Merge pull request #496 from NZLostboy/cis

Added CIS Checks 2.1.5, 2.1.6

powershell/Maester.psd1

@@ -142,6 +142,8 @@ FunctionsToExport = 'Add-MtTestResultDetail', 'Clear-MtGraphCache', 'Connect-Mae
                'Test-MtCisAttachmentFilter',
                'Test-MtCisInternalMalwareNotification',
                'Test-MtCisSafeAttachment',
+               'Test-MtCisSafeAttachmentsAtpPolicy',
+               "Test-MtCisOutboundSpamFilterPolicy",
                'Test-MtConditionalAccessWhatIf',
                'Test-MtConnection',
                'Test-MtEidscaControl',

powershell/public/cis/Test-MtCisOutboundSpamFilterPolicy.md

@@ -0,0 +1,24 @@
+2.1.6 (L1) Ensure Exchange Online Spam Policies are set to notify administrators
+
+Description: Configure Exchange Online Spam Policies to copy emails and notify someone when a sender in the organization has been blocked for sending spam emails.
+
+#### Remediation action:
+
+To set the Exchange Online Spam Policies:
+
+1. Navigate to Microsoft 365 Defender [https://security.microsoft.com](https://security.microsoft.com)
+2. Under **Email & collaboration** select **Policies & rules**
+3. Select **Threat policies** then **Anti-spam**
+4. Click on the **Anti-spam outbound policy (default)**
+5. Select **Edit protection settings** then under **Notifications**
+6. Check **Send a copy of outbound messages that exceed these limits to these users and groups** then enter the desired email addresses
+7. Check **Notify these users and groups if a sender is blocked due to sending outbound spam** then enter the desired email addresses.
+8. Click **Save**.
+
+#### Related links
+
+* [Microsoft 365 Defender](https://security.microsoft.com)
+* [CIS Microsoft 365 Foundations Benchmark v3.1.0 - Page 76](https://www.cisecurity.org/benchmark/microsoft_365)
+
+<!--- Results --->
+%TestResult%

powershell/public/cis/Test-MtCisOutboundSpamFilterPolicy.ps1

@@ -0,0 +1,92 @@
+<#
+.SYNOPSIS
+Checks if Exchange Online Spam Policies are set to notify administrators
+
+.DESCRIPTION
+Ensure Exchange Online Spam Policies are set to notify administrators
+
+.EXAMPLE
+Test-MtCisOutboundSpamFilterPolicy
+
+Returns true if Exchange Online Spam Policies are set to notify administrators
+
+.LINK
+https://maester.dev/docs/commands/Test-MtCisOutboundSpamFilterPolicy
+#>
+function Test-MtCisOutboundSpamFilterPolicy {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if (!(Test-MtConnection ExchangeOnline)) {
+        Add-MtTestResultDetail -SkippedBecause NotConnectedExchange
+        return $null
+    }
+    elseif (!(Test-MtConnection SecurityCompliance)) {
+        Add-MtTestResultDetail -SkippedBecause NotConnectedSecurityCompliance
+        return $null
+    }
+    elseif ($null -eq (Get-MtLicenseInformation -Product Mdo)) {
+        Add-MtTestResultDetail -SkippedBecause NotLicensedMdo
+        return $null
+    }
+
+    Write-Verbose "Getting Outbound Spam Filter Policy..."
+    $policy = Get-MtExo -Request HostedOutboundSpamFilterPolicy
+
+    $OutboundSpamFilterPolicyCheckList = @()
+
+    #BccSuspiciousOutboundMail should be True
+    $OutboundSpamFilterPolicyCheckList += [pscustomobject] @{
+        "CheckName" = "BccSuspiciousOutboundMail"
+        "Value"     = "True"
+    }
+
+    #NotifyOutboundSpam should be True
+    $OutboundSpamFilterPolicyCheckList += [pscustomobject] @{
+        "CheckName" = "NotifyOutboundSpam"
+        "Value"     = "True"
+    }
+
+
+    Write-Verbose "Executing checks"
+    $failedCheckList = @()
+    foreach ($check in $OutboundSpamFilterPolicyCheckList) {
+
+        $checkResult = $policy | Where-Object { $_.($check.CheckName) -notmatch $check.Value }
+
+        if ($checkResult) {
+            #If the check fails, add it to the list so we can report on it later
+            $failedCheckList += $check.CheckName
+        }
+
+    }
+
+    $testResult = ($failedCheckList | Measure-Object).Count -eq 0
+
+    $portalLink = "https://security.microsoft.com/antispam"
+
+    if ($testResult) {
+        $testResultMarkdown = "Well done. Your tenant has Exchange Online Spam Policies set to notify administrators ($portalLink).`n`n%TestResult%"
+    }
+    else {
+        $testResultMarkdown = "Your tenant does not have Exchange Online Spam Policies set to notify administrators ($portalLink).`n`n%TestResult%"
+    }
+
+
+    $resultMd = "| Check Name | Result |`n"
+    $resultMd += "| --- | --- |`n"
+    foreach ($item in $OutboundSpamFilterPolicyCheckList) {
+        $itemResult = "❌ Fail"
+        if ($item.CheckName -notin $failedCheckList) {
+            $itemResult = "✅ Pass"
+        }
+        $resultMd += "| $($item.CheckName) | $($itemResult) |`n"
+    }
+
+    $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $resultMd
+
+    Add-MtTestResultDetail -Result $testResultMarkdown
+
+    return $testResult
+}

powershell/public/cis/Test-MtCisSafeAttachment.md

@@ -1,6 +1,6 @@
 2.1.4 (L2) Ensure Safe Attachments policy is enabled
 
-R**ationale:**
+**Rationale:**
 Enabling Safe Attachments policy helps protect against malware threats in email attachments by analyzing suspicious attachments in a secure, cloud-based environment before they are delivered to the user's inbox. This provides an additional layer of security and can prevent new or unseen types of malware from infiltrating the organization's network.
 
 #### Remediation action:

powershell/public/cis/Test-MtCisSafeAttachment.ps1

@@ -75,7 +75,7 @@ function Test-MtCisSafeAttachment {
         $testResultMarkdown = "Well done. Your tenant has the safe attachment policy enabled ($portalLink).`n`n%TestResult%"
     }
     else {
-        $testResultMarkdown = "Your tenant does not have the the safe attachment policy enabled ($portalLink).`n`n%TestResult%"
+        $testResultMarkdown = "Your tenant does not have the safe attachment policy enabled ($portalLink).`n`n%TestResult%"
     }
 
 

powershell/public/cis/Test-MtCisSafeAttachmentsAtpPolicy.md

@@ -0,0 +1,24 @@
+2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
+
+Description: Safe Attachments for SharePoint, OneDrive, and Microsoft Teams scans these services for malicious files.
+
+#### Remediation action:
+
+To enable Safe Attachments for SharePoint, OneDrive, and Microsoft Teams:
+
+1. Navigate to Microsoft 365 Defender [https://security.microsoft.com](https://security.microsoft.com)
+2. Under **Email & collaboration** select **Policies & rules**
+3. Select **Threat policies** then **Safe Attachments**
+4. Click on **Global settings**
+5. Click to **Enable Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams**
+6. Click to **Enable Turn on Safe Documents for Office clients**
+7. Click to **Disable Allow people to click through Protected View even if Safe Documents identified the file as malicious**
+8. Click **Save**.
+
+#### Related links
+
+* [Microsoft 365 Defender](https://security.microsoft.com)
+* [CIS Microsoft 365 Foundations Benchmark v3.1.0 - Page 73](https://www.cisecurity.org/benchmark/microsoft_365)
+
+<!--- Results --->
+%TestResult%

powershell/public/cis/Test-MtCisSafeAttachmentsAtpPolicy.ps1

@@ -0,0 +1,97 @@
+<#
+.SYNOPSIS
+Checks if Safe Attachments for SharePoint, OneDrive, and Microsoft Teams are enabled
+
+.DESCRIPTION
+Safe Attachments for SharePoint, OneDrive, and Microsoft Teams should be enabled
+
+.EXAMPLE
+Test-MtCisSafeAttachmentsAtpPolicy
+
+Returns true if safe attachments are enabled for SharePoint, OneDrive, and Microsoft Teams
+
+.LINK
+https://maester.dev/docs/commands/Test-MtCisSafeAttachmentsAtpPolicy
+#>
+function Test-MtCisSafeAttachmentsAtpPolicy {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if (!(Test-MtConnection ExchangeOnline)) {
+        Add-MtTestResultDetail -SkippedBecause NotConnectedExchange
+        return $null
+    }
+    elseif (!(Test-MtConnection SecurityCompliance)) {
+        Add-MtTestResultDetail -SkippedBecause NotConnectedSecurityCompliance
+        return $null
+    }
+    elseif ($null -eq (Get-MtLicenseInformation -Product Mdo)) {
+        Add-MtTestResultDetail -SkippedBecause NotLicensedMdo
+        return $null
+    }
+
+    Write-Verbose "Getting 365 Atp Policy..."
+    $policy = Get-MtExo -Request AtpPolicyForO365
+
+    $atpPolicyCheckList = @()
+
+    #EnableATPForSPOTeamsODB should be True
+    $atpPolicyCheckList += [pscustomobject] @{
+        "CheckName" = "EnableATPForSPOTeamsODB"
+        "Value"     = "True"
+    }
+
+    #EnableSafeDocs should be True
+    $atpPolicyCheckList += [pscustomobject] @{
+        "CheckName" = "EnableSafeDocs"
+        "Value"     = "True"
+    }
+
+    #AllowSafeDocsOpen should be False
+    $atpPolicyCheckList += [pscustomobject] @{
+        "CheckName" = "AllowSafeDocsOpen"
+        "Value"     = "False"
+    }
+
+    Write-Verbose "Executing checks"
+    $failedCheckList = @()
+    foreach ($check in $atpPolicyCheckList) {
+
+        $checkResult = $policy | Where-Object { $_.($check.CheckName) -notmatch $check.Value }
+
+        if ($checkResult) {
+            #If the check fails, add it to the list so we can report on it later
+            $failedCheckList += $check.CheckName
+        }
+
+    }
+
+    $testResult = ($failedCheckList | Measure-Object).Count -eq 0
+
+    $portalLink = "https://security.microsoft.com/safeattachmentv2"
+
+    if ($testResult) {
+        $testResultMarkdown = "Well done. Your tenant has Safe Attachments for SharePoint, OneDrive, and Microsoft Teams enabled ($portalLink).`n`n%TestResult%"
+    }
+    else {
+        $testResultMarkdown = "Your tenant does not have Safe Attachments for SharePoint, OneDrive, and Microsoft Teams enabled ($portalLink).`n`n%TestResult%"
+    }
+
+
+    $resultMd = "| Check Name | Result |`n"
+    $resultMd += "| --- | --- |`n"
+    foreach ($item in $atpPolicyCheckList) {
+        $itemResult = "❌ Fail"
+        if ($item.CheckName -notin $failedCheckList) {
+            $itemResult = "✅ Pass"
+        }
+        $resultMd += "| $($item.CheckName) | $($itemResult) |`n"
+    }
+
+    $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $resultMd
+
+    Add-MtTestResultDetail -Result $testResultMarkdown
+
+    return $testResult
+}

powershell/public/cisa/exchange/Get-MtExo.ps1

@@ -41,26 +41,28 @@ function Get-MtExo {
     ### - add them to the hashtable below
     ### - confirm the command's return type is in OutputType (e.g. (Get-AcceptedDomain).GetType().Name)
     $commands = @{
-        "AcceptedDomain"               = "Get-AcceptedDomain"
-        "RemoteDomain"                 = "Get-RemoteDomain"
-        "TransportConfig"              = "Get-TransportConfig"
-        "TransportRule"                = "Get-TransportRule"
-        "OrganizationConfig"           = "Get-OrganizationConfig"
-        "DkimSigningConfig"            = "Get-DkimSigningConfig"
-        "SharingPolicy"                = "Get-SharingPolicy"
-        "DlpComplianceRule"            = "Get-DlpComplianceRule"
-        "DlpCompliancePolicy"          = "Get-DlpCompliancePolicy"
-        "MalwareFilterPolicy"          = "Get-MalwareFilterPolicy"
-        "HostedContentFilterPolicy"    = "Get-HostedContentFilterPolicy"
-        "HostedConnectionFilterPolicy" = "Get-HostedConnectionFilterPolicy"
-        "AntiPhishPolicy"              = "Get-AntiPhishPolicy"
-        "SafeAttachmentPolicy"         = "Get-SafeAttachmentPolicy"
-        "SafeLinksPolicy"              = "Get-SafeLinksPolicy"
-        "ATPBuiltInProtectionRule"     = "Get-ATPBuiltInProtectionRule"
-        "EOPProtectionPolicyRule"      = "Get-EOPProtectionPolicyRule"
-        "ATPProtectionPolicyRule"      = "Get-ATPProtectionPolicyRule"
-        "ProtectionAlert"              = "Get-ProtectionAlert"
-        "EXOMailbox"                   = "Get-EXOMailbox"
+        "AcceptedDomain"                 = "Get-AcceptedDomain"
+        "RemoteDomain"                   = "Get-RemoteDomain"
+        "TransportConfig"                = "Get-TransportConfig"
+        "TransportRule"                  = "Get-TransportRule"
+        "OrganizationConfig"             = "Get-OrganizationConfig"
+        "DkimSigningConfig"              = "Get-DkimSigningConfig"
+        "SharingPolicy"                  = "Get-SharingPolicy"
+        "DlpComplianceRule"              = "Get-DlpComplianceRule"
+        "DlpCompliancePolicy"            = "Get-DlpCompliancePolicy"
+        "MalwareFilterPolicy"            = "Get-MalwareFilterPolicy"
+        "HostedContentFilterPolicy"      = "Get-HostedContentFilterPolicy"
+        "HostedConnectionFilterPolicy"   = "Get-HostedConnectionFilterPolicy"
+        "AntiPhishPolicy"                = "Get-AntiPhishPolicy"
+        "SafeAttachmentPolicy"           = "Get-SafeAttachmentPolicy"
+        "SafeLinksPolicy"                = "Get-SafeLinksPolicy"
+        "HostedOutboundSpamFilterPolicy" = "Get-HostedOutboundSpamFilterPolicy"
+        "AtpPolicyForO365"               = "Get-AtpPolicyForO365"
+        "ATPBuiltInProtectionRule"       = "Get-ATPBuiltInProtectionRule"
+        "EOPProtectionPolicyRule"        = "Get-EOPProtectionPolicyRule"
+        "ATPProtectionPolicyRule"        = "Get-ATPProtectionPolicyRule"
+        "ProtectionAlert"                = "Get-ProtectionAlert"
+        "EXOMailbox"                     = "Get-EXOMailbox"
     }
 
 

tests/cis/Test-MtCisOutboundSpamFilterPolicy.Tests.ps1

@@ -0,0 +1,10 @@
+Describe "CIS" -Tag "CIS 2.1.6", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "Security", "All", "CIS M365 v3.1.0" {
+    It "2.1.6 (L1) Ensure Exchange Online Spam Policies are set to notify administrators" {
+
+        $result = Test-MtCisOutboundSpamFilterPolicy
+
+        if ($null -ne $result) {
+            $result | Should -Be $true -Because "the Exchange Online Spam Policies are set to notify administrators."
+        }
+    }
+}

tests/cis/Test-MtCisSafeAttachment.Tests.ps1

@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS 2.1.4", "L2", "CIS E5 Level 5", "CIS E5", "CIS", "Security", "All", "CIS M365 v3.1.0" {
+Describe "CIS" -Tag "CIS 2.1.4", "L2", "CIS E5 Level 2", "CIS E5", "CIS", "Security", "All", "CIS M365 v3.1.0" {
     It "2.1.4 (L2) Ensure Safe Attachments policy is enabled" {
 
         $result = Test-MtCisSafeAttachment

tests/cis/Test-MtCisSafeAttachmentsAtpPolicy.Tests.ps1

@@ -0,0 +1,10 @@
+Describe "CIS" -Tag "CIS 2.1.5", "L2", "CIS E5 Level 2", "CIS E5", "CIS", "Security", "All", "CIS M365 v3.1.0" {
+    It "2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled" {
+
+        $result = Test-MtCisSafeAttachmentsAtpPolicy
+
+        if ($null -ne $result) {
+            $result | Should -Be $true -Because "the Safe Attachement policies for SharePoint, OneDrive, and Microsoft Teams are Enabled."
+        }
+    }
+}

website/docs/tests/cis/readme.md

@@ -41,5 +41,7 @@ See the [Installation guide](/docs/installation#optional-modules-and-permissions
 | Test-MtCisAttachmentFilter | 2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled |
 | Test-MtCisInternalMalwareNotification | 2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled |
 | Test-MtCisSafeAttachment | 2.1.4 (L2) Ensure Safe Attachments policy is enabled |
+| Test-MtCisSafeAttachmentsAtpPolicy | 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled |
+| Test-MtCisOutboundSpamFilterPolicy | 2.1.6 (L1) Ensure Exchange Online Spam Policies are set to notify administrators |
 
 TBD in this case refers to CIS "manual" checks. It might be possible to automate these, but skipping for now to focus on automated checks.