
Bug with MS.DEFENDER.1.4v1 - "Sensitive accounts SHALL be added to Exchange Online Protection in the strict preset security policy." #1050

Closed
sgendron50 opened this issue Apr 2, 2024 · 2 comments
Assignees
Labels
public-reported This issue is reported by the public users of the tool.

Comments

@sgendron50

🐛 Summary

Control ID MS.DEFENDER.1.4v1 is reporting failure, however, there are accounts added to the Exchange Online Protection in the strict preset security policy.

To reproduce

Steps to reproduce the behavior:

Navigate to Defender --> Email & Collaboration --> Policies & Rules --> Threat Policies --> Preset Security Policies --> Manage Protection Settings under Strict Protection. Add users to Apply Exchange Online Protection.

Expected behavior

Control ID would report Success.

@buidav buidav added the public-reported This issue is reported by the public users of the tool. label Apr 2, 2024
@schrolla
Collaborator

schrolla commented Apr 3, 2024

Thank you for your report, @sgendron50. Assuming you are using the latest ScubaGear release v1.1.1, note that any of the policies that mention sensitive accounts requires that those accounts are defined via policy variables in a ScubaGear configuration file for each of the associated policies. So, for example, if you designate the account johndoe@example.com as a sensitive account, then for MS.DEFENDER.1.4v1 you would need a configuration file that includes, at a minimum, the following:

```yaml
defender:
  MS.DEFENDER.1.4v1:
    SensitiveAccounts:
      IncludedUsers:
        - johndoe@example.com
```

Otherwise, the check will assume the account listed in the policy is not a sensitive account and that sensitive accounts have not been defined, which results in a warning. You can similarly define sensitive groups and domains. For a more complete configuration that sets sensitive users, groups, and domains for each of the sensitive account related policies see the example Defender configuration in https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/Sample-Config-Files/defender-config.yaml. Note that you only need the defender section of the configuration example now that ScubaGear supports mixing command line and config file options.
You can then run ScubaGear referencing the config file like so: `Invoke-Scuba -ConfigFilePath defender-sg-config.yaml -p defender` to run using the config and assess just Defender.
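To make the explanation above concrete, here is a small Python model of how a sensitive-accounts control such as MS.DEFENDER.1.4v1 derives its result from the config file plus the strict policy's scope. It is an added example, not ScubaGear's own Rego policy or output; the `IncludedGroups`/`IncludedDomains` keys and the sample account lists are assumptions modelled on the `IncludedUsers` entry shown above.

```python
# Added example: a simplified model of a ScubaGear sensitive-accounts check.
# It is not the project's Rego policy; it only mirrors the behaviour described
# above: no config entry -> warning, otherwise compare config against policy.

SENSITIVE_KINDS = ("Users", "Groups", "Domains")

# Constructed sample: the parsed "defender" section of a ScubaGear config file.
# IncludedGroups/IncludedDomains are assumed key names modelled on IncludedUsers.
CONFIG_WITH_ACCOUNTS = {
    "defender": {
        "MS.DEFENDER.1.4v1": {
            "SensitiveAccounts": {
                "IncludedUsers": ["johndoe@example.com"],
                "IncludedGroups": [],
                "IncludedDomains": [],
            }
        }
    }
}

# Constructed sample: a run with no sensitive accounts in the config file.
CONFIG_WITHOUT_ACCOUNTS = {"defender": {}}

# Constructed sample: what the admin added under "Apply Exchange Online
# Protection" in the Strict preset security policy.
STRICT_EOP_SCOPE = {"Users": ["johndoe@example.com", "cfo@example.com"],
                    "Groups": [], "Domains": []}


def evaluate_sensitive_accounts(control_id, config, policy_scope):
    """Return (status, detail): 'Warning' if the config defines no sensitive
    accounts for control_id, 'Fail' if any is outside the policy scope, else 'Pass'."""
    section = config.get("defender", {}).get(control_id, {})
    defined = section.get("SensitiveAccounts") or {}
    wanted = {k: set(defined.get(f"Included{k}") or []) for k in SENSITIVE_KINDS}
    if not any(wanted.values()):
        # The tool cannot judge the policy's scope against an empty definition.
        return "Warning", f"{control_id}: no sensitive accounts defined in config"
    uncovered = {}
    for kind, accounts in wanted.items():
        missing = accounts - set(policy_scope.get(kind) or [])
        if missing:
            uncovered[kind] = sorted(missing)
    if uncovered:
        return "Fail", f"{control_id}: not in strict policy scope: {uncovered}"
    return "Pass", f"{control_id}: all sensitive accounts are in the strict policy"
```

Running the reporter's situation through this model (accounts in the policy, nothing in the config) yields the warning rather than a pass, which is the behaviour the comment describes.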

@schrolla schrolla self-assigned this Apr 3, 2024
@sgendron50
Author

You are correct, @schrolla. Closing this issue.
