diff --git a/.github/workflows/Collecter.yml b/.github/workflows/Collecter.yml new file mode 100644 index 00000000..b37531d2 --- /dev/null +++ b/.github/workflows/Collecter.yml @@ -0,0 +1,41 @@ +name: Run Collector + +on: + push: + branches: [Compliance-Engine] + +jobs: + run-collector: + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: '3.11' + + - name: Install deps + run: pip install google-api-python-client google-auth google-auth-httplib2 google-auth-oauthlib + + - name: Run GCP Access Collector + env: + GCP_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS }} + run: | + python3 engine/GCPAccess.py + mv iam_policy.json test-configs/iam_policy.json + mv networks.json test-configs/networks.json + + - name: Commit and push IAM policy & networks config + run: | + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + git add test-configs/iam_policy.json + git add test-configs/networks.json + git diff --cached --quiet && echo "No changes to commit" || git commit -m "Update iam_policy.json & networks.json" + git push origin Compliance-Engine + diff --git a/.github/workflows/gryp.yml b/.github/workflows/gryp.yml new file mode 100644 index 00000000..efe78ee2 --- /dev/null +++ b/.github/workflows/gryp.yml 
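Review bot: The last step commits the live IAM policy and VPC network export into `test-configs/` on every push, so repository history will permanently carry the project's principal inventory (project number, service-account e-mails, an owner user) and network layout; unless the repository is private and meant to hold that, publish the files as a run artifact (`actions/upload-artifact`) or redact them before committing. `GCP_CREDENTIALS` is a long-lived service-account key in JSON form; `google-github-actions/auth` with Workload Identity Federation would remove the stored key entirely. The run step invokes `python3 engine/GCPAccess.py`, but the file added in this commit is `engine/engine/GCPAccess.py`, so if the job runs from the repository root the path does not resolve (a `working-directory: engine` on the step, or the full path, would fix it). `actions/checkout@v4`, `actions/setup-python@v5` and the unpinned `pip install` all pull mutable versions; pinning the actions to commit SHAs and the packages to versions keeps the collector reproducible.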
@@ -0,0 +1,53 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow checks out code, builds an image, performs a container image +# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security +# code scanning feature. For more information on the Anchore scan action usage +# and parameters, see https://github.com/anchore/scan-action. For more +# information on Anchore's container image scanning tool Grype, see +# https://github.com/anchore/grype +name: Anchore Grype vulnerability scan + +on: + push: + branches: [Compliance-Engine] + pull_request: + # The branches below must be a subset of the branches above + branches: [Compliance-Engine] + schedule: + - cron: '37 20 * * 4' + +permissions: + contents: read + +jobs: + Anchore-Build-Scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + + steps: + - name: Check out the code + uses: actions/checkout@v4 + + - name: Build the Docker image + run: docker build -t compliance-engine-workflows:latest -f docker/engine.Dockerfile . + + - name: Run the Anchore Grype scan action + uses: anchore/scan-action@v3 + id: scan + + with: + image: docker:compliance-engine-workflows:latest + fail-build: true + severity-cutoff: critical + + - name: Upload vulnerability report + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.scan.outputs.sarif }} diff --git a/README.md b/README.md deleted file mode 100644 index 805ba9bb..00000000 --- a/README.md +++ /dev/null @@ -1 +0,0 @@ -# AutoAudit \ No newline at end of file 
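Review bot: With `fail-build: true` on the scan step, any finding at or above the cutoff fails the job before `Upload vulnerability report` runs, so the SARIF never reaches code scanning exactly when there is something to report; add `if: always()` (or `if: ${{ !cancelled() }}`) to the upload step, or set `fail-build: false` and gate on the result separately. `severity-cutoff: critical` means high-severity findings neither fail the job nor appear as a blocker; if that is intended, a comment saying so would stop the next reader from "fixing" it. The build step uses `-f docker/engine.Dockerfile`, while this commit places the file at `engine/docker/engine.Dockerfile`; if the runner's working directory is the repository root the build fails before the scan starts. `anchore/scan-action@v3` and `github/codeql-action/upload-sarif@v3` are referenced by mutable tags; given the header's own note that the scan action is not certified by GitHub, pinning to commit SHAs is the usual mitigation.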
diff --git a/engine/README.md b/engine/README.md index fa6ea879..805ba9bb 100644 --- a/engine/README.md +++ b/engine/README.md @@ -1 +1 @@ -# AutoAudit Engine Team \ No newline at end of file +# AutoAudit \ No newline at end of file diff --git a/engine/cloudbuild-engine-docker.yml b/engine/cloudbuild-engine-docker.yml deleted file mode 100644 index 57dac9ef..00000000 --- a/engine/cloudbuild-engine-docker.yml +++ /dev/null @@ -1,31 +0,0 @@ -# engine/cloudbuild-docker-build.yaml -steps: - # Build Docker Image - - name: 'gcr.io/cloud-builders/docker' - args: - - 'build' - - '-t' - - 'australia-southeast2-docker.pkg.dev/$PROJECT_ID/engine/engine:${_ENV_NAME}' - - '--build-arg' - - 'ENV=${_ENV_NAME}' - - '-f' - - 'engine/docker/engine.Dockerfile' - - '.' - # The `dir` specifies the working directory for the build context - # Adjust this if your Dockerfile or source context is not at the root - # or specifically in the 'engine' directory relative to the trigger. - dir: 'engine' # Assuming engine.Dockerfile is in engine/docker/ and context is `engine/` - - # Push Docker Image to Artifact Registry - - name: 'gcr.io/cloud-builders/docker' - args: - - 'push' - - 'australia-southeast2-docker.pkg.dev/$PROJECT_ID/engine/engine:${_ENV_NAME}' - -# Specify the images to be pushed to Artifact Registry -images: - - 'australia-southeast2-docker.pkg.dev/$PROJECT_ID/engine/engine:${_ENV_NAME}' - -# Define custom substitutions to be passed from GitHub Actions -substitutions: - _ENV_NAME: 'default' # A default value for safety diff --git a/engine/docker/engine.Dockerfile b/engine/docker/engine.Dockerfile index bd312b23..56e08bda 100644 --- a/engine/docker/engine.Dockerfile +++ b/engine/docker/engine.Dockerfile @@ -2,8 +2,8 @@ FROM python:3.11-slim WORKDIR /app -COPY engine/engine/ ./engine/ -COPY engine/rules/ ./rules/ -COPY engine/test-configs/ ./test-configs/ +COPY engine/ ./engine/ +COPY rules/ ./rules/ +COPY test-configs/ ./test-configs/ CMD ["python", "engine/main.py"] 
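Review bot: The new `COPY engine/ ./engine/`, `COPY rules/ ./rules/` and `COPY test-configs/ ./test-configs/` lines assume the build context is the `engine/` directory, which matches the removed Cloud Build config's `dir: 'engine'` but not a `docker build .` run from the repository root; the Grype workflow in this commit needs to pass the same context or the build fails on the missing paths. `test-configs/` now also receives the collector's committed `iam_policy.json` and `networks.json`, so those live exports are baked into every image; copy only the mock configs, or keep the exports outside the image. No `USER` is set, so `engine/main.py` runs as root inside the container; `RUN useradd -r app` followed by `USER app` before `CMD` is the usual hardening. Line 1 of the file lies outside the hunk.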
diff --git a/engine/engine/.trigger b/engine/engine/.trigger index 6183eec9..53526546 100644 --- a/engine/engine/.trigger +++ b/engine/engine/.trigger @@ -1 +1,2 @@ abcdaas +a diff --git a/engine/engine/GCPAccess.py b/engine/engine/GCPAccess.py new file mode 100644 index 00000000..3df698c9 --- /dev/null +++ b/engine/engine/GCPAccess.py @@ -0,0 +1,36 @@ +from google.oauth2 import service_account +from googleapiclient.discovery import build +from google.auth import default +import json +import os + +service_account_info = json.loads(os.environ["GCP_CREDENTIALS"]) +creds = service_account.Credentials.from_service_account_info( + service_account_info, + scopes=["https://www.googleapis.com/auth/cloud-platform"], +) + +crm_policy = build("cloudresourcemanager", "v3", credentials=creds) +crm_compute = build("compute", "v1", credentials=creds) + +project_id = "coastal-stone-470308-a0" +res_name = f"projects/{project_id}" + +policy = crm_policy.projects().getIamPolicy( + resource=res_name, + body={"options": {"requestedPolicyVersion": 3}} +).execute() + +networks = [] +req = crm_compute.networks().list(project=project_id) +while req is not None: + resp = req.execute() + networks.extend(resp.get("items", [])) + req = crm_compute.networks().list_next(previous_request=req, previous_response=resp) + +with open("iam_policy.json", "w") as f: + json.dump(policy, f, indent=2) + +with open("networks.json", "w") as f: + json.dump(networks, f, indent=2) + diff --git a/engine/engine/Helpers.rego b/engine/engine/Helpers.rego new file mode 100644 index 00000000..219e9752 --- /dev/null +++ b/engine/engine/Helpers.rego 
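Review bot: `project_id = "coastal-stone-470308-a0"` hard-codes one project into a module that otherwise takes everything from `GCP_CREDENTIALS`, so the collector cannot be pointed at another project without a code change; the service-account JSON already carries a `project_id` field, so `project_id = service_account_info["project_id"]`, optionally overridden by an environment variable, keeps it in one place. `from google.auth import default` is imported but never used. All of the work runs at import time with no `main()` guard, which makes the module impossible to import from tests or the engine without hitting the API; moving the body into `def main()` under `if __name__ == "__main__":` is a cheap fix. The two `open(..., "w")` calls should pass `encoding="utf-8"` so the JSON output does not depend on the runner's locale.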
@@ -0,0 +1,32 @@ +package AutoAudit_tester.engine.Helpers + +import future.keywords.in + +get(path) = v if { + parts := split(path, ".") + some i + pv := walk(input)[i] + p := pv[0] + v := pv[1] + p == parts +} +equals(path, expected) if { + get(path) == expected +} + +in_whitelist(path, allowed) if { + val := get(path) + val in allowed +} +not_in_blacklist(path, blocked) if { + val := get(path) + not val in blocked +} +status(bool) = s if { + bool + s := "Compliant" +} +status(bool) = s if { + not bool + s := "NonCompliant" +} diff --git a/engine/engine/main.py b/engine/engine/main.py index 7faee936..f885d004 100644 --- a/engine/engine/main.py +++ b/engine/engine/main.py 
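Review bot: `get(path)` indexes the walk result with `walk(input)[i]` and then unpacks `pv[0]`/`pv[1]`, which, as far as I can read it, selects one element of a single `[path, value]` pair rather than iterating over pairs, so `p == parts` compares a key with the whole split array and the rule never matches; the idiom is `[p, v] := walk(input)` followed by `p == parts`. `walk` yields numeric indices for array elements while `split` yields strings, so dotted paths through arrays would still not resolve — worth a comment on the helper if that is out of scope. The file uses `if` but only imports `future.keywords.in`; on OPA releases before 1.0 the parser rejects `if` without `import future.keywords.if` (or `import rego.v1`). `equals`, `in_whitelist` and `not_in_blacklist` are undefined rather than false when the path is absent, so `status(equals(...))` yields no result instead of `"NonCompliant"` for a missing setting; if absence should count as non-compliant, an explicit rule for the missing-path case is needed.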
@@ -1,61 +1,31 @@ import json import os +def load_mock_config(path="test-configs/compliant.json"): + with open(path) as f: + return json.load(f) + -# Load a JSON config file (mock tenant settings) -def load_config(path="test-configs/compliant.json"): - """Load the configuration JSON file. Returns an empty dict if file not found or invalid.""" - try: - with open(path) as f: - return json.load(f) - except FileNotFoundError: - print(f"❌ Config file not found: {path}") - return {} - except json.JSONDecodeError: - print(f"❌ Invalid JSON in config file: {path}") - return {} - - -# Load all JSON rules from the rules directory def load_rules(directory="rules"): - """Load all JSON rules from the given directory. Skips invalid files.""" rules = [] - if not os.path.exists(directory): - print(f"❌ Rules directory not found: {directory}") - return rules - for file in os.listdir(directory): if file.endswith(".json"): - try: - with open(os.path.join(directory, file)) as f: - rule = json.load(f) - # Validate required keys - if all(k in rule for k in ("id_level_2", "tags", - "expected_value", "evaluation_path", - "description")): - rules.append(rule) - else: - print(f"⚠️ Skipping {file}: Missing required keys") - except json.JSONDecodeError: - print(f"⚠️ Invalid JSON in {file}") + with open(os.path.join(directory, file)) as f: + rule = json.load(f) + rules.append(rule) return rules - -# Helper to get nested value using dot notation (e.g. 
"azure_ad.mfa_status") def get_value_from_path(config, path): - """Extract a value from nested JSON using a dot-separated path.""" - keys = path.split(".") - for key in keys: - if isinstance(config, dict): - config = config.get(key, {}) + placeholder_value = config + for key in path.split("."): + if isinstance(placeholder_value, dict): + placeholder_value = placeholder_value.get(key, {}) else: return None - return config if config != {} else None - + return placeholder_value + -# Evaluate one rule against the config def evaluate_rule(rule, config): - """Compare the expected setting with the actual config value.""" expected = rule.get("expected_value") value = get_value_from_path(config, rule.get("evaluation_path")) 
@@ -63,33 +33,35 @@ def evaluate_rule(rule, config): return True, "Pass" return False, f"{rule['tags']} = {value}, expected {expected}" - -# Main function to run all rules and show results def main(): - config = load_config() # Load tenant configuration - rules = load_rules() # Load all CIS rules - - if not config or not rules: - print("❌ No config or rules found. Exiting.") - return + config = load_mock_config() + rules = load_rules() passed, failed = 0, 0 for rule in rules: result, reason = evaluate_rule(rule, config) status = "PASS" if result else "FAIL" - print(f"[{status}] {rule['id_level_2']} - {rule['description']}") + print(f"[{status}] {rule['id_level_2']} - {rule['title']}") + if not result: - print(f" Reason: {reason}") + print("") + print(" --- Cause of Failure ---") + print(f" Description : {rule['description']}") + print(f" Reason : {reason}") + print(f" Remediation : {rule['remediation']}") + print("") + print(" --- Risk Assessment ---") + print(f" Risk Level : {rule['risk']}") + print(f" Impact : {rule['impact']}") + print(f" Likelihood : {rule['likelihood']}") + print(f" Overall : {rule['risk_level']}") + print("-------------------------------------------------------------------") + passed += result failed += not result - - # Summary output - print("\n📊 Summary:") - print(f" Total Rules: {len(rules)}") - print(f" ✅ Passeds: {passed}") - print(f" ❌ Failed: {failed}") - + print(f"\nSummary: {passed} rules passed, {failed} rules failed") + if __name__ == "__main__": - main() + main() \ No newline at end of file diff --git a/engine/iam_policy.json b/engine/iam_policy.json new file mode 100644 index 00000000..f29a225e --- /dev/null +++ b/engine/iam_policy.json 
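Review bot: `main()` now reads `rule['title']`, `rule['remediation']`, `rule['risk']`, `rule['impact']`, `rule['likelihood']` and `rule['risk_level']` unconditionally, while the first hunk of this file removes the `load_rules` check that every required key is present, so one rule file missing a key aborts the whole report with `KeyError` after partial output; restore the validation in `load_rules`, extended to the new keys, as below, or read the fields with `rule.get(...)`. In that same earlier hunk `get_value_from_path` no longer maps a missing path to `None` (the `return config if config != {} else None` line is gone), so an absent setting now evaluates as `{}` and the failure reason prints `... = {}`; if `evaluate_rule` relies on that distinction, keep the `None` mapping. `load_mock_config` and `load_rules` also lose their `FileNotFoundError`/`JSONDecodeError` handling with no replacement and their docstrings went with it, so each new function should at least carry a one-line docstring stating that it raises on a missing or malformed file. `main()` additionally lost its trailing newline (`\ No newline at end of file`).
```python
REQUIRED_KEYS = ("id_level_2", "title", "description", "expected_value",
                 "evaluation_path", "remediation", "risk", "impact",
                 "likelihood", "risk_level", "tags")


def load_rules(directory="rules"):
    """Load every *.json rule in `directory`; skip files missing REQUIRED_KEYS."""
    rules = []
    for file in os.listdir(directory):
        if not file.endswith(".json"):
            continue
        with open(os.path.join(directory, file)) as f:
            rule = json.load(f)
        missing = [k for k in REQUIRED_KEYS if k not in rule]
        if missing:
            print(f"Skipping {file}: missing keys {missing}")
            continue
        rules.append(rule)
    return rules
```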
@@ -0,0 +1,26 @@ +{ + "version": 1, + "etag": "BwY9aQGbYhE=", + "bindings": [ + { + "role": "roles/compute.serviceAgent", + "members": [ + "serviceAccount:service-162922847862@compute-system.iam.gserviceaccount.com" + ] + }, + { + "role": "roles/editor", + "members": [ + "serviceAccount:162922847862@cloudservices.gserviceaccount.com", + "serviceAccount:sa-noperms@coastal-stone-470308-a0.iam.gserviceaccount.com", + "serviceAccount:162922847862-compute@developer.gserviceaccount.com" + ] + }, + { + "role": "roles/owner", + "members": [ + "user:AdityaHindocha3@gmail.com" + ] + } + ] +} \ No newline at end of file diff --git a/engine/py_test.py b/engine/py_test.py deleted file mode 100644 index 3bd6db52..00000000 --- a/engine/py_test.py +++ /dev/null @@ -1,9 +0,0 @@ -def add(a, b): - return a + b - - -def subtract(a, b): - return a + b - - -print(add(5, 1100)) diff --git a/engine/rules/1.1.1.json b/engine/rules/1.1.1.json index c01d00da..db6cf91f 100644 --- a/engine/rules/1.1.1.json +++ b/engine/rules/1.1.1.json @@ -12,6 +12,9 @@ "evaluation_path": "user.OnPremisesSyncEnabled", "remediation": "Migrate hybrid admin accounts to new cloud-only accounts and update roles accordingly.", "risk": "High", + "impact": "Moderate", + "likelihood": "2", + "risk_level": "Low", "tags": [ "MFA", "Identity", diff --git a/engine/rules/1.1.2.json b/engine/rules/1.1.2.json index 8b0cc05e..3d17f789 100644 --- a/engine/rules/1.1.2.json +++ b/engine/rules/1.1.2.json 
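Review bot: The three new keys `impact`, `likelihood` and `risk_level` are added as empty strings in this file's siblings (1.1.3 through 2.4.3 in this diff) and only 1.1.1 and 1.1.2 carry values, while `main.py` prints them verbatim under `--- Risk Assessment ---`, so every failed rule reports blank risk lines; either populate them or have the printer render `""` as `n/a`. The populated values also disagree on type and scale — `likelihood` is the numeric string `"2"` while `impact` and `risk_level` are words (`Moderate`, `Low`), and this rule ends up with `"risk": "High"` next to `"risk_level": "Low"` — so the schema for these fields (allowed values, and how `risk_level` derives from impact and likelihood) should be written down, for example in a short README beside the rules. The hunk starts at line 12, so the file's opening keys are not visible here.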
@@ -9,12 +9,15 @@ "description": "Emergency access or \ufffdbreak glass\ufffd accounts are limited for emergency scenarios where normal administrative accounts are unavailable.", "expected_value": "Two emergency access accounts defined", "comparison": "Manual validation", - "evaluation_path": "Microsoft 365 admin center > Users > Active Users and Entra admin center > Protection > Conditional Access", + "evaluation_path": "user.WithTwoEmergencyAccs", "remediation": "Create two cloud-only accounts with Global Admin role, no license, exclude from Conditional Access rules.", "risk": "High", + "impact": "Serious", + "likelihood": "2", + "risk_level": "Moderate", "tags": [ "Accounts", "EmergencyAccess", "GlobalAdmin" ] -} \ No newline at end of file +} diff --git a/engine/rules/1.1.3.json b/engine/rules/1.1.3.json index 760c70f8..658b2fbd 100644 --- a/engine/rules/1.1.3.json +++ b/engine/rules/1.1.3.json @@ -9,11 +9,14 @@ "description": "Between two and four global administrators should be designated in the tenant to ensure redundancy and limit exposure.", "expected_value": "2\ufffd4 Global Administrators", "comparison": "Count and range check", - "evaluation_path": "Microsoft 365 admin center > Roles > Global Administrator", + "evaluation_path": "user.globalAdmins", "remediation": "Add or remove users from Global Admin role to maintain 2\ufffd4 total.", "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", "tags": [ "AdminAccounts", "PrivilegeManagement" ] -} \ No newline at end of file +} diff --git a/engine/rules/1.1.4.json b/engine/rules/1.1.4.json index f4613824..24d7cbd1 100644 --- a/engine/rules/1.1.4.json +++ b/engine/rules/1.1.4.json 
@@ -9,12 +9,15 @@ "description": "Administrative accounts should not use licenses with applications to reduce attack surface.", "expected_value": "License with no user applications (e.g. Entra ID P1/P2)", "comparison": "License check", - "evaluation_path": "Microsoft 365 admin center > Users > Active users > License column", + "evaluation_path": "user.licenses", "remediation": "Assign minimal license or Entra ID P1/P2 to admin accounts. Use PIM if applicable.", "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", "tags": [ "Licensing", "AdminAccounts", "LeastPrivilege" ] -} \ No newline at end of file +} diff --git a/engine/rules/1.2.1.json b/engine/rules/1.2.1.json index 9a14c94b..3261eef5 100644 --- a/engine/rules/1.2.1.json +++ b/engine/rules/1.2.1.json @@ -9,12 +9,15 @@ "description": "Ensure that only organizationally managed and approved public groups exist to prevent unauthorized access to internal data.", "expected_value": "No groups with public visibility", "comparison": "Group.Visibility != Public", - "evaluation_path": "Microsoft 365 admin center > Teams & groups > Active teams & groups", + "evaluation_path": "groups.approved", "remediation": "Change group privacy from Public to Private in group settings.", "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", "tags": [ "Groups", "Privacy", "AccessControl" ] -} \ No newline at end of file +} diff --git a/engine/rules/1.2.2.json b/engine/rules/1.2.2.json index 1dd967fd..b3bc203f 100644 --- a/engine/rules/1.2.2.json +++ b/engine/rules/1.2.2.json @@ -12,6 +12,9 @@ "evaluation_path": "mailboxes.shared", "remediation": "Uncheck the 'Sign-in allowed' option under mailbox settings.", "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", "tags": [ "Mailbox", "AccountAccess", diff --git a/engine/rules/1.3.1.json b/engine/rules/1.3.1.json index 157dd7b8..0c4b6748 100644 --- a/engine/rules/1.3.1.json +++ b/engine/rules/1.3.1.json 
@@ -9,12 +9,15 @@ "description": "Avoid enforcing periodic password changes unless a compromise is suspected.", "expected_value": "Set passwords to never expire", "comparison": "PasswordExpiration == Never", - "evaluation_path": "Microsoft 365 admin center > Org Settings > Security & Privacy > Password expiration policy", + "evaluation_path": "password.expiration", "remediation": "Enable the 'Set passwords to never expire' option in org settings.", "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", "tags": [ "PasswordPolicy", "UserSettings", "Authentication" ] -} \ No newline at end of file +} diff --git a/engine/rules/1.3.2.json b/engine/rules/1.3.2.json index 47303906..8e8c6470 100644 --- a/engine/rules/1.3.2.json +++ b/engine/rules/1.3.2.json @@ -9,12 +9,15 @@ "description": "Limit idle session timeout for unmanaged devices to reduce session hijack risks.", "expected_value": "Idle timeout set to = 3 hours", "comparison": "IdleTimeout <= 3h", - "evaluation_path": "Microsoft 365 admin center > Org settings > Security & privacy > Idle session timeout", + "evaluation_path": "session.idleTimeout", "remediation": "Configure timeout policy in settings for unmanaged device sessions.", "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", "tags": [ "SessionTimeout", "DeviceManagement", "UnmanagedAccess" ] -} \ No newline at end of file +} diff --git a/engine/rules/1.3.3.json b/engine/rules/1.3.3.json index 22e57b74..1713ad62 100644 --- a/engine/rules/1.3.3.json +++ b/engine/rules/1.3.3.json 
@@ -9,12 +9,15 @@ "description": "Prevent external calendar sharing to avoid data leakage and preserve internal privacy.", "expected_value": "External sharing disabled", "comparison": "CalendarSharing == InternalOnly", - "evaluation_path": "Microsoft 365 admin center > Settings > Org settings > Calendar", + "evaluation_path": "calendar.externalSharing", "remediation": "Disable external calendar sharing in org settings.", "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", "tags": [ "Calendar", "ExternalSharing", "Privacy" ] -} \ No newline at end of file +} diff --git a/engine/rules/1.3.4.json b/engine/rules/1.3.4.json index 46a887f0..0c4118e8 100644 --- a/engine/rules/1.3.4.json +++ b/engine/rules/1.3.4.json @@ -9,12 +9,15 @@ "description": "Restrict user ability to register applications to control third-party integrations.", "expected_value": "App registration disabled for users", "comparison": "AppRegistration == Disabled", - "evaluation_path": "Microsoft Entra admin center > User settings > App registrations", + "evaluation_path": "apps.userOwned", "remediation": "Disable 'Users can register applications' in user settings.", "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", "tags": [ "UserApps", "ThirdPartyAccess", "AppRegistration" ] -} \ No newline at end of file +} diff --git a/engine/rules/1.3.5.json b/engine/rules/1.3.5.json index 2c3cff99..958cdf76 100644 --- a/engine/rules/1.3.5.json +++ b/engine/rules/1.3.5.json 
@@ -9,12 +9,15 @@ "description": "Enable internal phishing detection for Microsoft Forms to prevent credential harvesting.", "expected_value": "Phishing protection enabled", "comparison": "FormsPhishingProtection == On", - "evaluation_path": "Microsoft 365 admin center > Settings > Org settings > Microsoft Forms", + "evaluation_path": "forms.phishingProtection", "remediation": "Enable internal phishing protection in Microsoft Forms settings.", "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", "tags": [ "Forms", "PhishingProtection", "ThreatDetection" ] -} \ No newline at end of file +} diff --git a/engine/rules/1.3.6.json b/engine/rules/1.3.6.json index 1c4af230..c76e4941 100644 --- a/engine/rules/1.3.6.json +++ b/engine/rules/1.3.6.json @@ -9,12 +9,15 @@ "description": "Require explicit customer approval before Microsoft can access customer content.", "expected_value": "Customer lockbox enabled", "comparison": "Lockbox == Enabled", - "evaluation_path": "Microsoft 365 compliance center > Solutions > Customer Lockbox", + "evaluation_path": "customer.lockbox", "remediation": "Enable Customer Lockbox via Microsoft 365 compliance center.", "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", "tags": [ "CustomerLockbox", "AccessControl", "DataProtection" ] -} \ No newline at end of file +} diff --git a/engine/rules/1.3.7.json b/engine/rules/1.3.7.json index 21657916..5e2e1d82 100644 --- a/engine/rules/1.3.7.json +++ b/engine/rules/1.3.7.json @@ -12,6 +12,9 @@ "evaluation_path": "office.ThirdPartyStorage", "remediation": "Disable integration with third-party storage services.", "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", "tags": [ "Storage", "ExternalServices", diff --git a/engine/rules/1.3.8.json b/engine/rules/1.3.8.json index 5553c9f6..2b34cf52 100644 --- a/engine/rules/1.3.8.json +++ b/engine/rules/1.3.8.json 
@@ -12,6 +12,9 @@ "evaluation_path": "sway.externalSharing", "remediation": "Manually disable external sharing for Sway presentations.", "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", "tags": [ "Sway", "ContentSharing", diff --git a/engine/rules/2.1.1.json b/engine/rules/2.1.1.json new file mode 100644 index 00000000..ca27f666 --- /dev/null +++ b/engine/rules/2.1.1.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft 365 Defender", + "id_level_1": 2.1, + "id_level_2": "2.1.1", + "title": "Ensure Safe Links for Office Applications is Enabled", + "profile": "E5", + "level": "L2", + "status": "Automated", + "description": "Safe Links scans URLs in Office docs to prevent malicious site access.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "defender.safeLinksOfficeEnabled", + "remediation": "Enable Safe Links for Office via Microsoft 365 Defender portal.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "SafeLinks", + "Office" + ] +} diff --git a/engine/rules/2.1.10.json b/engine/rules/2.1.10.json new file mode 100644 index 00000000..dcc6b33d --- /dev/null +++ b/engine/rules/2.1.10.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft 365 Defender", + "id_level_1": 2.1, + "id_level_2": "2.1.10", + "title": "Ensure DMARC Records for all Exchange Online domains are published", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "DMARC verifies alignment between SPF, DKIM, and sender domain.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "exchange.dmarcRecordsPublished", + "remediation": "Publish DMARC DNS TXT records for all Exchange Online domains.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "DMARC", + "EmailAuth" + ] +} diff --git a/engine/rules/2.1.11.json b/engine/rules/2.1.11.json new file mode 100644 index 00000000..d57c64d2 --- /dev/null +++ b/engine/rules/2.1.11.json 
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft 365 Defender", + "id_level_1": 2.1, + "id_level_2": "2.1.11", + "title": "Ensure comprehensive attachment filtering is applied", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Applies filtering for a wide range of risky file types.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "defender.comprehensiveAttachmentFilterEnabled", + "remediation": "Configure comprehensive attachment filtering in Microsoft Defender.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Attachments", + "Malware" + ] +} diff --git a/engine/rules/2.1.12.json b/engine/rules/2.1.12.json new file mode 100644 index 00000000..6ea9b272 --- /dev/null +++ b/engine/rules/2.1.12.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft 365 Defender", + "id_level_1": 2.1, + "id_level_2": "2.1.12", + "title": "Ensure the connection filter IP allow list is not used", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Prevents bypassing spam filters via IP allow lists.", + "expected_value": "FALSE", + "comparison": "equals", + "evaluation_path": "exchange.connectionFilterIpAllowListUsed", + "remediation": "Remove IP addresses from connection filter allow list.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Spam", + "EmailFiltering" + ] +} diff --git a/engine/rules/2.1.13.json b/engine/rules/2.1.13.json new file mode 100644 index 00000000..929c266a --- /dev/null +++ b/engine/rules/2.1.13.json 
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft 365 Defender", + "id_level_1": 2.1, + "id_level_2": "2.1.13", + "title": "Ensure the connection filter safe list is off", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Prevents safe list from bypassing spam/malware detection.", + "expected_value": "FALSE", + "comparison": "equals", + "evaluation_path": "exchange.connectionFilterSafeListEnabled", + "remediation": "Disable safe list in connection filter settings.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Spam", + "EmailFiltering" + ] +} diff --git a/engine/rules/2.1.14.json b/engine/rules/2.1.14.json new file mode 100644 index 00000000..43e48aad --- /dev/null +++ b/engine/rules/2.1.14.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft 365 Defender", + "id_level_1": 2.1, + "id_level_2": "2.1.14", + "title": "Ensure inbound anti-spam policies do not contain allowed domains", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Prevents whitelisted domains from bypassing spam filters.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "exchange.inboundAntiSpamNoAllowedDomains", + "remediation": "Remove allowed domains from inbound anti-spam policies.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Spam", + "EmailFiltering" + ] +} diff --git a/engine/rules/2.1.2.json b/engine/rules/2.1.2.json new file mode 100644 index 00000000..d0df4e57 --- /dev/null +++ b/engine/rules/2.1.2.json 
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft 365 Defender", + "id_level_1": 2.1, + "id_level_2": "2.1.2", + "title": "Ensure the Common Attachment Types Filter is enabled", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Blocks common dangerous file types from being received.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "defender.commonAttachmentFilterEnabled", + "remediation": "Enable common attachment filter in Microsoft 365 security settings.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Attachments", + "Malware" + ] +} diff --git a/engine/rules/2.1.3.json b/engine/rules/2.1.3.json new file mode 100644 index 00000000..ade49e2c --- /dev/null +++ b/engine/rules/2.1.3.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft 365 Defender", + "id_level_1": 2.1, + "id_level_2": "2.1.3", + "title": "Ensure notifications to internal users sending malware is Enabled", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Notifies senders if they attempt to send malware internally.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "defender.internalUserNotificationMalwareEnabled", + "remediation": "Enable malware notification to internal senders in security policies.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Notifications", + "Malware" + ] +} diff --git a/engine/rules/2.1.4.json b/engine/rules/2.1.4.json new file mode 100644 index 00000000..5e5876e1 --- /dev/null +++ b/engine/rules/2.1.4.json 
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft 365 Defender", + "id_level_1": 2.1, + "id_level_2": "2.1.4", + "title": "Ensure Safe Attachments policy is enabled", + "profile": "E5", + "level": "L1", + "status": "Automated", + "description": "Scans email attachments for malware before delivery.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "defender.safeAttachmentsPolicyEnabled", + "remediation": "Configure and enable Safe Attachments policy in Microsoft Defender.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "SafeAttachments", + "Malware" + ] +} diff --git a/engine/rules/2.1.5.json b/engine/rules/2.1.5.json new file mode 100644 index 00000000..cebf8367 --- /dev/null +++ b/engine/rules/2.1.5.json @@ -0,0 +1,23 @@ +{ + "product": "Microsoft 365 Defender", + "id_level_1": 2.1, + "id_level_2": "2.1.5", + "title": "Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled", + "profile": "E5", + "level": "L1", + "status": "Automated", + "description": "Extends Safe Attachments scanning to cloud storage and Teams content.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "defender.safeAttachmentsSPOTEnabled", + "remediation": "Enable Safe Attachments for SharePoint, OneDrive, and Teams in security settings.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "SafeAttachments", + "SharePoint", + "Teams" + ] +} diff --git a/engine/rules/2.1.6.json b/engine/rules/2.1.6.json new file mode 100644 index 00000000..ffd53989 --- /dev/null +++ b/engine/rules/2.1.6.json 
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft 365 Defender", + "id_level_1": 2.1, + "id_level_2": "2.1.6", + "title": "Ensure Exchange Online Spam Policies are set to notify administrators", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Configures spam policies to alert admins when spam is detected.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "defender.exchangeSpamNotifyAdmins", + "remediation": "Configure spam notification settings in Exchange Online Protection.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Spam", + "Exchange" + ] +} diff --git a/engine/rules/2.1.7.json b/engine/rules/2.1.7.json new file mode 100644 index 00000000..850c927b --- /dev/null +++ b/engine/rules/2.1.7.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft 365 Defender", + "id_level_1": 2.1, + "id_level_2": "2.1.7", + "title": "Ensure that an anti-phishing policy has been created", + "profile": "E5", + "level": "L2", + "status": "Manual", + "description": "Anti-phishing policies detect and block impersonation and phishing attempts.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "defender.antiPhishPolicyCreated", + "remediation": "Create anti-phishing policies in Microsoft 365 Security & Compliance center.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "AntiPhishing", + "Identity" + ] +} diff --git a/engine/rules/2.1.8.json b/engine/rules/2.1.8.json new file mode 100644 index 00000000..8629abad --- /dev/null +++ b/engine/rules/2.1.8.json 
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft 365 Defender", + "id_level_1": 2.1, + "id_level_2": "2.1.8", + "title": "Ensure that SPF records are published for all Exchange Domains", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "SPF prevents spoofed mail by specifying authorized sending servers.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "exchange.spfRecordsPublished", + "remediation": "Publish SPF DNS TXT records for all Exchange domains.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "SPF", + "DNS" + ] +} diff --git a/engine/rules/2.1.9.json b/engine/rules/2.1.9.json new file mode 100644 index 00000000..51ef91eb --- /dev/null +++ b/engine/rules/2.1.9.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft 365 Defender", + "id_level_1": 2.1, + "id_level_2": "2.1.9", + "title": "Ensure that DKIM is enabled for all Exchange Online Domains", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "DKIM adds a digital signature to verify sender identity.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "exchange.dkimEnabled", + "remediation": "Enable DKIM signing for all Exchange Online domains.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "DKIM", + "EmailAuth" + ] +} diff --git a/engine/rules/2.2.1.json b/engine/rules/2.2.1.json new file mode 100644 index 00000000..d14bcaea --- /dev/null +++ b/engine/rules/2.2.1.json 
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft 365 Defender", + "id_level_1": 2.2, + "id_level_2": "2.2.1", + "title": "Ensure emergency access account activity is monitored", + "profile": "E5", + "level": "L1", + "status": "Manual", + "description": "Monitors usage of emergency access accounts to detect abuse.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "cloudApps.emergencyAccessMonitored", + "remediation": "Configure monitoring for emergency access accounts in Defender for Cloud Apps.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "EmergencyAccess", + "Monitoring" + ] +} diff --git a/engine/rules/2.4.1.json b/engine/rules/2.4.1.json new file mode 100644 index 00000000..bf32db14 --- /dev/null +++ b/engine/rules/2.4.1.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft 365 Defender", + "id_level_1": 2.4, + "id_level_2": "2.4.1", + "title": "Ensure Priority account protection is enabled and configured", + "profile": "E5", + "level": "L1", + "status": "Automated", + "description": "Provides enhanced protection for high-value accounts.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "system.priorityAccountProtectionEnabled", + "remediation": "Enable Priority Account Protection in Microsoft Defender.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "PriorityAccount", + "Identity" + ] +} diff --git a/engine/rules/2.4.2.json b/engine/rules/2.4.2.json new file mode 100644 index 00000000..840c38ad --- /dev/null +++ b/engine/rules/2.4.2.json 
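Review bot: the evaluation-path namespaces in this commit are inconsistent for the same product: 2.4.1 uses `system.priorityAccountProtectionEnabled`, 2.1.6 uses `defender.exchangeSpamNotifyAdmins` and 2.2.1 uses `cloudApps.emergencyAccessMonitored`, all under `"product": "Microsoft 365 Defender"`. The collector has to produce exactly these roots, so three spellings for one product triples the chance of a silent key miss that shows up as a fail for every tenant. Agree on one root per product (e.g. `defender.` for everything in section 2) before more rules are written against them.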
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft 365 Defender", + "id_level_1": 2.4, + "id_level_2": "2.4.2", + "title": "Ensure Priority accounts have 'Strict protection' presets applied", + "profile": "E5", + "level": "L1", + "status": "Automated", + "description": "Applies stricter security settings to priority accounts.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "system.priorityAccountStrictProtectionApplied", + "remediation": "Apply strict protection presets to all priority accounts.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "PriorityAccount", + "Identity" + ] +} diff --git a/engine/rules/2.4.3.json b/engine/rules/2.4.3.json new file mode 100644 index 00000000..e7dec073 --- /dev/null +++ b/engine/rules/2.4.3.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft 365 Defender", + "id_level_1": 2.4, + "id_level_2": "2.4.3", + "title": "Ensure Microsoft Defender for Cloud Apps is enabled and configured", + "profile": "E5", + "level": "L1", + "status": "Manual", + "description": "Activates Defender for Cloud Apps for monitoring and control.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "system.defenderCloudAppsEnabled", + "remediation": "Enable and configure Defender for Cloud Apps in Microsoft 365 Security portal.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "CloudApps", + "CASB" + ] +} diff --git a/engine/rules/2.4.4.json b/engine/rules/2.4.4.json new file mode 100644 index 00000000..33447968 --- /dev/null +++ b/engine/rules/2.4.4.json 
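Review bot: 2.4.2 asserts strict protection is applied to "all priority accounts", which is vacuously true for a tenant that has designated no priority accounts at all — presumably the collector returns TRUE when the set it iterates is empty. The rule should not pass in that case; either make the collector return FALSE when zero priority accounts exist, or document the dependency so readers check 2.4.1 first, e.g. `"description": "Every designated priority account has the Strict protection preset; fails if no priority accounts are designated."`.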
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft 365 Defender", + "id_level_1": 2.4, + "id_level_2": "2.4.4", + "title": "Ensure Zero-hour auto purge for Microsoft Teams is on", + "profile": "E5", + "level": "L1", + "status": "Automated", + "description": "Automatically removes suspected phishing/malware messages from Teams chats.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "system.zeroHourAutoPurgeTeamsEnabled", + "remediation": "Enable Zero-hour auto purge in Microsoft Teams security settings.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Teams", + "Malware" + ] +} diff --git a/engine/rules/3.1.1.json b/engine/rules/3.1.1.json new file mode 100644 index 00000000..ca3dec99 --- /dev/null +++ b/engine/rules/3.1.1.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft Purview", + "id_level_1": 3.1, + "id_level_2": "3.1.1", + "title": "Ensure Microsoft 365 audit log search is Enabled", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Enables centralized logging and search capabilities for compliance and security investigations.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "purview.auditLogSearchEnabled", + "remediation": "Enable Microsoft 365 audit log search in the Purview compliance portal.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Audit", + "Logging" + ] +} diff --git a/engine/rules/3.2.1.json b/engine/rules/3.2.1.json new file mode 100644 index 00000000..110db8a9 --- /dev/null +++ b/engine/rules/3.2.1.json 
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft Purview", + "id_level_1": 3.2, + "id_level_2": "3.2.1", + "title": "Ensure DLP policies are enabled", + "profile": "E3 E5", + "level": "L1", + "status": "Manual", + "description": "Data Loss Prevention policies monitor and restrict sharing of sensitive content.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "purview.dlpPoliciesEnabled", + "remediation": "Create and enable DLP policies in Purview to protect sensitive information.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "DLP", + "DataProtection" + ] +} diff --git a/engine/rules/3.2.2.json b/engine/rules/3.2.2.json new file mode 100644 index 00000000..10c12aae --- /dev/null +++ b/engine/rules/3.2.2.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft Purview", + "id_level_1": 3.2, + "id_level_2": "3.2.2", + "title": "Ensure DLP policies are enabled for Microsoft Teams", + "profile": "E5", + "level": "L1", + "status": "Automated", + "description": "Extends DLP protections to chats and files shared in Microsoft Teams.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "purview.dlpPoliciesTeamsEnabled", + "remediation": "Enable DLP policies for Teams in Purview compliance portal.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "DLP", + "Teams" + ] +} diff --git a/engine/rules/3.3.1.json b/engine/rules/3.3.1.json new file mode 100644 index 00000000..eef29517 --- /dev/null +++ b/engine/rules/3.3.1.json 
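Review bot: 3.2.2 is `"status": "Automated"` via `purview.dlpPoliciesTeamsEnabled`, while its parent 3.2.1 uses the parallel path `purview.dlpPoliciesEnabled` but is `"status": "Manual"`; if the collector can enumerate DLP policies and their Teams workload it can equally tell whether any policy is enabled, so the two should agree. Also worth pinning in the description whether "enabled" means policies in enforce mode only — a policy in test/simulation mode presumably reports as enabled but blocks nothing — e.g. `"description": "At least one DLP policy covering Teams chats/files is in enforce (not test) mode."`.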
@@ -0,0 +1,22 @@
+{
+ "product": "Microsoft Purview",
+ "id_level_1": 3.3,
+ "id_level_2": "3.3.1",
+ "title": "Ensure Information Protection sensitivity label policies are published",
+ "profile": "E3 E5",
+ "level": "L1",
+ "status": "Manual",
+ "description": "Publishes sensitivity label policies to classify and protect documents and emails.",
+ "expected_value": "TRUE",
+ "comparison": "equals",
+ "evaluation_path": "purview.sensitivityLabelPoliciesPublished",
+ "remediation": "Publish sensitivity label policies in Purview compliance portal.",
+ "risk": "High",
+ "impact": "",
+ "likelihood": "",
+ "risk_level": "",
+ "tags": [
+ "SensitivityLabels",
+ "DataProtection"
+ ]
+}
diff --git a/engine/rules/5.1.1.json b/engine/rules/5.1.1.json
new file mode 100644
index 00000000..63aa413d
--- /dev/null
+++ b/engine/rules/5.1.1.json
@@ -0,0 +1,19 @@
+{
+ "product": "Microsoft Entra admin center",
+ "id_level_1": 5.1,
+ "id_level_2": "5.1.1",
+ "title": "Overview",
+ "profile": "nan",
+ "level": "nan",
+ "status": "nan",
+ "description": "nan",
+ "expected_value": "",
+ "comparison": "nan",
+ "evaluation_path": "nan",
+ "remediation": "nan",
+ "risk": "nan",
+ "impact": "",
+ "likelihood": "",
+ "risk_level": "",
+ "tags": []
+}
diff --git a/engine/rules/5.1.2.json b/engine/rules/5.1.2.json
new file mode 100644
index 00000000..39edfd93
--- /dev/null
+++ b/engine/rules/5.1.2.json
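Review bot: 5.1.1 is a section heading ("Overview") exported as a rule, with the literal string `"nan"` in `profile`, `level`, `status`, `comparison`, `evaluation_path`, `remediation` and `risk` — a pandas NaN stringified on export. Loaded like any other rule, `"evaluation_path": "nan"` looks up a key that never exists and `"comparison": "nan"` is not an operator, so the engine will either raise or emit a spurious finding in every report. Drop heading rows at export time (or skip rules whose `comparison`/`evaluation_path` is `"nan"` or empty on load) and use JSON `null` rather than `"nan"` for genuinely missing fields. The same applies to 5.1.4, 5.1.7 and 5.2.1 in this commit.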
@@ -0,0 +1,21 @@ +{ + "product": "Microsoft Entra admin center", + "id_level_1": 5.1, + "id_level_2": "5.1.2", + "title": "Ensure 'LinkedIn account connections' is disabled", + "profile": "E3 E5", + "level": "L2", + "status": "Manual", + "description": "Disables LinkedIn connections integration to reduce data exposure.", + "expected_value": "FALSE", + "comparison": "equals", + "evaluation_path": "entra.linkedInAccountConnectionsEnabled", + "remediation": "Turn off LinkedIn account connections in User settings.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Privacy" + ] +} diff --git a/engine/rules/5.1.3.json b/engine/rules/5.1.3.json new file mode 100644 index 00000000..7bf78b97 --- /dev/null +++ b/engine/rules/5.1.3.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft Entra admin center", + "id_level_1": 5.1, + "id_level_2": "5.1.3", + "title": "Ensure a dynamic group for guest users is created", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Maintains a dynamic group containing all guests for easier targeting of policies and reviews.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "entra.dynamicGroupGuestsExists", + "remediation": "Create a dynamic group with rule “(user.userType -eq 'Guest')”.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Guests", + "Groups" + ] +} diff --git a/engine/rules/5.1.4.json b/engine/rules/5.1.4.json new file mode 100644 index 00000000..f673656c --- /dev/null +++ b/engine/rules/5.1.4.json @@ -0,0 +1,19 @@ +{ + "product": "Microsoft Entra admin center", + "id_level_1": 5.1, + "id_level_2": "5.1.4", + "title": "Devices", + "profile": "nan", + "level": "nan", + "status": "nan", + "description": "nan", + "expected_value": "", + "comparison": "nan", + "evaluation_path": "nan", + "remediation": "nan", + "risk": "nan", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [] +} 
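Review bot: the remediation in 5.1.3 wraps the membership rule in typographic quotes, `“(user.userType -eq 'Guest')”`, which an admin copying from a report will paste as-is; the curly characters are not the straight quotes the expression syntax expects and the pasted rule will be rejected or, worse, silently edited by hand. Use plain ASCII quotes and keep the expression quotable: `"remediation": "Create a dynamic group with membership rule (user.userType -eq 'Guest')."`. Worth a sweep for U+201C/U+201D elsewhere in the exported set (5.1.6 and 5.2.4 have the same characters).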
diff --git a/engine/rules/5.1.5.json b/engine/rules/5.1.5.json new file mode 100644 index 00000000..d284cfc7 --- /dev/null +++ b/engine/rules/5.1.5.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft Entra admin center", + "id_level_1": 5.1, + "id_level_2": "5.1.5", + "title": "Ensure the admin consent workflow is enabled", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Enables admin consent workflow so users can request app access securely.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "entra.adminConsentWorkflowEnabled", + "remediation": "Turn on admin consent workflow and designate reviewers.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Apps", + "Consent" + ] +} diff --git a/engine/rules/5.1.6.json b/engine/rules/5.1.6.json new file mode 100644 index 00000000..b7f35fe9 --- /dev/null +++ b/engine/rules/5.1.6.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft Entra admin center", + "id_level_1": 5.1, + "id_level_2": "5.1.6", + "title": "Ensure guest user invitations are limited to the Guest Inviter role", + "profile": "E3 E5", + "level": "L2", + "status": "Automated", + "description": "Only users in Guest Inviter (or designated roles) can invite guests.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "entra.guestInvitationRoleLimited", + "remediation": "Limit guest invitation permissions to “Guest Inviter” or specific roles/groups.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Guests", + "Governance" + ] +} diff --git a/engine/rules/5.1.7.json b/engine/rules/5.1.7.json new file mode 100644 index 00000000..8c166ee8 --- /dev/null +++ b/engine/rules/5.1.7.json 
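Review bot: the description of 5.1.5, `"Enables admin consent workflow so users can request app access securely."`, presents the workflow as a control in itself, but it only has effect when users are not permitted to consent to applications themselves — with user consent still open, nobody ever needs to request anything, and a tenant in that state passes this rule. Either record the dependency in the rule, e.g. `"description": "Admin consent workflow is enabled; only meaningful when user consent to applications is restricted by the separate consent-settings control."`, or have the collector expose the user-consent setting next to `entra.adminConsentWorkflowEnabled` so the engine can correlate the two. I can't see from this diff whether a user-consent rule exists elsewhere in the set.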
@@ -0,0 +1,19 @@ +{ + "product": "Microsoft Entra admin center", + "id_level_1": 5.1, + "id_level_2": "5.1.7", + "title": "User experiences", + "profile": "nan", + "level": "nan", + "status": "nan", + "description": "nan", + "expected_value": "", + "comparison": "nan", + "evaluation_path": "nan", + "remediation": "nan", + "risk": "nan", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [] +} diff --git a/engine/rules/5.1.8.json b/engine/rules/5.1.8.json new file mode 100644 index 00000000..9ab47742 --- /dev/null +++ b/engine/rules/5.1.8.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft Entra admin center", + "id_level_1": 5.1, + "id_level_2": "5.1.8", + "title": "Ensure that password hash sync is enabled for hybrid deployments", + "profile": "E3 E5", + "level": "L1", + "status": "Manual", + "description": "Enables PHS for resilient hybrid authentication and risk evaluation.", + "expected_value": true, + "comparison": "equals", + "evaluation_path": "entra.passwordHashSyncEnabled", + "remediation": "Enable Password Hash Synchronization (or document equivalent secure sign-in approach).", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Hybrid", + "Auth" + ] +} diff --git a/engine/rules/5.2.1.json b/engine/rules/5.2.1.json new file mode 100644 index 00000000..5dd59f23 --- /dev/null +++ b/engine/rules/5.2.1.json @@ -0,0 +1,19 @@ +{ + "product": "Microsoft Entra admin center", + "id_level_1": 5.2, + "id_level_2": "5.2.1", + "title": "Identity Protection", + "profile": "nan", + "level": "nan", + "status": "nan", + "description": "nan", + "expected_value": "", + "comparison": "nan", + "evaluation_path": "nan", + "remediation": "nan", + "risk": "nan", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [] +} diff --git a/engine/rules/5.2.2.3.json b/engine/rules/5.2.2.3.json new file mode 100644 index 00000000..0a425e7d --- /dev/null +++ b/engine/rules/5.2.2.3.json 
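Review bot: 5.1.8 uses the JSON boolean `"expected_value": true` where every other rule in this commit uses the string `"TRUE"`, so a strict `equals` treats this one rule differently from the rest depending on the type the collector emits for `entra.passwordHashSyncEnabled`. Normalise to one encoding — `"expected_value": "TRUE"` to match the set, or convert the whole set to booleans in one pass. Separately, the title scopes this to hybrid deployments and the remediation allows an "equivalent secure sign-in approach", yet a cloud-only tenant with no directory sync will presumably evaluate to FALSE and show as failing; the description should state that the control is not applicable when no on-premises directory is synchronised.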
@@ -0,0 +1,21 @@
+{
+ "product": "Microsoft Entra admin center",
+ "id_level_1": 5.2,
+ "id_level_2": "5.2.2.3",
+ "title": "Enable Conditional Access policies to block legacy authentication",
+ "profile": "E3 E5",
+ "level": "L1",
+ "status": "Automated",
+ "description": "Ensure Conditional Access policies are configured to block all legacy authentication protocols to prevent attacks that bypass MFA.",
+ "expected_value": "Legacy authentication blocked",
+ "comparison": "equals",
+ "evaluation_path": "user.conditional_access.policies.block_legacy_auth",
+ "remediation": "Configure a Conditional Access policy in Microsoft Entra ID that targets all users and resources, blocks Exchange ActiveSync and other legacy clients, and excludes only documented break-glass accounts.",
+ "risk": "High",
+ "tags": [
+ "ConditionalAccess",
+ "LegacyAuth",
+ "Authentication",
+ "MFA"
+ ]
+}
diff --git a/engine/rules/5.2.2.json b/engine/rules/5.2.2.json
new file mode 100644
index 00000000..65256f81
--- /dev/null
+++ b/engine/rules/5.2.2.json
@@ -0,0 +1,22 @@
+{
+ "product": "Microsoft Entra admin center",
+ "id_level_1": 5.2,
+ "id_level_2": "5.2.2",
+ "title": "Ensure the device code sign-in flow is blocked",
+ "profile": "E3 E5",
+ "level": "L1",
+ "status": "Automated",
+ "description": "Blocks device code flow to reduce phishing/device compromise paths.",
+ "expected_value": "TRUE",
+ "comparison": "equals",
+ "evaluation_path": "entra.ca.blockDeviceCodeFlow",
+ "remediation": "Conditional Access authentication flows: disable device code flow.",
+ "risk": "Medium",
+ "impact": "",
+ "likelihood": "",
+ "risk_level": "",
+ "tags": [
+ "CA",
+ "AuthFlow"
+ ]
+}
diff --git a/engine/rules/5.2.3.json b/engine/rules/5.2.3.json
new file mode 100644
index 00000000..03a83e1e
--- /dev/null
+++ b/engine/rules/5.2.3.json
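Review bot: 5.2.2.3 does not follow the schema every other rule in this commit uses: its `id_level_2` has four components against the three-part filenames elsewhere, it omits the `impact`, `likelihood` and `risk_level` keys, its path is snake_case under a `user.` root (`user.conditional_access.policies.block_legacy_auth`) where the neighbouring rule uses `entra.ca.blockDeviceCodeFlow`, and its `expected_value` is the free-text phrase `"Legacy authentication blocked"` that a collector would have to emit verbatim for `equals` to ever match. A loader that assumes a fixed key set will break on this file, and the free-text expectation can never equal a boolean, so this high-risk control would report as failing regardless of tenant state. It reads as hand-written rather than exported; bring it in line with `"evaluation_path": "entra.ca.blockLegacyAuth"`, `"expected_value": "TRUE"`, the three missing keys as `""`, and a three-part id agreed with the benchmark numbering.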
@@ -0,0 +1,21 @@ +{ + "product": "Microsoft Entra admin center", + "id_level_1": 5.2, + "id_level_2": "5.2.3", + "title": "Ensure system-preferred multifactor authentication is enabled", + "profile": "E3 E5", + "level": "L1", + "status": "Manual", + "description": "Uses system‑preferred MFA to automatically choose strongest available factor.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "entra.authMethods.systemPreferredMfa", + "remediation": "Enable system‑preferred MFA in Authentication Methods policy.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "MFA" + ] +} diff --git a/engine/rules/5.2.4.json b/engine/rules/5.2.4.json new file mode 100644 index 00000000..2b4ff16d --- /dev/null +++ b/engine/rules/5.2.4.json @@ -0,0 +1,21 @@ +{ + "product": "Microsoft Entra admin center", + "id_level_1": 5.2, + "id_level_2": "5.2.4", + "title": "Ensure 'Self service password reset enabled' is set to 'All'", + "profile": "E3 E5", + "level": "L1", + "status": "Manual", + "description": "Enables SSPR for all users.", + "expected_value": "All", + "comparison": "equals", + "evaluation_path": "entra.ssprScope", + "remediation": "Set SSPR “Enabled” scope to All.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "SSPR" + ] +} diff --git a/engine/rules/5.3.1.json b/engine/rules/5.3.1.json new file mode 100644 index 00000000..b5300b58 --- /dev/null +++ b/engine/rules/5.3.1.json 
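Review bot: the `description` and `remediation` of 5.2.3 contain U+2011 (non-breaking hyphen) in `system‑preferred` instead of the ASCII `-`; it renders identically but defeats grep, text search in reports and any deduplication keyed on the string, and 5.3.1's `time‑bound` has the same character. Replace with the plain hyphen: `"description": "Uses system-preferred MFA to automatically choose strongest available factor."` and `"remediation": "Enable system-preferred MFA in Authentication Methods policy."`. A quick non-ASCII sweep over `engine/rules/` before merge would catch the rest.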
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft Entra admin center", + "id_level_1": 5.3, + "id_level_2": "5.3.1", + "title": "Ensure 'Privileged Identity Management' is used to manage roles", + "profile": "E5", + "level": "L2", + "status": "Automated", + "description": "Uses PIM for time‑bound/elevated access and approvals/auditing.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "entra.pimUsedForRoles", + "remediation": "Enable PIM; convert permanent assignments to eligible; configure approvals/notifications.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "PIM", + "LeastPrivilege" + ] +} diff --git a/engine/rules/5.3.2.json b/engine/rules/5.3.2.json new file mode 100644 index 00000000..ae9afae9 --- /dev/null +++ b/engine/rules/5.3.2.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft Entra admin center", + "id_level_1": 5.3, + "id_level_2": "5.3.2", + "title": "Ensure 'Access reviews' for Guest Users are configured", + "profile": "E5", + "level": "L1", + "status": "Automated", + "description": "Periodic reviews of guest user access.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "entra.accessReviews.guestsConfigured", + "remediation": "Create recurring access reviews targeting guest users/dynamic guest group.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "AccessReviews", + "Guests" + ] +} diff --git a/engine/rules/5.3.3.json b/engine/rules/5.3.3.json new file mode 100644 index 00000000..7f4d7567 --- /dev/null +++ b/engine/rules/5.3.3.json 
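Review bot: `entra.pimUsedForRoles` compared to `"TRUE"` passes a tenant where PIM exists and has one eligible assignment while Global Administrator stays permanently active for everyone else — yet the rule's own remediation says to "convert permanent assignments to eligible". The measurable state is the number of permanent active assignments on privileged roles (zero, or only documented break-glass accounts), not whether PIM is "used". Consider `"evaluation_path": "entra.pim.permanentPrivilegedAssignments"` with `"expected_value": 0`, or document that the collector sets `pimUsedForRoles` only when no non-exempt permanent assignment remains.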
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft Entra admin center", + "id_level_1": 5.3, + "id_level_2": "5.3.3", + "title": "Ensure 'Access reviews' for privileged roles are configured", + "profile": "E5", + "level": "L1", + "status": "Automated", + "description": "Periodic reviews of users with privileged roles.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "entra.accessReviews.privilegedConfigured", + "remediation": "Create recurring access reviews for admin roles/groups.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "AccessReviews", + "Privileged" + ] +} diff --git a/engine/rules/5.3.4.json b/engine/rules/5.3.4.json new file mode 100644 index 00000000..ea9e2585 --- /dev/null +++ b/engine/rules/5.3.4.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft Entra admin center", + "id_level_1": 5.3, + "id_level_2": "5.3.4", + "title": "Ensure approval is required for Global Administrator role activation", + "profile": "E5", + "level": "L1", + "status": "Manual", + "description": "Requires approval before GA role elevation (PIM).", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "entra.pim.gaActivationRequiresApproval", + "remediation": "In PIM, require approval for GA activation and assign approvers.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "PIM", + "Approvals" + ] +} diff --git a/engine/rules/5.3.5.json b/engine/rules/5.3.5.json new file mode 100644 index 00000000..2090dcf7 --- /dev/null +++ b/engine/rules/5.3.5.json 
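Review bot: 5.3.4 checks only that approval is required (`entra.pim.gaActivationRequiresApproval`), not that a valid approver set exists; the remediation says "assign approvers", but a role setting with approval switched on and no approvers — or with the eligible users themselves as approvers — would still read TRUE. If the collector can read the approver list, expose it (e.g. `entra.pim.gaActivationApproverCount` with a minimum), and otherwise note the gap in the description: `"description": "Requires approval before GA role elevation (PIM); presence of suitable approvers must be verified manually."`. 5.3.5 has the same shape.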
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft Entra admin center", + "id_level_1": 5.3, + "id_level_2": "5.3.5", + "title": "Ensure approval is required for Privileged Role Administrator activation", + "profile": "E5", + "level": "L1", + "status": "Manual", + "description": "Requires approval before PRA role elevation (PIM).", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "entra.pim.praActivationRequiresApproval", + "remediation": "In PIM, require approval for PRA activation and assign approvers.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "PIM", + "Approvals" + ] +} diff --git a/engine/rules/6.1.1.json b/engine/rules/6.1.1.json new file mode 100644 index 00000000..151f46fe --- /dev/null +++ b/engine/rules/6.1.1.json @@ -0,0 +1,22 @@ +{ + "product": "Exchange admin center", + "id_level_1": 6.1, + "id_level_2": "6.1.1", + "title": "Ensure 'AuditDisabled' organizationally is set to 'False'", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Ensures mailbox audit logging is not globally disabled.", + "expected_value": "FALSE", + "comparison": "equals", + "evaluation_path": "exchange.auditDisabled", + "remediation": "Set `AuditDisabled` to False in Exchange Online organization config.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Audit", + "Logging" + ] +} diff --git a/engine/rules/6.1.2.json b/engine/rules/6.1.2.json new file mode 100644 index 00000000..96e71f67 --- /dev/null +++ b/engine/rules/6.1.2.json 
@@ -0,0 +1,22 @@ +{ + "product": "Exchange admin center", + "id_level_1": 6.1, + "id_level_2": "6.1.2", + "title": "Ensure mailbox audit actions are configured", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Configures mailbox actions to log for owner/delegate/admin access.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "exchange.mailboxAuditActionsConfigured", + "remediation": "Configure mailbox audit log actions in Exchange Online.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Audit", + "Logging" + ] +} diff --git a/engine/rules/6.1.3.json b/engine/rules/6.1.3.json new file mode 100644 index 00000000..679bab44 --- /dev/null +++ b/engine/rules/6.1.3.json @@ -0,0 +1,22 @@ +{ + "product": "Exchange admin center", + "id_level_1": 6.1, + "id_level_2": "6.1.3", + "title": "Ensure 'AuditBypassEnabled' is not enabled on mailboxes", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Prevents bypassing mailbox audit logging.", + "expected_value": "FALSE", + "comparison": "equals", + "evaluation_path": "exchange.auditBypassEnabled", + "remediation": "Ensure `AuditBypassEnabled` is False for all mailboxes.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Audit", + "Logging" + ] +} diff --git a/engine/rules/6.2.1.json b/engine/rules/6.2.1.json new file mode 100644 index 00000000..532a4926 --- /dev/null +++ b/engine/rules/6.2.1.json 
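Review bot: `exchange.auditBypassEnabled` in 6.1.3 is a single tenant-wide boolean, but `AuditBypassEnabled` is a per-mailbox/per-account property and the remediation says "for all mailboxes", so the pass condition is "no mailbox has bypass set" — an any/all aggregation the rule cannot express and the collector must get right, including pagination over every mailbox. One service account with bypass enabled is exactly the blind spot this control exists to find. State the semantics in the rule, e.g. `"description": "No mailbox or account has AuditBypassEnabled set (collector must evaluate every mailbox)."`, and consider emitting the offending mailboxes so the finding is actionable.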
@@ -0,0 +1,22 @@ +{ + "product": "Exchange admin center", + "id_level_1": 6.2, + "id_level_2": "6.2.1", + "title": "Ensure all forms of mail forwarding are blocked and/or disabled", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Prevents automatic forwarding to external recipients.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "exchange.mailForwardingDisabled", + "remediation": "Disable mail forwarding in transport rules and mailbox settings.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "MailFlow", + "DataLeak" + ] +} diff --git a/engine/rules/6.2.2.json b/engine/rules/6.2.2.json new file mode 100644 index 00000000..d74218ee --- /dev/null +++ b/engine/rules/6.2.2.json @@ -0,0 +1,22 @@ +{ + "product": "Exchange admin center", + "id_level_1": 6.2, + "id_level_2": "6.2.2", + "title": "Ensure mail transport rules do not whitelist specific domains", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Prevents bypassing spam/malware filters by whitelisting domains.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "exchange.transportRulesNoWhitelist", + "remediation": "Remove domain whitelist conditions from transport rules.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "MailFlow", + "Filtering" + ] +} diff --git a/engine/rules/6.2.3.json b/engine/rules/6.2.3.json new file mode 100644 index 00000000..227dc73c --- /dev/null +++ b/engine/rules/6.2.3.json 
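Review bot: 6.2.1 collapses "all forms of mail forwarding" into the single boolean `exchange.mailForwardingDisabled`, but the remediation already names two independent mechanisms (transport rules and mailbox settings) and the title implies more; if the collector inspects only the outbound spam policy, a mailbox-level forwarding address or a user inbox rule forwarding externally still passes. Either list what TRUE asserts in the description, or split into per-mechanism paths (e.g. `exchange.autoForwardPolicyBlocked`, `exchange.mailboxForwardingDisabled`, `exchange.transportRuleForwardingBlocked`) that each compare to `"TRUE"`. A partial check here gives false assurance against a common business-email-compromise persistence technique.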
@@ -0,0 +1,22 @@ +{ + "product": "Exchange admin center", + "id_level_1": 6.2, + "id_level_2": "6.2.3", + "title": "Ensure email from external senders is identified", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Adds an external sender warning tag to emails.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "exchange.externalSenderIdentification", + "remediation": "Enable external sender identification in Exchange Online.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "MailFlow", + "Awareness" + ] +} diff --git a/engine/rules/6.3.1.json b/engine/rules/6.3.1.json new file mode 100644 index 00000000..a6a469ea --- /dev/null +++ b/engine/rules/6.3.1.json @@ -0,0 +1,22 @@ +{ + "product": "Exchange admin center", + "id_level_1": 6.3, + "id_level_2": "6.3.1", + "title": "Ensure users installing Outlook add-ins is not allowed", + "profile": "E3 E5", + "level": "L2", + "status": "Automated", + "description": "Prevents users from installing add-ins that may introduce vulnerabilities.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "exchange.blockOutlookAddIns", + "remediation": "Restrict add-in installation via Outlook settings or admin controls.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Outlook", + "AddIns" + ] +} diff --git a/engine/rules/6.5.1.json b/engine/rules/6.5.1.json new file mode 100644 index 00000000..59b817b0 --- /dev/null +++ b/engine/rules/6.5.1.json 
@@ -0,0 +1,22 @@ +{ + "product": "Exchange admin center", + "id_level_1": 6.5, + "id_level_2": "6.5.1", + "title": "Ensure modern authentication for Exchange Online is enabled", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Enables modern authentication to replace legacy/basic auth protocols.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "exchange.modernAuthEnabled", + "remediation": "Enable modern authentication in Exchange Online organization settings.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Auth", + "ModernAuth" + ] +} diff --git a/engine/rules/6.5.2.json b/engine/rules/6.5.2.json new file mode 100644 index 00000000..17dc58b6 --- /dev/null +++ b/engine/rules/6.5.2.json @@ -0,0 +1,21 @@ +{ + "product": "Exchange admin center", + "id_level_1": 6.5, + "id_level_2": "6.5.2", + "title": "Ensure MailTips are enabled for end users", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Provides MailTips warnings to help avoid misdirected messages.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "exchange.mailTipsEnabled", + "remediation": "Enable MailTips in Exchange Online organization config.", + "risk": "Low", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Awareness" + ] +} diff --git a/engine/rules/6.5.3.json b/engine/rules/6.5.3.json new file mode 100644 index 00000000..9331ffcc --- /dev/null +++ b/engine/rules/6.5.3.json 
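Review bot: the description of 6.5.1, `"Enables modern authentication to replace legacy/basic auth protocols."`, implies that turning modern auth on removes basic auth; it does not — legacy protocols remain reachable until blocked separately (SMTP AUTH in 6.5.4, the Conditional Access legacy-auth block in 5.2.2.3). A reader could treat a pass here as "basic auth is gone". Reword to `"description": "Enables modern (OAuth) authentication for Exchange Online clients; legacy/basic authentication must be blocked by separate controls."` so the rule does not overclaim.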
@@ -0,0 +1,22 @@ +{ + "product": "Exchange admin center", + "id_level_1": 6.5, + "id_level_2": "6.5.3", + "title": "Ensure additional storage providers are restricted in Outlook on the web", + "profile": "E3 E5", + "level": "L2", + "status": "Automated", + "description": "Prevents use of external storage providers that may bypass security controls.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "exchange.restrictExternalStorageProviders", + "remediation": "Restrict additional storage providers via OWA mailbox policies.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Outlook", + "DataLeak" + ] +} diff --git a/engine/rules/6.5.4.json b/engine/rules/6.5.4.json new file mode 100644 index 00000000..467272b0 --- /dev/null +++ b/engine/rules/6.5.4.json @@ -0,0 +1,22 @@ +{ + "product": "Exchange admin center", + "id_level_1": 6.5, + "id_level_2": "6.5.4", + "title": "Ensure SMTP AUTH is disabled", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Disables SMTP AUTH protocol unless specifically required.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "exchange.smtpAuthDisabled", + "remediation": "Disable SMTP AUTH in tenant settings; enable only for approved accounts.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Auth", + "LegacyAuth" + ] +} diff --git a/engine/rules/7.2.1.json b/engine/rules/7.2.1.json new file mode 100644 index 00000000..8bf6c0a2 --- /dev/null +++ b/engine/rules/7.2.1.json 
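Review bot: 6.5.4's remediation explicitly allows per-account exceptions ("enable only for approved accounts"), but `exchange.smtpAuthDisabled` as one boolean can only report the tenant-level default — the mailboxes that override it are the actual attack surface, and a tenant-level TRUE says nothing about how many exceptions exist. Have the collector also emit the count or list of mailboxes with SMTP AUTH enabled so exceptions can be reconciled against an approved list, and say in the description that the tenant setting is only a default. I can't tell from this diff whether the collector already looks at mailbox-level settings.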
@@ -0,0 +1,22 @@ +{ + "product": "SharePoint admin center", + "id_level_1": 7.2, + "id_level_2": "7.2.1", + "title": "Ensure modern authentication for SharePoint applications is required", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Requires modern authentication to block basic auth access to SharePoint.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "sharepoint.modernAuthRequired", + "remediation": "Enable modern auth for SharePoint in tenant settings.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Auth", + "ModernAuth" + ] +} diff --git a/engine/rules/7.2.10.json b/engine/rules/7.2.10.json new file mode 100644 index 00000000..1b813f11 --- /dev/null +++ b/engine/rules/7.2.10.json @@ -0,0 +1,22 @@ +{ + "product": "SharePoint admin center", + "id_level_1": 7.2, + "id_level_2": "7.2.10", + "title": "Ensure reauthentication with verification code is restricted", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Requires reauth with verification code only when appropriate.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "sharepoint.reauthVerificationCodeRestricted", + "remediation": "Configure reauth restrictions for verification codes in SharePoint admin center.", + "risk": "Low", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Auth", + "Reauth" + ] +} diff --git a/engine/rules/7.2.11.json b/engine/rules/7.2.11.json new file mode 100644 index 00000000..77e05132 --- /dev/null +++ b/engine/rules/7.2.11.json 
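Review bot: the description of 7.2.10, `"Requires reauth with verification code only when appropriate."`, does not say what `sharepoint.reauthVerificationCodeRestricted` being TRUE asserts — "appropriate" is not a testable condition — so neither an auditor reading a finding nor whoever implements the collector can tell what state is required. The description should name the concrete setting and threshold checked (how often users who authenticate with a one-time email code must re-verify), and the remediation should name the setting to change instead of "configure reauth restrictions". The wording has to come from whoever implements the path; I can't recover it from this diff.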
@@ -0,0 +1,22 @@ +{ + "product": "SharePoint admin center", + "id_level_1": 7.2, + "id_level_2": "7.2.11", + "title": "Ensure the SharePoint default sharing link permission is set", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Sets default sharing link permission to least privilege.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "sharepoint.defaultSharingLinkPermissionSet", + "remediation": "Configure default sharing link permission in SharePoint admin center.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Sharing", + "External" + ] +} diff --git a/engine/rules/7.2.2.json b/engine/rules/7.2.2.json new file mode 100644 index 00000000..4af516ea --- /dev/null +++ b/engine/rules/7.2.2.json @@ -0,0 +1,22 @@ +{ + "product": "SharePoint admin center", + "id_level_1": 7.2, + "id_level_2": "7.2.2", + "title": "Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Enables secure B2B collaboration for SharePoint and OneDrive via Entra ID.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "sharepoint.azureAdB2BIntegrationEnabled", + "remediation": "Enable Azure AD B2B integration in SharePoint admin settings.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "B2B", + "Collaboration" + ] +} diff --git a/engine/rules/7.2.3.json b/engine/rules/7.2.3.json new file mode 100644 index 00000000..3a77327d --- /dev/null +++ b/engine/rules/7.2.3.json 
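Review bot: 7.2.11 reduces the default sharing-link permission to `"expected_value": "TRUE"` on `sharepoint.defaultSharingLinkPermissionSet`, so the rule passes whenever the collector decides the permission "is set", and the value that makes this a least-privilege control (view vs. edit) is invisible in both the rule and the finding. Expose the value instead: `"evaluation_path": "sharepoint.defaultSharingLinkPermission"`, `"expected_value": "View"`, so the report shows the tenant's actual setting and a reviewer can change the expectation without touching collector code.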
@@ -0,0 +1,22 @@ +{ + "product": "SharePoint admin center", + "id_level_1": 7.2, + "id_level_2": "7.2.3", + "title": "Ensure external content sharing is restricted", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Restricts external sharing to approved levels (e.g., specific people).", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "sharepoint.externalSharingRestricted", + "remediation": "Configure external sharing settings for SharePoint to most restrictive necessary.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Sharing", + "External" + ] +} diff --git a/engine/rules/7.2.4.json b/engine/rules/7.2.4.json new file mode 100644 index 00000000..6c75aa13 --- /dev/null +++ b/engine/rules/7.2.4.json @@ -0,0 +1,22 @@ +{ + "product": "SharePoint admin center", + "id_level_1": 7.2, + "id_level_2": "7.2.4", + "title": "Ensure OneDrive content sharing is restricted", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Restricts OneDrive content sharing to approved levels.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "onedrive.contentSharingRestricted", + "remediation": "Configure OneDrive external sharing settings in admin center.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Sharing", + "External" + ] +} diff --git a/engine/rules/7.2.5.json b/engine/rules/7.2.5.json new file mode 100644 index 00000000..2522442a --- /dev/null +++ b/engine/rules/7.2.5.json 
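Review bot: `sharepoint.externalSharingRestricted` collapses a multi-valued sharing level into a yes/no decided inside the collector, so the rule file no longer records which level counts as compliant even though the description cites `specific people` as the example. Either have the collector emit the raw sharing level and compare it against an explicit accepted set (an `in`-style `comparison` with the accepted levels as `expected_value`, if the engine supports one), or document in the description exactly which levels the collector maps to TRUE. The sibling 7.2.4 rule on this line, `onedrive.contentSharingRestricted`, has the same gap.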
@@ -0,0 +1,22 @@ +{ + "product": "SharePoint admin center", + "id_level_1": 7.2, + "id_level_2": "7.2.5", + "title": "Ensure SharePoint guest users cannot share items they don't own", + "profile": "E3 E5", + "level": "L2", + "status": "Automated", + "description": "Prevents guest users from sharing files/folders they are not the owner of.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "sharepoint.guestsCannotShareNotOwned", + "remediation": "Disable sharing for guest users without ownership in SharePoint settings.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Sharing", + "Guests" + ] +} diff --git a/engine/rules/7.2.6.json b/engine/rules/7.2.6.json new file mode 100644 index 00000000..63b0a47b --- /dev/null +++ b/engine/rules/7.2.6.json @@ -0,0 +1,22 @@ +{ + "product": "SharePoint admin center", + "id_level_1": 7.2, + "id_level_2": "7.2.6", + "title": "Ensure SharePoint external sharing is managed through domain whitelist/blacklist", + "profile": "E3 E5", + "level": "L2", + "status": "Automated", + "description": "Controls external sharing using domain-based allow/block lists.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "sharepoint.externalDomainAllowBlockList", + "remediation": "Configure SharePoint domain restrictions for sharing.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Sharing", + "External" + ] +} diff --git a/engine/rules/7.2.7.json b/engine/rules/7.2.7.json new file mode 100644 index 00000000..286df79c --- /dev/null +++ b/engine/rules/7.2.7.json 
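Review bot: The title's `whitelist/blacklist` and the boolean `sharepoint.externalDomainAllowBlockList` treat an allow list and a block list as equivalent, but only an allow list of approved domains restricts sharing — a block list permits every domain not on it. If the collector can surface the configured mode, the rule should require the allow mode, e.g. `"evaluation_path": "sharepoint.externalDomainRestrictionMode"`, `"expected_value": "AllowList"`, with the description stating that a block list alone does not satisfy the control. Renaming the title to `allow list/block list` would also match the description's own wording.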
@@ -0,0 +1,22 @@ +{ + "product": "SharePoint admin center", + "id_level_1": 7.2, + "id_level_2": "7.2.7", + "title": "Ensure link sharing is restricted in SharePoint and OneDrive", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Limits link sharing to secure link types (e.g., specific people).", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "sharepoint.linkSharingRestricted", + "remediation": "Configure link sharing settings in SharePoint and OneDrive admin centers.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Sharing", + "External" + ] +} diff --git a/engine/rules/7.2.8.json b/engine/rules/7.2.8.json new file mode 100644 index 00000000..3b290f0b --- /dev/null +++ b/engine/rules/7.2.8.json @@ -0,0 +1,22 @@ +{ + "product": "SharePoint admin center", + "id_level_1": 7.2, + "id_level_2": "7.2.8", + "title": "Ensure external sharing is restricted by security group", + "profile": "E3 E5", + "level": "L2", + "status": "Manual", + "description": "Restricts sharing privileges to members of a designated security group.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "sharepoint.externalSharingBySecurityGroup", + "remediation": "Configure security group for sharing privileges in SharePoint admin center.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Sharing", + "Governance" + ] +} diff --git a/engine/rules/7.2.9.json b/engine/rules/7.2.9.json new file mode 100644 index 00000000..0aae0125 --- /dev/null +++ b/engine/rules/7.2.9.json 
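Review bot: 7.2.8 is marked `"status": "Manual"` yet still carries `"expected_value": "TRUE"`, `"comparison": "equals"` and `"evaluation_path": "sharepoint.externalSharingBySecurityGroup"`, so an engine that scores every rule with an evaluation path will evaluate this control automatically against a key no collector writes, and whether that yields fail or pass depends on how unresolved paths are handled — which the rule file does not say. For manual controls set `"evaluation_path": null` (or omit the three evaluation fields) and have the engine report a distinct manual verdict, so a reviewer can tell a real finding from a field the collector never populated. The same shape recurs in the other Manual rules of this commit (7.3.3, 8.4.1, most of 9.1.x).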
@@ -0,0 +1,22 @@ +{ + "product": "SharePoint admin center", + "id_level_1": 7.2, + "id_level_2": "7.2.9", + "title": "Ensure guest access to a site or OneDrive will expire automatically", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Sets expiration period for guest access to resources.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "sharepoint.guestAccessExpiryConfigured", + "remediation": "Configure expiration policy for guest access in SharePoint/OneDrive.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Guests", + "Governance" + ] +} diff --git a/engine/rules/7.3.1.json b/engine/rules/7.3.1.json new file mode 100644 index 00000000..3739476f --- /dev/null +++ b/engine/rules/7.3.1.json @@ -0,0 +1,22 @@ +{ + "product": "SharePoint admin center", + "id_level_1": 7.3, + "id_level_2": "7.3.1", + "title": "Ensure Office 365 SharePoint infected files are disallowed for download", + "profile": "E5", + "level": "L2", + "status": "Automated", + "description": "Blocks download of detected infected files in SharePoint.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "sharepoint.blockInfectedFileDownload", + "remediation": "Configure malware detection and blocking in SharePoint admin settings.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Malware", + "Download" + ] +} diff --git a/engine/rules/7.3.2.json b/engine/rules/7.3.2.json new file mode 100644 index 00000000..954005de --- /dev/null +++ b/engine/rules/7.3.2.json 
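Review bot: `sharepoint.guestAccessExpiryConfigured` as a boolean means any expiration value, including one long enough to be meaningless, passes this rule, while the control is about the maximum number of days guest access survives. If the collector can read the day count, record it and bound it, e.g. `"evaluation_path": "sharepoint.guestAccessExpirationDays"`, `"comparison": "lte"`, with the benchmark's limit as `expected_value`. The description and the remediation (`Configure expiration policy for guest access...`) should then state that limit, since neither currently says what value is acceptable.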
@@ -0,0 +1,22 @@ +{ + "product": "SharePoint admin center", + "id_level_1": 7.3, + "id_level_2": "7.3.2", + "title": "Ensure OneDrive sync is restricted for unmanaged devices", + "profile": "E3 E5", + "level": "L2", + "status": "Automated", + "description": "Prevents syncing files to unmanaged/unknown devices.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "onedrive.restrictSyncUnmanagedDevices", + "remediation": "Configure OneDrive admin center to block sync on unmanaged devices.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Sync", + "Devices" + ] +} diff --git a/engine/rules/7.3.3.json b/engine/rules/7.3.3.json new file mode 100644 index 00000000..bbaff429 --- /dev/null +++ b/engine/rules/7.3.3.json @@ -0,0 +1,22 @@ +{ + "product": "SharePoint admin center", + "id_level_1": 7.3, + "id_level_2": "7.3.3", + "title": "Ensure custom script execution is restricted on personal sites", + "profile": "E3 E5", + "level": "L1", + "status": "Manual", + "description": "Prevents running custom scripts on personal OneDrive/SharePoint sites.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "sharepoint.restrictCustomScriptsPersonalSites", + "remediation": "Configure custom script setting in SharePoint admin center.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Scripts", + "Governance" + ] +} diff --git a/engine/rules/7.3.4.json b/engine/rules/7.3.4.json new file mode 100644 index 00000000..25b606e5 --- /dev/null +++ b/engine/rules/7.3.4.json 
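Review bot: 7.3.3 and 7.3.4 share the remediation text `Configure custom script setting in SharePoint admin center.` and both carry evaluation paths (`sharepoint.restrictCustomScriptsPersonalSites` / `...SiteCollections`), yet 7.3.3 is `Manual` and 7.3.4 `Automated`; if the personal-site value is readable from the same tenant settings, 7.3.3 should be Automated too, and if it is not, it should not carry a path an engine could score. Custom script is the setting that lets user-supplied script run on pages other users open, so the `"risk": "Medium"` on both deserves a line explaining why it sits below the sharing controls rated High.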
@@ -0,0 +1,22 @@ +{ + "product": "SharePoint admin center", + "id_level_1": 7.3, + "id_level_2": "7.3.4", + "title": "Ensure custom script execution is restricted on site collections", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Prevents running custom scripts on all site collections.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "sharepoint.restrictCustomScriptsSiteCollections", + "remediation": "Configure custom script setting in SharePoint admin center.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Scripts", + "Governance" + ] +} diff --git a/engine/rules/8.1.1.json b/engine/rules/8.1.1.json new file mode 100644 index 00000000..25b3b564 --- /dev/null +++ b/engine/rules/8.1.1.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft Teams admin center", + "id_level_1": 8.1, + "id_level_2": "8.1.1", + "title": "Ensure external file sharing in Teams is enabled for only approved cloud storage services", + "profile": "E3 E5", + "level": "L2", + "status": "Automated", + "description": "Restricts external file sharing to approved cloud storage providers.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "teams.externalFileSharingApprovedProviders", + "remediation": "Configure Teams external file sharing settings to limit to approved providers.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Sharing", + "External" + ] +} diff --git a/engine/rules/8.1.2.json b/engine/rules/8.1.2.json new file mode 100644 index 00000000..39d44fbb --- /dev/null +++ b/engine/rules/8.1.2.json 
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft Teams admin center", + "id_level_1": 8.1, + "id_level_2": "8.1.2", + "title": "Ensure users can't send emails to a channel email address", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Prevents sending email to Teams channels to reduce spam/phishing risk.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "teams.blockChannelEmail", + "remediation": "Disable channel email addresses in Teams settings.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Email", + "Teams" + ] +} diff --git a/engine/rules/8.2.1.json b/engine/rules/8.2.1.json new file mode 100644 index 00000000..894e8d37 --- /dev/null +++ b/engine/rules/8.2.1.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft Teams admin center", + "id_level_1": 8.2, + "id_level_2": "8.2.1", + "title": "Ensure external domains are restricted in the Teams admin center", + "profile": "E3 E5", + "level": "L2", + "status": "Automated", + "description": "Limits Teams communication to approved external domains.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "teams.externalDomainsRestricted", + "remediation": "Configure allowed/blocked domain list for external access.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "External", + "Teams" + ] +} diff --git a/engine/rules/8.2.2.json b/engine/rules/8.2.2.json new file mode 100644 index 00000000..a11fdbf2 --- /dev/null +++ b/engine/rules/8.2.2.json 
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft Teams admin center", + "id_level_1": 8.2, + "id_level_2": "8.2.2", + "title": "Ensure communication with unmanaged Teams users is disabled", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Blocks Teams chats/meetings with unmanaged users.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "teams.blockUnmanagedUsers", + "remediation": "Disable communication with unmanaged users in Teams external access settings.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "External", + "Teams" + ] +} diff --git a/engine/rules/8.2.3.json b/engine/rules/8.2.3.json new file mode 100644 index 00000000..4ddd3620 --- /dev/null +++ b/engine/rules/8.2.3.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft Teams admin center", + "id_level_1": 8.2, + "id_level_2": "8.2.3", + "title": "Ensure external Teams users cannot initiate conversations", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Prevents external users from initiating new chats.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "teams.blockExternalUsersInitiateChats", + "remediation": "Configure Teams external access to block chat initiation from external users.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "External", + "Chat" + ] +} diff --git a/engine/rules/8.2.4.json b/engine/rules/8.2.4.json new file mode 100644 index 00000000..3c896150 --- /dev/null +++ b/engine/rules/8.2.4.json 
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft Teams admin center", + "id_level_1": 8.2, + "id_level_2": "8.2.4", + "title": "Ensure communication with Skype users is disabled", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Blocks Teams communication with Skype consumer accounts.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "teams.blockSkypeUsers", + "remediation": "Disable Skype federation in Teams settings.", + "risk": "Low", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "External", + "Skype" + ] +} diff --git a/engine/rules/8.4.1.json b/engine/rules/8.4.1.json new file mode 100644 index 00000000..e8efa025 --- /dev/null +++ b/engine/rules/8.4.1.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft Teams admin center", + "id_level_1": 8.4, + "id_level_2": "8.4.1", + "title": "Ensure app permission policies are configured", + "profile": "E3 E5", + "level": "L1", + "status": "Manual", + "description": "Defines which apps are allowed/blocked for Teams users.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "teams.appPermissionPoliciesConfigured", + "remediation": "Configure Teams app permission policies in Teams admin center.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Apps", + "Governance" + ] +} diff --git a/engine/rules/8.5.1.json b/engine/rules/8.5.1.json new file mode 100644 index 00000000..24b96f73 --- /dev/null +++ b/engine/rules/8.5.1.json 
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft Teams admin center", + "id_level_1": 8.5, + "id_level_2": "8.5.1", + "title": "Ensure anonymous users can't join a meeting", + "profile": "E3 E5", + "level": "L2", + "status": "Automated", + "description": "Blocks anonymous users from joining meetings.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "teams.meetings.blockAnonymousJoin", + "remediation": "Set meeting policy to block anonymous users.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Meetings", + "External" + ] +} diff --git a/engine/rules/8.5.2.json b/engine/rules/8.5.2.json new file mode 100644 index 00000000..205d9673 --- /dev/null +++ b/engine/rules/8.5.2.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft Teams admin center", + "id_level_1": 8.5, + "id_level_2": "8.5.2", + "title": "Ensure anonymous users and dial-in callers can't start a meeting", + "profile": "E3 E5", + "level": "L2", + "status": "Automated", + "description": "Prevents unauthenticated users from starting meetings.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "teams.meetings.blockAnonymousStart", + "remediation": "Disable anonymous and PSTN callers from starting meetings.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Meetings", + "External" + ] +} diff --git a/engine/rules/8.5.3.json b/engine/rules/8.5.3.json new file mode 100644 index 00000000..7f879fd8 --- /dev/null +++ b/engine/rules/8.5.3.json 
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft Teams admin center", + "id_level_1": 8.5, + "id_level_2": "8.5.3", + "title": "Ensure only people in my org can bypass the lobby", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Restricts lobby bypass to internal users only.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "teams.meetings.lobbyBypassInternalOnly", + "remediation": "Configure lobby bypass to internal users in meeting policies.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Meetings", + "Lobby" + ] +} diff --git a/engine/rules/8.5.4.json b/engine/rules/8.5.4.json new file mode 100644 index 00000000..8a81380a --- /dev/null +++ b/engine/rules/8.5.4.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft Teams admin center", + "id_level_1": 8.5, + "id_level_2": "8.5.4", + "title": "Ensure users dialing in can't bypass the lobby", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "PSTN dial-in participants must wait in lobby until admitted.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "teams.meetings.pstnBypassLobbyDisabled", + "remediation": "Disable PSTN lobby bypass in meeting settings.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Meetings", + "PSTN" + ] +} diff --git a/engine/rules/8.5.5.json b/engine/rules/8.5.5.json new file mode 100644 index 00000000..5d626838 --- /dev/null +++ b/engine/rules/8.5.5.json 
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft Teams admin center", + "id_level_1": 8.5, + "id_level_2": "8.5.5", + "title": "Ensure meeting that does not allow anonymous users", + "profile": "E3 E5", + "level": "L2", + "status": "Automated", + "description": "Blocks meeting creation that allows anonymous join.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "teams.meetings.noAnonymousAllowed", + "remediation": "Restrict meeting creation to authenticated participants only.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Meetings", + "Policy" + ] +} diff --git a/engine/rules/8.5.6.json b/engine/rules/8.5.6.json new file mode 100644 index 00000000..5103a86a --- /dev/null +++ b/engine/rules/8.5.6.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft Teams admin center", + "id_level_1": 8.5, + "id_level_2": "8.5.6", + "title": "Ensure only organizers and co-organizers can present", + "profile": "E3 E5", + "level": "L2", + "status": "Automated", + "description": "Restricts presenter role to meeting organizers/co-organizers.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "teams.meetings.onlyOrganizersCanPresent", + "remediation": "Set meeting policy to restrict presenters to organizers.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Meetings", + "Roles" + ] +} diff --git a/engine/rules/8.5.7.json b/engine/rules/8.5.7.json new file mode 100644 index 00000000..0074090f --- /dev/null +++ b/engine/rules/8.5.7.json 
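Review bot: The title `Ensure meeting that does not allow anonymous users` is ungrammatical and, with `teams.meetings.noAnonymousAllowed`, reads as a duplicate of 8.5.1's `blockAnonymousJoin` earlier in this commit; the description `Blocks meeting creation that allows anonymous join.` does not name a different setting. If this ID is the benchmark control about meeting chat for anonymous users (8.5.8 on the same line covers external meeting chat), the title should read `Ensure meeting chat does not allow anonymous users` and the path something like `teams.meetings.anonymousChatBlocked`. Otherwise state which distinct policy setting separates it from 8.5.1 so the two rules do not score the same value twice.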
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft Teams admin center", + "id_level_1": 8.5, + "id_level_2": "8.5.7", + "title": "Ensure external participants can't give or request control", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Prevents external meeting participants from taking/requesting screen control.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "teams.meetings.blockExternalControl", + "remediation": "Disable “Allow external control” in Teams meeting policy.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Meetings", + "Sharing" + ] +} diff --git a/engine/rules/8.5.8.json b/engine/rules/8.5.8.json new file mode 100644 index 00000000..2e082922 --- /dev/null +++ b/engine/rules/8.5.8.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft Teams admin center", + "id_level_1": 8.5, + "id_level_2": "8.5.8", + "title": "Ensure external meeting chat is off", + "profile": "E3 E5", + "level": "L2", + "status": "Automated", + "description": "Disables chat for meetings with external participants.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "teams.meetings.externalChatOff", + "remediation": "Turn off chat in meeting policy for external participants.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Meetings", + "Chat" + ] +} diff --git a/engine/rules/8.5.9.json b/engine/rules/8.5.9.json new file mode 100644 index 00000000..2d19a7e2 --- /dev/null +++ b/engine/rules/8.5.9.json 
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft Teams admin center", + "id_level_1": 8.5, + "id_level_2": "8.5.9", + "title": "Ensure meeting recording is off by default", + "profile": "E3 E5", + "level": "L2", + "status": "Automated", + "description": "Disables automatic meeting recording.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "teams.meetings.recordingOffByDefault", + "remediation": "Set meeting policy default recording option to Off.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Meetings", + "Recording" + ] +} diff --git a/engine/rules/8.6.1.json b/engine/rules/8.6.1.json new file mode 100644 index 00000000..8e1b027e --- /dev/null +++ b/engine/rules/8.6.1.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft Teams admin center", + "id_level_1": 8.6, + "id_level_2": "8.6.1", + "title": "Ensure users can report security concerns in Teams", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Allows reporting of suspicious messages within Teams.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "teams.messaging.securityReportEnabled", + "remediation": "Enable “Report a security concern” in Teams messaging policy.", + "risk": "Low", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Security", + "Awareness" + ] +} diff --git a/engine/rules/9.1.1.json b/engine/rules/9.1.1.json new file mode 100644 index 00000000..5a223776 --- /dev/null +++ b/engine/rules/9.1.1.json 
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft Fabric", + "id_level_1": 9.1, + "id_level_2": "9.1.1", + "title": "Ensure guest user access is restricted", + "profile": "E3 E5", + "level": "L1", + "status": "Manual", + "description": "Restricts Fabric guest user access permissions.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "fabric.restrictGuestAccess", + "remediation": "Configure guest access restrictions in Fabric admin center.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Guests", + "Governance" + ] +} diff --git a/engine/rules/9.1.10.json b/engine/rules/9.1.10.json new file mode 100644 index 00000000..0e7e29e9 --- /dev/null +++ b/engine/rules/9.1.10.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft Fabric", + "id_level_1": 9.1, + "id_level_2": "9.1.10", + "title": "Ensure only approved APIs by Service Principals are permitted", + "profile": "E3 E5", + "level": "L1", + "status": "Manual", + "description": "Restricts API access to approved Service Principals.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "fabric.approvedServicePrincipalsOnly", + "remediation": "Limit API permissions to approved Service Principals in Fabric admin center.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "API", + "Governance" + ] +} diff --git a/engine/rules/9.1.11.json b/engine/rules/9.1.11.json new file mode 100644 index 00000000..f4137447 --- /dev/null +++ b/engine/rules/9.1.11.json 
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft Fabric", + "id_level_1": 9.1, + "id_level_2": "9.1.11", + "title": "Ensure app permission grants are reviewed", + "profile": "E3 E5", + "level": "L1", + "status": "Manual", + "description": "Periodically reviews and revokes unnecessary app permissions.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "fabric.reviewAppPermissionGrants", + "remediation": "Schedule periodic review of app permissions in Fabric admin center.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Apps", + "Governance" + ] +} diff --git a/engine/rules/9.1.2.json b/engine/rules/9.1.2.json new file mode 100644 index 00000000..b5120ff1 --- /dev/null +++ b/engine/rules/9.1.2.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft Fabric", + "id_level_1": 9.1, + "id_level_2": "9.1.2", + "title": "Ensure external user invitations are restricted", + "profile": "E3 E5", + "level": "L1", + "status": "Manual", + "description": "Limits which users can send Fabric invitations to external accounts.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "fabric.restrictExternalInvitations", + "remediation": "Restrict external invitation privileges to specific users/groups.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Guests", + "Governance" + ] +} diff --git a/engine/rules/9.1.3.json b/engine/rules/9.1.3.json new file mode 100644 index 00000000..2078a7a4 --- /dev/null +++ b/engine/rules/9.1.3.json 
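Review bot: `Ensure app permission grants are reviewed` is a recurring process, not a tenant setting, yet the rule carries `"evaluation_path": "fabric.reviewAppPermissionGrants"` with `"expected_value": "TRUE"`; no collector can read a boolean that proves a periodic review happens, so the only way this path resolves is someone hand-writing `true` into a fixture. Drop the evaluation fields for this Manual rule (`"evaluation_path": null`), or redefine it around evidence that can be collected — for example the timestamp of the last admin-consent review with a `comparison` that bounds its age — and say so in the description.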
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft Fabric", + "id_level_1": 9.1, + "id_level_2": "9.1.3", + "title": "Ensure guest access to content is restricted", + "profile": "E3 E5", + "level": "L1", + "status": "Manual", + "description": "Controls guest access level to Fabric content.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "fabric.restrictGuestContentAccess", + "remediation": "Configure Fabric guest access level settings to least privilege.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Guests", + "Governance" + ] +} diff --git a/engine/rules/9.1.4.json b/engine/rules/9.1.4.json new file mode 100644 index 00000000..994fe05d --- /dev/null +++ b/engine/rules/9.1.4.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft Fabric", + "id_level_1": 9.1, + "id_level_2": "9.1.4", + "title": "Ensure 'Publish to web' is restricted", + "profile": "E3 E5", + "level": "L1", + "status": "Automated", + "description": "Prevents unrestricted public sharing of Fabric content.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "fabric.publishToWebRestricted", + "remediation": "Disable “Publish to web” or restrict to approved users.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Sharing", + "External" + ] +} diff --git a/engine/rules/9.1.5.json b/engine/rules/9.1.5.json new file mode 100644 index 00000000..2b1e9010 --- /dev/null +++ b/engine/rules/9.1.5.json 
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft Fabric", + "id_level_1": 9.1, + "id_level_2": "9.1.5", + "title": "Ensure 'Interact with and share R and Python' visuals is disabled", + "profile": "E3 E5", + "level": "L1", + "status": "Manual", + "description": "Prevents execution of R/Python scripts embedded in Fabric visuals.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "fabric.disableRpythonVisuals", + "remediation": "Disable R/Python visuals in Fabric admin settings.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Security", + "Scripts" + ] +} diff --git a/engine/rules/9.1.6.json b/engine/rules/9.1.6.json new file mode 100644 index 00000000..3916a5d3 --- /dev/null +++ b/engine/rules/9.1.6.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft Fabric", + "id_level_1": 9.1, + "id_level_2": "9.1.6", + "title": "Ensure 'Allow users to apply sensitivity labels for content' is enabled", + "profile": "E3 E5", + "level": "L1", + "status": "Manual", + "description": "Allows classification and labeling of content in Fabric.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "fabric.enableSensitivityLabels", + "remediation": "Enable Microsoft Purview sensitivity labeling integration in Fabric.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Labels", + "Compliance" + ] +} diff --git a/engine/rules/9.1.7.json b/engine/rules/9.1.7.json new file mode 100644 index 00000000..e0d60a70 --- /dev/null +++ b/engine/rules/9.1.7.json 
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft Fabric", + "id_level_1": 9.1, + "id_level_2": "9.1.7", + "title": "Ensure shareable links are restricted", + "profile": "E3 E5", + "level": "L1", + "status": "Manual", + "description": "Restricts Fabric shareable links to approved scopes.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "fabric.restrictShareableLinks", + "remediation": "Configure shareable link policy to limit scope and duration.", + "risk": "Medium", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Sharing", + "External" + ] +} diff --git a/engine/rules/9.1.8.json b/engine/rules/9.1.8.json new file mode 100644 index 00000000..9ff6d252 --- /dev/null +++ b/engine/rules/9.1.8.json @@ -0,0 +1,22 @@ +{ + "product": "Microsoft Fabric", + "id_level_1": 9.1, + "id_level_2": "9.1.8", + "title": "Ensure enabling of external data sharing is restricted", + "profile": "E3 E5", + "level": "L1", + "status": "Manual", + "description": "Controls whether Fabric content can be shared externally.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "fabric.restrictExternalDataSharing", + "remediation": "Set external data sharing option to disabled or restricted in Fabric admin settings.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Sharing", + "External" + ] +} diff --git a/engine/rules/9.1.9.json b/engine/rules/9.1.9.json new file mode 100644 index 00000000..e4c0cd69 --- /dev/null +++ b/engine/rules/9.1.9.json 
@@ -0,0 +1,22 @@ +{ + "product": "Microsoft Fabric", + "id_level_1": 9.1, + "id_level_2": "9.1.9", + "title": "Ensure 'Block Reshare/Copy Authentication' is enabled", + "profile": "E3 E5", + "level": "L1", + "status": "Manual", + "description": "Prevents recipients from resharing or copying authentication data.", + "expected_value": "TRUE", + "comparison": "equals", + "evaluation_path": "fabric.blockReshareCopyAuth", + "remediation": "Enable “Block Reshare/Copy Authentication” in Fabric settings.", + "risk": "High", + "impact": "", + "likelihood": "", + "risk_level": "", + "tags": [ + "Sharing", + "Governance" + ] +} diff --git a/engine/rules/CIS_GCP_1_5.rego b/engine/rules/CIS_GCP_1_5.rego new file mode 100644 index 00000000..2738921d --- /dev/null +++ b/engine/rules/CIS_GCP_1_5.rego @@ -0,0 +1,6 @@ +package AutoAudit_tester.rules.CIS_GCP_1_5 +import data.AutoAudit_tester.engine.Helpers + +result.no_admin := Helpers.status( + Helpers.not_in_blacklist("bindings.role", {"roles/owner","roles/editor"}) +) diff --git a/engine/test-configs/compliant.json b/engine/test-configs/compliant.json index b4d27026..392070a4 100644 --- a/engine/test-configs/compliant.json +++ b/engine/test-configs/compliant.json @@ -5,5 +5,35 @@ }, "microsoft_forms": { "phishing_protection": "enabled" + }, + "user" : { + "OnPremisesSyncEnabled" : "False", + "conditional_access": { + "policies": { + "block_legacy_auth": "Legacy authentication blocked" + } + } + }, + "purview" : { + + }, + "entra" : { + + }, + "exchange" : { + + }, + "sharepoint" : { + + }, + "teams" : { + + }, + "defender" : { + + }, + "fabric" : { + } + } \ No newline at end of file diff --git a/engine/test-configs/iam_policy.json b/engine/test-configs/iam_policy.json new file mode 100644 index 00000000..f29a225e --- /dev/null +++ b/engine/test-configs/iam_policy.json 
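Review bot: `Helpers.not_in_blacklist("bindings.role", {"roles/owner","roles/editor"})` fails on any binding carrying owner or editor regardless of member type and ignores the `roles/*Admin`-style roles, so a project's human owner binding fails CIS GCP 1.5 while a service account holding `roles/iam.serviceAccountAdmin` passes. The control is about service-account members with admin privileges; if the input is the `iam_policy.json` shape added later in this commit, the check should iterate bindings, keep only `serviceAccount:` members, and flag owner, editor or any role whose name contains `admin` (case-insensitive). The sketch below keeps the `Helpers.status` result shape; it assumes the policy is the rule's `input` and that `Helpers.status` takes a boolean, which only the helper module can confirm, and whether Google-managed service agents should be exempted is a benchmark-text question I have not settled here.
```rego
package AutoAudit_tester.rules.CIS_GCP_1_5
import data.AutoAudit_tester.engine.Helpers

# Roles that grant administrative control: the primitive owner/editor roles
# plus any predefined role whose name contains "admin".
is_admin_role(role) { role == "roles/owner" }
is_admin_role(role) { role == "roles/editor" }
is_admin_role(role) { regex.match(`(?i)admin`, role) }

# Admin roles held by a service-account member (the CIS 1.5 finding).
sa_admin_roles[role] {
    binding := input.bindings[_]
    member := binding.members[_]
    startswith(member, "serviceAccount:")
    is_admin_role(binding.role)
    role := binding.role
}

result.no_admin := Helpers.status(count(sa_admin_roles) == 0)
```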
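Review bot: The `purview`, `entra`, `exchange`, `sharepoint`, `teams`, `defender` and `fabric` objects added here are empty, so not one of the evaluation paths introduced by the rule files in this commit resolves inside the fixture named `compliant.json` — it cannot show those rules passing, and whether it fails or passes them depends on how the engine treats an unresolved path. Populate at least the keys the rules read, e.g. `"sharepoint": { "modernAuthRequired": true, "externalSharingRestricted": true }`, and settle on one value convention: this hunk writes `"OnPremisesSyncEnabled" : "False"` (a string) while the rule files expect `"TRUE"` and the existing `phishing_protection` uses `"enabled"`. The hunk's trailing context lines are not cleanly recoverable from the collapsed diff, so I have not confirmed the closing braces still form valid JSON.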
@@ -0,0 +1,26 @@
+{
+ "version": 1,
+ "etag": "BwY9aQGbYhE=",
+ "bindings": [
+ {
+ "role": "roles/compute.serviceAgent",
+ "members": [
+ "serviceAccount:service-162922847862@compute-system.iam.gserviceaccount.com"
+ ]
+ },
+ {
+ "role": "roles/editor",
+ "members": [
+ "serviceAccount:162922847862@cloudservices.gserviceaccount.com",
+ "serviceAccount:sa-noperms@coastal-stone-470308-a0.iam.gserviceaccount.com",
+ "serviceAccount:162922847862-compute@developer.gserviceaccount.com"
+ ]
+ },
+ {
+ "role": "roles/owner",
+ "members": [
+ "user:AdityaHindocha3@gmail.com"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/engine/test-configs/networks.json b/engine/test-configs/networks.json
new file mode 100644
index 00000000..5f430dcf
--- /dev/null
+++ b/engine/test-configs/networks.json
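Review bot: This fixture is a live IAM policy export, not synthetic test data: it carries a real project ID (`coastal-stone-470308-a0`), the project number, a personal `user:...@gmail.com` account holding `roles/owner`, and the default compute and cloudservices service accounts holding `roles/editor` — the exact configuration CIS GCP 1.5 flags, and an account inventory anyone reading the repository can now target. Replace it with fabricated identities (e.g. `user:owner@example.com`, project `example-project-123456`) and, if it is produced by a collector, keep the real output out of version control via `.gitignore` or a build artifact. If it is meant to stay as a failing example, label it as such (a `noncompliant` prefix or a sibling README line) so it is not mistaken for an expected-good fixture like `compliant.json`.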
@@ -0,0 +1,60 @@
+[
+ {
+ "kind": "compute#network",
+ "id": "5399391690813187728",
+ "creationTimestamp": "2025-08-28T01:51:11.237-07:00",
+ "name": "default",
+ "description": "Default network for the project",
+ "selfLink": "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/global/networks/default",
+ "selfLinkWithId": "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/global/networks/5399391690813187728",
+ "autoCreateSubnetworks": true,
+ "subnetworks": [
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/europe-north2/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/asia-southeast1/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/europe-central2/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/me-west1/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/europe-west12/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/europe-west10/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/asia-northeast3/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/europe-west1/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/us-east4/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/us-east1/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/us-west4/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/africa-south1/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/southamerica-east1/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/us-west3/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/europe-southwest1/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/us-west2/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/asia-southeast2/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/asia-northeast1/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/australia-southeast1/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/asia-northeast2/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/northamerica-northeast1/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/europe-north1/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/asia-south2/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/us-south1/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/europe-west4/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/australia-southeast2/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/asia-east2/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/asia-east1/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/asia-south1/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/me-central1/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/us-west1/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/europe-west9/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/europe-west8/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/us-central1/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/europe-west6/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/us-east5/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/northamerica-south1/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/europe-west3/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/northamerica-northeast2/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/southamerica-west1/subnetworks/default",
+ "https://www.googleapis.com/compute/v1/projects/coastal-stone-470308-a0/regions/europe-west2/subnetworks/default"
+ ],
+ "routingConfig": {
+ "routingMode": "REGIONAL",
+ "bgpBestPathSelectionMode": "LEGACY"
+ },
+ "networkFirewallPolicyEnforcementOrder": "AFTER_CLASSIC_FIREWALL"
+ }
+]
\ No newline at end of file
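Review bot: The fixture records the project's `default` auto-mode network (`"autoCreateSubnetworks": true` with a `default` subnetwork in every region), which is the configuration CIS GCP 3.1 ("default network does not exist") flags, yet nothing here says whether a rule reading it is expected to pass or fail; name the expected outcome in the corresponding rule test or a sibling note. The `selfLink`, `selfLinkWithId` and every subnetwork URL embed the real project id and network id, so a constructed id (e.g. `example-project`) would serve the test equally well without tying it to a live environment. Only `name`, `autoCreateSubnetworks` and `subnetworks` look decision-relevant for such a rule; the 41 subnetwork URLs could be trimmed to two or three without losing coverage and would keep the fixture readable.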