cisagov / ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines
https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
Creative Commons Zero v1.0 Universal

Clarify instructions for "Defender version of this script" in EXO and Teams in ReportDetails #124

Closed gatesry closed 10 months ago

gatesry commented 1 year ago

Hello -

Thank you for your work on this. It's helped us get a foothold on the next steps to secure our environment. The reports reference this "Defender version of the script." Is that invoked through RunFunctionalTests.ps1?

https://github.com/cisagov/ScubaGear/blob/07b95a04fb709eb30db19874f96603f6e2b2cf6d/Rego/EXOConfig.rego#L354

buidav commented 1 year ago

> Thank you for your work on this. It's helped us get a foothold on the next steps to secure our environment. The reports reference this "Defender version of the script." Is that invoked through RunFunctionalTests.ps1?

Hello, thanks for opening an issue.

The requirements of Exchange Online (EXO) baselines 2.8 to 2.17 and Microsoft Teams baselines 2.11 to 2.13 can be met either with a 3rd-party tool or with Defender for Office 365.

(screenshot: EXO-2-8-2-17)

If you are using Defender for Office 365 to meet the requirements of this baseline, the line "...run the Defender version of this script" refers to running our tool with `Invoke-Scuba -ProductNames defender`, which will check your tenant's Defender for Office 365 (various settings in the Security and Compliance Center and the EXO admin center) and generate a report.

Running `Invoke-Scuba` with no specified parameter arguments will also generate a report for Defender if you have already done so.

After generating a report for defender refer to the corresponding EXO/Teams baseline in the Defender report. For EXO baseline 2.8 the corresponding baseline to look at in the defender report is Defender baseline 2.2.

(screenshot: Defender2-2)

The mappings are listed in the relevant EXO baseline policies under the "2.* Resources" subheading in the EXO baseline document. Same with the Teams baseline document.

We'll keep this issue open to track changing the wording of "...run the Defender version of this script" to make the instructions clearer on what to do when you encounter this description.

schrolla commented 1 year ago

Work in tandem with EXO and Teams rego baseline automation update.

schrolla commented 11 months ago

@buidav @nanda-katikaneni Looks like EXO implemented a new DefenderMirrorDetails function to address this, but embedded the EXO product name in the resulting string. So Teams can't directly reuse it. For consistency, I'd recommend parameterizing the report function so that the product name can be specified so that any product could use it (incl Teams) to provide consistent language when referencing 3rd party solutions and Defender baseline references.

This would require updates to:

1. The utils\ReportUtils.rego to parameterize the DefenderMirrorDetails function.
2. The Rego\EXOConfig.rego to add the new parameter to the report function calls to maintain functionality.
3. Addition and use of the new function in Rego\TeamsConfig.rego for relevant tests.

There are other solutions, but that seems like the one that prioritizes consistency and reuse among the products and resulting reports.
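As an added illustration of the parameterization schrolla proposes above (example code written for this thread, not ScubaGear's own utils\ReportUtils.rego or EXOConfig.rego), the sketch below defines a `DefenderMirrorDetails` that takes the calling product's display name and the mirrored Defender policy ID, so EXO and Teams rules can share one function. The sentence wording, the package name, the `PolicyId`/`Criticality` values and the Teams-to-Defender mapping are all assumptions; the EXO 2.8 to Defender 2.2 mapping is the one stated in the thread.

```rego
package report.utils

import rego.v1

# Added example, not ScubaGear's code. A hypothetical parameterised
# DefenderMirrorDetails: the calling product's display name and the mirrored
# Defender policy ID are passed in, so EXOConfig.rego and TeamsConfig.rego can
# share one function instead of EXO's name being baked into the string.
# The sentence wording is an assumption and does not reproduce the project's text.
DefenderMirrorDetails(Product, DefenderPolicyId) := concat("", [
	"A third-party product may be used to satisfy this ", Product, " policy. ",
	"If you are using Defender for Office 365 to implement this policy, ",
	"run the Defender version of this script and refer to Defender baseline ",
	DefenderPolicyId, " in the resulting Defender report.",
])

# Hypothetical call sites. In the repository these would live in
# Rego/EXOConfig.rego and Rego/TeamsConfig.rego (importing data.report.utils);
# they are collapsed into this one package so the file evaluates stand-alone.
# PolicyId strings and the "Shall/3rd Party" criticality label are assumptions
# made for this example. The EXO 2.8 -> Defender 2.2 mapping is from the thread;
# the Teams mapping is a placeholder to be taken from the "Resources"
# subheading of the Teams baseline document.
tests contains {
	"PolicyId": "EXO 2.8",
	"Criticality": "Shall/3rd Party",
	"ReportDetails": DefenderMirrorDetails("Exchange Online", "2.2"),
	"RequirementMet": false,
} if true

tests contains {
	"PolicyId": "Teams 2.11",
	"Criticality": "Shall/3rd Party",
	"ReportDetails": DefenderMirrorDetails("Microsoft Teams", "<mapped Defender policy>"),
	"RequirementMet": false,
} if true

# Unit test runnable with `opa test`: the product name must appear in the
# generated text, which is exactly what the hard-coded EXO version got wrong
# for Teams.
test_details_mention_calling_product if {
	details := DefenderMirrorDetails("Microsoft Teams", "2.2")
	contains(details, "this Microsoft Teams policy")
	contains(details, "Defender baseline 2.2")
}
```

Evaluate with `opa eval -f pretty -d report_utils.rego 'data.report.utils.tests'` to see both entries carry product-specific wording, or `opa test report_utils.rego` to run the assertion. Keeping the Defender policy ID as a parameter (rather than deriving it inside the function) leaves the EXO/Teams-to-Defender mapping in the calling product's file, next to the policy it belongs to.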

buidav commented 11 months ago

> @buidav @nanda-katikaneni Looks like EXO implemented a new DefenderMirrorDetails function to address this, but embedded the EXO product name in the resulting string. So Teams can't directly reuse it. For consistency, I'd recommend parameterizing the report function so that the product name can be specified so that any product could use it (incl Teams) to provide consistent language when referencing 3rd party solutions and Defender baseline references.

I realized my oopsie after the PR was merged. Should be somewhat easy to modify the function for reuse.

schrolla commented 10 months ago

Issue #619 relates to this issue and it can be resolved via that issue which is scheduled for the next release cycle. Ref'd this issue in that one so full history is available for consideration. Will be addressed via that issue so closing here.