Skip to content

Commit ca78ede

Browse files
authored
Merge branch 'main' into 2020-securitysuite-1
2 parents fa67521 + c7ef394 commit ca78ede

65 files changed

Lines changed: 5071 additions & 1744 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

PowerShell/ScubaGear/Modules/Orchestrator.psm1

Lines changed: 294 additions & 51 deletions
Large diffs are not rendered by default.

PowerShell/ScubaGear/Modules/Permissions/PermissionsHelper.psm1

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,7 @@ Function Get-ScubaGearPermissions {
1919
The switch to indicate that the permissions are to be retrieved for a service principal
2020
2121
.PARAMETER Product
22-
The product for which the permissions are to be retrieved. Options are 'aad', 'exo', 'securitysuite', 'teams', 'sharepoint', 'powerplatform'. Can be an array of products and used in pipeline
22+
The product for which the permissions are to be retrieved. Options are 'aad', 'exo', 'defender', 'securitysuite', 'teams', 'sharepoint', 'powerplatform'. Can be an array of products and used in pipeline. 'securitysuite' is an alias for 'defender' (the Security Suite).
2323
2424
.PARAMETER Environment
2525
The Environment for which the permissions are to be retrieved. Options are 'commercial', 'gcc', 'gcchigh', 'dod'. Default is 'commercial'
@@ -108,7 +108,7 @@ Function Get-ScubaGearPermissions {
108108
[switch]$ServicePrincipal,
109109

110110
[Parameter(Mandatory = $true, ParameterSetName = 'ServicePrincipal',ValueFromPipeline=$true)]
111-
[ValidateSet('aad', 'exo', 'securitysuite', 'teams', 'sharepoint', 'powerplatform', '*')]
111+
[ValidateSet('aad', 'exo', 'defender', 'securitysuite', 'teams', 'sharepoint', 'scubatank', 'powerplatform', '*')]
112112
[string[]]$Product,
113113

114114
[Parameter(Mandatory = $false)]

PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -176,7 +176,7 @@ function Export-AADProvider {
176176
$PrivilegedRoles = ConvertTo-Json @()
177177
$Tracker.AddUnSuccessfulCommand("Get-PrivilegedRole")
178178
$Tracker.AddUnSuccessfulCommand("Get-PrivilegedUser")
179-
$PrivilegedServicePrincipals = ConvertTo-Json @()
179+
$PrivilegedServicePrincipals = @{}
180180
}
181181

182182
##### This block gathers information on risky API permissions related to application/service principal objects
@@ -259,9 +259,8 @@ function Export-AADProvider {
259259
#####
260260
##### End slowest functions block
261261

262-
# PrivilegedServicePrincipals is converted to JSON here because earlier it is used as a PowerShell object.
263-
$PrivilegedServicePrincipals = ConvertTo-Json $PrivilegedServicePrincipals
264-
$PrivilegedServicePrincipals = if ($null -eq $PrivilegedServicePrincipals) {"{}"} else {$PrivilegedServicePrincipals}
262+
# PrivilegedServicePrincipals is converted to JSON here because it is a PowerShell Hashtable.
263+
$PrivilegedServicePrincipalsJson = ConvertTo-Json $PrivilegedServicePrincipals -Depth 5
265264

266265
# This conversion to JSON needs to be last because other blocks above here rely on the $ServicePlans object in its PowerShell form.
267266
$ServicePlans = ConvertTo-Json -Depth 3 @($ServicePlans)
@@ -275,7 +274,7 @@ function Export-AADProvider {
275274
"cap_table_data": $CapTableData,
276275
"authorization_policies": $AuthZPolicies,
277276
"privileged_users": $PrivilegedUsers,
278-
"privileged_service_principals": $PrivilegedServicePrincipals,
277+
"privileged_service_principals": $PrivilegedServicePrincipalsJson,
279278
"privileged_roles": $PrivilegedRoles,
280279
"service_plans": $ServicePlans,
281280
"directory_settings": $DirectorySettings,

PowerShell/ScubaGear/Modules/Providers/ExportSecuritySuiteProvider.psm1

Lines changed: 21 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -49,13 +49,23 @@ function Export-SecuritySuiteProvider {
4949
}
5050
}
5151

52+
# Get the tenant's provisioned service plans via Graph. These are used to
53+
# determine whether the tenant has the per-user license (E5 / E5 Compliance /
54+
# E5 eDiscovery and Audit add-on) required to retain audit logs beyond 180
55+
# days for MS.SECURITYSUITE.5.2v1. The Rego looks at the service_plans list.
56+
$SubscribedSku = $Tracker.TryCommand("Get-MgBetaSubscribedSku", @{"M365Environment"=$M365Environment; "GraphDirect"=$true})
57+
$ServicePlans = $SubscribedSku.ServicePlans | Where-Object -Property ProvisioningStatus -eq -Value "Success"
58+
$ServicePlans = ConvertTo-Json -Depth 3 @($ServicePlans)
59+
5260
# Regular Exchange i.e non IPPSSession cmdlets
5361
$AdminAuditLogConfig = ConvertTo-Json @($Tracker.TryCommand("Get-AdminAuditLogConfig"))
5462
$ProtectionPolicyRule = ConvertTo-Json @($Tracker.TryCommand("Get-EOPProtectionPolicyRule"))
5563
$AntiPhishPolicy = ConvertTo-Json @($Tracker.TryCommand("Get-AntiPhishPolicy"))
5664
$AntiPhishRule = ConvertTo-Json @($Tracker.TryCommand("Get-AntiPhishRule"))
5765
$AcceptedDomains = ConvertTo-Json @($Tracker.TryCommand("Get-AcceptedDomain"))
5866
$ConnectionFilter = ConvertTo-Json @($Tracker.TryCommand("Get-HostedConnectionFilterPolicy"))
67+
$SafeLinksPolicy = ConvertTo-Json @($Tracker.TryCommand("Get-SafeLinksPolicy"))
68+
$SafeLinksRule = ConvertTo-Json @($Tracker.TryCommand("Get-SafeLinksRule"))
5969
$HostedContentFilterPolicies = ConvertTo-Json @($Tracker.TryCommand("Get-HostedContentFilterPolicy"))
6070
$HostedContentFilterRules = ConvertTo-Json @($Tracker.TryCommand("Get-HostedContentFilterRule"))
6171
$AntiMalwarePolicy = ConvertTo-Json @($Tracker.TryCommand("Get-MalwareFilterPolicy"))
@@ -107,10 +117,11 @@ function Export-SecuritySuiteProvider {
107117
}
108118
catch {
109119
Write-Warning "Error running Connect-IPPSSession: $($_.Exception.Message)`n$($_.ScriptStackTrace)"
110-
Write-Warning "Omitting the following commands: Get-DlpCompliancePolicy, Get-DlpComplianceRule, and Get-ProtectionAlert."
120+
Write-Warning "Omitting the following commands: Get-DlpCompliancePolicy, Get-DlpComplianceRule, Get-ProtectionAlert, and Get-UnifiedAuditLogRetentionPolicy."
111121
$Tracker.AddUnSuccessfulCommand("Get-DlpCompliancePolicy")
112122
$Tracker.AddUnSuccessfulCommand("Get-DlpComplianceRule")
113123
$Tracker.AddUnSuccessfulCommand("Get-ProtectionAlert")
124+
$Tracker.AddUnSuccessfulCommand("Get-UnifiedAuditLogRetentionPolicy")
114125
}
115126
if ($IPPSConnected) {
116127
if (Get-Command Get-DlpCompliancePolicy -ErrorAction SilentlyContinue) {
@@ -147,13 +158,18 @@ function Export-SecuritySuiteProvider {
147158
# We need to specify the depth because the data contains some
148159
# nested tables.
149160
$DLPComplianceRules = ConvertTo-Json -Depth 3 $DLPComplianceRules
161+
162+
# Audit log retention policies are managed through the Security &
163+
# Compliance session and are needed to evaluate MS.SECURITYSUITE.5.2v1.
164+
$UnifiedAuditLogRetentionPolicy = ConvertTo-Json @($Tracker.TryCommand("Get-UnifiedAuditLogRetentionPolicy"))
150165
}
151166
else {
152167
$DLPCompliancePolicy = ConvertTo-Json @()
153168
$DLPComplianceRules = ConvertTo-Json @()
154169
$ProtectionAlert = ConvertTo-Json @()
155170
$DLPComplianceRules = ConvertTo-Json @()
156171
$DLPLicense = ConvertTo-Json $false
172+
$UnifiedAuditLogRetentionPolicy = ConvertTo-Json @()
157173
}
158174

159175
$SuccessfulCommands = ConvertTo-Json @($Tracker.GetSuccessfulCommands())
@@ -174,7 +190,11 @@ function Export-SecuritySuiteProvider {
174190
"protection_alerts": $ProtectionAlert,
175191
"admin_audit_log_config": $AdminAuditLogConfig,
176192
"atp_policy_for_o365": $ATPPolicy,
193+
"service_plans": $ServicePlans,
194+
"unified_audit_log_retention_policies": $UnifiedAuditLogRetentionPolicy,
177195
"conn_filter": $ConnectionFilter,
196+
"safe_links_policies": $SafeLinksPolicy,
197+
"safe_links_rules": $SafeLinksRule,
178198
"defender_license": $DefenderLicense,
179199
"defender_dlp_license": $DLPLicense,
180200
"hosted_content_filter_policies": $HostedContentFilterPolicies,

0 commit comments

Comments
 (0)