
Releases: ibondarenko1/m365-security-operations

v1.0.0 — Public release


ibondarenko1 released this 23 May 19:06

First public release. The toolkit graduates from private development to community-facing v1.0.

Detect-and-remediate methodology for solo defenders running Microsoft 365 + Cloudflare in small organizations. Audits five domains in one command, produces a single ranked report, and ships ready-to-deploy remediation artifacts mapped to NIST CSF 2.0, NIST 800-53, ISO 27001, MITRE ATT&CK.

Try it in 30 seconds

```powershell
git clone https://github.com/ibondarenko1/m365-security-operations
cd m365-security-operations
./examples/run-mock.ps1
```

Produces a complete sample report (58 findings across 5 domains) using bundled fixtures. No Azure access required.

What's in v1.0

5 audit scripts

  • audit-sentinel.ps1 (workspace, daily quota, retention, onboarding, rules, Fusion, Activity Log, data connectors, workbooks, hunting queries, playbooks, watchlists, UEBA, threat intelligence)
  • audit-defender-o365.ps1 (anti-phish impersonation, TenantAllowBlockList, DKIM, Strict Preset, ZAP, outbound thresholds, transport rules, attack simulation)
  • audit-dns-posture.ps1 (MX, SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI, CAA, DNSSEC, SPF lookup count, DMARC sub-policy, MX backup, DKIM key strength)
  • audit-identity-posture.ps1 (CA policies, authorization policy, directory roles, sign-in logs, authentication methods, app consent, service principal credentials, named locations, cross-tenant access, sign-in risk, SSPR)
  • audit-defender-cloud.ps1 (per-plan pricing tier, Secure Score, recommendations by severity, Defender for AI, continuous export to Sentinel)

24+ remediation artifacts

  • 6 baseline Conditional Access policy JSONs (block legacy auth, MFA admins phishing-resistant, MFA all users, sign-in risk, user risk, compliant device for management portals) with deploy.ps1
  • 5 MITRE-mapped Sentinel Scheduled Analytics Rule ARM templates
  • 10 KQL hunting drill templates
  • 3 Defender for O365 remediation PowerShell scripts (impersonation enrollment, allow-list bulk add, Strict Preset assignment)
  • MTA-STS Cloudflare Worker + DNS deployment script
  • Identity + DNS audit reusable functions

Infrastructure

  • Schema-enforced finding output via lib/Finding.psm1 (SCHEMA.md v1.1)
  • Mock mode via lib/MockClient.psm1 — drop-in mocks for Graph + ARM + DNS + EXO
  • 16 sanitized fixtures in examples/fixtures/
  • 114 Pester tests
  • CI matrix on ubuntu-latest + windows-latest + macos-latest (PowerShell 7)
  • Static checks: JSON validation + PSScriptAnalyzer + KQL header check + fixture sanity

Documentation

  • README with mock-first quickstart
  • 5 end-to-end deployment walkthroughs (docs/walkthroughs/)
  • THREAT-MODEL.md — explicit scope statement (what catches, what doesn't)
  • FAQ.md — 20+ operator questions
  • 6 Architecture Decision Records (docs/adr/)
  • CONTRIBUTING.md with PR checklist
  • ROADMAP.md (public release plan)
  • LICENSE (MIT)

Generate-Report polish

  • Severity distribution ASCII histogram
  • MITRE ATT&CK tactic coverage section
  • Diff mode (`-CompareWith`)

Honest scope statement

The toolkit is opinionated for small-org cloud-only Microsoft 365 + Cloudflare. It does NOT cover:

  • Multi-tenant MSP management (use CIPP)
  • Federal compliance overlays (use CISA ScubaGear)
  • On-premises Active Directory
  • Endpoint detection at device level
  • Data Loss Prevention / Microsoft Purview
  • Penetration testing
  • M365 backup posture

Concentration enables depth: 60+ checks across 5 domains rather than surface-level coverage of 20.

Distribution

See `examples/LAUNCH.md` for the post-v1.0 distribution checklist. Companion blog post at `examples/launch-post.md`.

Contributing

See `CONTRIBUTING.md`. Most-valuable contributions: false-positive recognition patterns + new check proposals per `SCHEMA.md`.

Next: v1.1+ (community-driven)

Per `ROADMAP.md`: expanding per-domain checks, documentation_url backfill on all P3+ findings, community-requested checks via GitHub Issues.


Total project investment to v1.0: 7 phases, ~24 incremental commits, 6 sub-releases (v0.1 → v0.6), 114 Pester tests, 58 mock-mode findings, ~70 framework-tagged checks across 5 domains.

v0.6.0 — Documentation depth


ibondarenko1 released this 23 May 19:02

Comprehensive documentation layer added. The repo now answers: how do I use it, what does it catch, what's the design rationale.

Walkthroughs

5 end-to-end deployment guides under docs/walkthroughs/:

  • Deploy Microsoft Sentinel on a fresh subscription
  • Harden Defender for Office 365 baseline
  • Deploy MTA-STS + TLS-RPT via Cloudflare
  • Deploy baseline Conditional Access policies (report-only → enforce)
  • Defender for Cloud tuning (Free vs Standard tier matching)

Each is an operator-runnable copy-paste sequence with a framework alignment summary.

Threat model

docs/THREAT-MODEL.md is an honest scope statement:

  • Per-domain enumeration of what the toolkit catches
  • Explicit non-coverage (active threats, out-of-scope domains)
  • Trust boundaries
  • Attacker-subversion paths and mitigations

FAQ

docs/FAQ.md covers 20+ operator questions:

  • General toolkit positioning + competitor comparison
  • Running the toolkit (auth issues, missing modules, cross-platform)
  • Remediation artifact safety
  • Findings + reports (count drift between versions, custom checks)
  • Framework alignment usage with GRC platforms

Architecture Decision Records

docs/adr/ documents 6 significant design choices:

  1. Schema-first finding emission (versioned finding contract)
  2. Mock mode via fixture replay (adoption-barrier mitigation)
  3. PowerShell as primary language
  4. Out-of-scope domain boundaries (concentration over breadth)
  5. Framework anchors over operational specifics
  6. Severity rubric (P1/P2/P3 with deadlines, why not CVSS)

Each ADR follows the standard template: context, decision, consequences, alternatives considered.

Test coverage

114 Pester tests still passing. End-to-end mock run still produces 58 findings.

Next: v1.0 (public release)

Generate-Report polish (severity histogram, MITRE coverage map, diff mode), repo visibility flip, launch blog post, distribution channels.

v0.5.0 — Defender O365 + Defender Cloud depth + CI matrix


ibondarenko1 released this 23 May 18:55

+9 checks across Defender for Office 365 and Defender for Cloud, plus cross-platform CI matrix.

New Defender for O365 checks (+6, mock-mode)

  • ZAP (Zero-hour Auto Purge) for phish disabled — P2 (loses post-delivery threat-removal)
  • ZAP for spam disabled — P3
  • Outbound spam recipient limit too permissive — P2 (compromised-account amplification)
  • Outbound spam no admin notification — P2 (threshold breaches invisible)
  • Transport rules count drift — P3 (review for stale rules)
  • Attack Simulation Training campaigns count — P3 (user-awareness baseline)
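As an added illustration (not code from m365-security-operations), the following evaluates the two policy objects behind the ZAP and outbound-spam checks above. The property names are those returned by the real Exchange Online cmdlets `Get-HostedContentFilterPolicy` (`PhishZapEnabled`, `SpamZapEnabled`) and `Get-HostedOutboundSpamFilterPolicy` (`RecipientLimitExternalPerHour`, `RecipientLimitPerDay`, `NotifyOutboundSpam`, `NotifyOutboundSpamRecipients`); the review thresholds, the `New-Finding` shape and the fixture values are this example's own assumptions, so it runs without a tenant.

```powershell
function New-Finding {
    param([string]$Check, [string]$Severity, [string]$Title, [string]$Detail)
    # Assumed finding shape for this example; the toolkit's real contract is SCHEMA.md.
    [pscustomobject]@{
        domain   = 'defender-o365'
        check    = $Check
        severity = $Severity
        title    = $Title
        detail   = $Detail
    }
}

function Test-OutboundSpamPolicy {
    param(
        [Parameter(Mandatory)] $Policy,
        [int] $MaxExternalPerHour = 500,   # assumed review threshold, not a Microsoft default
        [int] $MaxPerDay = 1000            # assumed review threshold
    )
    # In EXO a limit of 0 means "use the service default", so only an explicit high value is permissive.
    if ($Policy.RecipientLimitExternalPerHour -gt $MaxExternalPerHour) {
        New-Finding 'outbound-spam-external-hourly' 'P2' 'Outbound spam recipient limit too permissive' `
            ('RecipientLimitExternalPerHour={0} exceeds review threshold {1}; a compromised mailbox can send that volume before throttling' -f `
             $Policy.RecipientLimitExternalPerHour, $MaxExternalPerHour)
    }
    if ($Policy.RecipientLimitPerDay -gt $MaxPerDay) {
        New-Finding 'outbound-spam-daily' 'P2' 'Outbound spam daily recipient limit too permissive' `
            ('RecipientLimitPerDay={0} exceeds review threshold {1}' -f $Policy.RecipientLimitPerDay, $MaxPerDay)
    }
    # Threshold breaches are invisible unless notification is on and at least one recipient is set.
    if (-not $Policy.NotifyOutboundSpam -or @($Policy.NotifyOutboundSpamRecipients).Count -eq 0) {
        New-Finding 'outbound-spam-notification' 'P2' 'Outbound spam has no admin notification' `
            'Set NotifyOutboundSpam and at least one NotifyOutboundSpamRecipients address'
    }
}

function Test-ZapPolicy {
    param([Parameter(Mandatory)] $Policy)
    if (-not $Policy.PhishZapEnabled) {
        New-Finding 'zap-phish' 'P2' 'ZAP for phish disabled' 'Mail reclassified as phish after delivery stays in mailboxes'
    }
    if (-not $Policy.SpamZapEnabled) {
        New-Finding 'zap-spam' 'P3' 'ZAP for spam disabled' 'Mail reclassified as spam after delivery stays in mailboxes'
    }
}

# Constructed fixtures shaped like the cmdlet output (values are made up, not from any tenant).
$outboundFixture = [pscustomobject]@{
    Name                          = 'Default'
    RecipientLimitExternalPerHour = 5000
    RecipientLimitInternalPerHour = 0
    RecipientLimitPerDay          = 10000
    NotifyOutboundSpam            = $false
    NotifyOutboundSpamRecipients  = @()
}
$contentFixture = [pscustomobject]@{
    Name            = 'Default'
    PhishZapEnabled = $false
    SpamZapEnabled  = $true
}

$findings = @(Test-OutboundSpamPolicy -Policy $outboundFixture) + @(Test-ZapPolicy -Policy $contentFixture)
$findings | Sort-Object severity | Format-Table severity, check, title -AutoSize
```

Against a live tenant the two fixture objects would come from `Get-HostedOutboundSpamFilterPolicy` and `Get-HostedContentFilterPolicy` after `Connect-ExchangeOnline`; with the constructed values the run yields three P2 outbound-spam findings plus a P2 for phish ZAP, and nothing for spam ZAP.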

New Defender for Cloud checks (+3)

  • Recommendation severity breakdown with High-count gating
  • Defender for AI plane status (informational, model tracking + prompt-injection threats)
  • Continuous export to Sentinel configured

CI matrix

GitHub Actions now runs Pester suite on:

  • ubuntu-latest (PowerShell 7)
  • windows-latest (PowerShell 7, plus the PS 5.1 coverage Windows provides natively)
  • macos-latest (PowerShell 7)

Plus consolidated static-checks job: JSON validation, PSScriptAnalyzer (Error severity), KQL header check, fixture-data sanity check (non-synthetic GUID detection).

End-to-end mock: 58 findings

Up from 49 in v0.4.0. Distribution: 2 P1, 12 P2, 25 P3, 19 INFO.

Next: v0.6 (documentation depth)

Per-domain walkthroughs, threat model, FAQ, Architecture Decision Records.

v0.4.0 — Sentinel detection depth


ibondarenko1 released this 23 May 18:34

+7 Sentinel posture checks targeting the operational surfaces a real SOC engineer monitors weekly.

New Sentinel checks

  • Data connectors configured. Zero connectors = structurally limited detection coverage. P2 finding when empty.
  • Workbooks deployed. Visibility dashboards over Sentinel data. Microsoft publishes 50+ free templates.
  • Hunting queries available. Proactive analyst layer above scheduled analytics rules.
  • Automation playbooks (Logic Apps). SOAR functionality for incident response automation.
  • Watchlists configured. Curated reference data (high-value assets, terminated employees, VIP users).
  • UEBA Entity Analytics enabled. Behavioral baseline scoring (requires Entra ID P2).
  • Threat Intelligence indicators. Sentinel TI feed ingestion (MISP, AlienVault OTX, MDTI).

Each carries documentation_url linking the relevant Microsoft Learn article.

End-to-end mock now produces 49 findings

Up from 42 in v0.3.0. Distribution: 2 P1, 9 P2, 22 P3, 16 INFO. The growing P3 count is expected — many Sentinel features are best-practice rather than critical-gap.

Test coverage

114 Pester tests passing.

Roadmap note

v0.5.0 will land Defender O365 +10 + Defender for Cloud +8 depth checks together with CI matrix (PS5.1, PS7 on Win/Linux/Mac) and Codecov integration. v0.6.0 adds documentation depth (walkthroughs, threat model, ADRs).

v0.3.0 — Per-domain depth: Identity + DNS


ibondarenko1 released this 23 May 18:29

14 new checks across Identity and DNS domains. Total findings on mock run: 42 (was 30 in v0.2).

New Identity checks (+8)

  • Authentication methods policy (SMS deprecated, FIDO2 enablement)
  • Application consent policy (permissive default = consent-phishing exposure)
  • Service principal inventory + credential expiration within 60 days
  • Named locations defined
  • Cross-tenant access policy unrestricted inbound
  • Sign-in risk policy enabled (Identity Protection)
  • Self-service password reset enabled
  • Standing-admin multi-role detection refined

New DNS checks (+6)

  • CAA records configured (control which CAs can issue certs)
  • DNSSEC enabled (DS record at parent)
  • SPF lookup count nearing RFC 7208 max 10 (PermError risk)
  • DMARC sub-policy (sp=) explicitly defined
  • DKIM key strength manual-verification guidance
  • MX backup record awareness
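To make the SPF lookup-count and DMARC sub-policy checks concrete, here is an added example that is not the toolkit's own code. It applies the RFC 7208 rule that `include`, `a`, `mx`, `ptr`, `exists` and `redirect` each cost one DNS lookup (while `ip4`, `ip6`, `all` and `exp` cost none) to a constructed in-memory zone, so it runs offline; the `.test` names, record contents and severity thresholds are all assumptions. Replacing `Resolve-TxtRecord` with `Resolve-DnsName -Type TXT` would point it at a live zone.

```powershell
# Constructed zone: TXT records keyed by owner name. Every name and address here is made up.
$zone = @{
    'example.test'                = 'v=spf1 mx a include:spf.protection.outlook.test include:_spf.vendor.test ip4:203.0.113.0/24 -all'
    'spf.protection.outlook.test' = 'v=spf1 ip4:198.51.100.0/24 include:spf-a.outlook.test include:spf-b.outlook.test -all'
    'spf-a.outlook.test'          = 'v=spf1 ip4:198.51.100.0/25 -all'
    'spf-b.outlook.test'          = 'v=spf1 ip6:2001:db8::/32 -all'
    '_spf.vendor.test'            = 'v=spf1 include:mail.vendor.test exists:%{i}.rbl.vendor.test redirect=alt.vendor.test'
    'mail.vendor.test'            = 'v=spf1 a mx ptr -all'
    'alt.vendor.test'             = 'v=spf1 ip4:192.0.2.0/24 -all'
    '_dmarc.example.test'         = 'v=DMARC1; p=quarantine; rua=mailto:dmarc@example.test'
}

function Resolve-TxtRecord {
    param([string]$Name)
    # Offline stand-in for Resolve-DnsName -Type TXT; unknown names resolve to $null.
    if ($zone.ContainsKey($Name)) { $zone[$Name] } else { $null }
}

function Get-SpfLookupCount {
    param([string]$Domain, [int]$Depth = 0)
    # Include loops are themselves a PermError condition; stop counting past a sane depth.
    if ($Depth -gt 10) { return 0 }
    $record = Resolve-TxtRecord $Domain
    if (-not $record -or $record -notmatch '^v=spf1(\s|$)') { return 0 }
    $count = 0
    foreach ($term in ($record -split '\s+' | Select-Object -Skip 1)) {
        $t = $term.TrimStart('+', '-', '~', '?')          # qualifiers do not affect the count
        switch -Regex ($t) {
            '^include:(.+)$'     { $count += 1 + (Get-SpfLookupCount $Matches[1] ($Depth + 1)); break }
            '^redirect=(.+)$'    { $count += 1 + (Get-SpfLookupCount $Matches[1] ($Depth + 1)); break }
            '^(a|mx|ptr)(:|/|$)' { $count += 1; break }   # one lookup each, even with a domain-spec
            '^exists:'           { $count += 1; break }
            # ip4:, ip6:, all and exp= are free under the 10-lookup rule
        }
    }
    return $count
}

function Get-DmarcSubdomainPolicy {
    param([string]$Domain)
    $record = Resolve-TxtRecord "_dmarc.$Domain"
    if (-not $record -or $record -notmatch '^v=DMARC1') { return $null }
    $tags = @{}
    foreach ($pair in ($record -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    # Without sp=, every subdomain silently inherits p=; the check wants sp= stated explicitly.
    $effective = if ($tags.ContainsKey('sp')) { $tags['sp'] } else { $tags['p'] }
    [pscustomobject]@{ p = $tags['p']; sp = $tags['sp']; effective_sp = $effective; explicit = $tags.ContainsKey('sp') }
}

$lookups = Get-SpfLookupCount 'example.test'
$spfSeverity = if ($lookups -gt 10) { 'P2' } elseif ($lookups -ge 8) { 'P3' } else { 'INFO' }   # assumed thresholds
"SPF lookups for example.test: $lookups (RFC 7208 limit 10) -> $spfSeverity"

$dmarc = Get-DmarcSubdomainPolicy 'example.test'
if (-not $dmarc.explicit) {
    "DMARC sp= not set for example.test; subdomains inherit p=$($dmarc.p) -> P3 (assumed severity)"
}
```

With the constructed zone the count comes to 12 (two of them hidden two includes deep in the vendor chain), which is exactly the situation where receivers return PermError and stop evaluating SPF, and the DMARC record shows the inherited-`sp` case the check is meant to surface.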

Schema v1.1 — documentation_url field

Findings now carry an optional documentation_url pointing to authoritative external reference (Microsoft Learn, NIST, RFC). Generate-Report surfaces these as inline links.

Backward compatible — findings without the field continue to validate.
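The backward-compatibility property above is easy to get wrong when a schema grows, so here is an added example (not the toolkit's `lib/Finding.psm1`) of a validator that only checks `documentation_url` when the field is present. The required field names, the severity vocabulary and the sample findings are this example's assumptions; the real contract is `SCHEMA.md`.

```powershell
# Assumed required fields and severity vocabulary for this example only.
$RequiredFields  = 'id', 'domain', 'check', 'severity', 'title'
$AllowedSeverity = 'P1', 'P2', 'P3', 'INFO'

function Test-FindingSchema {
    param([Parameter(Mandatory)] [hashtable]$Finding)
    $errors = @()
    foreach ($f in $RequiredFields) {
        if (-not $Finding.ContainsKey($f) -or [string]::IsNullOrWhiteSpace([string]$Finding[$f])) {
            $errors += "missing required field '$f'"
        }
    }
    if ($Finding.ContainsKey('severity') -and $Finding['severity'] -notin $AllowedSeverity) {
        $errors += "severity '$($Finding['severity'])' not in [$($AllowedSeverity -join ', ')]"
    }
    # Schema v1.1 addition: documentation_url is optional. It is validated only when present,
    # which is what lets v1.0 findings (no such key) keep passing unchanged.
    if ($Finding.ContainsKey('documentation_url') -and $null -ne $Finding['documentation_url']) {
        $uri = $null
        $ok = [System.Uri]::TryCreate([string]$Finding['documentation_url'], [System.UriKind]::Absolute, [ref]$uri)
        if (-not $ok -or $uri.Scheme -ne 'https') {
            $errors += 'documentation_url must be an absolute https URL'
        }
    }
    [pscustomobject]@{ id = $Finding['id']; valid = ($errors.Count -eq 0); errors = ($errors -join '; ') }
}

# Constructed findings: a v1.0-style one without the field, a v1.1 one with it, and a bad one.
$samples = @(
    @{ id = 'DNS-004'; domain = 'dns'; check = 'dmarc-subpolicy'; severity = 'P3'; title = 'DMARC sp= not set' },
    @{ id = 'DNS-003'; domain = 'dns'; check = 'spf-lookup-count'; severity = 'P2'; title = 'SPF lookups exceed 10'
       documentation_url = 'https://docs.example.test/spf-lookups' },   # placeholder URL, not a real reference
    @{ id = 'ID-009'; domain = 'identity'; check = 'sspr'; severity = 'P9'; title = 'SSPR disabled'
       documentation_url = 'http://docs.example.test/sspr' }            # wrong severity and non-https URL
)

$samples | ForEach-Object { Test-FindingSchema -Finding $_ } | Format-Table id, valid, errors -AutoSize
```

The first two samples validate and the third fails on both the unknown severity and the non-https link; tightening the rule to require `documentation_url` would be the kind of change that, per the schema note above, warrants a major version bump rather than a minor one.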

Test coverage

114 Pester tests passing. End-to-end mock run produces 42 findings across 5 domains.

Next: v0.4 (Sentinel + Defender O365 depth)

Per ROADMAP.md: Sentinel +10 checks (data connectors, workbooks, hunting queries, playbooks, watchlists, threat indicators, ML/UEBA, solutions, ingestion baselines), Defender O365 +10 checks (quarantine policies, priority account protection, ZAP, attack simulation, Safe Documents, anti-spoofing, outbound spam thresholds, connection filter, transport rules, bulk threshold).

v0.2.0 — Mock mode + onboarding


ibondarenko1 released this 23 May 18:21

Mock mode lands. Tool can now be tried end-to-end without any Azure access.

What's new

  • ./examples/run-mock.ps1 produces a complete sample report (30 findings across 5 domains) in ~5 seconds. No az login, no tenant, no permissions required.
  • lib/MockClient.psm1 provides drop-in mocks for Graph, ARM, DNS, and Exchange Online calls. All audit scripts route through it when -MockMode is set.
  • examples/fixtures/ ships 16 sanitized JSON fixtures representing a typical small-org tenant with realistic posture gaps. All identifiers synthetic.
  • README quickstart leads with the mock path. Live-tenant path is section 2.
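The "drop-in mock" routing described above can be shown in a few lines. This is an added example, not the toolkit's `lib/MockClient.psm1`: a single Graph GET wrapper that replays a JSON fixture when `-MockMode` is set and otherwise calls the real `Invoke-MgGraphRequest` (Microsoft.Graph.Authentication module). The fixture naming scheme, the temp directory and the fixture contents are assumptions; the `authorizationPolicy` property names are the real Graph ones.

```powershell
# Assumed fixture layout for this example: <root>/<api path with separators replaced by _>.json
$FixtureRoot = Join-Path ([System.IO.Path]::GetTempPath()) 'mock-demo-fixtures'
New-Item -ItemType Directory -Force -Path $FixtureRoot | Out-Null

# Constructed fixture mirroring the shape of GET /policies/authorizationPolicy (values made up).
@'
{
  "id": "authorizationPolicy",
  "allowInvitesFrom": "everyone",
  "defaultUserRolePermissions": { "allowedToCreateApps": true, "allowedToCreateSecurityGroups": true }
}
'@ | Set-Content -Path (Join-Path $FixtureRoot 'policies_authorizationPolicy.json')

function Invoke-GraphGet {
    param([Parameter(Mandatory)][string]$Path, [switch]$MockMode)
    if ($MockMode) {
        # Replay: same call site, same object shape, no credentials or tenant needed.
        $file = Join-Path $FixtureRoot (($Path.Trim('/') -replace '[/?=&$]', '_') + '.json')
        if (-not (Test-Path $file)) { throw "no fixture for $Path at $file" }
        return Get-Content -Raw -Path $file | ConvertFrom-Json
    }
    # Live path: requires Connect-MgGraph with the scopes the check needs.
    return Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0$Path"
}

# A check written against the wrapper runs identically in mock and live mode.
$policy = Invoke-GraphGet -Path '/policies/authorizationPolicy' -MockMode
if ($policy.defaultUserRolePermissions.allowedToCreateApps) {
    "P3 (assumed severity): all users may register applications (allowedToCreateApps=true); review alongside the app consent policy"
}
if ($policy.allowInvitesFrom -eq 'everyone') {
    "INFO (assumed): guest invitations are open to everyone (allowInvitesFrom=everyone)"
}
```

Because the check code never branches on the mode itself, a fixture captured (and sanitized) from a real tenant exercises exactly the logic a live run would, which is what makes the 30 mock-mode findings comparable to live output.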

What's preserved

  • Live tenant audit (Phase 1 stabilization from v0.1.0) unchanged. Run with full ./run-audit.ps1 -TenantId ... -SubscriptionId ... -Domain ....
  • 114 Pester tests still passing.
  • Schema v1.0.0 unchanged; mock-mode output is structurally identical to live-mode output.

Adoption barrier dropped

Before v0.2: clone + Azure subscription + Graph permissions + Exchange Online module + 5-10 minutes of setup → see what the tool does.

After v0.2: clone + ./examples/run-mock.ps1 → see exactly what the tool does in 5 seconds.

Next: v0.3 (Per-domain depth — Identity + DNS)

Per ROADMAP.md: expanding Identity audit by +15 checks (PIM eligibility, app consent, service principal audit, named locations, etc.) and DNS by +8 checks (DNSSEC, CAA, DKIM key strength, etc.) plus per-finding documentation_url field.

v0.1.0 — Phase 1 stabilization


ibondarenko1 released this 23 May 18:09

First tagged release. Phase 1 stabilization complete.

What's working

  • ./run-audit.ps1 orchestrates all 5 phase audits against a real M365 tenant + Azure subscription + Cloudflare-managed DNS zone, producing structured JSON findings per phase and an aggregated markdown report.
  • 114 Pester tests passing covering Finding module behavior + repo-wide structural integrity.
  • 5 audit scripts emit findings conformant to SCHEMA.md v1.0.0.
  • 6 baseline Conditional Access policy JSONs, 5 MITRE-mapped Sentinel ARM templates, 10 KQL hunting drills.
  • 4 remediation PowerShell templates for Defender O365 + DNS deployment via Cloudflare.
  • Generate-Report aggregates per-phase JSON into markdown with executive summary, ranked gap list, and framework coverage matrix.

Known limitations (will address in v0.2+)

  • No mock mode yet — running ./run-audit.ps1 requires an actual Azure subscription + Microsoft 365 tenant and az login. Mock mode arrives in v0.2.
  • Per-domain checks are intentionally shallow at this point (~5-7 per domain). Depth expansion across all 5 domains is v0.3-v0.5.
  • No GitHub Actions matrix across PS5.1/PS7 platforms yet. v0.5.
  • Defender for Office 365 audit requires ExchangeOnlineManagement PowerShell module — handled gracefully via OUT_OF_SCOPE finding when missing.

Repository status

Private. Public release targeted at v1.0 per ROADMAP.md.

Schema

SCHEMA.md version 1.0.0. Stable contract; future schema changes will bump the major version and be flagged in release notes.