Skip to content

Commit 24d99c3

Browse files
authored
Merge branch 'main' into 2043-PP31-tenant-isolation-returns-hotfix
2 parents 2d2bd9f + bec7d05 commit 24d99c3

5 files changed

Lines changed: 791 additions & 31 deletions

File tree

PowerShell/ScubaGear/Modules/Providers/ExportSecuritySuiteProvider.psm1

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -56,6 +56,8 @@ function Export-SecuritySuiteProvider {
5656
$AntiPhishRule = ConvertTo-Json @($Tracker.TryCommand("Get-AntiPhishRule"))
5757
$AcceptedDomains = ConvertTo-Json @($Tracker.TryCommand("Get-AcceptedDomain"))
5858
$ConnectionFilter = ConvertTo-Json @($Tracker.TryCommand("Get-HostedConnectionFilterPolicy"))
59+
$SafeLinksPolicy = ConvertTo-Json @($Tracker.TryCommand("Get-SafeLinksPolicy"))
60+
$SafeLinksRule = ConvertTo-Json @($Tracker.TryCommand("Get-SafeLinksRule"))
5961
$HostedContentFilterPolicies = ConvertTo-Json @($Tracker.TryCommand("Get-HostedContentFilterPolicy"))
6062
$HostedContentFilterRules = ConvertTo-Json @($Tracker.TryCommand("Get-HostedContentFilterRule"))
6163

@@ -167,6 +169,8 @@ function Export-SecuritySuiteProvider {
167169
"admin_audit_log_config": $AdminAuditLogConfig,
168170
"atp_policy_for_o365": $ATPPolicy,
169171
"conn_filter": $ConnectionFilter,
172+
"safe_links_policies": $SafeLinksPolicy,
173+
"safe_links_rules": $SafeLinksRule,
170174
"defender_license": $DefenderLicense,
171175
"defender_dlp_license": $DLPLicense,
172176
"hosted_content_filter_policies": $HostedContentFilterPolicies,

PowerShell/ScubaGear/Rego/SecuritySuiteConfig.rego

Lines changed: 114 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,8 @@ import data.utils.securitysuite.PartnerDomainConfig
1313
import data.utils.securitysuite.PartnerDomainImpersonationCompliant
1414
import data.utils.securitysuite.UserImpersonationCompliant
1515
import data.utils.securitysuite.UserWarningsCompliant
16+
import data.utils.securitysuite.PresetRecipientsCovered
17+
import data.utils.securitysuite.RuleFieldEmpty
1618
import data.utils.securitysuite.PresetPolicyCoversAllRecipients
1719
import data.utils.securitysuite.CustomRuleCoversAllRecipients
1820
import data.utils.report.ReportDetailsArray
@@ -696,40 +698,136 @@ tests contains {
696698
#
697699
# MS.SECURITYSUITE.7.1v1
698700
#--
701+
702+
# Highest priority corresponds to the lowest priority number
703+
HighestPriorityEnabledRuleCoversAllRecipients := Rule if {
704+
some Rule in input.safe_links_rules
705+
Rule.State == "Enabled"
706+
RuleFieldEmpty(Rule.SentTo)
707+
RuleFieldEmpty(Rule.SentToMemberOf)
708+
RuleFieldEmpty(Rule.RecipientDomainIs)
709+
not LowerPriorityEnabledRuleExists(Rule)
710+
}
711+
712+
LowerPriorityEnabledRuleExists(Rule) if {
713+
some OtherRule in input.safe_links_rules
714+
OtherRule.State == "Enabled"
715+
RuleFieldEmpty(OtherRule.SentTo)
716+
RuleFieldEmpty(OtherRule.SentToMemberOf)
717+
RuleFieldEmpty(OtherRule.RecipientDomainIs)
718+
OtherRule.Priority < Rule.Priority
719+
}
720+
721+
default AppliedPolicy := "Built-In Protection Policy"
722+
AppliedPolicy := HighestPriorityEnabledRuleCoversAllRecipients.SafeLinksPolicy
723+
724+
default CustomPolicySafeLinksEnabled := false
725+
CustomPolicySafeLinksEnabled if {
726+
some Policy in input.safe_links_policies
727+
Policy.Identity == AppliedPolicy
728+
Policy.EnableSafeLinksForEmail == true
729+
Policy.EnableSafeLinksForTeams == true
730+
Policy.EnableSafeLinksForOffice == true
731+
Policy.EnableForInternalSenders == true
732+
}
733+
734+
default ReportDetails7_1 := "URL comparison with a block-list is NOT enabled for URLs in emails, Teams messages, and Office documents."
735+
ReportDetails7_1 := "URL comparison with a block-list is enabled via the standard or strict preset security policies." if {
736+
PresetRecipientsCovered
737+
}
738+
739+
ReportDetails7_1 := concat("", ["URL comparison with a block-list is enabled via policy ", AppliedPolicy, "."]) if {
740+
not PresetRecipientsCovered
741+
CustomPolicySafeLinksEnabled
742+
}
743+
744+
default SafeLinksCompliant := false
745+
SafeLinksCompliant if {
746+
ReportDetails7_1 != "URL comparison with a block-list is NOT enabled for URLs in emails, Teams messages, and Office documents."
747+
}
748+
699749
tests contains {
700750
"PolicyId": "MS.SECURITYSUITE.7.1v1",
701-
"Criticality": "Should/Not-Implemented",
702-
"Commandlet": [],
703-
"ActualValue": [],
704-
"ReportDetails": NotCheckedDetails("MS.SECURITYSUITE.7.1v1"),
705-
"RequirementMet": false
751+
"Criticality": "Should",
752+
"Commandlet": ["Get-SafeLinksPolicy", "Get-SafeLinksRule", "Get-EOPProtectionPolicyRule"],
753+
"ActualValue": {"SafeLinks_Rules": input.safe_links_rules, "SafeLinks_Policies": input.safe_links_policies},
754+
"ReportDetails": ReportDetails7_1,
755+
"RequirementMet": SafeLinksCompliant
706756
}
707-
#--
757+
#--
708758

709759
#
710760
# MS.SECURITYSUITE.7.2v1
711761
#--
762+
763+
default CustomPolicyScanURLsEnabled := false
764+
CustomPolicyScanURLsEnabled := true if {
765+
some Policy in input.safe_links_policies
766+
Policy.Identity == AppliedPolicy
767+
Policy.ScanUrls == true
768+
Policy.DeliverMessageAfterScan == true
769+
}
770+
771+
default ReportDetails7_2 := "Direct download links are NOT scanned for malware."
772+
ReportDetails7_2 := "Direct download links are scanned for malware via the standard or strict preset security policies." if {
773+
PresetRecipientsCovered
774+
}
775+
776+
ReportDetails7_2 := concat("", ["Direct download links are scanned for malware via policy ", AppliedPolicy, "."]) if {
777+
not PresetRecipientsCovered
778+
CustomPolicyScanURLsEnabled
779+
}
780+
781+
default ScanURLsCompliant := false
782+
ScanURLsCompliant if {
783+
ReportDetails7_2 != "Direct download links are NOT scanned for malware."
784+
}
785+
712786
tests contains {
713787
"PolicyId": "MS.SECURITYSUITE.7.2v1",
714-
"Criticality": "Should/Not-Implemented",
715-
"Commandlet": [],
716-
"ActualValue": [],
717-
"ReportDetails": NotCheckedDetails("MS.SECURITYSUITE.7.2v1"),
718-
"RequirementMet": false
788+
"Criticality": "Should",
789+
"Commandlet": ["Get-SafeLinksPolicy", "Get-SafeLinksRule", "Get-EOPProtectionPolicyRule"],
790+
"ActualValue": {"SafeLinks_Rules": input.safe_links_rules, "SafeLinks_Policies": input.safe_links_policies},
791+
"ReportDetails": ReportDetails7_2,
792+
"RequirementMet": ScanURLsCompliant
719793
}
720794
#--
721795

722796
#
723797
# MS.SECURITYSUITE.7.3v1
724798
#--
799+
800+
default CustomPolicyTrackClicksEnabled := false
801+
CustomPolicyTrackClicksEnabled := true if {
802+
some Policy in input.safe_links_policies
803+
Policy.Identity == AppliedPolicy
804+
Policy.TrackClicks == true
805+
}
806+
807+
default ReportDetails7_3 := "User click tracking is NOT enabled."
808+
ReportDetails7_3 := "User click tracking is enabled via the standard or strict preset security policies." if {
809+
PresetRecipientsCovered
810+
}
811+
812+
ReportDetails7_3 := concat("", ["User click tracking is enabled via policy ", AppliedPolicy, "."]) if {
813+
not PresetRecipientsCovered
814+
CustomPolicyTrackClicksEnabled
815+
}
816+
817+
default TrackClicksCompliant := false
818+
TrackClicksCompliant if {
819+
ReportDetails7_3 != "User click tracking is NOT enabled."
820+
}
821+
725822
tests contains {
726823
"PolicyId": "MS.SECURITYSUITE.7.3v1",
727-
"Criticality": "Should/Not-Implemented",
728-
"Commandlet": [],
729-
"ActualValue": [],
730-
"ReportDetails": NotCheckedDetails("MS.SECURITYSUITE.7.3v1"),
731-
"RequirementMet": false
824+
"Criticality": "Should",
825+
"Commandlet": ["Get-SafeLinksPolicy", "Get-SafeLinksRule", "Get-EOPProtectionPolicyRule"],
826+
"ActualValue": {"SafeLinks_Rules": input.safe_links_rules, "SafeLinks_Policies": input.safe_links_policies},
827+
"ReportDetails": ReportDetails7_3,
828+
"RequirementMet": TrackClicksCompliant
732829
}
830+
733831
#--
734832

735833

PowerShell/ScubaGear/Testing/Unit/Rego/SecuritySuite/SecuritySuiteBaseConfig.rego

Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -63,6 +63,58 @@ ProtectionPolicyRules := [
6363
}
6464
]
6565

66+
SafeLinksPolicies := [
67+
{
68+
"EnableSafeLinksForEmail": true,
69+
"EnableSafeLinksForTeams": true,
70+
"EnableSafeLinksForOffice": true,
71+
"EnableForInternalSenders": true,
72+
"ScanUrls": true,
73+
"DeliverMessageAfterScan": true,
74+
"TrackClicks": true,
75+
"Identity": "Compliant Custom Policy"
76+
},
77+
{
78+
"EnableSafeLinksForEmail": false,
79+
"EnableSafeLinksForTeams": false,
80+
"EnableSafeLinksForOffice": false,
81+
"EnableForInternalSenders": false,
82+
"ScanUrls": false,
83+
"DeliverMessageAfterScan": false,
84+
"TrackClicks": false,
85+
"Identity": "Non-Compliant Custom Policy"
86+
},
87+
{
88+
"EnableSafeLinksForEmail": true,
89+
"EnableSafeLinksForTeams": true,
90+
"EnableSafeLinksForOffice": true,
91+
"EnableForInternalSenders": false,
92+
"ScanUrls": true,
93+
"DeliverMessageAfterScan": true,
94+
"TrackClicks": true,
95+
"Identity": "Built-In Protection Policy"
96+
}]
97+
98+
SafeLinksRules := [
99+
{
100+
"SafeLinksPolicy": "Compliant Custom Policy",
101+
"State": "Enabled",
102+
"Priority": 0,
103+
"Identity": "Compliant Custom Policy",
104+
"SentTo": null,
105+
"SentToMemberOf": null,
106+
"RecipientDomainIs": null
107+
},
108+
{
109+
"SafeLinksPolicy": "Non-Compliant Custom Policy",
110+
"State": "Enabled",
111+
"Priority": 1,
112+
"Identity": "Non-Compliant Custom Policy",
113+
"SentTo": null,
114+
"SentToMemberOf": null,
115+
"RecipientDomainIs": null
116+
}]
117+
66118
AntiPhishPolicies := [
67119
{
68120
"Identity": "Standard Preset Security Policy1659535429826",

0 commit comments

Comments
 (0)