v1.0.0 — Public release

ibondarenko1 released this 23 May 19:06

First public release. The toolkit graduates from private development to community-facing v1.0.

Detect-and-remediate methodology for solo defenders running Microsoft 365 + Cloudflare in small organizations. Audits five domains in one command, produces a single ranked report, and ships ready-to-deploy remediation artifacts mapped to NIST CSF 2.0, NIST 800-53, ISO 27001, and MITRE ATT&CK.

Try it in 30 seconds

```powershell
git clone https://github.com/ibondarenko1/m365-security-operations
cd m365-security-operations
./examples/run-mock.ps1
```

Produces a complete sample report (58 findings across 5 domains) using bundled fixtures. No Azure access required.

What's in v1.0

5 audit scripts

  • audit-sentinel.ps1 (workspace, daily quota, retention, onboarding, rules, Fusion, Activity Log, data connectors, workbooks, hunting queries, playbooks, watchlists, UEBA, threat intelligence)
  • audit-defender-o365.ps1 (anti-phish impersonation, TenantAllowBlockList, DKIM, Strict Preset, ZAP, outbound thresholds, transport rules, attack simulation)
  • audit-dns-posture.ps1 (MX, SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI, CAA, DNSSEC, SPF lookup count, DMARC sub-policy, MX backup, DKIM key strength)
  • audit-identity-posture.ps1 (CA policies, authorization policy, directory roles, sign-in logs, authentication methods, app consent, service principal credentials, named locations, cross-tenant access, sign-in risk, SSPR)
  • audit-defender-cloud.ps1 (per-plan pricing tier, Secure Score, recommendations by severity, Defender for AI, continuous export to Sentinel)

24+ remediation artifacts

  • 6 baseline Conditional Access policy JSONs (block legacy auth, MFA admins phishing-resistant, MFA all users, sign-in risk, user risk, compliant device for management portals) with deploy.ps1
  • 5 MITRE-mapped Sentinel Scheduled Analytics Rule ARM templates
  • 10 KQL hunting drill templates
  • 3 Defender for O365 remediation PowerShell scripts (impersonation enrollment, allow-list bulk add, Strict Preset assignment)
  • MTA-STS Cloudflare Worker + DNS deployment script
  • Identity + DNS audit reusable functions

Infrastructure

  • Schema-enforced finding output via lib/Finding.psm1 (SCHEMA.md v1.1)
  • Mock mode via lib/MockClient.psm1 — drop-in mocks for Graph + ARM + DNS + EXO
  • 16 sanitized fixtures in examples/fixtures/
  • 114 Pester tests
  • CI matrix on ubuntu-latest + windows-latest + macos-latest (PowerShell 7)
  • Static checks: JSON validation + PSScriptAnalyzer + KQL header check + fixture sanity

Documentation

  • README with mock-first quickstart
  • 5 end-to-end deployment walkthroughs (docs/walkthroughs/)
  • THREAT-MODEL.md — explicit scope statement (what it catches, what it doesn't)
  • FAQ.md — 20+ operator questions
  • 6 Architecture Decision Records (docs/adr/)
  • CONTRIBUTING.md with PR checklist
  • ROADMAP.md (public release plan)
  • LICENSE (MIT)

Generate-Report polish

  • Severity distribution ASCII histogram
  • MITRE ATT&CK tactic coverage section
  • Diff mode (`-CompareWith`)

Honest scope statement

The toolkit is opinionated for small-org cloud-only Microsoft 365 + Cloudflare. It does NOT cover:

  • Multi-tenant MSP management (use CIPP)
  • Federal compliance overlays (use CISA ScubaGear)
  • On-premises Active Directory
  • Endpoint detection at device level
  • Data Loss Prevention / Microsoft Purview
  • Penetration testing
  • M365 backup posture

Concentration enables depth: 60+ checks across 5 domains rather than surface-level coverage of 20.

Distribution

See `examples/LAUNCH.md` for the post-v1.0 distribution checklist. Companion blog post at `examples/launch-post.md`.

Contributing

See `CONTRIBUTING.md`. Most-valuable contributions: false-positive recognition patterns + new check proposals per `SCHEMA.md`.

Next: v1.1+ (community-driven)

Per `ROADMAP.md`: expanding per-domain checks, documentation_url backfill on all P3+ findings, community-requested checks via GitHub Issues.
Total project investment to v1.0: 7 phases, ~24 incremental commits, 6 sub-releases (v0.1 → v0.6), 114 Pester tests, 58 mock-mode findings, ~70 framework-tagged checks across 5 domains.