cisagov / ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines
https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
Creative Commons Zero v1.0 Universal
1.78k stars, 230 forks

MS.EXO.16.1v1 instructions contain a circular reference with the Defender baseline #565

Closed tkol2022 closed 4 months ago

tkol2022 commented 1 year ago

💡 Summary

When following the instructions for policy MS.EXO.16.1v1 I found myself in a circular reference which is bad for usability. The instruction links me to Defender and then the Defender instructions for 5.1 step 4 send me right back to the same EXO policy section to reference the list of alerts I'm supposed to configure. I'm wondering if we can improve the user experience here.


Implementation notes

Dependencies

This work is somewhat dependent on issue #401 which explores decoupling EXO and Defender. If those are decoupled then it would impact the need to perform this issue, which may become OBE.

schrolla commented 4 months ago

@tkol2022 I see two possible approaches to addressing the circular reference. 1) We remove the alert policy from EXO and put it entirely within Defender. This means, however, tenants that may only use Exchange or leverage external capabilities rather than Defender would not have an EXO SCB policy item for this sort of alerting. So I believe this option leaves a gap. 2) We can just remove the need for "flipping" between the two SCBs for implementation by replicating the list of alerts directly in the Defender baseline. This means replication and a need to keep these lists in sync going forward, but for the purpose of making the documents easier to follow and stand on their own more easily. At least, Defender would be as EXO often references Defender if that is being used as the mechanism to secure Exchange Online.

So my initial thought is #2. It is straightforward in terms of implementation (just replicate the alert listing in Defender SCB). The downside being the need to keep these two documents synced. However, given how interlinked Defender and EXO are regardless, anyone editing either should really be comparing them together when making updates anyway. So I don't see this as a significant additional ask when the upside is better readability and easier implementation by readers.

You can see a candidate update in the associated branch here. Thoughts?

tkol2022 commented 4 months ago

Sounds like a plan.

As an aside, some of the alerts mentioned in the EXO baseline sound like they are specific to the Defender product. For example I'm not sure if a third party system would have an alert named "Suspicious Connector Activity".

schrolla commented 4 months ago

> Sounds like a plan.
>
> As an aside, some of the alerts mentioned in the EXO baseline sound like they are specific to the Defender product. For example I'm not sure if a third party system would have an alert named "Suspicious Connector Activity".

The Connector in question is a mail flow connector and is very Exchange specific as, per Microsoft, connectors are "a collection of instructions that customize the way your email flows to and from your Microsoft 365 or Office 365 organization." [1] All of the alerts are specific to Exchange as they either directly reference email and/or a user action on an email (such as clicking a potentially malicious URL from a received email when safe links is enabled).

[1] https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/use-connectors-to-configure-mail-flow