure log category. - Additionally, maintaining logs in the M365 environment for longer than one year requires an add-on license. For more information, see [Licensing requirements \| Microsoft - Docs](https://docs.microsoft.com/en-us/microsoft-365/compliance/auditing-solutions-overview?view=o365-worldwide#licensing-requirements). However, this requirement can also be met by exporting the logs from M365 and storing them with your solution of choice, in which case audit log retention policies are not necessary. + Docs][]. However, this requirement can also be met by exporting the logs from M365 and storing them with your solution of choice, in which case audit log retention policies are not necessary. ### Implementation #### MS.EXO.17.1v1 Instructions See the following implementation steps for enabling [Microsoft Purview -(Standard)](./defender.md#msdefender61v1-instructions) for additional +(Standard)][] for additional guidance. #### MS.EXO.17.2v1 Instructions See the following implementation steps for enabling [Microsoft Purview -(Premium)](./defender.md#msdefender62v1-instructions) for additional +(Premium)][] for additional guidance. #### MS.EXO.17.3v1 Instructions See the following implementation steps to -[create an audit retention policy](./defender.md#msdefender62v1-instructions) +[create an audit retention policy][] for additional guidance. 
**`TLP:CLEAR`** + +[M365]: https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/LICENSE +[Azure]: https://github.com/MicrosoftDocs/azure-docs/blob/main/LICENSE +[M365 +E3]: https://www.microsoft.com/en-us/microsoft-365/compare-microsoft-365-enterprise-plans +[G3]: https://www.microsoft.com/en-us/microsoft-365/government +[RFC 2119]: https://datatracker.ietf.org/doc/html/rfc2119 +[T1567: Exfiltration Over Web Service]: https://attack.mitre.org/techniques/T1567/ +[T1048: Exfiltration Over Alternative Protocol]: https://attack.mitre.org/techniques/T1048/ +[T1566: Phishing]: https://attack.mitre.org/techniques/T1566/ +[T1566.001: Spearphishing Attachment]: https://attack.mitre.org/techniques/T1566/001/ +[Reducing or increasing information flow to another company \| + Microsoft + Learn]: https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/remote-domains/remote-domains#reducing-or-increasing-information-flow-to-another-company +[T1656: Impersonation]: https://attack.mitre.org/techniques/T1656/ +[Binding Operational Directive 18-01 - Enhance Email and Web Security + \| DHS]: https://cyber.dhs.gov/bod/18-01/ +[Trustworthy Email \| NIST 800-177 Rev. 
+ 1]: https://csrc.nist.gov/publications/detail/sp/800-177/rev-1/final +[Set up SPF to help prevent spoofing \| Microsoft + Learn]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-spf-configure?view=o365-worldwide +[How Microsoft 365 uses Sender Policy Framework (SPF) to prevent + spoofing \| Microsoft + Learn]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-anti-spoofing?view=o365-worldwide +[include]: https://www.rfc-editor.org/rfc/rfc7208#section-5.2 +[External DNS records required for SPF]: https://learn.microsoft.com/en-us/microsoft-365/enterprise/external-domain-name-system-records?view=o365-worldwide#external-dns-records-required-for-spf +[Add or edit an SPF TXT record to help prevent email spam (Outlook, Exchange Online) \| Microsoft Learn]: https://learn.microsoft.com/en-us/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider?view=o365-worldwide#add-or-edit-an-spf-txt-record-to-help-prevent-email-spam-outlook-exchange-online +[How can I validate SPF records for my domain? 
\| Microsoft Learn]: https://learn.microsoft.com/en-us/microsoft-365/admin/setup/domains-faq?view=o365-worldwide#how-can-i-validate-spf-records-for-my-domain +[redirects]: https://www.rfc-editor.org/rfc/rfc7208#section-6.1 +[SPF TXT record syntax for Microsoft 365 \| Microsoft Learn]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-anti-spoofing?view=o365-worldwide#spf-txt-record-syntax-for-microsoft-365 +[T1598: Phishing for Information]: https://attack.mitre.org/techniques/T1598/ +[Use DKIM to validate outbound email sent from your custom domain \| + Microsoft + Learn]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dkim-configure?view=o365-worldwide +[Support for validation of DKIM signed messages \| Microsoft + Learn]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dkim-support-about?view=o365-worldwide +[What is EOP? \| Microsoft + Learn]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/eop-faq?view=o365-worldwide#what-is-eop- +[Steps to Create, +enable and disable DKIM from Microsoft 365 Defender portal \| Microsoft +Learn]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dkim-configure?view=o365-worldwide#steps-to-create-enable-and-disable-dkim-from-microsoft-365-defender-portal +[T1562: Impair Defenses]: https://attack.mitre.org/techniques/T1562/ +[Domain-based Message Authentication, Reporting, and Conformance + (DMARC) \| RFC 7489]: https://datatracker.ietf.org/doc/html/rfc7489 +[Best practices for implementing DMARC in Office 365 \| Microsoft + Learn]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dmarc-configure?view=o365-worldwide#best-practices-for-implementing-dmarc-in-microsoft-365 +[How Office 365 handles outbound email that fails DMARC \| Microsoft + Learn]: 
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dmarc-configure?view=o365-worldwide#how-microsoft-365-handles-inbound-email-that-fails-dmarc +[Form the DMARC TXT record for your domain \| Microsoft +Learn]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dmarc-configure?view=o365-worldwide#step-4-form-the-dmarc-txt-record-for-your-domain +[MS.EXO.4.1v1 Instructions]: #msexo41v1-instructions +[Enable or disable authenticated client SMTP submission (SMTP AUTH) in + Exchange Online \| Microsoft + Learn]: https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission +[Sharing in Exchange Online \| Microsoft + Learn]: https://learn.microsoft.com/en-us/exchange/sharing/sharing +[Organization relationships in Exchange Online \| Microsoft + Learn]: https://learn.microsoft.com/en-us/exchange/sharing/organization-relationships/organization-relationships +[Sharing policies in Exchange Online \| Microsoft + Learn]: https://learn.microsoft.com/en-us/exchange/sharing/sharing-policies/sharing-policies +[MS.EXO.6.1v1 Instructions]: #msexo61v1-instructions +[Mail flow rules (transport rules) in Exchange Online \| Microsoft + Learn]: https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules +[Capacity Enhancement Guide: Counter-Phishing Recommendations for + Federal Agencies \| + CISA]: https://www.cisa.gov/sites/default/files/publications/Capacity_Enhancement_Guide-Counter-Phishing_Recommendations_for_Federal_Agencies.pdf +[Actions To Counter Email-Based Attacks On Election-Related Entities + \| + CISA]: https://www.cisa.gov/sites/default/files/publications/CISA_Insights_Actions_to_Counter_Email-Based_Attacks_on_Election-Related_S508C.pdf +[Data Loss Prevention \| CISA M365 Security Configuration Baseline for Defender for Office 365]: ./defender.md#4-data-loss-prevention +[T1530: Data 
from Cloud Storage]: https://attack.mitre.org/techniques/T1530/ +[T1213: Data from Information Repositories]: https://attack.mitre.org/techniques/T1213/ +[T1213.002: Sharepoint]: https://attack.mitre.org/techniques/T1213/002/ +[DLP]: ./defender.md#implementation-3 +[protecting PII]: ./defender.md#msdefender41v1-instructions +[Preset Security Policies \| CISA M365 Security Configuration Baseline for Defender for Office 365]: ./defender.md#1-preset-security-profiles +[T1036: Masquerading]: https://attack.mitre.org/techniques/T1036/ +[T1036.006: Space after Filename]: https://attack.mitre.org/techniques/T1036/006/ +[T1036.007: Double File Extension]: https://attack.mitre.org/techniques/T1036/007/ +[T1036.008: Masquerade File Type]: https://attack.mitre.org/techniques/T1036/008/ +[Common attachments filter in anti-malware policies \| Microsoft Learn]: https://learn.microsoft.com/en-us/defender-office-365/anti-malware-protection-about#common-attachments-filter-in-anti-malware-policies +[enabling preset security policies]: ./defender.md#implementation +[MS.DEFENDER.1.2v1 \| CISA M365 Security Configuration Baseline for Defender for Office 365]: ./defender.md#msdefender12v1 +[MS.DEFENDER.1.3v1 \| CISA M365 Security Configuration Baseline for Defender for Office 365]: ./defender.md#msdefender13v1 +[Impersonation Protection \| CISA M365 Security Configuration Baseline for Defender for Office 365]: ./defender.md#2-impersonation-protection +[Platform + features \| Microsoft Docs]: https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/office-365-us-government#platform-features +[enabling impersonation protection]: ./defender.md#msdefender21v1-instructions +[FROM address +enforcement]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-from-email-address-validation?view=o365-worldwide#override-from-address-enforcement +[Use the IP Allow List \| Microsoft + Learn]: 
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365?view=o365-worldwide#use-the-ip-allow-list +[Configure connection filtering \| Microsoft + Learn]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/connection-filter-policies-configure?view=o365-worldwide +[Use the Microsoft 365 Defender portal to modify the default + connection filter policy \| Microsoft + Learn]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/connection-filter-policies-configure?view=o365-worldwide#use-the-microsoft-365-defender-portal-to-modify-the-default-connection-filter-policy +[Use +the Microsoft 365 Defender portal to modify the default connection +filter +policy]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/connection-filter-policies-configure?view=o365-worldwide#use-the-microsoft-365-defender-portal-to-modify-the-default-connection-filter-policy +[T1070: Indicator Removal]: https://attack.mitre.org/techniques/T1070/ +[T1070.008: Clear Mailbox Data]: https://attack.mitre.org/techniques/T1070/008/ +[T1098: Account Manipulation]: https://attack.mitre.org/techniques/T1098/ +[T1098.002: Additional Email Delegate Permissions]: https://attack.mitre.org/techniques/T1098/002/ +[T1562.008: Disable or Modify Cloud Logs]: https://attack.mitre.org/techniques/T1562/008/ +[T1586: Compromise Accounts]: https://attack.mitre.org/techniques/T1586/ +[T1586.002: Email Accounts]: https://attack.mitre.org/techniques/T1586/002/ +[T1564: Hide Artifacts]: https://attack.mitre.org/techniques/T1564/ +[T1564.008: Email Hiding Rules]: https://attack.mitre.org/techniques/T1564/008/ +[Manage mailbox auditing in Office 365 \| Microsoft + Learn]: https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-mailboxes?view=o365-worldwide +[Supported mailbox types \| Microsoft + Learn]: 
https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-mailboxes?view=o365-worldwide&viewFallbackFrom=o365-worldwide%22%20%5Cl%20%22supported-mailbox-types +[Microsoft Purview Compliance Manager - Microsoft 365 Compliance \|Microsoft + Learn]: https://learn.microsoft.com/en-us/microsoft-365/compliance/compliance-manager?view=o365-worldwide +[Manage mailbox auditing in Office +365]: https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-mailboxes?view=o365-worldwide +[Configure anti-spam policies in EOP \| Microsoft Learn]: https://learn.microsoft.com/en-us/defender-office-365/anti-spam-policies-configure?view=o365-worldwide +[T1566.002: Spearphishing Link]: https://attack.mitre.org/techniques/T1566/002/ +[Alerts \| CISA M365 Security Configuration Baseline for Defender for Office 365]: ./defender.md#5-alerts +[T1078: Valid Accounts]: https://attack.mitre.org/techniques/T1078/ +[T1078.004: Cloud Accounts]: https://attack.mitre.org/techniques/T1078/004/ +[T1562.006: Indicator Blocking]: https://attack.mitre.org/techniques/T1562/006/ +[enabling alerts]: ./defender.md#msdefender51v1-instructions +[add email recipients to an alert]: ./defender.md#msdefender51v1-instructions +[audit log retention +policy]: https://learn.microsoft.com/en-us/purview/audit-log-retention-policies?view=o365-worldwide#create-an-audit-log-retention-policy +[Audit Logging \| CISA M365 Security Configuration Baseline for Defender for Office 365]: ./defender.md#6-audit-logging +[Expanding cloud logging to give customers deeper security visibility \| + Microsoft Security Blog]: https://www.microsoft.com/en-us/security/blog/2023/07/19/expanding-cloud-logging-to-give-customers-deeper-security-visibility/ +[Export, configure, and view audit log records | Microsoft Learn]: https://learn.microsoft.com/en-us/purview/audit-log-export-records +[Untitled Goose Tool Fact Sheet | CISA.]: https://www.cisa.gov/resources-tools/resources/untitled-goose-tool-fact-sheet +[Manage audit log 
retention policies | Microsoft Learn]: https://learn.microsoft.com/en-us/purview/audit-log-retention-policies?tabs=microsoft-purview-portal#before-you-create-an-audit-log-retention-policy +[Licensing requirements \| Microsoft + Docs]: https://docs.microsoft.com/en-us/microsoft-365/compliance/auditing-solutions-overview?view=o365-worldwide#licensing-requirements +[Microsoft Purview +(Standard)]: ./defender.md#msdefender61v1-instructions +[Microsoft Purview +(Premium)]: ./defender.md#msdefender62v1-instructions +[create an audit retention policy]: ./defender.md#msdefender62v1-instructions \ No newline at end of file diff --git a/PowerShell/ScubaGear/baselines/powerbi.md b/PowerShell/ScubaGear/baselines/powerbi.md index 79e11727c2..5baffa4edf 100644 --- a/PowerShell/ScubaGear/baselines/powerbi.md +++ b/PowerShell/ScubaGear/baselines/powerbi.md 
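Review bot: the `[Supported mailbox types \| Microsoft Learn]` definition in this hunk carries a mangled URL, `...audit-mailboxes?view=o365-worldwide&viewFallbackFrom=o365-worldwide%22%20%5Cl%20%22supported-mailbox-types` (a percent-encoded `" \l "` Word-hyperlink artifact where the `#supported-mailbox-types` fragment should be); it was already wrong in the removed inline link, but since this PR rewrites every link it is the place to fix it, most likely as `https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-mailboxes?view=o365-worldwide#supported-mailbox-types`. Two more things in the same block deserve a look: `[create an audit retention policy]: ./defender.md#msdefender62v1-instructions` is the same anchor as `[Microsoft Purview (Premium)]`, so MS.EXO.17.3v1 Instructions sends readers to the Purview Premium steps rather than to retention-policy steps (again carried over from the removed line, but please confirm it is the intended target), and the label `[How Office 365 handles outbound email that fails DMARC \| Microsoft Learn]` points at the `#how-microsoft-365-handles-inbound-email-that-fails-dmarc` fragment, so either the label or the fragment is wrong. Style: several labels are split across lines (`[M365` / `E3]`, `[Trustworthy Email \| NIST 800-177 Rev.` / `1]`, `[Use` / `the Microsoft 365 Defender portal ...]`); CommonMark normalizes internal line endings in labels so GitHub should render them, but one-line labels are much easier to grep and to link-check, and the pairs of definitions that share one URL (`[Manage mailbox auditing in Office 365 \| Microsoft Learn]` and `[Manage mailbox auditing in Office 365]`, the two "Use the Microsoft 365 Defender portal to modify the default connection filter policy" labels) could collapse to a single label each. Also add the trailing newline that git flags with `\ No newline at end of file`.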
@@ -14,10 +14,10 @@ For non-Federal users, the information in this document is being provided “as ## License Compliance and Copyright -Portions of this document are adapted from documents in Microsoft's [M365](https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/LICENSE) and [Azure](https://github.com/MicrosoftDocs/azure-docs/blob/main/LICENSE) GitHub repositories. The respective documents are subject to copyright and are adapted under the terms of the Creative Commons Attribution 4.0 International license. Sources are linked throughout this document. The United States government has adapted selections of these documents to develop innovative and scalable configuration standards to strengthen the security of widely used cloud-based software services. +Portions of this document are adapted from documents in Microsoft's [M365][] and [Azure][] GitHub repositories. The respective documents are subject to copyright and are adapted under the terms of the Creative Commons Attribution 4.0 International license. Sources are linked throughout this document. The United States government has adapted selections of these documents to develop innovative and scalable configuration standards to strengthen the security of widely used cloud-based software services. ## Assumptions -The **License Requirements** sections of this document assume the organization is using an [M365 E3](https://www.microsoft.com/en-us/microsoft-365/compare-microsoft-365-enterprise-plans) or [G3](https://www.microsoft.com/en-us/microsoft-365/government) license level at a minimum. Therefore, only licenses not included in E3/G3 are listed. +The **License Requirements** sections of this document assume the organization is using an [M365 E3][] or [G3][] license level at a minimum. Therefore, only licenses not included in E3/G3 are listed. Agencies using Power BI may have a data classification scheme in place for 
@@ -29,7 +29,7 @@ Agencies using Power BI may have a data classification scheme in place for the Power BI tenant; the agency disallows non-secure connections. ## Key Terminology -The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119](https://datatracker.ietf.org/doc/html/rfc2119). +The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119][]. Access to PowerBI can be controlled by the user type. In this baseline, the types of users are defined as follows: @@ -68,15 +68,15 @@ The Publish to Web feature SHOULD be disabled unless the agency mission requires - _Rationale:_ A publicly accessible web URL can be accessed by everyone, including malicious actors. This policy limits information available on the public web that is not specifically allowed to be published. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) + - [T1530: Data from Cloud Storage][] ### Resources - [About Power BI Tenant settings \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-bi/admin/service-admin-portal-about-tenant-settings) + Learn][] - [Power BI Security Baseline v2.0 \| Microsoft benchmarks GitHub - repo](https://github.com/MicrosoftDocs/SecurityBenchmarks/blob/master/Azure%20Offer%20Security%20Baselines/2.0/power-bi-security-baseline-v2.0.xlsx) + repo][] ### License Requirements 
@@ -106,19 +106,19 @@ Guest user access to the Power BI tenant SHOULD be disabled unless the agency mi - _Rationale:_ Disabling external access to Power BI helps keep guest users from accessing potentially risky data and application programming interfaces (APIs). If an agency needs to allow guest access, this can be limited to users in specific security groups to curb risk. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1485: Data Destruction](https://attack.mitre.org/techniques/T1485/) - - [T1565: Data Manipulation](https://attack.mitre.org/techniques/T1565/) - - [T1565.001: Stored Data Manipulation](https://attack.mitre.org/techniques/T1565/001/) - - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) - - [T1078.001: Default Accounts](https://attack.mitre.org/techniques/T1078/001/) + - [T1485: Data Destruction][] + - [T1565: Data Manipulation][] + - [T1565.001: Stored Data Manipulation][] + - [T1078: Valid Accounts][] + - [T1078.001: Default Accounts][] ### Resources - [About Power BI Tenant settings \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-bi/admin/service-admin-portal-about-tenant-settings) + Learn][] - [Power BI Security Baseline v2.0 \| Microsoft benchmarks GitHub - repo](https://github.com/MicrosoftDocs/SecurityBenchmarks/blob/master/Azure%20Offer%20Security%20Baselines/2.0/power-bi-security-baseline-v2.0.xlsx) + repo][] ### License Requirements 
@@ -167,24 +167,24 @@ The Invite external users to your organization feature SHOULD be disabled unless > Note: > If this feature is disabled, existing guest users in the tenant continue to have access to Power BI items they already had access to and continue to be listed in user picker experiences. After it is disabled, an external user who is not already a guest user cannot be added to the tenant through Power BI. - _MITRE ATT&CK TTP Mapping:_ - - [T1485: Data Destruction](https://attack.mitre.org/techniques/T1485/) - - [T1565: Data Manipulation](https://attack.mitre.org/techniques/T1565/) - - [T1565.001: Stored Data Manipulation](https://attack.mitre.org/techniques/T1565/001/) - - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) - - [T1078.001: Default Accounts](https://attack.mitre.org/techniques/T1078/001/) - - [T1199: Trusted Relationship](https://attack.mitre.org/techniques/T1199/) + - [T1485: Data Destruction][] + - [T1565: Data Manipulation][] + - [T1565.001: Stored Data Manipulation][] + - [T1078: Valid Accounts][] + - [T1078.001: Default Accounts][] + - [T1199: Trusted Relationship][] ### Resources - [About Power BI Tenant settings \| Microsoft - Docs](https://learn.microsoft.com/en-us/power-bi/admin/service-admin-portal-about-tenant-settings) + Docs][] - [Distribute Power BI content to external guest users with Microsoft Entra B2B \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-bi/enterprise/service-admin-azure-ad-b2b) + Learn][] - [Power BI Security Baseline v2.0 \| Microsoft benchmarks GitHub - repo](https://github.com/MicrosoftDocs/SecurityBenchmarks/blob/master/Azure%20Offer%20Security%20Baselines/2.0/power-bi-security-baseline-v2.0.xlsx) + repo][] ### License Requirements 
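Review bot: label inconsistency: this hunk uses `[About Power BI Tenant settings \| Microsoft Docs][]` while the -68 and -106 hunks above use `[About Power BI Tenant settings \| Microsoft Learn][]`, and the removed lines show all three pointed at the same `learn.microsoft.com/en-us/power-bi/admin/service-admin-portal-about-tenant-settings` URL. With reference-style links the label is the lookup key, so this needs either two definitions for one target or this occurrence silently renders as literal `[...][]` text if only one is defined; use one label here, and `Learn` is the accurate name for that site.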
@@ -235,8 +235,8 @@ Service principals with access to APIs SHOULD be restricted to specific security - _Rationale:_ With unrestricted service principals, unwanted access to APIs is possible. Allowing service principals through security groups, and only where necessary, mitigates this risk. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/) - - [T1059.009: Cloud API](https://attack.mitre.org/techniques/T1059/009/) + - [T1059: Command and Scripting Interpreter][] + - [T1059.009: Cloud API][] #### MS.POWERBI.4.2v1 Service principals creating and using profiles SHOULD be restricted to specific security groups. 
@@ -245,33 +245,33 @@ Service principals creating and using profiles SHOULD be restricted to specific - _Rationale:_ With unrestricted service principals creating/using profiles, there is risk of an unauthorized user using a profile with more permissions than they have. Allowing service principals through security groups will mitigate that risk. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) - - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) + - [T1098: Account Manipulation][] + - [T1098.003: Additional Cloud Roles][] ### Resources - [Automate Premium workspace and dataset tasks with service principal \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-bi/enterprise/service-premium-service-principal) + Learn][] - [Embed Power BI content with service principal and an application secret \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal) + Learn][] - [Embed Power BI content with service principal and a certificate \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal-certificate) + Learn][] - [Enable service principal authentication for read-only admin APIs \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-bi/enterprise/read-only-apis-service-principal-authentication) + Learn][] - [Microsoft Power BI Embedded Developer Code Samples \| Microsoft - GitHub](https://github.com/microsoft/PowerBI-Developer-Samples/blob/master/Python/Encrypt%20credentials/README.md) + GitHub][] - [Azure security baseline for Power BI \| Microsoft - Learn](https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/power-bi-security-baseline) + Learn][] ### License Requirements 
@@ -323,18 +323,18 @@ ResourceKey-based authentication SHOULD be blocked unless a specific use case (e - _Rationale:_ If resource keys are allowed, someone can move data without Microsoft Entra ID OAuth bearer token, causing possibly malicious or junk data to be stored. Disabling resource keys reduces risk that an unauthorized individual will make changes. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1134: Access Token Manipulation](https://attack.mitre.org/techniques/T1134/) - - [T1134.001: Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001/) - - [T1134.003: Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003/) + - [T1134: Access Token Manipulation][] + - [T1134.001: Token Impersonation/Theft][] + - [T1134.003: Make and Impersonate Token][] ### Resources - [Power BI Tenant settings \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-bi/admin/service-admin-portal-about-tenant-settings) + Learn][] - [Real-time streaming in Power BI \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-bi/connect-data/service-real-time-streaming) + Learn][] ### License Requirements 
@@ -371,15 +371,15 @@ Python and R interactions SHOULD be disabled. - _Rationale:_ External code poses a security and privacy risk as there is no good way to regulate what is done with the data or integrations. Disabling this will reduce the risk of a data leak or malicious actor. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/) - - [T1059.009: Cloud API](https://attack.mitre.org/techniques/T1059/009/) - - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) - - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) + - [T1059: Command and Scripting Interpreter][] + - [T1059.009: Cloud API][] + - [T1048: Exfiltration Over Alternative Protocol][] + - [T1567: Exfiltration Over Web Service][] ### Resources - [Create Power BI visuals with Python \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-bi/connect-data/desktop-python-visuals) + Learn][] ### License Requirements 
@@ -421,30 +421,30 @@ Sensitivity labels SHOULD be enabled for Power BI and employed for sensitive dat - _Rationale:_ A document without sensitivity labels may be opened unknowingly, potentially exposing data to someone who is not supposed to have access to it. This policy will help organize and classify data, making it easier to keep data out of the wrong hands. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) - - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) - - [T1213.002: Sharepoint](https://attack.mitre.org/techniques/T1213/002/) - - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) - - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) + - [T1048: Exfiltration Over Alternative Protocol][] + - [T1213: Data from Information Repositories][] + - [T1213.002: Sharepoint][] + - [T1530: Data from Cloud Storage][] + - [T1567: Exfiltration Over Web Service][] ### Resources - [Enable sensitivity labels in Power BI \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-bi/enterprise/service-security-enable-data-sensitivity-labels) + Learn][] - [Data loss prevention policies for Power BI \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-bi/enterprise/service-security-dlp-policies-for-power-bi-overview) + Learn][] - [Data Protection in Power BI \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-bi/enterprise/service-security-data-protection-overview) + Learn][] - [Power BI Security Baseline v2.0 \| Microsoft benchmarks GitHub - repo](https://github.com/MicrosoftDocs/SecurityBenchmarks/blob/master/Azure%20Offer%20Security%20Baselines/2.0/power-bi-security-baseline-v2.0.xlsx) + repo][] ### License Requirements - Microsoft Purview Information Protection Premium P1 or Premium P2 license is required to apply or view Microsoft Information 
Protection sensitivity labels in Power BI. Azure Information Protection can be purchased either standalone or through one of the Microsoft licensing suites. See [Microsoft Purview Information Protection - service description](https://azure.microsoft.com/services/information-protection/) for + service description][] for details. - Microsoft Purview Information Protection sensitivity labels need to be migrated to @@ -458,7 +458,7 @@ Sensitivity labels SHOULD be enabled for Power BI and employed for sensitive dat - Before enabling sensitivity labels on the agency's tenant, ensure sensitivity labels have been defined and published for relevant users and groups. See [Create and configure sensitivity labels and their - policies](https://learn.microsoft.com/en-us/purview/create-sensitivity-labels) + policies][] for detail. @@ -530,7 +530,7 @@ the agency. labels in Power BI. Microsoft Purview Information Protection can be purchased either standalone or through one of the Microsoft licensing suites. See [Microsoft Purview Information Protection - service](https://learn.microsoft.com/en-us/office365/servicedescriptions/azure-information-protection) description for + service][] description for details. - Microsoft Purview Information Protection sensitivity labels need to be migrated to @@ -545,7 +545,7 @@ the agency. that sensitivity labels have been defined and published for relevant users and groups. See [Create and configure sensitivity labels and their - policies](https://learn.microsoft.com/en-us/purview/create-sensitivity-labels) + policies][] for detail. **High-Level Steps to Use Bring Your Own Key (BYOK) Feature in Power 
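Review bot: in the -530 hunk the label is cut mid-phrase, `[Microsoft Purview Information Protection service][] description for details`, so the key that now has to be defined at the bottom of the file is just "... service", while the -421 hunk uses `[Microsoft Purview Information Protection service description][]` for a sentence that reads the same way. The removed lines show these two went to different URLs (`azure.microsoft.com/services/information-protection/` versus `learn.microsoft.com/en-us/office365/servicedescriptions/azure-information-protection`), so two labels are genuinely needed; give them distinct, self-describing names (for example appending `\| Azure` and `\| Microsoft Learn`) rather than relying on the trailing word "description" being inside or outside the brackets to tell them apart.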
@@ -555,9 +555,9 @@ First, confirm having the latest Power BI Management cmdlet. Install the latest version by running Install-Module -Name MicrosoftPowerBIMgmt. More information about the Power BI cmdlet and its parameters is available in [Power BI PowerShell cmdlet -module](https://learn.microsoft.com/en-us/powershell/power-bi/overview?view=powerbi-ps). +module][]. -Follow steps in [Bring Your Own (encryption) Keys for Power BI](https://learn.microsoft.com/en-us/power-bi/enterprise/service-encryption-byok). +Follow steps in [Bring Your Own (encryption) Keys for Power BI][]. **Row-Level Security Implementation** @@ -584,24 +584,24 @@ should be completed in the following order. - Reference Microsoft Power BI documentation for additional detail on [row-level security - configuration](https://learn.microsoft.com/en-us/power-bi/enterprise/service-admin-rls). + configuration][]. **Related Resources** - [Sensitivity labels in Power BI \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-bi/enterprise/service-security-sensitivity-label-overview) + Learn][] - [Bring your own encryption keys for Power BI \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-bi/enterprise/service-encryption-byok) + Learn][] - [What is an on-premises data gateway? \| Microsoft - Learn](https://learn.microsoft.com/en-us/data-integration/gateway/service-gateway-onprem) + Learn][] - [Row-level security (RLS) with Power BI \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-bi/enterprise/service-admin-rls) + Learn][] - [Power BI PowerShell cmdlets and modules references \| Microsoft - Learn](https://learn.microsoft.com/en-us/powershell/power-bi/overview?view=powerbi-ps) + Learn][] # Appendix B: Source Code and Credential Security Considerations 
@@ -623,7 +623,7 @@ use BYOK, which is supported by Power BI. By default, Power BI uses Microsoft-managed keys to encrypt the data. In Power BI Premium, users can use their own keys for data at-rest imported into a dataset. See [Data source and storage -considerations](https://learn.microsoft.com/en-us/power-bi/enterprise/service-encryption-byok#data-source-and-storage-considerations) +considerations][] for more information. - For Power BI embedded applications, a best practice is to implement a @@ -637,7 +637,7 @@ for more information. - Implementers must do their own due diligence in selecting a source code scanner that integrates with their specific environment. - Microsoft documentation references an Open Web Application Security Project, [Source Code Analysis Tools](https://owasp.org/www-community/Source_Code_Analysis_Tools); which is a guide to + Microsoft documentation references an Open Web Application Security Project, [Source Code Analysis Tools][]; which is a guide to third-party scanners. This baseline does not endorse or advise on the selection or use of any specific third-party tool. 
@@ -672,27 +672,27 @@ configuration steps are as follows: 3. To turn on BYOK, Power BI Tenant administrators must use a set of Power BI [Admin PowerShell - Cmdlets](https://learn.microsoft.com/en-us/powershell/module/microsoftpowerbimgmt.admin/?view=powerbi-ps) + Cmdlets][] added to the Power BI Admin Cmdlets. - Follow detailed steps in Microsoft's [Bring your own encryption keys for Power BI](https://learn.microsoft.com/en-us/power-bi/enterprise/service-encryption-byok) + Follow detailed steps in Microsoft's [Bring your own encryption keys for Power BI][] from Microsoft. **Related Resources** - [Bring your own encryption keys for Power BI \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-bi/enterprise/service-encryption-byok) + Learn][] -- [Microsoft Security DevOps Azure DevOps extension](https://learn.microsoft.com/en-us/azure/defender-for-cloud/azure-devops-extension) +- [Microsoft Security DevOps Azure DevOps extension][] - For GitHub, the agency can use the native secret scanning feature to identify credentials or other form of secrets within code at [About secret scanning \| GitHub - docs](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning) + docs][] - [Announcing General Availability of Bring Your Own Key (BYOK) for Power BI - Premium](https://powerbi.microsoft.com/en-us/blog/announcing-general-availability-of-bring-your-own-key-byok-for-power-bi-premium/) + Premium][] # Appendix C: File Export and Visual Artifact Considerations 
@@ -724,13 +724,13 @@ the Export and Sharing Settings. **Related Resources** - [Sensitivity labels in Power BI \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-bi/enterprise/service-security-sensitivity-label-overview) + Learn][] - [Say No to Export Data, Yes to Analyze in - Excel](https://radacad.com/say-no-to-export-data-yes-to-analyze-in-excel-power-bi-and-excel-can-talk) + Excel][] - [Power BI Governance – Why you should consider disabling Export to - Excel](https://data-marc.com/2020/04/13/power-bi-governance-why-you-should-consider-to-disable-export-to-excel/) + Excel][] **Implementation settings** @@ -784,9 +784,9 @@ disabling public internet access. **Related Resources** - [Private endpoints for secure access to Power BI \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-bi/enterprise/service-security-private-links) + Learn][] -- [Azure security baseline for Power BI](https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/power-bi-security-baseline) +- [Azure security baseline for Power BI][] ## Best Practices for Service Principals 
@@ -806,3 +806,109 @@ disabling public internet access. > This policy is only applicable if the setting **Allow service principals to use Power BI APIs** is enabled. **`TLP:CLEAR`** + +[M365]: https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/LICENSE +[Azure]: https://github.com/MicrosoftDocs/azure-docs/blob/main/LICENSE +[M365 E3]: https://www.microsoft.com/en-us/microsoft-365/compare-microsoft-365-enterprise-plans +[G3]: https://www.microsoft.com/en-us/microsoft-365/government +[RFC 2119]: https://datatracker.ietf.org/doc/html/rfc2119 +[T1530: Data from Cloud Storage]: https://attack.mitre.org/techniques/T1530/ +[About Power BI Tenant settings \| Microsoft + Learn]: https://learn.microsoft.com/en-us/power-bi/admin/service-admin-portal-about-tenant-settings +[Power BI Security Baseline v2.0 \| Microsoft benchmarks GitHub + repo]: https://github.com/MicrosoftDocs/SecurityBenchmarks/blob/master/Azure%20Offer%20Security%20Baselines/2.0/power-bi-security-baseline-v2.0.xlsx +[T1485: Data Destruction]: https://attack.mitre.org/techniques/T1485/ +[T1565: Data Manipulation]: https://attack.mitre.org/techniques/T1565/ +[T1565.001: Stored Data Manipulation]: https://attack.mitre.org/techniques/T1565/001/ +[T1078: Valid Accounts]: https://attack.mitre.org/techniques/T1078/ +[T1078.001: Default Accounts]: https://attack.mitre.org/techniques/T1078/001/ +[T1199: Trusted Relationship]: https://attack.mitre.org/techniques/T1199/ +[About Power BI Tenant settings \| Microsoft + Docs]: https://learn.microsoft.com/en-us/power-bi/admin/service-admin-portal-about-tenant-settings +[Distribute Power BI content to external guest users with Microsoft Entra B2B \| + Microsoft + Learn]: https://learn.microsoft.com/en-us/power-bi/enterprise/service-admin-azure-ad-b2b +[T1059: Command and Scripting Interpreter]: https://attack.mitre.org/techniques/T1059/ +[T1059.009: Cloud API]: https://attack.mitre.org/techniques/T1059/009/ +[T1098: Account Manipulation]: 
https://attack.mitre.org/techniques/T1098/ +[T1098.003: Additional Cloud Roles]: https://attack.mitre.org/techniques/T1098/003/ +[Automate Premium workspace and dataset tasks with service principal + \| Microsoft + Learn]: https://learn.microsoft.com/en-us/power-bi/enterprise/service-premium-service-principal +[Embed Power BI content with service principal and an application + secret \| Microsoft + Learn]: https://learn.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal +[Embed Power BI content with service principal and a certificate \| + Microsoft + Learn]: https://learn.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal-certificate +[Enable service principal authentication for read-only admin APIs \| + Microsoft + Learn]: https://learn.microsoft.com/en-us/power-bi/enterprise/read-only-apis-service-principal-authentication +[Microsoft Power BI Embedded Developer Code Samples \| Microsoft + GitHub]: https://github.com/microsoft/PowerBI-Developer-Samples/blob/master/Python/Encrypt%20credentials/README.md +[Azure security baseline for Power BI \| + Microsoft + Learn]: https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/power-bi-security-baseline +[T1134: Access Token Manipulation]: https://attack.mitre.org/techniques/T1134/ +[T1134.001: Token Impersonation/Theft]: https://attack.mitre.org/techniques/T1134/001/ +[T1134.003: Make and Impersonate Token]: https://attack.mitre.org/techniques/T1134/003/ +[Power BI Tenant settings \| Microsoft + Learn]: https://learn.microsoft.com/en-us/power-bi/admin/service-admin-portal-about-tenant-settings +[Real-time streaming in Power BI \| Microsoft + Learn]: https://learn.microsoft.com/en-us/power-bi/connect-data/service-real-time-streaming +[T1048: Exfiltration Over Alternative Protocol]: https://attack.mitre.org/techniques/T1048/ +[T1567: Exfiltration Over Web Service]: https://attack.mitre.org/techniques/T1567/ +[Create Power BI visuals with Python \| Microsoft + Learn]: 
https://learn.microsoft.com/en-us/power-bi/connect-data/desktop-python-visuals +[T1213: Data from Information Repositories]: https://attack.mitre.org/techniques/T1213/ +[T1213.002: Sharepoint]: https://attack.mitre.org/techniques/T1213/002/ +[Enable sensitivity labels in Power BI \| Microsoft + Learn]: https://learn.microsoft.com/en-us/power-bi/enterprise/service-security-enable-data-sensitivity-labels +[Data loss prevention policies for Power BI \| Microsoft + Learn]: https://learn.microsoft.com/en-us/power-bi/enterprise/service-security-dlp-policies-for-power-bi-overview +[Data Protection in Power BI \| Microsoft + Learn]: https://learn.microsoft.com/en-us/power-bi/enterprise/service-security-data-protection-overview +[Microsoft Purview Information Protection + service description]: https://azure.microsoft.com/services/information-protection/ +[Create and configure sensitivity labels and + their + policies]: https://learn.microsoft.com/en-us/purview/create-sensitivity-labels +[Microsoft Purview Information Protection + service]: https://learn.microsoft.com/en-us/office365/servicedescriptions/azure-information-protection +[Power BI PowerShell cmdlet +module]: https://learn.microsoft.com/en-us/powershell/power-bi/overview?view=powerbi-ps +[Bring Your Own (encryption) Keys for Power BI]: https://learn.microsoft.com/en-us/power-bi/enterprise/service-encryption-byok +[row-level security + configuration]: https://learn.microsoft.com/en-us/power-bi/enterprise/service-admin-rls +[Sensitivity labels in Power BI \| Microsoft + Learn]: https://learn.microsoft.com/en-us/power-bi/enterprise/service-security-sensitivity-label-overview +[Bring your own encryption keys for Power BI \| Microsoft + Learn]: https://learn.microsoft.com/en-us/power-bi/enterprise/service-encryption-byok +[What is an on-premises data gateway? 
\| Microsoft + Learn]: https://learn.microsoft.com/en-us/data-integration/gateway/service-gateway-onprem +[Row-level security (RLS) with Power BI \| Microsoft + Learn]: https://learn.microsoft.com/en-us/power-bi/enterprise/service-admin-rls +[Power BI PowerShell cmdlets and modules references \| Microsoft + Learn]: https://learn.microsoft.com/en-us/powershell/power-bi/overview?view=powerbi-ps +[Data source and storage +considerations]: https://learn.microsoft.com/en-us/power-bi/enterprise/service-encryption-byok#data-source-and-storage-considerations +[Source Code Analysis Tools]: https://owasp.org/www-community/Source_Code_Analysis_Tools +[Admin PowerShell + Cmdlets]: https://learn.microsoft.com/en-us/powershell/module/microsoftpowerbimgmt.admin/?view=powerbi-ps +[Bring your own encryption keys for Power BI]: https://learn.microsoft.com/en-us/power-bi/enterprise/service-encryption-byok +[Bring your own encryption keys for Power BI \| Microsoft + Learn]: https://learn.microsoft.com/en-us/power-bi/enterprise/service-encryption-byok +[Microsoft Security DevOps Azure DevOps extension]: https://learn.microsoft.com/en-us/azure/defender-for-cloud/azure-devops-extension +[About + secret scanning \| GitHub + docs]: https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning +[Announcing General Availability of Bring Your Own Key (BYOK) for + Power BI + Premium]: https://powerbi.microsoft.com/en-us/blog/announcing-general-availability-of-bring-your-own-key-byok-for-power-bi-premium/ +[Say No to Export Data, Yes to Analyze in + Excel]: https://radacad.com/say-no-to-export-data-yes-to-analyze-in-excel-power-bi-and-excel-can-talk +[Power BI Governance – Why you should consider disabling Export to + Excel]: https://data-marc.com/2020/04/13/power-bi-governance-why-you-should-consider-to-disable-export-to-excel/ +[Private endpoints for secure access to Power BI \| Microsoft + Learn]: 
https://learn.microsoft.com/en-us/power-bi/enterprise/service-security-private-links +[Azure security baseline for Power BI]: https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/power-bi-security-baseline \ No newline at end of file diff --git a/PowerShell/ScubaGear/baselines/powerplatform.md b/PowerShell/ScubaGear/baselines/powerplatform.md index 73941ecf59..6cc0384cdb 100644 --- a/PowerShell/ScubaGear/baselines/powerplatform.md +++ b/PowerShell/ScubaGear/baselines/powerplatform.md 
@@ -15,18 +15,18 @@ For non-Federal users, the information in this document is being provided “as ## License Compliance and Copyright -Portions of this document are adapted from documents in Microsoft’s [Microsoft 365](https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/LICENSE) and [Azure](https://github.com/MicrosoftDocs/azure-docs/blob/main/LICENSE) GitHub repositories. The respective documents are subject to copyright and are adapted under the terms of the Creative Commons Attribution 4.0 International license. Source documents are linked throughout this document. The United States Government has adapted selections of these documents to develop innovative and scalable configuration standards to strengthen the security of widely used cloud-based software services. +Portions of this document are adapted from documents in Microsoft’s [Microsoft 365][] and [Azure][] GitHub repositories. The respective documents are subject to copyright and are adapted under the terms of the Creative Commons Attribution 4.0 International license. Source documents are linked throughout this document. The United States Government has adapted selections of these documents to develop innovative and scalable configuration standards to strengthen the security of widely used cloud-based software services. ## Assumptions -The **License Requirements** sections of this document assume the organization is using an [M365 E3](https://www.microsoft.com/en-us/microsoft-365/compare-microsoft-365-enterprise-plans) or [G3](https://www.microsoft.com/en-us/microsoft-365/government) license level at a minimum. Therefore, only licenses not included in E3/G3 are listed. +The **License Requirements** sections of this document assume the organization is using an [M365 E3][] or [G3][] license level at a minimum. Therefore, only licenses not included in E3/G3 are listed. 
## Key Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in -[RFC 2119](https://datatracker.ietf.org/doc/html/rfc2119). +[RFC 2119][]. The following section summarizes the various Power Platform applications referenced in this baseline: 
@@ -36,28 +36,28 @@ to create custom business applications. The apps can be developed as desktop, mobile, and even web apps. Three different types of Power Apps can be created: - 1. [**Canvas Apps**](https://learn.microsoft.com/en-us/power-apps/maker/canvas-apps/): These are drag and + 1. [**Canvas Apps**][]: These are drag and drop style developed apps, where users drag and add User Interface (UI) components to the screen. Users can then connect the components to data sources to display data in the canvas app. - 2. [**Model-Driven Apps**](https://learn.microsoft.com/en-us/power-apps/maker/model-driven-apps/): These are apps developed from an existing + 2. [**Model-Driven Apps**][]: These are apps developed from an existing data source. They can be thought of as the inverse of a Canvas App. Since, you build the app from the source rather than building the UI and then connecting to the source like Canvas apps. - 3. [**Power Pages**](https://learn.microsoft.com/en-us/power-pages/): These apps that are developed to function as either internal or external facing websites. + 3. [**Power Pages**][]: These apps that are developed to function as either internal or external facing websites. -2. [**Power Automate**](https://learn.microsoft.com/en-us/power-automate/): This is an online tool within Microsoft 365 and add-ins used to create automated workflows between apps +2. [**Power Automate**][]: This is an online tool within Microsoft 365 and add-ins used to create automated workflows between apps and services to synchronize files, get notifications, and collect data. -3. [**Power Virtual Agents**](https://learn.microsoft.com/en-us/power-virtual-agents/): These are custom chat bots for use in the stand-alone Power Virtual Agents web app or in a Microsoft Teams +3. [**Power Virtual Agents**][]: These are custom chat bots for use in the stand-alone Power Virtual Agents web app or in a Microsoft Teams channel. -4. 
[**Connectors**](https://learn.microsoft.com/en-us/connectors/connector-reference/): These are proxies or wrappers around an API that allow the underlying service to be accessed from Power Automate Workflows, Power Apps, or Azure Logic Apps. +4. [**Connectors**][]: These are proxies or wrappers around an API that allow the underlying service to be accessed from Power Automate Workflows, Power Apps, or Azure Logic Apps. -5. [**Microsoft Dataverse**](https://learn.microsoft.com/en-us/power-apps/maker/data-platform/): This is a cloud database management system most +5. [**Microsoft Dataverse**][]: This is a cloud database management system most often used to store data in SQL-like tables. A Power App would then use a connector to connect to the Dataverse table and perform create, read, update, and delete (CRUD) operations. @@ -68,7 +68,7 @@ Baseline Policies in this document are targeted towards administrative controls Power Platform applications at either the tenant or Power Platform environment level. Additional Power Platform security settings can be implemented at the app level, connector level, or Dataverse table level. -Refer to [Power Platform Microsoft Learn documentation](https://learn.microsoft.com/en-us/power-platform/) for those additional controls. +Refer to [Power Platform Microsoft Learn documentation][] for those additional controls. ## 1. Creation of Power Platform Environments 
@@ -84,8 +84,8 @@ The ability to create production and sandbox environments SHALL be restricted to - _Last Modified:_ June 2023 - Note: This control restricts creating environments to users with Global admin, Dynamics 365 service admin, Power Platform service admins, or Delegated admin roles. - _MITRE ATT&CK TTP Mapping:_ - - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) - - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) + - [T1567: Exfiltration Over Web Service][] + - [T1048: Exfiltration Over Alternative Protocol][] #### MS.POWERPLATFORM.1.2v1 The ability to create trial environments SHALL be restricted to admins. @@ -101,13 +101,13 @@ The ability to create trial environments SHALL be restricted to admins. - [Control who can create and manage environments in the Power Platform admin center \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-platform/admin/control-environment-creation) + Learn][] - [Power Platform \| Digital Transformation Agency of - Australia](https://desktop.gov.au/blueprint/office-365.html#power-platform) + Australia][] - [Microsoft Power Apps Documentation \| Power - Apps](https://learn.microsoft.com/en-us/power-apps/) + Apps][] ### License Requirements @@ -117,7 +117,7 @@ The ability to create trial environments SHALL be restricted to admins. #### MS.POWERPLATFORM.1.1v1 Instructions 1. Sign in to your tenant environment's respective [Power Platform admin - center](https://learn.microsoft.com/en-us/power-platform/admin/powerapps-us-government#power-apps-us-government-service-urls). + center][]. 2. In the upper-right corner of the Microsoft Power Platform site, select the **Gear icon** (Settings icon). 
@@ -170,8 +170,8 @@ A DLP policy SHALL be created to restrict connector access in the default Power - _Last Modified:_ June 2023 - _Note:_ The following connectors drive core Power Platform functionality and enable core Office customization scenarios: Approvals, Dynamics 365 Customer Voice, Excel Online (Business), Microsoft DataverseMicrosoft Dataverse (legacy), Microsoft Teams, Microsoft To-Do (Business), Office 365 Groups, Office 365 Outlook, Office 365 Users, OneDrive for Business, OneNote (Business), Planner, Power Apps Notification, Power BI, SharePoint, Shifts for Microsoft Teams, and Yammer. As such these connectors remain non-blockable to maintain core user scenario functions. - _MITRE ATT&CK TTP Mapping:_ - - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) - - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) + - [T1567: Exfiltration Over Web Service][] + - [T1048: Exfiltration Over Alternative Protocol][] #### MS.POWERPLATFORM.2.2v1 Non-default environments SHOULD have at least one DLP policy affecting them. 
@@ -180,23 +180,23 @@ Non-default environments SHOULD have at least one DLP policy affecting them. - _Rationale:_ Users may inadvertently use connectors that share sensitive information with others who should not have access to it. DLP policies provide a way for agencies to detect and prevent unauthorized disclosures. - _Last Modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) - - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) + - [T1567: Exfiltration Over Web Service][] + - [T1048: Exfiltration Over Alternative Protocol][] ### Resources - [Data Policies for Power Automate and Power Apps \| Digital Transformation Agency of - Australia](https://desktop.gov.au/blueprint/office-365.html#power-apps-and-power-automate) + Australia][] - [Create a data loss prevention (DLP) policy \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-platform/admin/create-dlp-policy) + Learn][] - [DLP connector classification \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-platform/admin/dlp-connector-classification?source=recommendations) + Learn][] - [DLP for custom connectors \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-platform/admin/dlp-custom-connector-parity?WT.mc_id=ppac_inproduct_datapol) + Learn][] ### License Requirements @@ -206,7 +206,7 @@ Non-default environments SHOULD have at least one DLP policy affecting them. #### MS.POWERPLATFORM.2.1v1 Instructions 1. Sign in to your tenant environment's respective [Power Platform admin - center](https://learn.microsoft.com/en-us/power-platform/admin/powerapps-us-government#power-apps-us-government-service-urls). + center][]. 2. On the left pane, select **Policies** \> **Data Policies.** 
@@ -225,7 +225,7 @@ Non-default environments SHOULD have at least one DLP policy affecting them. 9. At the bottom of the screen, select **Next** to move on. 10. Add a custom connector pattern. Custom connectors allow admins to specify an ordered list of Allow and Deny URL patterns for custom connectors. View [DLP for custom connectors \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-platform/admin/dlp-custom-connector-parity?WT.mc_id=ppac_inproduct_datapol) for more information. + Learn][] for more information. 11. Click **Next**. @@ -270,9 +270,9 @@ Power Platform tenant isolation SHALL be enabled. - _Rationale:_ Provides an additional tenant isolation control on top of Microsoft Entra ID tenant isolation specifically for Power Platform applications to prevent accidental or malicious cross tenant information sharing. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) - - [T1078.004: Cloud Accounts](https://attack.mitre.org/techniques/T1078/004/) - - [T1190: Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190/) + - [T1078: Valid Accounts][] + - [T1078.004: Cloud Accounts][] + - [T1190: Exploit Public-Facing Application][] #### MS.POWERPLATFORM.3.2v1 An inbound/outbound connection allowlist SHOULD be configured. @@ -287,7 +287,7 @@ An inbound/outbound connection allowlist SHOULD be configured. ### Resources - [Enable tenant isolation and configure allowlist \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-platform/admin/cross-tenant-restrictions#enable-tenant-isolation-and-configure-allowlist) + Learn][] ### License Requirements 
@@ -297,7 +297,7 @@ An inbound/outbound connection allowlist SHOULD be configured. #### MS.POWERPLATFORM.3.1v1 Instructions 1. Sign in to your tenant environment's respective [Power Platform admin - center](https://learn.microsoft.com/en-us/power-platform/admin/powerapps-us-government#power-apps-us-government-service-urls). + center][]. 2. On the left pane, select **Policies -\> Tenant Isolation**. @@ -332,12 +332,12 @@ Content Security Policy (CSP) SHALL be enforced for model-driven and canvas Powe - _Rationale:_ Adds CSP as a defense mechanism for Power Apps against common website attacks. - _Last Modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1190: Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190/) + - [T1190: Exploit Public-Facing Application][] ### Resources - [Content Security Policy \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-platform/admin/content-security-policy) + Learn][] ### License Requirements @@ -347,7 +347,7 @@ Content Security Policy (CSP) SHALL be enforced for model-driven and canvas Powe #### MS.POWERPLATFORM.4.1v1 Instructions 1. Sign in to your tenant environment's respective [Power Platform admin -center](https://learn.microsoft.com/en-us/power-platform/admin/powerapps-us-government#power-apps-us-government-service-urls). +center][]. 2. On the left-hand pane click on **Environments** and then select an environment from the list. 
@@ -374,11 +374,11 @@ The ability to create Power Pages sites SHOULD be restricted to admins. - _Rationale:_ Users may unintentionally misconfigure their Power Pages to expose sensitive information or leave the website in a vulnerable state. - _Last Modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1190: Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190/) + - [T1190: Exploit Public-Facing Application][] ### Resources - [Control Portal Creation \| Microsoft - Learn](https://learn.microsoft.com/en-us/power-apps/maker/portals/control-portal-creation) + Learn][] ### License Requirements @@ -387,10 +387,10 @@ The ability to create Power Pages sites SHOULD be restricted to admins. ### Implementation #### MS.POWERPLATFORM.5.1v1 Instructions -1. This setting currently can only be enabled through the [Power Apps PowerShell modules](https://learn.microsoft.com/en-us/power-platform/admin/powerapps-powershell#installation). +1. This setting currently can only be enabled through the [Power Apps PowerShell modules][]. 2. After installing the Power Apps PowerShell modules, run `Add-PowerAppsAccount -Endpoint $YourTenantsEndpoint`. To authenticate to your tenants Power Platform. -Discover the valid endpoint parameter [here](https://learn.microsoft.com/en-us/powershell/module/microsoft.powerapps.administration.powershell/add-powerappsaccount?view=pa-ps-latest#-endpoint). Commercial tenants use `-Endpoint prod`, GCC tenants use `-Endpoint usgov` and so on. +Discover the valid endpoint parameter [here][]. Commercial tenants use `-Endpoint prod`, GCC tenants use `-Endpoint usgov` and so on. 3. Then run the following PowerShell command to disable the creation of Power Pages sites by non-administrative users. 
@@ -399,3 +399,50 @@ Discover the valid endpoint parameter [here](https://learn.microsoft.com/en-us/p ``` **`TLP:CLEAR`** + +[Microsoft 365]: https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/LICENSE +[Azure]: https://github.com/MicrosoftDocs/azure-docs/blob/main/LICENSE +[M365 E3]: https://www.microsoft.com/en-us/microsoft-365/compare-microsoft-365-enterprise-plans +[G3]: https://www.microsoft.com/en-us/microsoft-365/government +[RFC 2119]: https://datatracker.ietf.org/doc/html/rfc2119 +[**Canvas Apps**]: https://learn.microsoft.com/en-us/power-apps/maker/canvas-apps/ +[**Model-Driven Apps**]: https://learn.microsoft.com/en-us/power-apps/maker/model-driven-apps/ +[**Power Pages**]: https://learn.microsoft.com/en-us/power-pages/ +[**Power Automate**]: https://learn.microsoft.com/en-us/power-automate/ +[**Power Virtual Agents**]: https://learn.microsoft.com/en-us/power-virtual-agents/ +[**Connectors**]: https://learn.microsoft.com/en-us/connectors/connector-reference/ +[**Microsoft Dataverse**]: https://learn.microsoft.com/en-us/power-apps/maker/data-platform/ +[Power Platform Microsoft Learn documentation]: https://learn.microsoft.com/en-us/power-platform/ +[T1567: Exfiltration Over Web Service]: https://attack.mitre.org/techniques/T1567/ +[T1048: Exfiltration Over Alternative Protocol]: https://attack.mitre.org/techniques/T1048/ +[Control who can create and manage environments in the Power Platform + admin center \| Microsoft + Learn]: https://learn.microsoft.com/en-us/power-platform/admin/control-environment-creation +[Power Platform \| Digital Transformation Agency of + Australia]: https://desktop.gov.au/blueprint/office-365.html#power-platform +[Microsoft Power Apps Documentation \| Power + Apps]: https://learn.microsoft.com/en-us/power-apps/ +[Power Platform admin + center]: https://learn.microsoft.com/en-us/power-platform/admin/powerapps-us-government#power-apps-us-government-service-urls +[Data Policies for Power Automate and Power Apps \| 
Digital + Transformation Agency of + Australia]: https://desktop.gov.au/blueprint/office-365.html#power-apps-and-power-automate +[Create a data loss prevention (DLP) policy \| Microsoft + Learn]: https://learn.microsoft.com/en-us/power-platform/admin/create-dlp-policy +[DLP connector classification \| Microsoft + Learn]: https://learn.microsoft.com/en-us/power-platform/admin/dlp-connector-classification?source=recommendations +[DLP for custom connectors \| Microsoft + Learn]: https://learn.microsoft.com/en-us/power-platform/admin/dlp-custom-connector-parity?WT.mc_id=ppac_inproduct_datapol +[T1078: Valid Accounts]: https://attack.mitre.org/techniques/T1078/ +[T1078.004: Cloud Accounts]: https://attack.mitre.org/techniques/T1078/004/ +[T1190: Exploit Public-Facing Application]: https://attack.mitre.org/techniques/T1190/ +[Enable tenant isolation and configure allowlist \| Microsoft + Learn]: https://learn.microsoft.com/en-us/power-platform/admin/cross-tenant-restrictions#enable-tenant-isolation-and-configure-allowlist +[Content Security Policy \| Microsoft + Learn]: https://learn.microsoft.com/en-us/power-platform/admin/content-security-policy +[Power Platform admin +center]: https://learn.microsoft.com/en-us/power-platform/admin/powerapps-us-government#power-apps-us-government-service-urls +[Control Portal Creation \| Microsoft + Learn]: https://learn.microsoft.com/en-us/power-apps/maker/portals/control-portal-creation +[Power Apps PowerShell modules]: https://learn.microsoft.com/en-us/power-platform/admin/powerapps-powershell#installation +[here]: https://learn.microsoft.com/en-us/powershell/module/microsoft.powerapps.administration.powershell/add-powerappsaccount?view=pa-ps-latest#-endpoint \ No newline at end of file diff --git a/PowerShell/ScubaGear/baselines/removedpolicies.md b/PowerShell/ScubaGear/baselines/removedpolicies.md index 9d10765499..d766c88855 100644 --- a/PowerShell/ScubaGear/baselines/removedpolicies.md 
+++ b/PowerShell/ScubaGear/baselines/removedpolicies.md @@ -12,17 +12,17 @@ For non-Federal users, the information in this document is being provided “as > This document is marked TLP:CLEAR. Recipients may share this information without restriction. Information is subject to standard copyright rules. For more information on the Traffic Light Protocol, see https://www.cisa.gov/tlp. ## Key Terminology -The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119](https://datatracker.ietf.org/doc/html/rfc2119). +The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119][]. Additional terminology in this document specific to their respective SCBs are to be interpreted as described in the following: -1. [AAD](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#key-terminology) -2. [Defender](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/defender.md#key-terminology) -3. [Exo](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/exo.md#key-terminology) -4. [Power BI](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/powerbi.md#key-terminology) -5. [PowerPlatform](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/powerplatform.md#key-terminology) -6. [SharePoint](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/sharepoint.md#key-terminology) -7. [Teams](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/teams.md#key-terminology) +1. [AAD][] +2. [Defender][] +3. [Exo][] +4. [Power BI][] +5. [PowerPlatform][] +6. [SharePoint][] +7. [Teams][] # Azure Active Directory / Entra ID 
@@ -66,3 +66,12 @@ Users SHALL be prevented from running custom scripts on personal sites (aka OneD - _Removal date:_ July 2024 - _Removal rationale:_ The option to enable and disable custom scripting on personal sites (aka OneDrive) found in policy MS.SHAREPOINT.4.1v1 has been deprecated by Microsoft. All references including the policy and its implementation steps have been removed as the setting is no longer present. Furthermore, it is no longer possible to allow custom scripts on personal sites. + +[RFC 2119]: https://datatracker.ietf.org/doc/html/rfc2119 +[AAD]: https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#key-terminology +[Defender]: https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/defender.md#key-terminology +[Exo]: https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/exo.md#key-terminology +[Power BI]: https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/powerbi.md#key-terminology +[PowerPlatform]: https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/powerplatform.md#key-terminology +[SharePoint]: https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/sharepoint.md#key-terminology +[Teams]: https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/teams.md#key-terminology \ No newline at end of file diff --git a/PowerShell/ScubaGear/baselines/sharepoint.md b/PowerShell/ScubaGear/baselines/sharepoint.md index 7cf13166cb..be2565161c 100644 --- a/PowerShell/ScubaGear/baselines/sharepoint.md +++ b/PowerShell/ScubaGear/baselines/sharepoint.md 
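Review bot: The seven definitions added to removedpolicies.md above (`[AAD]: https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#key-terminology` and the rest) hard-code the `main` branch on github.com even though the target files live in the same directory. teams.md in this same PR links its sibling baseline with a relative path (`./defender.md#...`); writing these as `./aad.md#key-terminology` and so on keeps them working on a fork, a release branch, or a rendered copy of the docs and matches that convention.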
@@ -13,13 +13,13 @@ For non-Federal users, the information in this document is being provided “as ## License Compliance and Copyright -Portions of this document are adapted from documents in Microsoft’s [M365](https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/LICENSE) and [Azure](https://github.com/MicrosoftDocs/azure-docs/blob/main/LICENSE) GitHub repositories. The respective documents are subject to copyright and are adapted under the terms of the Creative Commons Attribution 4.0 International license. Source are linked throughout this document. The United States government has adapted selections of these documents to develop innovative and scalable configuration standards to strengthen the security of widely used cloud-based software services. +Portions of this document are adapted from documents in Microsoft’s [M365][] and [Azure][] GitHub repositories. The respective documents are subject to copyright and are adapted under the terms of the Creative Commons Attribution 4.0 International license. Source are linked throughout this document. The United States government has adapted selections of these documents to develop innovative and scalable configuration standards to strengthen the security of widely used cloud-based software services. ## Assumptions -The **License Requirements** sections of this document assume the organization is using an [M365 E3](https://www.microsoft.com/en-us/microsoft-365/compare-microsoft-365-enterprise-plans) or [G3](https://www.microsoft.com/en-us/microsoft-365/government) license level at a minimum. Therefore, only licenses not included in E3/G3 are listed. +The **License Requirements** sections of this document assume the organization is using an [M365 E3][] or [G3][] license level at a minimum. Therefore, only licenses not included in E3/G3 are listed. 
## Key Terminology -The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119](https://datatracker.ietf.org/doc/html/rfc2119). +The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119][]. # Baseline Policies @@ -36,9 +36,9 @@ External sharing for SharePoint SHALL be limited to Existing guests or Only peop - _Rationale:_ Sharing information outside the organization via SharePoint increases the risk of unauthorized access. By limiting external sharing, administrators decrease the risk of access to information. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) - - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) - - [T1213.002: Sharepoint](https://attack.mitre.org/techniques/T1213/002/) + - [T1048: Exfiltration Over Alternative Protocol][] + - [T1213: Data from Information Repositories][] + - [T1213.002: Sharepoint][] #### MS.SHAREPOINT.1.2v1 External sharing for OneDrive SHALL be limited to Existing guests or Only people in your organization. 
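Review bot: The rewritten License Compliance line in sharepoint.md carries over the typo "Source are linked throughout this document."; since the `+` line already replaces the old one, make it "Sources are linked throughout this document." in the same change.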
@@ -47,10 +47,10 @@ External sharing for OneDrive SHALL be limited to Existing guests or Only people - _Rationale:_ Sharing files outside the organization via OneDrive increases the risk of unauthorized access. By limiting external sharing, administrators decrease the risk of unauthorized unauthorized access to information. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) - - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) - - [T1213.002: Sharepoint](https://attack.mitre.org/techniques/T1213/002/) - - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) + - [T1048: Exfiltration Over Alternative Protocol][] + - [T1213: Data from Information Repositories][] + - [T1213.002: Sharepoint][] + - [T1530: Data from Cloud Storage][] #### MS.SHAREPOINT.1.3v1 External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs. 
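Review bot: Nit on the unchanged rationale line in this hunk: "decrease the risk of unauthorized unauthorized access to information" repeats "unauthorized"; worth dropping the duplicate while the adjacent lines are being edited.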
@@ -60,10 +60,10 @@ External sharing SHALL be restricted to approved external domains and/or users i - _Last modified:_ June 2023 - _Note:_ This policy is only applicable if the external sharing slider on the admin page is set to any value other than **Only people in your organization**. - _MITRE ATT&CK TTP Mapping:_ - - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) - - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) - - [T1213.002: Sharepoint](https://attack.mitre.org/techniques/T1213/002/) - - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) + - [T1048: Exfiltration Over Alternative Protocol][] + - [T1213: Data from Information Repositories][] + - [T1213.002: Sharepoint][] + - [T1530: Data from Cloud Storage][] #### MS.SHAREPOINT.1.4v1 Guest access SHALL be limited to the email the invitation was sent to. 
@@ -73,16 +73,16 @@ Guest access SHALL be limited to the email the invitation was sent to. - _Last modified:_ June 2023 - _Note:_ This policy is only applicable if the external sharing slider on the admin page is set to any value other than **Only People in your organization**. - _MITRE ATT&CK TTP Mapping:_ - - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) - - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) - - [T1213.002: Sharepoint](https://attack.mitre.org/techniques/T1213/002/) - - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) + - [T1048: Exfiltration Over Alternative Protocol][] + - [T1213: Data from Information Repositories][] + - [T1213.002: Sharepoint][] + - [T1530: Data from Cloud Storage][] ### Resources -- [Overview of external sharing in SharePoint and OneDrive in Microsoft 365 \| Microsoft Documents](https://learn.microsoft.com/en-us/sharepoint/external-sharing-overview) +- [Overview of external sharing in SharePoint and OneDrive in Microsoft 365 \| Microsoft Documents][] -- [Manage sharing settings for SharePoint and OneDrive in Microsoft 365 \| Microsoft Documents](https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off) +- [Manage sharing settings for SharePoint and OneDrive in Microsoft 365 \| Microsoft Documents][] ### License Requirements 
@@ -160,11 +160,11 @@ File and folder default sharing scope SHALL be set to Specific people (only the - _Rationale:_ By making the default sharing the most restrictive, administrators prevent accidentally sharing information too broadly. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) - - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) - - [T1213.002: Sharepoint](https://attack.mitre.org/techniques/T1213/002/) - - [T1565: Data Manipulation](https://attack.mitre.org/techniques/T1565/) - - [T1565.001: Stored Data Manipulation](https://attack.mitre.org/techniques/T1565/001/) + - [T1048: Exfiltration Over Alternative Protocol][] + - [T1213: Data from Information Repositories][] + - [T1213.002: Sharepoint][] + - [T1565: Data Manipulation][] + - [T1565.001: Stored Data Manipulation][] #### MS.SHAREPOINT.2.2v1 File and folder default sharing permissions SHALL be set to View. @@ -173,14 +173,14 @@ File and folder default sharing permissions SHALL be set to View. - _Rationale:_ Edit access to files and folders could allow a user to make unauthorized changes. By restricting default permissions to **View**, administrators prevent unintended or malicious modification. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1080: Taint Shared Content](https://attack.mitre.org/techniques/T1080/) - - [T1565: Data Manipulation](https://attack.mitre.org/techniques/T1565/) - - [T1565.001: Stored Data Manipulation](https://attack.mitre.org/techniques/T1565/001/) + - [T1080: Taint Shared Content][] + - [T1565: Data Manipulation][] + - [T1565.001: Stored Data Manipulation][] ### Resources - [File and folder links \| Microsoft - Documents](https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off#file-and-folder-links) + Documents][] ### License Requirements 
@@ -223,10 +223,10 @@ Expiration days for Anyone links SHALL be set to 30 days or less. - _Last modified:_ June 2023 - _Note:_ This policy is only applicable if the external sharing slider on the admin center sharing page is set to **Anyone**. - _MITRE ATT&CK TTP Mapping:_ - - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) - - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) - - [T1213.002: Sharepoint](https://attack.mitre.org/techniques/T1213/002/) - - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) + - [T1048: Exfiltration Over Alternative Protocol][] + - [T1213: Data from Information Repositories][] + - [T1213.002: Sharepoint][] + - [T1530: Data from Cloud Storage][] #### MS.SHAREPOINT.3.2v1 The allowable file and folder permissions for links SHALL be set to View only. @@ -236,9 +236,9 @@ The allowable file and folder permissions for links SHALL be set to View only. - _Last modified:_ June 2023 - _Note:_ This policy is only applicable if the external sharing slider on the admin center sharing page is set to **Anyone**. - _MITRE ATT&CK TTP Mapping:_ - - [T1080: Taint Shared Content](https://attack.mitre.org/techniques/T1080/) - - [T1565: Data Manipulation](https://attack.mitre.org/techniques/T1565/) - - [T1565.001: Stored Data Manipulation](https://attack.mitre.org/techniques/T1565/001/) + - [T1080: Taint Shared Content][] + - [T1565: Data Manipulation][] + - [T1565.001: Stored Data Manipulation][] #### MS.SHAREPOINT.3.3v1 Reauthentication days for people who use a verification code SHALL be set to 30 days or less. 
@@ -248,9 +248,9 @@ Reauthentication days for people who use a verification code SHALL be set to 30 - _Last modified:_ June 2023 - _Note:_ This policy is only applicable if the external sharing slider on the admin center sharing page is set to **Anyone** or **New and existing guests**. - _MITRE ATT&CK TTP Mapping:_ - - [T1080: Taint Shared Content](https://attack.mitre.org/techniques/T1080/) - - [T1565: Data Manipulation](https://attack.mitre.org/techniques/T1565/) - - [T1565.001: Stored Data Manipulation](https://attack.mitre.org/techniques/T1565/001/) + - [T1080: Taint Shared Content][] + - [T1565: Data Manipulation][] + - [T1565.001: Stored Data Manipulation][] ### License Requirements @@ -259,7 +259,7 @@ Reauthentication days for people who use a verification code SHALL be set to 30 ### Resources - [Secure external sharing recipient experience \| Microsoft - Documents](https://learn.microsoft.com/en-us/sharepoint/what-s-new-in-sharing-in-targeted-release) + Documents][] ### Implementation @@ -320,13 +320,13 @@ Users SHALL be prevented from running custom scripts on self-service created sit - _Rationale:_ Scripts on SharePoint sites run in the context of users visiting the site and therefore provide access to everything users can access. By preventing custom scripts on self-service created sites, administrators block a path for potentially malicious code execution. - _Last modified:_ June 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/) - - [T1059.009: Cloud API](https://attack.mitre.org/techniques/T1059/009/) + - [T1059: Command and Scripting Interpreter][] + - [T1059.009: Cloud API][] ### Resources - [Allow or prevent custom script \| Microsoft - Documents](https://docs.microsoft.com/en-us/sharepoint/allow-or-prevent-custom-script) + Documents][] ### License Requirements 
@@ -347,3 +347,26 @@ Users SHALL be prevented from running custom scripts on self-service created sit 5. Select **Prevent users from running custom script on self-service created sites**. 6. Select **OK**. + +[M365]: https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/LICENSE +[Azure]: https://github.com/MicrosoftDocs/azure-docs/blob/main/LICENSE +[M365 E3]: https://www.microsoft.com/en-us/microsoft-365/compare-microsoft-365-enterprise-plans +[G3]: https://www.microsoft.com/en-us/microsoft-365/government +[RFC 2119]: https://datatracker.ietf.org/doc/html/rfc2119 +[T1048: Exfiltration Over Alternative Protocol]: https://attack.mitre.org/techniques/T1048/ +[T1213: Data from Information Repositories]: https://attack.mitre.org/techniques/T1213/ +[T1213.002: Sharepoint]: https://attack.mitre.org/techniques/T1213/002/ +[T1530: Data from Cloud Storage]: https://attack.mitre.org/techniques/T1530/ +[Overview of external sharing in SharePoint and OneDrive in Microsoft 365 \| Microsoft Documents]: https://learn.microsoft.com/en-us/sharepoint/external-sharing-overview +[Manage sharing settings for SharePoint and OneDrive in Microsoft 365 \| Microsoft Documents]: https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off +[T1565: Data Manipulation]: https://attack.mitre.org/techniques/T1565/ +[T1565.001: Stored Data Manipulation]: https://attack.mitre.org/techniques/T1565/001/ +[T1080: Taint Shared Content]: https://attack.mitre.org/techniques/T1080/ +[File and folder links \| Microsoft + Documents]: https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off#file-and-folder-links +[Secure external sharing recipient experience \| Microsoft + Documents]: https://learn.microsoft.com/en-us/sharepoint/what-s-new-in-sharing-in-targeted-release +[T1059: Command and Scripting Interpreter]: https://attack.mitre.org/techniques/T1059/ +[T1059.009: Cloud API]: https://attack.mitre.org/techniques/T1059/009/ +[Allow or prevent custom script \| 
Microsoft + Documents]: https://docs.microsoft.com/en-us/sharepoint/allow-or-prevent-custom-script \ No newline at end of file diff --git a/PowerShell/ScubaGear/baselines/teams.md b/PowerShell/ScubaGear/baselines/teams.md index b58cef21b7..90dcb5248e 100644 --- a/PowerShell/ScubaGear/baselines/teams.md +++ b/PowerShell/ScubaGear/baselines/teams.md 
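Review bot: Several of the new sharepoint.md definitions above split their label across two lines, e.g. `[File and folder links \| Microsoft` followed by `  Documents]: https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off#file-and-folder-links`, and `[Allow or prevent custom script \|` continued on the next line. CommonMark normalizes labels by collapsing internal line endings and runs of whitespace to a single space, so these do resolve against the wrapped `[... \| Microsoft` / `  Documents][]` uses, but the match now depends on every use wrapping at a point that normalizes identically, and a grep for the label no longer finds either side. Keep each definition on a single line; the `\|` must then appear identically in every use, which it already does here.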
@@ -12,13 +12,13 @@ For non-Federal users, the information in this document is being provided “as > This document is marked TLP:CLEAR. Recipients may share this information without restriction. Information is subject to standard copyright rules. For more information on the Traffic Light Protocol, see https://www.cisa.gov/tlp. ## License Compliance and Copyright -Portions of this document are adapted from documents in Microsoft's [M365](https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/LICENSE) and [Azure](https://github.com/MicrosoftDocs/azure-docs/blob/main/LICENSE) GitHub repositories. The respective documents are subject to copyright and are adapted under the terms of the Creative Commons Attribution 4.0 International license. Source documents are linked throughout this document. The United States government has adapted selections of these documents to develop innovative and scalable configuration standards to strengthen the security of widely used cloud-based software services. +Portions of this document are adapted from documents in Microsoft's [M365][] and [Azure][] GitHub repositories. The respective documents are subject to copyright and are adapted under the terms of the Creative Commons Attribution 4.0 International license. Source documents are linked throughout this document. The United States government has adapted selections of these documents to develop innovative and scalable configuration standards to strengthen the security of widely used cloud-based software services. ## Assumptions -The **License Requirements** sections of this document assume the organization is using an [M365 E3](https://www.microsoft.com/en-us/microsoft-365/compare-microsoft-365-enterprise-plans) or [G3](https://www.microsoft.com/en-us/microsoft-365/government) license level at a minimum. Therefore, only licenses not included in E3/G3 are listed. 
+The **License Requirements** sections of this document assume the organization is using an [M365 E3][] or [G3][] license level at a minimum. Therefore, only licenses not included in E3/G3 are listed. ## Key Terminology -The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119](https://datatracker.ietf.org/doc/html/rfc2119). +The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119][]. Access to Teams can be controlled by the user type. In this baseline, the types of users are defined as follows: @@ -71,8 +71,8 @@ Anonymous users SHALL NOT be enabled to start meetings. - _Last modified:_ July 2023 - _Note:_ This policy applies to the Global (Org-wide default) meeting policy, and custom meeting policies if they exist. - _MITRE ATT&CK TTP Mapping:_ - - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) - - [T1078.001: Default Accounts](https://attack.mitre.org/techniques/T1078/001/) + - [T1078: Valid Accounts][] + - [T1078.001: Default Accounts][] #### MS.TEAMS.1.3v1 Anonymous users and dial-in callers SHOULD NOT be admitted automatically. 
@@ -127,16 +127,16 @@ Record an event SHOULD be set to Organizer can record. ### Resources - [Manage who can present and request control in Microsoft Teams \| Microsoft - Learn](https://learn.microsoft.com/en-us/microsoftteams/meeting-who-present-request-control) -- [Meeting policy settings \| Microsoft Learn](https://learn.microsoft.com/en-us/microsoftteams/settings-policies-reference#meetings) + Learn][] +- [Meeting policy settings \| Microsoft Learn][] - [Teams cloud meeting recording \| Microsoft -Learn ](https://learn.microsoft.com/en-us/microsoftteams/cloud-recording) +Learn ][] - [Assign policies in Teams – getting started \| Microsoft -Learn](https://learn.microsoft.com/en-us/microsoftteams/policy-assignment-overview) +Learn][] - [Live Event Recording Policies \| Microsoft -Learn](https://learn.microsoft.com/en-us/microsoftteams/teams-live-events/live-events-recording-policies) +Learn][] ### License Requirements @@ -255,7 +255,7 @@ able to attend meetings if added as B2B guest users. External access may be granted on a per-domain basis. This may be desirable in some cases (e.g., for agency-to-agency collaboration). See the Chief Information Officer Council's [Interagency Collaboration -Program](https://community.max.gov/display/Egov/Interagency+Collaboration+Program) Office of Management and Budget MA site for a list of .gov domains for sharing. +Program][] Office of Management and Budget MA site for a list of .gov domains for sharing. Similar to external users, blocking contact with unmanaged Teams users prevents these users from looking up internal users by their email address and initiating chats and calls within Teams. These users would still be able to join calls, assuming anonymous join is enabled. Additionally, unmanaged users may be added to Teams chats if the internal user initiates the contact. 
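Review bot: In the Resources list of the first hunk above, the Teams cloud meeting recording item becomes `Learn ][]` with a space before the closing bracket. Label normalization strips leading and trailing whitespace, so it still resolves provided the definition at the bottom of teams.md (not in this diff) reads `[Teams cloud meeting recording \| Microsoft Learn]`, but the stray space is fragile under any renderer that does not normalize; remove it here and verify the definition matches. The same check applies to `[Interagency Collaboration` / `Program][]` in the second hunk, which wraps inside running prose.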
@@ -268,9 +268,9 @@ External access for users SHALL only be enabled on a per-domain basis. - _Rationale:_ The default configuration allows members to communicate with all external users with similar access permissions. This unrestricted access can lead to data breaches and other security threats. This policy provides protection against threats posed by unrestricted access by allowing communication with only trusted domains. - _Last modified:_ July 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1199: Trusted Relationship](https://attack.mitre.org/techniques/T1199/) - - [T1204: User Execution](https://attack.mitre.org/techniques/T1204/) - - [T1204.001: Malicious Link](https://attack.mitre.org/techniques/T1204/001/) + - [T1199: Trusted Relationship][] + - [T1204: User Execution][] + - [T1204.001: Malicious Link][] #### MS.TEAMS.2.2v1 Unmanaged users SHALL NOT be enabled to initiate contact with internal users. @@ -280,8 +280,8 @@ Unmanaged users SHALL NOT be enabled to initiate contact with internal users. - _Last modified:_ July 2023 - _Note:_ This policy is not applicable to Government Community Cloud (GCC), GCC High, and Department of Defense (DoD) tenants. - _MITRE ATT&CK TTP Mapping:_ - - [T1204: User Execution](https://attack.mitre.org/techniques/T1204/) - - [T1204.001: Malicious Link](https://attack.mitre.org/techniques/T1204/001/) + - [T1204: User Execution][] + - [T1204.001: Malicious Link][] #### MS.TEAMS.2.3v1 Internal users SHOULD NOT be enabled to initiate contact with unmanaged users. 
@@ -291,24 +291,24 @@ Internal users SHOULD NOT be enabled to initiate contact with unmanaged users. - _Last modified:_ July 2023 - _Note:_ This policy is not applicable to Government Community Cloud (GCC), GCC High, and Department of Defense (DoD) tenants. - _MITRE ATT&CK TTP Mapping:_ - - [T1204: User Execution](https://attack.mitre.org/techniques/T1204/) - - [T1204.001: Malicious Link](https://attack.mitre.org/techniques/T1204/001/) + - [T1204: User Execution][] + - [T1204.001: Malicious Link][] ### Resources - [IT Admins - Manage external meetings and chat with people and organizations using Microsoft identities \| Microsoft - Learn](https://learn.microsoft.com/en-us/microsoftteams/manage-external-access) + Learn][] - [Teams settings and policies reference \| Microsoft - Learn](https://learn.microsoft.com/en-us/microsoftteams/meeting-settings-in-teams#allow-anonymous-users-to-join-meetings) + Learn][] - [Use guest access and external access to collaborate with people outside your organization \| Microsoft - Learn](https://learn.microsoft.com/en-us/microsoftteams/communicate-with-users-from-other-organizations) + Learn][] - [Manage chat with external Teams users not managed by an organization \| Microsoft -Learn](https://learn.microsoft.com/en-us/microsoftteams/manage-external-access#manage-chat-with-external-teams-users-not-managed-by-an-organization) +Learn][] ### License Requirements @@ -318,7 +318,7 @@ Learn](https://learn.microsoft.com/en-us/microsoftteams/manage-external-access#m Steps for the unmanaged users are outlined in [Manage chat with external Teams users not managed by an -organization](https://learn.microsoft.com/en-us/microsoftteams/manage-external-access#manage-chat-with-external-teams-users-not-managed-by-an-organization). +organization][]. #### MS.TEAMS.2.1v1 Instructions 
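Review bot: Across these two hunks one URL ends up behind two different labels: the Resources entry `[Manage chat with external Teams users not managed by an organization \| Microsoft` / `Learn][]` and the Implementation sentence `[Manage chat with external Teams users not managed by an` / `organization][]` both pointed at `https://learn.microsoft.com/en-us/microsoftteams/manage-external-access#manage-chat-with-external-teams-users-not-managed-by-an-organization`, so teams.md now needs two definitions for the same target. Use the full reference form for the second one, `[Manage chat with external Teams users not managed by an organization][Manage chat with external Teams users not managed by an organization \| Microsoft Learn]`, or give both the same label, so the URL is defined once.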
@@ -382,15 +382,15 @@ Contact with Skype users SHALL be blocked. - _Last modified:_ July 2023 - _Note:_ This policy is not applicable to Government Community Cloud (GCC), GCC High, and Department of Defense (DoD) tenants. - _MITRE ATT&CK TTP Mapping:_ - - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) + - [T1567: Exfiltration Over Web Service][] ### Resources - [Configure external meetings and chat with Skype for Business Server \| Microsoft -Learn](https://learn.microsoft.com/en-us/microsoftteams/external-meetings-skype-for-business-server-hybrid) +Learn][] - [Skype for Business Online to Be Retired in 2021 \| Microsoft Teams -Blog](https://techcommunity.microsoft.com/t5/microsoft-teams-blog/skype-for-business-online-to-be-retired-in-2021/ba-p/777833) +Blog][] ### License Requirements @@ -421,14 +421,14 @@ Teams email integration SHALL be disabled. - _Last modified:_ July 2023 - _Note:_ Teams email integration is not available in GCC, GCC High, or DoD regions. - _MITRE ATT&CK TTP Mapping:_ - - [T1204: User Execution](https://attack.mitre.org/techniques/T1204/) - - [T1204.001: Malicious Link](https://attack.mitre.org/techniques/T1204/001/) - - [T1204.002: Malicious File](https://attack.mitre.org/techniques/T1204/002/) + - [T1204: User Execution][] + - [T1204.001: Malicious Link][] + - [T1204.002: Malicious File][] ### Resources - [Email Integration \| Microsoft -Learn](https://learn.microsoft.com/en-us/microsoftteams/settings-policies-reference#email-integration) +Learn][] ### License Requirements 
@@ -467,7 +467,7 @@ Agencies SHOULD only allow installation of Microsoft apps approved by the agency - _Last modified:_ July 2023 - _Note:_ This policy applies to the Global (Org-wide default) policy, all custom policies, and the org-wide app settings. Custom policies MAY be created to allow more flexibility for specific users. - _MITRE ATT&CK TTP Mapping:_ - - [T1195: Supply Chain Compromise](https://attack.mitre.org/techniques/T1195/) + - [T1195: Supply Chain Compromise][] #### MS.TEAMS.5.2v1 Agencies SHOULD only allow installation of third-party apps approved by the agency. @@ -477,8 +477,8 @@ Agencies SHOULD only allow installation of third-party apps approved by the agen - _Last modified:_ July 2023 - _Note:_ This policy applies to the Global (Org-wide default) policy, all custom policies if they exist, and the org-wide settings. Custom policies MAY be created to allow more flexibility for specific users. Third-party apps are not available in GCC, GCC High, or DoD regions. - _MITRE ATT&CK TTP Mapping:_ - - [T1195: Supply Chain Compromise](https://attack.mitre.org/techniques/T1195/) - - [T1528: Steal Application Access Token](https://attack.mitre.org/techniques/T1528/) + - [T1195: Supply Chain Compromise][] + - [T1528: Steal Application Access Token][] #### MS.TEAMS.5.3v1 Agencies SHOULD only allow installation of custom apps approved by the agency. 
@@ -488,14 +488,14 @@ Agencies SHOULD only allow installation of custom apps approved by the agency. - _Last modified:_ July 2023 - _Note:_ This policy applies to the Global (Org-wide default) policy, all custom policies if they exist, and the org-wide settings. Custom policies MAY be created to allow more flexibility for specific users. Custom apps are not available in GCC, GCC High, or DoD regions. - _MITRE ATT&CK TTP Mapping:_ - - [T1195: Supply Chain Compromise](https://attack.mitre.org/techniques/T1195/) - - [T1528: Steal Application Access Token](https://attack.mitre.org/techniques/T1528/) + - [T1195: Supply Chain Compromise][] + - [T1528: Steal Application Access Token][] ### Resources -- [Use app permission policies to control user access to apps \| Microsoft Learn](https://learn.microsoft.com/en-us/microsoftteams/teams-app-permission-policies) +- [Use app permission policies to control user access to apps \| Microsoft Learn][] -- [Upload your app in Microsoft Teams \| Microsoft Learn](https://learn.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload) +- [Upload your app in Microsoft Teams \| Microsoft Learn][] ### License Requirements @@ -583,7 +583,7 @@ should offer services comparable to those offered by Microsoft. Though using Microsoft's DLP solution is not strictly required, guidance for configuring Microsoft's DLP solution can be found in following section of the CISA M365 Security Configuration Baseline for Defender for Office 365. -- [Data Loss Prevention \| CISA M365 Security Configuration Baseline for Defender for Office 365](./defender.md#4-data-loss-prevention) +- [Data Loss Prevention \| CISA M365 Security Configuration Baseline for Defender for Office 365][] ### Policies 
@@ -594,8 +594,8 @@ A DLP solution SHALL be enabled. The selected DLP solution SHOULD offer services - _Rationale:_ Teams users may inadvertently disclose sensitive information to unauthorized individuals. Data loss prevention policies provide a way for agencies to detect and prevent unauthorized disclosures. - _Last modified:_ July 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) - - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) + - [T1213: Data from Information Repositories][] + - [T1530: Data from Cloud Storage][] #### MS.TEAMS.6.2v1 The DLP solution SHALL protect personally identifiable information (PII) 
@@ -606,39 +606,39 @@ and Social Security numbers (SSNs) via email SHALL be restricted. - _Rationale:_ Teams users may inadvertently share sensitive information with others who should not have access to it. Data loss prevention policies provide a way for agencies to detect and prevent unauthorized sharing of sensitive information. - _Last modified:_ July 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) - - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) + - [T1213: Data from Information Repositories][] + - [T1530: Data from Cloud Storage][] ### Resources -- [Plan for data loss prevention (DLP) \| Microsoft Learn](https://learn.microsoft.com/en-us/microsoft-365/compliance/dlp-overview-plan-for-dlp?view=o365-worldwide) +- [Plan for data loss prevention (DLP) \| Microsoft Learn][] - [Personally identifiable information (PII) \| - NIST](https://csrc.nist.gov/glossary/term/personally_identifiable_information#:~:text=NISTIR%208259,2%20under%20PII%20from%20EGovAct) + NIST][] - [Sensitive information \| - NIST](https://csrc.nist.gov/glossary/term/sensitive_information) + NIST][] ### License Requirements -- DLP for Teams within Microsoft Purview requires an E5 or G5 license. See [Microsoft Purview Data Loss Prevention: Data Loss Prevention for Teams \| Microsoft Learn](https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-data-loss-prevention-data-loss-prevention-dlp-for-teams) +- DLP for Teams within Microsoft Purview requires an E5 or G5 license. See [Microsoft Purview Data Loss Prevention: Data Loss Prevention for Teams \| Microsoft Learn][] for more information. However, this requirement can also be met through a third-party solution. 
If a third-party solution is used, then a E5 or G5 license is not required for the respective policies. ### Implementation #### MS.TEAMS.6.1v1 Instructions -Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [DLP](./defender.md#implementation-3) for additional guidance. +Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [DLP][] for additional guidance. #### MS.TEAMS.6.2v1 Instructions -Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [DLP](./defender.md#implementation-3) for additional guidance. +Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [DLP][] for additional guidance. ## 7. Malware Scanning Malware scanning protects M365 Teams assets from malicious software. Several commercial anti-malware solutions detect and prevent computer viruses, malware, and other malicious software from being introduced into M365 Teams. Agencies may select any product that meets the requirements outlined in this baseline policy group. If the agency is using Microsoft Defender to implement malware scanning, see the following policies of the CISA M365 Security Configuration Baseline for Defender for Office 365 for additional guidance. -- [MS.DEFENDER.3.1v1 \| CISA M365 Security Configuration Baseline for Defender for Office 365](./defender.md#msdefender31v1) +- [MS.DEFENDER.3.1v1 \| CISA M365 Security Configuration Baseline for Defender for Office 365][] - Safe attachments SHOULD be enabled for SharePoint, OneDrive, and Microsoft Teams. ### Policies 
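Review bot: `[DLP][]` in the two Instructions paragraphs of this hunk resolves to `./defender.md#implementation-3` (and `[Safe Attachments][]` further down the file to `./defender.md#implementation-2`). Two things to flag: the label `DLP` is generic enough that a later `[DLP]` anywhere in teams.md will pick up this defender.md anchor, so a more specific label such as `[Defender DLP implementation]` is safer; and `#implementation-3` is a GitHub-generated heading slug that depends on how many `### Implementation` headings precede it in defender.md, so inserting or reordering a policy group there silently breaks the link. A comment next to the definition, or an explicit HTML anchor in defender.md, plus a markdown link check in CI would catch that. Separately, the NIST PII reference keeps a `#:~:text=...` suffix, which is a browser scroll-to-text fragment rather than a page anchor; it is harmless but only takes effect in browsers that implement text fragments.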
@@ -650,8 +650,8 @@ Attachments included with Teams messages SHOULD be scanned for malware. - _Rationale:_ Teams can be used as a mechanism for delivering malware. In many cases, malware can be detected through scanning, reducing the risk for end users. - _Last modified:_ July 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) + - [T1566: Phishing][] + - [T1566.001: Spearphishing Attachment][] #### MS.TEAMS.7.2v1 Users SHOULD be prevented from opening or downloading files detected as malware. @@ -660,18 +660,18 @@ Users SHOULD be prevented from opening or downloading files detected as malware. - _Rationale:_ Teams can be used as a mechanism for delivering malware. In many cases, malware can be detected through scanning, reducing the risk for end users. - _Last modified:_ July 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1204: User Execution](https://attack.mitre.org/techniques/T1204/) - - [T1204.002: Malicious File](https://attack.mitre.org/techniques/T1204/002/) + - [T1204: User Execution][] + - [T1204.002: Malicious File][] ### Resources - [Safe Attachments in Microsoft Defender for Office 365 \| Microsoft - Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-about?view=o365-worldwide#safe-attachments-policy-settings) + Learn][] - [Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams \| Microsoft - Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide) + Learn][] ### License Requirements 
@@ -682,11 +682,11 @@ Users SHOULD be prevented from opening or downloading files detected as malware. #### MS.TEAMS.7.1v1 Instructions -Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [Safe Attachments](./defender.md#implementation-2) for additional guidance. +Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [Safe Attachments][] for additional guidance. #### MS.TEAMS.7.2v1 Instructions -Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [Safe Attachments](./defender.md#implementation-2) for additional guidance. +Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [Safe Attachments][] for additional guidance. ## 8. Link Protection @@ -712,7 +712,7 @@ If all checks pass, the user is redirected to the original URL. Microsoft Defender includes link-scanning capabilities. Using Microsoft Defender is not strictly required for this purpose; any product fulfilling the requirements outlined in this baseline policy group may be used. If the agency uses Microsoft Defender to meet this baseline policy group, see the following policy of the CISA M365 Security Configuration Baseline for Defender for Office 365 for additional guidance. -- [MS.DEFENDER.1.3v1 \| CISA M365 Security Configuration Baseline for Defender for Office 365](./defender.md#msdefender13v1). +- [MS.DEFENDER.1.3v1 \| CISA M365 Security Configuration Baseline for Defender for Office 365][]. - All users SHALL be added to Defender for Office 365 Protection in either the standard or strict preset security policy. ### Policies 
@@ -724,12 +724,12 @@ URL comparison with a blocklist SHOULD be enabled. - _Rationale:_ Users may be directed to malicious websites via links in Teams. Blocking access to known malicious URLs can help prevent users from accessing known malicious websites. - _Last modified:_ July 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1204: User Execution](https://attack.mitre.org/techniques/T1204/) - - [T1204.001: Malicious Link](https://attack.mitre.org/techniques/T1204/001/) - - [T1204.002: Malicious File](https://attack.mitre.org/techniques/T1204/002/) - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) - - [T1189: Drive-by Compromise](https://attack.mitre.org/techniques/T1189/) + - [T1204: User Execution][] + - [T1204.001: Malicious Link][] + - [T1204.002: Malicious File][] + - [T1566: Phishing][] + - [T1566.001: Spearphishing Attachment][] + - [T1189: Drive-by Compromise][] #### MS.TEAMS.8.2v1 User click tracking SHOULD be enabled. 
@@ -738,19 +738,19 @@ User click tracking SHOULD be enabled. - _Rationale:_ Users may click on malicious links in Teams, leading to compromise or authorized data disclosure. Enabling user click tracking lets agencies know if a malicious link may have been visited after the fact to help tailor a response to a potential incident. - _Last modified:_ July 2023 - _MITRE ATT&CK TTP Mapping:_ - - [T1204: User Execution](https://attack.mitre.org/techniques/T1204/) - - [T1204.001: Malicious Link](https://attack.mitre.org/techniques/T1204/001/) - - [T1204.002: Malicious File](https://attack.mitre.org/techniques/T1204/002/) - - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) - - [T1189: Drive-by Compromise](https://attack.mitre.org/techniques/T1189/) + - [T1204: User Execution][] + - [T1204.001: Malicious Link][] + - [T1204.002: Malicious File][] + - [T1566: Phishing][] + - [T1566.001: Spearphishing Attachment][] + - [T1189: Drive-by Compromise][] ### Resources - [Recommended settings for EOP and Microsoft Defender for Office 365 - security \| Microsoft Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365) + security \| Microsoft Learn][] -- [Set up Safe Links policies in Microsoft Defender for Office 365 \| Microsoft Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide) +- [Set up Safe Links policies in Microsoft Defender for Office 365 \| Microsoft Learn][] ### License Requirements 
@@ -760,11 +760,11 @@ User click tracking SHOULD be enabled. #### MS.TEAMS.8.1v1 Instructions -Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [standard or strict preset security policy](defender.md#msdefender13v1-instructions) for additional guidance. +Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [standard or strict preset security policy][] for additional guidance. #### MS.TEAMS.8.2v1 Instructions -Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [standard or strict preset security policy](defender.md#msdefender13v1-instructions) for additional guidance. +Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [standard or strict preset security policy][] for additional guidance. [^1]: Note that B2B guest users and all anonymous users except for 
@@ -798,3 +798,75 @@ record meetings: 8. Select **Apply**. **`TLP:CLEAR`** + +[M365]: https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/LICENSE +[Azure]: https://github.com/MicrosoftDocs/azure-docs/blob/main/LICENSE +[M365 E3]: https://www.microsoft.com/en-us/microsoft-365/compare-microsoft-365-enterprise-plans +[G3]: https://www.microsoft.com/en-us/microsoft-365/government +[RFC 2119]: https://datatracker.ietf.org/doc/html/rfc2119 +[T1078: Valid Accounts]: https://attack.mitre.org/techniques/T1078/ +[T1078.001: Default Accounts]: https://attack.mitre.org/techniques/T1078/001/ +[Manage who can present and request control in Microsoft Teams \| Microsoft + Learn]: https://learn.microsoft.com/en-us/microsoftteams/meeting-who-present-request-control +[Meeting policy settings \| Microsoft Learn]: https://learn.microsoft.com/en-us/microsoftteams/settings-policies-reference#meetings +[Teams cloud meeting recording \| Microsoft +Learn ]: https://learn.microsoft.com/en-us/microsoftteams/cloud-recording +[Assign policies in Teams – getting started \| Microsoft +Learn]: https://learn.microsoft.com/en-us/microsoftteams/policy-assignment-overview +[Live Event Recording Policies \| Microsoft +Learn]: https://learn.microsoft.com/en-us/microsoftteams/teams-live-events/live-events-recording-policies +[Interagency Collaboration +Program]: https://community.max.gov/display/Egov/Interagency+Collaboration+Program +[T1199: Trusted Relationship]: https://attack.mitre.org/techniques/T1199/ +[T1204: User Execution]: https://attack.mitre.org/techniques/T1204/ +[T1204.001: Malicious Link]: https://attack.mitre.org/techniques/T1204/001/ +[IT Admins - Manage external meetings and chat with people and organizations using Microsoft identities \| Microsoft + Learn]: https://learn.microsoft.com/en-us/microsoftteams/manage-external-access +[Teams settings and policies reference \| Microsoft + Learn]: 
https://learn.microsoft.com/en-us/microsoftteams/meeting-settings-in-teams#allow-anonymous-users-to-join-meetings +[Use guest access and external access to collaborate with people + outside your organization \| Microsoft + Learn]: https://learn.microsoft.com/en-us/microsoftteams/communicate-with-users-from-other-organizations +[Manage chat with external Teams users not managed by an organization +\| Microsoft +Learn]: https://learn.microsoft.com/en-us/microsoftteams/manage-external-access#manage-chat-with-external-teams-users-not-managed-by-an-organization +[Manage chat with external Teams users not +managed by an +organization]: https://learn.microsoft.com/en-us/microsoftteams/manage-external-access#manage-chat-with-external-teams-users-not-managed-by-an-organization +[T1567: Exfiltration Over Web Service]: https://attack.mitre.org/techniques/T1567/ +[Configure external meetings and chat with Skype for Business Server \| Microsoft +Learn]: https://learn.microsoft.com/en-us/microsoftteams/external-meetings-skype-for-business-server-hybrid +[Skype for Business Online to Be Retired in 2021 \| Microsoft Teams +Blog]: https://techcommunity.microsoft.com/t5/microsoft-teams-blog/skype-for-business-online-to-be-retired-in-2021/ba-p/777833 +[T1204.002: Malicious File]: https://attack.mitre.org/techniques/T1204/002/ +[Email Integration \| Microsoft +Learn]: https://learn.microsoft.com/en-us/microsoftteams/settings-policies-reference#email-integration +[T1195: Supply Chain Compromise]: https://attack.mitre.org/techniques/T1195/ +[T1528: Steal Application Access Token]: https://attack.mitre.org/techniques/T1528/ +[Use app permission policies to control user access to apps \| Microsoft Learn]: https://learn.microsoft.com/en-us/microsoftteams/teams-app-permission-policies +[Upload your app in Microsoft Teams \| Microsoft Learn]: https://learn.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload +[Data Loss Prevention \| CISA M365 Security 
Configuration Baseline for Defender for Office 365]: ./defender.md#4-data-loss-prevention +[T1213: Data from Information Repositories]: https://attack.mitre.org/techniques/T1213/ +[T1530: Data from Cloud Storage]: https://attack.mitre.org/techniques/T1530/ +[Plan for data loss prevention (DLP) \| Microsoft Learn]: https://learn.microsoft.com/en-us/microsoft-365/compliance/dlp-overview-plan-for-dlp?view=o365-worldwide +[Personally identifiable information (PII) \| + NIST]: https://csrc.nist.gov/glossary/term/personally_identifiable_information#:~:text=NISTIR%208259,2%20under%20PII%20from%20EGovAct +[Sensitive information \| + NIST]: https://csrc.nist.gov/glossary/term/sensitive_information +[Microsoft Purview Data Loss Prevention: Data Loss Prevention for Teams \| Microsoft Learn]: https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-data-loss-prevention-data-loss-prevention-dlp-for-teams +[DLP]: ./defender.md#implementation-3 +[MS.DEFENDER.3.1v1 \| CISA M365 Security Configuration Baseline for Defender for Office 365]: ./defender.md#msdefender31v1 +[T1566: Phishing]: https://attack.mitre.org/techniques/T1566/ +[T1566.001: Spearphishing Attachment]: https://attack.mitre.org/techniques/T1566/001/ +[Safe Attachments in Microsoft Defender for Office 365 \| Microsoft + Learn]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-about?view=o365-worldwide#safe-attachments-policy-settings +[Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft + Teams \| Microsoft + Learn]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide +[Safe Attachments]: ./defender.md#implementation-2 +[MS.DEFENDER.1.3v1 \| CISA M365 Security Configuration Baseline for Defender for Office 
365]: ./defender.md#msdefender13v1 +[T1189: Drive-by Compromise]: https://attack.mitre.org/techniques/T1189/ +[Recommended settings for EOP and Microsoft Defender for Office 365 + security \| Microsoft Learn]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365 +[Set up Safe Links policies in Microsoft Defender for Office 365 \| Microsoft Learn]: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide +[standard or strict preset security policy]: defender.md#msdefender13v1-instructions \ No newline at end of file diff --git a/baselines/README.md b/baselines/README.md index 108b239b18..6ab37bbe42 100644 --- a/baselines/README.md +++ b/baselines/README.md 
@@ -1,10 +1,19 @@ The baselines have been moved into the ScubaGear PowerShell module for easier distribution. Individual baselines can be visited directly at the links below: -- [Microsoft Entra ID](../PowerShell/ScubaGear/baselines/aad.md) -- [Defender](../PowerShell/ScubaGear/baselines/defender.md) -- [Exchange Online](../PowerShell/ScubaGear/baselines/exo.md) -- [Power BI](../PowerShell/ScubaGear/baselines/powerbi.md) -- [Power Platform](../PowerShell/ScubaGear/baselines/powerplatform.md) -- [SharePoint & OneDrive](../PowerShell/ScubaGear/baselines/sharepoint.md) -- [Teams](../PowerShell/ScubaGear/baselines/teams.md) -- [Removed Policies](../PowerShell/ScubaGear/baselines/removedpolicies.md) +- [Microsoft Entra ID][] +- [Defender][] +- [Exchange Online][] +- [Power BI][] +- [Power Platform][] +- [SharePoint & OneDrive][] +- [Teams][] +- [Removed Policies][] + +[Microsoft Entra ID]: ../PowerShell/ScubaGear/baselines/aad.md +[Defender]: ../PowerShell/ScubaGear/baselines/defender.md +[Exchange Online]: ../PowerShell/ScubaGear/baselines/exo.md +[Power BI]: ../PowerShell/ScubaGear/baselines/powerbi.md +[Power Platform]: ../PowerShell/ScubaGear/baselines/powerplatform.md +[SharePoint & OneDrive]: ../PowerShell/ScubaGear/baselines/sharepoint.md +[Teams]: ../PowerShell/ScubaGear/baselines/teams.md +[Removed Policies]: ../PowerShell/ScubaGear/baselines/removedpolicies.md \ No newline at end of file
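Review bot: in the @@ -606 hunk of teams.md the Resources items keep their labels split across lines (`- [Personally identifiable information (PII) \|` followed by `NIST][]`, and the same for `[Sensitive information \|` / `NIST][]`), so the links only resolve because CommonMark collapses internal spaces and line endings when matching a label against its definition. Put each label on one line, in the body and in the definition block, so a renderer or markdown linter that does not normalize whitespace, or a later re-indent of the list, cannot silently turn the link into literal bracketed text. The Resources lists in the @@ -660 and @@ -738 hunks (`[Safe Attachments in Microsoft Defender for Office 365 \| Microsoft` / `Learn][]`, `[Recommended settings for EOP and Microsoft Defender for Office 365` / `security \| Microsoft Learn][]`) have the same split labels.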
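Review bot: in the @@ -712 hunk of teams.md the converted bullet keeps a trailing period after the link, `- [MS.DEFENDER.1.3v1 \| CISA M365 Security Configuration Baseline for Defender for Office 365][].`, while the parallel MS.DEFENDER.3.1v1 bullet in the @@ -606 hunk has none; since the line is being rewritten anyway, drop the period so the two cross-reference bullets match.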
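Review bot: the @@ -798 hunk of teams.md ends with `\ No newline at end of file` after the `[standard or strict preset security policy]` definition, so the file loses the trailing newline it had when `**`TLP:CLEAR`**` was the last line; add a final newline. In the same definition block, `[standard or strict preset security policy]: defender.md#msdefender13v1-instructions` is the only local reference without the `./` prefix used by `[DLP]: ./defender.md#implementation-3` and `[Safe Attachments]: ./defender.md#implementation-2`, and `[Teams cloud meeting recording \| Microsoft` / `Learn ]:` carries a space before the closing bracket that the other labels do not; normalize both so the definitions are uniform. Also worth a second look: `[Teams settings and policies reference \| Microsoft Learn]` resolves to `meeting-settings-in-teams#allow-anonymous-users-to-join-meetings` while `[Meeting policy settings \| Microsoft Learn]` points at `settings-policies-reference#meetings`, so confirm the label and target were not swapped when the inline links were moved into definitions.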
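Review bot: the baselines/README.md hunk also ends with `\ No newline at end of file` after `[Removed Policies]: ../PowerShell/ScubaGear/baselines/removedpolicies.md`; the previous version ended on a normal list line, so add the trailing newline back to keep the file POSIX-clean and avoid a spurious whole-line change the next time the list is edited.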