Skip to content

Commit

Permalink
Update Front Matter across SCBs and specific language in the Defender…
Browse files Browse the repository at this point in the history 
… SCB to match OCC approved language (#1398)

* Update defender.md

* Update aad.md

* Update exo.md

* Update aad.md

* Update defender.md

* Update powerbi.md

* Update powerplatform.md

* Update sharepoint.md

* Update teams.md

* Update removedpolicies.md

* added note to 6.3v1 on how to view and export logs that do not require G5 or E5

* added resources and note for audit retention.

* added note into the license requirement section

* formatting

* formatting

* Update PowerShell/ScubaGear/baselines/defender.md

Co-authored-by: Addam Schroll <[email protected]>

* Update section 7 license requirements

* Update group 6 license requirement section

* Update defender section 4 license requirements section.

---------

Co-authored-by: Addam Schroll <[email protected]>
  • Loading branch information
@ahuynhMITRE @schrolla
ahuynhMITRE and schrolla authored Nov 13, 2024
1 parent 4f4233c commit 63b0dec
Show file tree
Hide file tree
Showing 8 changed files with 58 additions and 73 deletions.
9 changes: 4 additions & 5 deletions PowerShell/ScubaGear/baselines/aad.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,11 +4,11 @@

Microsoft Entra ID is a cloud-based identity and access control service that provides security and functional capabilities. This Secure Configuration Baseline (SCB) provides specific policies to help secure Microsoft Entra ID.

The Secure Cloud Business Applications (SCuBA) project run by the Cybersecurity and Infrastructure Security Agency (CISA) provides guidance and capabilities to secure federal civilian executive branch (FCEB) agencies’ cloud business application environments and protect federal information that is created, accessed, shared, and stored in those environments.
The Secure Cloud Business Applications (SCuBA) project, run by the Cybersecurity and Infrastructure Security Agency (CISA), provides guidance and capabilities to secure federal civilian executive branch (FCEB) agencies’ cloud business application environments and protect federal information that is created, accessed, shared, and stored in those environments.

The CISA SCuBA SCBs for M365 help secure federal information assets stored within M365 cloud business application environments through consistent, effective, and manageable security configurations. CISA created baselines tailored to the federal government’s threats and risk tolerance with the knowledge that every organization has different threat models and risk tolerance. Non-governmental organizations may also find value in applying these baselines to reduce risks.
The CISA SCuBA SCBs for M365 help secure federal information assets stored within M365 cloud business application environments through consistent, effective, and manageable security configurations. CISA created baselines tailored to the federal government’s threats and risk tolerance with the knowledge that every organization has different threat models and risk tolerance. While use of these baselines will be mandatory for civilian Federal Government agencies, organizations outside of the Federal Government may also find these baselines to be useful references to help reduce risks.

The information in this document is being provided “as is” for INFORMATIONAL PURPOSES ONLY. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial entities or commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoritism by CISA. This document does not address, ensure compliance with, or supersede any law, regulation, or other authority. Entities are responsible for complying with any recordkeeping, privacy, and other laws that may apply to the use of technology. This document is not intended to, and does not, create any right or benefit for anyone against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.
For non-Federal users, the information in this document is being provided “as is” for INFORMATIONAL PURPOSES ONLY. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial entities or commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoritism by CISA. Without limiting the generality of the foregoing, some controls and settings are not available in all products; CISA has no control over vendor changes to products offerings or features. Accordingly, these SCuBA SCBs for M365 may not be applicable to the products available to you. This document does not address, ensure compliance with, or supersede any law, regulation, or other authority. Entities are responsible for complying with any recordkeeping, privacy, and other laws that may apply to the use of technology. This document is not intended to, and does not, create any right or benefit for anyone against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

> This document is marked TLP:CLEAR. Recipients may share this information without restriction. Information is subject to standard copyright rules. For more information on the Traffic Light Protocol, see https://www.cisa.gov/tlp.
Expand Down Expand Up @@ -693,8 +693,7 @@ User activation of other highly privileged roles SHOULD trigger an alert.

### License Requirements

- Microsoft Entra ID PIM requires a Microsoft Entra ID P2 license.

- Policies [MS.AAD.7.4v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad74v1), [MS.AAD.7.5v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad75v1), [MS.AAD.7.6v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad76v1), [MS.AAD.7.7v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad77v1), [MS.AAD.7.8v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad78v1), and [MS.AAD.7.9v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad79v1) require a Microsoft Entra ID P2 license; however, a third-party Privileged Access Management (PAM) solution may also be used to satisfy the requirements. If a third-party solution is used, then a P2 license is not required for the respective policies.
### Implementation

The following implementation instructions that reference the Microsoft Entra ID PIM service will vary if using a third-party PAM system instead.
Expand Down
73 changes: 27 additions & 46 deletions PowerShell/ScubaGear/baselines/defender.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,45 +2,19 @@

# CISA M365 Security Configuration Baseline for Defender

Microsoft 365 (M365) Defender is a cloud-based enterprise defense suite that
coordinates prevention, detection, investigation, and response. This set
of tools and features are used to detect many types of attacks.

This baseline focuses on the features of Defender for Office 365, but
some settings are actually configured in the Microsoft Purview
compliance portal. However, for simplicity, both the
M365 Defender and Microsoft Purview compliance portal
items are contained in this baseline.

Generally, use of Microsoft Defender is not required by the baselines of
the core M365 products (Exchange Online, Teams, etc.). This baseline serves as
a guide should an agency elect to use Defender as their tool of choice. Please
note that some of the controls in the core baselines require the use of a
dedicated security tool, such as Defender.

In addition to these controls, agencies should consider using a cloud
access security broker to secure their environments as they adopt zero
trust principles.

The Secure Cloud Business Applications (SCuBA) project run by the Cybersecurity
and Infrastructure Security Agency (CISA) provides guidance and capabilities to
secure federal civilian executive branch (FCEB) agencies' cloud business
application environments and protect federal information that is created,
accessed, shared, and stored in those environments.

The CISA SCuBA SCBs for M365 help secure federal information assets stored within
M365 cloud business application environments through consistent, effective, and
manageable security configurations. CISA created baselines tailored to the federal
government's threats and risk tolerance with the knowledge that every organization
has different threat models and risk tolerance. Non-governmental organizations may
also find value in applying these baselines to reduce risks.

The information in this document is provided “as is” for INFORMATIONAL PURPOSES
ONLY. CISA does not endorse any commercial product or service, including any
subjects of analysis. Any reference to specific commercial entities or commercial
products, processes, or services by service mark, trademark, manufacturer, or
otherwise does not constitute or imply endorsement, recommendation, or favoritism
by CISA. This document does not address, ensure compliance with, or supersede any law, regulation, or other authority. Entities are responsible for complying with any recordkeeping, privacy, and other laws that may apply to the use of technology. This document is not intended to, and does not, create any right or benefit for anyone against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.
Microsoft 365 (M365) Defender is a cloud-based enterprise defense suite that coordinates prevention, detection, investigation, and response. This set of tools and features are used to detect many types of attacks.

This baseline focuses on the features of Defender for Office 365, but some settings are actually configured in the Microsoft Purview compliance portal. However, for simplicity, both the M365 Defender and Microsoft Purview compliance portal items are contained in this baseline.

Generally, use of Microsoft Defender is not required by the baselines of the core M365 products (Exchange Online, Teams, etc.). Should an agency elect to use Defender as their tool of choice, agencies should apply these baseline settings. Please note that some of the controls in the core baselines require the use of a dedicated security tool that provides comparable protection as Defender. In addition to applying these controls, agencies should consider using a cloud access security broker to secure their environments as they adopt zero trust principles.

The Secure Cloud Business Applications (SCuBA) project, run by the Cybersecurity and Infrastructure Security Agency (CISA), provides guidance and capabilities to secure federal civilian executive branch (FCEB) agencies’ cloud business application environments and protect federal information that is created, accessed, shared, and stored in those environments.

The CISA SCuBA SCBs for M365 help secure federal information assets stored within M365 cloud business application environments through consistent, effective, and manageable security configurations. CISA created baselines tailored to the federal government’s threats and risk tolerance with the knowledge that every organization has different threat models and risk tolerance. While use of these baselines will be mandatory for civilian Federal Government agencies, organizations outside of the Federal Government may also find these baselines to be useful references to help reduce risks.

For non-Federal users, the information in this document is being provided “as is” for INFORMATIONAL PURPOSES ONLY. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial entities or commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoritism by CISA. Without limiting the generality of the foregoing, some controls and settings are not available in all products; CISA has no control over vendor changes to products offerings or features. Accordingly, these SCuBA SCBs for M365 may not be applicable to the products available to you. This document does not address, ensure compliance with, or supersede any law, regulation, or other authority. Entities are responsible for complying with any recordkeeping, privacy, and other laws that may apply to the use of technology. This document is not intended to, and does not, create any right or benefit for anyone against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.



> This document is marked TLP:CLEAR. Recipients may share this information without restriction. Information is subject to standard copyright rules. For more information on the Traffic Light Protocol, see https://www.cisa.gov/tlp.
Expand Down Expand Up @@ -158,7 +132,7 @@ Sensitive accounts SHALL be added to Defender for Office 365 protection in the s

### License Requirements

- Defender for Office 365 capabilities require Defender for Office 365 Plan 1 or 2. These are included with E5 and G5 and are available as add-ons for E3 and G3.
- Defender for Office 365 capabilities require Defender for Office 365 Plan 1 or 2. These are included with E5 and G5 and are available as add-ons for E3 and G3. However, third-party solutions can be used to meet this requirement. If a third-party solution is used, then a Defender for Office 365 Plan 1 or 2, E5, and G5 license is not required for the respective policies.

### Implementation

Expand Down Expand Up @@ -546,13 +520,15 @@ information by restricted apps and unwanted Bluetooth applications.

- DLP for Teams requires an E5 or G5 license. See [Microsoft Purview Data Loss Prevention: Data Loss Prevention for Teams \| Microsoft
Learn](https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-data-loss-prevention-data-loss-prevention-dlp-for-teams)
for more information.
for more information. However, this requirement can also be met through a third-party solution. If a third-party solution is used, then a E5 or G5 license is not required for the respective policies.


- DLP for Endpoint requires an E5 or G5 license. See [Get started with
Endpoint data loss prevention - Microsoft Purview (compliance) \|
Microsoft
Learn](https://learn.microsoft.com/en-us/purview/endpoint-dlp-getting-started?view=o365-worldwide)
for more information.
for more information. However, this requirement can also be met through a third-party solution. If a third-party solution is used, then a E5 or G5 license is not required for the respective policies.


### Implementation

Expand Down Expand Up @@ -877,6 +853,11 @@ Related to Cybersecurity Incidents \| Office of Management and
- [Expanding cloud logging to give customers deeper security visibility \|
Microsoft Security Blog](https://www.microsoft.com/en-us/security/blog/2023/07/19/expanding-cloud-logging-to-give-customers-deeper-security-visibility/)

- [Export, configure, and view audit log records | Microsoft Learn](https://learn.microsoft.com/en-us/purview/audit-log-export-records)

- [Untitled Goose Tool Fact Sheet | CISA.](https://www.cisa.gov/resources-tools/resources/untitled-goose-tool-fact-sheet)

- [Manage audit log retention policies | Microsoft Learn](https://learn.microsoft.com/en-us/purview/audit-log-retention-policies?tabs=microsoft-purview-portal#before-you-create-an-audit-log-retention-policy)

### License Requirements

Expand All @@ -886,8 +867,7 @@ Related to Cybersecurity Incidents \| Office of Management and

- Additionally, maintaining logs in the M365 environment for longer than
one year requires an add-on license. For more information, see
[Licensing requirements \| Microsoft
Learn](https://learn.microsoft.com/en-us/purview/audit-solutions-overview?view=o365-worldwide#licensing-requirements).
[Manage audit log retention policies | Microsoft Learn](https://learn.microsoft.com/en-us/purview/audit-log-retention-policies?tabs=microsoft-purview-portal#before-you-create-an-audit-log-retention-policy). However, this requirement can also be met by exporting the logs from M365 and storing them with your solution of choice, in which case audit log retention policies are not necessary.

### Implementation

Expand All @@ -911,7 +891,8 @@ Learn.](https://learn.microsoft.com/en-us/purview/audit-premium-setup?view=o365-

#### MS.DEFENDER.6.3v1 Instructions
To create one or more custom audit retention policies, if the default retention policy is not sufficient for agency needs, follow [Create an audit log retention policy](https://learn.microsoft.com/en-us/purview/audit-log-retention-policies?view=o365-worldwide#create-an-audit-log-retention-policy) instructions.
Ensure the duration selected in the retention policies is at least one year,
in accordance with OMB M-21-31.
Ensure the duration selected in the retention policies is at least one year, in accordance with OMB M-21-31.

As noted in the [License Requirements](https://github.com/cisagov/ScubaGear/baselines/defender.md#license-requirements-1) section above, the creation of a custom audit log retention policy and its retention in the M365 environment requires E5/G5 licenses or E3/G3 licenses with add-on compliance licenses. No additional license is required to view and export logs. To view and export audit logs follow [Export, configure, and view audit log records | Microsoft Learn](https://learn.microsoft.com/en-us/purview/audit-log-export-records) and/or [Untitled Goose Tool Fact Sheet | CISA.](https://www.cisa.gov/resources-tools/resources/untitled-goose-tool-fact-sheet)

**`TLP:CLEAR`**
Loading

0 comments on commit 63b0dec

Please sign in to comment.