Releases: ibondarenko1/m365-security-operations
Release list
v1.0.0 — Public release
First public release. The toolkit graduates from private development to community-facing v1.0.
Detect-and-remediate methodology for solo defenders running Microsoft 365 + Cloudflare in small organizations. Audits five domains in one command, produces a single ranked report, and ships ready-to-deploy remediation artifacts mapped to NIST CSF 2.0, NIST 800-53, ISO 27001, and MITRE ATT&CK.
Try it in 30 seconds
```powershell
git clone https://github.com/ibondarenko1/m365-security-operations
cd m365-security-operations
./examples/run-mock.ps1
```
Produces a complete sample report (58 findings across 5 domains) using bundled fixtures. No Azure access required.
What's in v1.0
5 audit scripts
- audit-sentinel.ps1 (workspace, daily quota, retention, onboarding, rules, Fusion, Activity Log, data connectors, workbooks, hunting queries, playbooks, watchlists, UEBA, threat intelligence)
- audit-defender-o365.ps1 (anti-phish impersonation, TenantAllowBlockList, DKIM, Strict Preset, ZAP, outbound thresholds, transport rules, attack simulation)
- audit-dns-posture.ps1 (MX, SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI, CAA, DNSSEC, SPF lookup count, DMARC sub-policy, MX backup, DKIM key strength)
- audit-identity-posture.ps1 (CA policies, authorization policy, directory roles, sign-in logs, authentication methods, app consent, service principal credentials, named locations, cross-tenant access, sign-in risk, SSPR)
- audit-defender-cloud.ps1 (per-plan pricing tier, Secure Score, recommendations by severity, Defender for AI, continuous export to Sentinel)
24+ remediation artifacts
- 6 baseline Conditional Access policy JSONs (block legacy auth, MFA admins phishing-resistant, MFA all users, sign-in risk, user risk, compliant device for management portals) with deploy.ps1
- 5 MITRE-mapped Sentinel Scheduled Analytics Rule ARM templates
- 10 KQL hunting drill templates
- 3 Defender for O365 remediation PowerShell scripts (impersonation enrollment, allow-list bulk add, Strict Preset assignment)
- MTA-STS Cloudflare Worker + DNS deployment script
- Identity + DNS audit reusable functions
Infrastructure
- Schema-enforced finding output via lib/Finding.psm1 (SCHEMA.md v1.1)
- Mock mode via lib/MockClient.psm1 — drop-in mocks for Graph + ARM + DNS + EXO
- 16 sanitized fixtures in examples/fixtures/
- 114 Pester tests
- CI matrix on ubuntu-latest + windows-latest + macos-latest (PowerShell 7)
- Static checks: JSON validation + PSScriptAnalyzer + KQL header check + fixture sanity
Documentation
- README with mock-first quickstart
- 5 end-to-end deployment walkthroughs (docs/walkthroughs/)
- THREAT-MODEL.md — explicit scope statement (what it catches, what it doesn't)
- FAQ.md — 20+ operator questions
- 6 Architecture Decision Records (docs/adr/)
- CONTRIBUTING.md with PR checklist
- ROADMAP.md (public release plan)
- LICENSE (MIT)
Generate-Report polish
- Severity distribution ASCII histogram
- MITRE ATT&CK tactic coverage section
- Diff mode (`-CompareWith`)
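As an added illustration of the two report features above (severity histogram and diff mode), here is a small PowerShell sketch that is not the repo's Generate-Report code: it renders an ASCII severity distribution from a finding set and compares two runs by finding id to report new, resolved and unchanged findings. The finding shape (`id`, `severity`, `title`) and the ids in the sample data are assumptions constructed for this example; the real contract lives in `lib/Finding.psm1` and `SCHEMA.md`.

```powershell
# Added example, not code from ibondarenko1/m365-security-operations.
# Finding shape (id, severity, title) and sample ids are constructed assumptions.

function Get-SeverityHistogram {
    param([Parameter(Mandatory)][object[]] $Findings, [int] $Width = 30)
    $order  = @('P1', 'P2', 'P3', 'INFO')
    $counts = @{}
    foreach ($s in $order) { $counts[$s] = 0 }
    foreach ($f in $Findings) { if ($counts.ContainsKey($f.severity)) { $counts[$f.severity]++ } }
    # Scale bars to the largest bucket so the widest bar is always $Width characters.
    $max = [math]::Max(1, [int]($counts.Values | Measure-Object -Maximum).Maximum)
    foreach ($s in $order) {
        $bar = '#' * [int][math]::Round($Width * $counts[$s] / $max)
        '{0,-4} {1,3} {2}' -f $s, $counts[$s], $bar
    }
}

function Compare-FindingRuns {
    param(
        [Parameter(Mandatory)][object[]] $Previous,
        [Parameter(Mandatory)][object[]] $Current
    )
    # Index both runs by id so membership tests are O(1).
    $prevIds = @{}; foreach ($f in $Previous) { $prevIds[$f.id] = $f }
    $currIds = @{}; foreach ($f in $Current)  { $currIds[$f.id] = $f }
    [pscustomobject]@{
        New       = @($Current  | Where-Object { -not $prevIds.ContainsKey($_.id) })
        Resolved  = @($Previous | Where-Object { -not $currIds.ContainsKey($_.id) })
        Unchanged = @($Current  | Where-Object { $prevIds.ContainsKey($_.id) })
    }
}

# Constructed sample runs (ids and titles are placeholders, not the project's own).
$previousRun = @(
    [pscustomobject]@{ id = 'EXAMPLE-IDENTITY-001'; severity = 'P1'; title = 'Legacy authentication not blocked' },
    [pscustomobject]@{ id = 'EXAMPLE-DNS-004';      severity = 'P2'; title = 'DMARC policy is p=none' },
    [pscustomobject]@{ id = 'EXAMPLE-SENTINEL-007'; severity = 'P3'; title = 'No watchlists configured' }
)
$currentRun = @(
    [pscustomobject]@{ id = 'EXAMPLE-IDENTITY-001'; severity = 'P1'; title = 'Legacy authentication not blocked' },
    [pscustomobject]@{ id = 'EXAMPLE-SENTINEL-007'; severity = 'P3'; title = 'No watchlists configured' },
    [pscustomobject]@{ id = 'EXAMPLE-DNS-009';      severity = 'P3'; title = 'DMARC sp= not explicitly set' }
)

Get-SeverityHistogram -Findings $currentRun
$diff = Compare-FindingRuns -Previous $previousRun -Current $currentRun
'New: {0}  Resolved: {1}  Unchanged: {2}' -f $diff.New.Count, $diff.Resolved.Count, $diff.Unchanged.Count
$diff.New | Format-Table id, severity, title -AutoSize
```

Keying the diff on a stable finding id rather than on title text is what makes count drift between toolkit versions explainable: a renamed title stays "unchanged", while a newly added check shows up as "new" rather than silently inflating the total.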
Honest scope statement
The toolkit is opinionated for small-org cloud-only Microsoft 365 + Cloudflare. It does NOT cover:
- Multi-tenant MSP management (use CIPP)
- Federal compliance overlays (use CISA ScubaGear)
- On-premises Active Directory
- Endpoint detection at device level
- Data Loss Prevention / Microsoft Purview
- Penetration testing
- M365 backup posture
Concentration enables depth: 60+ checks across 5 domains rather than surface-level coverage of 20.
Distribution
See `examples/LAUNCH.md` for the post-v1.0 distribution checklist. Companion blog post at `examples/launch-post.md`.
Contributing
See `CONTRIBUTING.md`. Most-valuable contributions: false-positive recognition patterns + new check proposals per `SCHEMA.md`.
Next: v1.1+ (community-driven)
Per `ROADMAP.md`: expanding per-domain checks, documentation_url backfill on all P3+ findings, community-requested checks via GitHub Issues.
Total project investment to v1.0: 7 phases, ~24 incremental commits, 6 sub-releases (v0.1 → v0.6), 114 Pester tests, 58 mock-mode findings, ~70 framework-tagged checks across 5 domains.
v0.6.0 — Documentation depth
Comprehensive documentation layer added. The repo now answers: how do I use it, what does it catch, what's the design rationale.
Walkthroughs
5 end-to-end deployment guides under docs/walkthroughs/:
- Deploy Microsoft Sentinel on a fresh subscription
- Harden Defender for Office 365 baseline
- Deploy MTA-STS + TLS-RPT via Cloudflare
- Deploy baseline Conditional Access policies (report-only → enforce)
- Defender for Cloud tuning (Free vs Standard tier matching)
Each is an operator-runnable copy-paste sequence with a framework alignment summary.
Threat model
docs/THREAT-MODEL.md is an honest scope statement:
- Per-domain enumeration of what the toolkit catches
- Explicit non-coverage (active threats, out-of-scope domains)
- Trust boundaries
- Attacker-subversion paths and mitigations
FAQ
docs/FAQ.md covers 20+ operator questions:
- General toolkit positioning + competitor comparison
- Running the toolkit (auth issues, missing modules, cross-platform)
- Remediation artifact safety
- Findings + reports (count drift between versions, custom checks)
- Framework alignment usage with GRC platforms
Architecture Decision Records
docs/adr/ documents 6 significant design choices:
- Schema-first finding emission (versioned finding contract)
- Mock mode via fixture replay (adoption-barrier mitigation)
- PowerShell as primary language
- Out-of-scope domain boundaries (concentration over breadth)
- Framework anchors over operational specifics
- Severity rubric (P1/P2/P3 with deadlines, why not CVSS)
Each ADR follows the standard template: context, decision, consequences, alternatives considered.
Test coverage
114 Pester tests still passing. End-to-end mock run still produces 58 findings.
Next: v1.0 (public release)
Generate-Report polish (severity histogram, MITRE coverage map, diff mode), repo visibility flip, launch blog post, distribution channels.
v0.5.0 — Defender O365 + Defender Cloud depth + CI matrix
+9 checks across Defender for Office 365 and Defender for Cloud, plus cross-platform CI matrix.
New Defender for O365 checks (+6, mock-mode)
- ZAP (Zero-hour Auto Purge) for phish disabled — P2 (loses post-delivery threat-removal)
- ZAP for spam disabled — P3
- Outbound spam recipient limit too permissive — P2 (compromised-account amplification)
- Outbound spam no admin notification — P2 (threshold breaches invisible)
- Transport rules count drift — P3 (review for stale rules)
- Attack Simulation Training campaigns count — P3 (user-awareness baseline)
New Defender for Cloud checks (+3)
- Recommendation severity breakdown with High-count gating
- Defender for AI plane status (informational, model tracking + prompt-injection threats)
- Continuous export to Sentinel configured
CI matrix
GitHub Actions now runs Pester suite on:
- ubuntu-latest (PowerShell 7)
- windows-latest (PowerShell 7; Windows PowerShell 5.1 coverage comes naturally on this runner)
- macos-latest (PowerShell 7)
Plus consolidated static-checks job: JSON validation, PSScriptAnalyzer (Error severity), KQL header check, fixture-data sanity check (non-synthetic GUID detection).
End-to-end mock: 58 findings
Up from 49 in v0.4.0. Distribution: 2 P1, 12 P2, 25 P3, 19 INFO.
Next: v0.6 (documentation depth)
Per-domain walkthroughs, threat model, FAQ, Architecture Decision Records.
v0.4.0 — Sentinel detection depth
+7 Sentinel posture checks targeting the operational surfaces a real SOC engineer monitors weekly.
New Sentinel checks
- Data connectors configured. Zero connectors = structurally limited detection coverage. P2 finding when empty.
- Workbooks deployed. Visibility dashboards over Sentinel data. Microsoft publishes 50+ free templates.
- Hunting queries available. Proactive analyst layer above scheduled analytics rules.
- Automation playbooks (Logic Apps). SOAR functionality for incident response automation.
- Watchlists configured. Curated reference data (high-value assets, terminated employees, VIP users).
- UEBA Entity Analytics enabled. Behavioral baseline scoring (requires Entra ID P2).
- Threat Intelligence indicators. Sentinel TI feed ingestion (MISP, AlienVault OTX, MDTI).
Each carries documentation_url linking the relevant Microsoft Learn article.
End-to-end mock now produces 49 findings
Up from 42 in v0.3.0. Distribution: 2 P1, 9 P2, 22 P3, 16 INFO. The growing P3 count is expected — many Sentinel features are best-practice rather than critical-gap.
Test coverage
114 Pester tests passing.
Roadmap note
v0.5.0 will land Defender O365 +10 + Defender for Cloud +8 depth checks together with CI matrix (PS5.1, PS7 on Win/Linux/Mac) and Codecov integration. v0.6.0 adds documentation depth (walkthroughs, threat model, ADRs).
v0.3.0 — Per-domain depth: Identity + DNS
14 new checks across Identity and DNS domains. Total findings on mock run: 42 (was 30 in v0.2).
New Identity checks (+8)
- Authentication methods policy (SMS deprecated, FIDO2 enablement)
- Application consent policy (permissive default = consent-phishing exposure)
- Service principal inventory + credential expiration within 60 days
- Named locations defined
- Cross-tenant access policy unrestricted inbound
- Sign-in risk policy enabled (Identity Protection)
- Self-service password reset enabled
- Standing-admin multi-role detection refined
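To show what the "service principal inventory + credential expiration within 60 days" check above amounts to in practice, here is an added PowerShell example that is not the repo's audit-identity-posture.ps1 code. It walks service principal objects shaped like Graph's (`displayName`, `appId`, `passwordCredentials`, `keyCredentials` with `endDateTime`) and emits one record per secret or certificate that is expired or inside the threshold window. The JSON is constructed sample data with synthetic identifiers, and the P2/P3 mapping is an illustrative assumption, not the project's severity rubric.

```powershell
# Added example, not code from ibondarenko1/m365-security-operations.
# Input mirrors the Graph servicePrincipal shape; sample data below is constructed.

function Get-ExpiringServicePrincipalCredentials {
    param(
        [Parameter(Mandatory)] [object[]] $ServicePrincipals,
        [int] $ThresholdDays = 60,
        [datetime] $Now = [datetime]::UtcNow
    )
    $cutoff = $Now.AddDays($ThresholdDays)
    foreach ($sp in $ServicePrincipals) {
        # Secrets (passwordCredentials) and certificates (keyCredentials) both expire; check both.
        $creds = @($sp.passwordCredentials) + @($sp.keyCredentials) | Where-Object { $null -ne $_ }
        foreach ($cred in $creds) {
            $end = [DateTimeOffset]::Parse($cred.endDateTime, [cultureinfo]::InvariantCulture).UtcDateTime
            if ($end -gt $cutoff) { continue }   # comfortably beyond the window: nothing to report
            $days = [int][math]::Floor(($end - $Now).TotalDays)
            # Assumed mapping for illustration only: an already-expired credential breaks an
            # integration silently (P2); one inside the window needs a rotation ticket (P3).
            $severity = if ($days -lt 0) { 'P2' } else { 'P3' }
            $title    = if ($days -lt 0) { 'Service principal credential expired' }
                        else { "Service principal credential expires within $ThresholdDays days" }
            [pscustomobject]@{
                ServicePrincipal = $sp.displayName
                AppId            = $sp.appId
                Credential       = $cred.displayName
                EndDateUtc       = $end.ToString('yyyy-MM-dd')
                DaysRemaining    = $days
                Severity         = $severity
                Title            = $title
            }
        }
    }
}

# Constructed fixture: three service principals, all identifiers synthetic.
$sampleServicePrincipals = @'
[
  { "displayName": "Backup Connector", "appId": "11111111-0000-4000-8000-000000000001",
    "passwordCredentials": [ { "displayName": "backup-secret", "endDateTime": "2025-03-20T00:00:00Z" } ],
    "keyCredentials": [] },
  { "displayName": "Legacy Sync", "appId": "11111111-0000-4000-8000-000000000002",
    "passwordCredentials": [ { "displayName": "sync-secret-2023", "endDateTime": "2024-12-31T00:00:00Z" } ],
    "keyCredentials": [] },
  { "displayName": "HR Integration", "appId": "11111111-0000-4000-8000-000000000003",
    "passwordCredentials": [],
    "keyCredentials": [ { "displayName": "hr-cert", "endDateTime": "2026-01-01T00:00:00Z" } ] }
]
'@ | ConvertFrom-Json

# Pin "now" so the fixture replay is deterministic, as a mock-mode run would be.
$asOf = [datetime]::new(2025, 3, 1, 0, 0, 0, [DateTimeKind]::Utc)
Get-ExpiringServicePrincipalCredentials -ServicePrincipals $sampleServicePrincipals -Now $asOf |
    Sort-Object DaysRemaining | Format-Table -AutoSize
```

Parsing `endDateTime` through `DateTimeOffset` rather than `[datetime]::Parse` keeps the comparison in UTC regardless of the runner's local time zone, which matters on a CI matrix that spans three operating systems. Against the fixture, the expired Legacy Sync secret and the soon-to-expire Backup Connector secret are reported; the HR certificate is outside the window and stays silent.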
New DNS checks (+6)
- CAA records configured (control which CAs can issue certs)
- DNSSEC enabled (DS record at parent)
- SPF lookup count nearing RFC 7208 max 10 (PermError risk)
- DMARC sub-policy (sp=) explicitly defined
- DKIM key strength manual-verification guidance
- MX backup record awareness
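The SPF lookup-count and DMARC sub-policy checks above are mostly text parsing, so here is an added PowerShell example (not the repo's audit-dns-posture.ps1) that does that parsing offline: it counts the mechanisms and modifiers that consume one of the ten DNS lookups RFC 7208 section 4.6.4 allows, and reports whether a DMARC record sets `sp=` explicitly or leaves subdomains to inherit `p=` (RFC 7489 section 6.3). The two records are constructed samples; the "nearing limit" threshold of 8 is an assumption, and a live check would resolve the TXT records and recurse into `include:` targets, which this offline count does not do.

```powershell
# Added example, not code from ibondarenko1/m365-security-operations.
# Sample records are constructed; WarnAt threshold is an assumption.

function Get-SpfLookupCount {
    param([Parameter(Mandatory)][string] $Record)
    # Terms that each consume one of the 10 DNS lookups allowed by RFC 7208 section 4.6.4.
    # ip4, ip6 and all cost nothing. include and redirect also recurse on a live check;
    # this offline count covers only the record text it is handed.
    $costly = @('include', 'a', 'mx', 'ptr', 'exists', 'redirect')
    $count = 0
    foreach ($term in ($Record -split '\s+')) {
        if (-not $term -or $term -eq 'v=spf1') { continue }
        # Drop the qualifier (+ - ~ ?) and keep the mechanism or modifier name.
        $name = (($term -replace '^[+\-~?]', '') -split '[:/=]')[0].ToLowerInvariant()
        if ($costly -contains $name) { $count++ }
    }
    return $count
}

function Test-SpfLookupBudget {
    param([Parameter(Mandatory)][string] $Record, [int] $WarnAt = 8)  # WarnAt is an assumed threshold
    $count  = Get-SpfLookupCount -Record $Record
    $status = if ($count -gt 10) { 'PermError (over limit)' }
              elseif ($count -ge $WarnAt) { 'Nearing limit' }
              else { 'OK' }
    [pscustomobject]@{ Check = 'SPF lookup count'; Lookups = $count; Limit = 10; Status = $status }
}

function Get-DmarcSubdomainPolicy {
    param([Parameter(Mandatory)][string] $Record)
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLowerInvariant()] = $kv[1].Trim() }
    }
    # RFC 7489 section 6.3: when sp= is absent, subdomains inherit the p= policy.
    $explicit = $tags.ContainsKey('sp')
    [pscustomobject]@{
        Check           = 'DMARC subdomain policy'
        Policy          = $tags['p']
        SubdomainPolicy = if ($explicit) { $tags['sp'] } else { $tags['p'] }
        Explicit        = $explicit
        Status          = if ($explicit) { 'OK' } else { 'sp= not set (inherits p=)' }
    }
}

# Constructed sample records for a small org with several SaaS senders.
$spfRecord   = 'v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com ' +
               'include:servers.mcsv.net include:mail.zendesk.com a mx ' +
               'include:_spf.google.com include:sendgrid.net ~all'
$dmarcRecord = 'v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com'

Test-SpfLookupBudget -Record $spfRecord
Get-DmarcSubdomainPolicy -Record $dmarcRecord
```

The SPF sample carries six `include:` terms plus `a` and `mx`, which is eight lookups before any of the included records are expanded; that is exactly the situation the "nearing RFC 7208 max 10" check is meant to surface, since each SaaS vendor's include can add several more. The DMARC sample has `p=reject` but no `sp=`, so subdomains inherit reject, which is fine today but worth stating explicitly so a later change to `p=` does not silently loosen subdomain handling.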
Schema v1.1 — documentation_url field
Findings now carry an optional documentation_url pointing to authoritative external reference (Microsoft Learn, NIST, RFC). Generate-Report surfaces these as inline links.
Backward compatible — findings without the field continue to validate.
Test coverage
114 Pester tests passing. End-to-end mock run produces 42 findings across 5 domains.
Next: v0.4 (Sentinel + Defender O365 depth)
Per ROADMAP.md: Sentinel +10 checks (data connectors, workbooks, hunting queries, playbooks, watchlists, threat indicators, ML/UEBA, solutions, ingestion baselines), Defender O365 +10 checks (quarantine policies, priority account protection, ZAP, attack simulation, Safe Documents, anti-spoofing, outbound spam thresholds, connection filter, transport rules, bulk threshold).
v0.2.0 — Mock mode + onboarding
Mock mode lands. The tool can now be tried end-to-end without any Azure access.
What's new
- `./examples/run-mock.ps1` produces a complete sample report (30 findings across 5 domains) in ~5 seconds. No az login, no tenant, no permissions required.
- `lib/MockClient.psm1` provides drop-in mocks for Graph, ARM, DNS, and Exchange Online calls. All audit scripts route through it when `-MockMode` is set.
- `examples/fixtures/` ships 16 sanitized JSON fixtures representing a typical small-org tenant with realistic posture gaps. All identifiers synthetic.
- README quickstart leads with the mock path. Live-tenant path is section 2.
What's preserved
- Live tenant audit (Phase 1 stabilization from v0.1.0) unchanged. Run with full `./run-audit.ps1 -TenantId ... -SubscriptionId ... -Domain ...`.
- 114 Pester tests still passing.
- Schema v1.0.0 unchanged; mock-mode output is structurally identical to live-mode output.
Adoption barrier dropped
Before v0.2: clone + Azure subscription + Graph permissions + Exchange Online module + 5-10 minutes of setup → see what the tool does.
After v0.2: clone + ./examples/run-mock.ps1 → see exactly what the tool does in 5 seconds.
Next: v0.3 (Per-domain depth — Identity + DNS)
Per ROADMAP.md: expanding Identity audit by +15 checks (PIM eligibility, app consent, service principal audit, named locations, etc.) and DNS by +8 checks (DNSSEC, CAA, DKIM key strength, etc.) plus per-finding documentation_url field.
v0.1.0 — Phase 1 stabilization
First tagged release. Phase 1 stabilization complete.
What's working
- `./run-audit.ps1` orchestrates all 5 phase audits against a real M365 tenant + Azure subscription + Cloudflare-managed DNS zone, producing structured JSON findings per phase and an aggregated markdown report.
- 114 Pester tests passing covering Finding module behavior + repo-wide structural integrity.
- 5 audit scripts emit findings conformant to `SCHEMA.md` v1.0.0.
- 6 baseline Conditional Access policy JSONs, 5 MITRE-mapped Sentinel ARM templates, 10 KQL hunting drills.
- 4 remediation PowerShell templates for Defender O365 + DNS deployment via Cloudflare.
- Generate-Report aggregates per-phase JSON into markdown with executive summary, ranked gap list, and framework coverage matrix.
Known limitations (will address in v0.2+)
- No mock mode yet — running `./run-audit.ps1` requires an actual Azure subscription + Microsoft 365 tenant and az login. Mock mode arrives in v0.2.
- Per-domain checks are intentionally shallow at this point (~5-7 per domain). Depth expansion across all 5 domains is v0.3-v0.5.
- No GitHub Actions matrix across PS5.1/PS7 platforms yet. v0.5.
- Defender for Office 365 audit requires the `ExchangeOnlineManagement` PowerShell module — handled gracefully via an `OUT_OF_SCOPE` finding when missing.
Repository status
Private. Public release targeted at v1.0 per ROADMAP.md.
Schema
SCHEMA.md version 1.0.0. Stable contract; future schema changes will bump the major version and be flagged in release notes.