Src/Compliance/CIS.M365.json
{ "_meta": { "title": "CIS Microsoft 365 Foundations Benchmark - Exchange Online Controls", "version": "v3.1.0", "source": "CIS Microsoft 365 Foundations Benchmark v3.1.0", "url": "https://www.cisecurity.org/benchmark/microsoft_365", "notes": "Level 1 (L1) = basic hygiene, applies to all orgs. Level 2 (L2) = defence-in-depth, higher security environments. CISControl values are benchmark section numbers, which change between benchmark versions; verify each mapping against the cited v3.1.0 document before using this file for audit reporting. Each statusExpression tests only the collector variables it names, so an [OK] result does not imply the full CIS audit procedure for that control was performed." }, "AntiSpam": { "checks": [ { "id": "CIS-M365-2.1.1", "CISControl": "2.1.1", "Level": "L1", "source": "CIS Microsoft 365 Foundations Benchmark v3.1.0", "title": "Ensure at least one inbound anti-spam (hosted content filter) policy is configured", "staticStatus": null, "statusExpression": "if ($InboundSpamPolicyCount -ge 1) { '[OK]' } else { '[FAIL]' }", "detailTemplate": "{InboundSpamPolicyCount} inbound anti-spam policy/policies are configured (existence check only; bulk threshold and high-confidence spam action are covered by 2.1.2 and 2.1.3).", "remediation": "Review and harden the default inbound anti-spam policy (Get-HostedContentFilterPolicy) in the Microsoft 365 Defender portal.", "tags": ["spam", "L1"] }, { "id": "CIS-M365-2.1.2", "CISControl": "2.1.2", "Level": "L1", "source": "CIS Microsoft 365 Foundations Benchmark v3.1.0", "title": "Ensure the default anti-spam policy bulk threshold is 6 or lower", "staticStatus": null, "statusExpression": "if ($BulkThreshold -le 6) { '[OK]' } elseif ($BulkThreshold -le 7) { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "Bulk threshold set to {BulkThreshold}. 
CIS recommends 6 or lower.", "remediation": "Set BulkThreshold to 6 in all inbound anti-spam policies.", "tags": ["spam", "bulk", "L1"] }, { "id": "CIS-M365-2.1.3", "CISControl": "2.1.3", "Level": "L1", "source": "CIS Microsoft 365 Foundations Benchmark v3.1.0", "title": "Ensure that spam filter high confidence spam action is set to quarantine", "staticStatus": null, "statusExpression": "if ($HighConfidenceSpamActionOk) { '[OK]' } else { '[FAIL]' }", "detailTemplate": "High-confidence spam action: {HighConfidenceSpamAction}.", "remediation": "Set HighConfidenceSpamAction to Quarantine in all inbound anti-spam policies.", "tags": ["spam", "quarantine", "L1"] } ] }, "AntiMalware": { "checks": [ { "id": "CIS-M365-2.1.4", "CISControl": "2.1.4", "Level": "L1", "source": "CIS Microsoft 365 Foundations Benchmark v3.1.0", "title": "Ensure anti-malware policies have the common attachment filter enabled", "staticStatus": null, "statusExpression": "if ($CommonAttachmentFilterEnabled) { '[OK]' } else { '[FAIL]' }", "detailTemplate": "Common attachment filter enabled: {CommonAttachmentFilterEnabled}.", "remediation": "Enable the common attachment filter (EnableFileFilter = $true) in all anti-malware policies.", "tags": ["malware", "attachments", "L1"] }, { "id": "CIS-M365-2.1.5", "CISControl": "2.1.5", "Level": "L1", "source": "CIS Microsoft 365 Foundations Benchmark v3.1.0", "title": "Ensure zero-hour auto purge (ZAP) is enabled", "staticStatus": null, "statusExpression": "if ($ZapForMalwareEnabled) { '[OK]' } else { '[FAIL]' }", "detailTemplate": "ZAP for malware enabled: {ZapForMalwareEnabled}.", "remediation": "Enable ZapEnabled in anti-malware policy configuration.", "tags": ["malware", "ZAP", "L1"] } ] }, "AntiPhishing": { "checks": [ { "id": "CIS-M365-2.1.6", "CISControl": "2.1.6", "Level": "L1", "source": "CIS Microsoft 365 Foundations Benchmark v3.1.0", "title": "Ensure Microsoft Defender anti-phishing policy is enabled with impersonation protection", "staticStatus": 
null, "statusExpression": "if ($ImpersonationProtectionEnabled) { '[OK]' } else { '[FAIL]' }", "detailTemplate": "Impersonation protection enabled: {ImpersonationProtectionEnabled}.", "remediation": "Enable EnableTargetedUserProtection (with TargetedUsersToProtect populated for executives and other high-value senders), EnableOrganizationDomainsProtection and EnableMailboxIntelligenceProtection in anti-phishing policies via Set-AntiPhishPolicy; impersonation protection requires Defender for Office 365.", "tags": ["phishing", "impersonation", "L1"] }, { "id": "CIS-M365-2.1.7", "CISControl": "2.1.7", "Level": "L1", "source": "CIS Microsoft 365 Foundations Benchmark v3.1.0", "title": "Ensure anti-phishing policies enable spoof intelligence", "staticStatus": null, "statusExpression": "if ($SpoofIntelligenceEnabled) { '[OK]' } else { '[FAIL]' }", "detailTemplate": "Spoof intelligence enabled: {SpoofIntelligenceEnabled}.", "remediation": "Set EnableSpoofIntelligence = $true in all anti-phishing policies.", "tags": ["phishing", "spoof", "L1"] }, { "id": "CIS-M365-2.1.8", "CISControl": "2.1.8", "Level": "L2", "source": "CIS Microsoft 365 Foundations Benchmark v3.1.0", "title": "Ensure mailbox intelligence is enabled in anti-phishing policies", "staticStatus": null, "statusExpression": "if ($MailboxIntelligenceEnabled) { '[OK]' } else { '[WARN]' }", "detailTemplate": "Mailbox intelligence enabled: {MailboxIntelligenceEnabled}.", "remediation": "Set EnableMailboxIntelligence and EnableMailboxIntelligenceProtection to $true.", "tags": ["phishing", "intelligence", "L2"] } ] }, "DKIM": { "checks": [ { "id": "CIS-M365-2.1.9", "CISControl": "2.1.9", "Level": "L1", "source": "CIS Microsoft 365 Foundations Benchmark v3.1.0", "title": "Ensure DKIM is enabled for all Exchange Online domains", "staticStatus": null, "statusExpression": "if ($DkimEnabledDomainCount -eq $DkimTotalDomainCount -and $DkimTotalDomainCount -gt 0) { '[OK]' } elseif ($DkimEnabledDomainCount -gt 0) { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "{DkimEnabledDomainCount} of {DkimTotalDomainCount} domains have DKIM signing enabled.", "remediation": "Enable DKIM for all custom domains via the Microsoft 365 Defender 
portal or using Set-DkimSigningConfig -Identity <domain> -Enabled $true, after publishing the selector1._domainkey and selector2._domainkey CNAME records in public DNS; rotate to 2048-bit keys with Rotate-DkimSigningConfig -KeySize 2048.", "tags": ["DKIM", "email-auth", "L1"] } ] }, "DMARC": { "checks": [ { "id": "CIS-M365-2.1.10", "CISControl": "2.1.10", "Level": "L1", "source": "CIS Microsoft 365 Foundations Benchmark v3.1.0", "title": "Ensure DMARC Records are published for all Exchange Online Domains", "staticStatus": null, "statusExpression": "if ($DmarcDomainsCoveredPct -ge 100) { '[OK]' } elseif ($DmarcDomainsCoveredPct -ge 50) { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "{DmarcDomainsConfigured} of {DmarcDomainsTotal} domains have a DMARC record ({DmarcDomainsCoveredPct}%).", "remediation": "Publish a DMARC TXT record at _dmarc.<yourdomain> for every mail-enabled domain, e.g. v=DMARC1; p=none; rua=mailto:dmarc@<yourdomain>, and give parked or non-sending domains p=reject so they cannot be spoofed.", "tags": ["DMARC", "email-auth", "L1"] }, { "id": "CIS-M365-2.1.11", "CISControl": "2.1.11", "Level": "L1", "source": "CIS Microsoft 365 Foundations Benchmark v3.1.0", "title": "Ensure DMARC policy is set to quarantine or reject", "staticStatus": null, "statusExpression": "if ($DmarcEnforcedDomainCount -ge $DmarcDomainsConfigured -and $DmarcDomainsConfigured -gt 0) { '[OK]' } elseif ($DmarcEnforcedDomainCount -gt 0) { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "{DmarcEnforcedDomainCount} of {DmarcDomainsConfigured} domains enforce DMARC (quarantine/reject).", "remediation": "Move all DMARC policies from p=none to p=quarantine and then p=reject, only once rua aggregate reports show every legitimate sender passing SPF or DKIM alignment (pct= can ramp enforcement gradually); p=none is monitoring only and blocks nothing.", "tags": ["DMARC", "policy", "L1"] }, { "id": "CIS-M365-2.1.12", "CISControl": "2.1.12", "Level": "L1", "source": "CIS Microsoft 365 Foundations Benchmark v3.1.0", "title": "Ensure transport rules do not whitelist domains globally", "staticStatus": null, "statusExpression": "if ($RulesBypassingSpamCount -eq 0) { '[OK]' } else { '[FAIL]' }", "detailTemplate": "{RulesBypassingSpamCount} transport rule(s) bypass spam filtering.", "remediation": "Remove or restrict transport rules that set SCL to -1 (SetSCL) for whole sender domains, since such rules bypass spam, phish and spoof filtering for every matching message. 
Avoid global domain bypass; scope any unavoidable bypass by sender IP range (SenderIpRanges) rather than by sender domain alone, and review such rules periodically.", "tags": ["transport-rules", "L1"] }, { "id": "CIS-M365-2.1.13", "CISControl": "2.1.13", "Level": "L1", "source": "CIS Microsoft 365 Foundations Benchmark v3.1.0", "title": "Ensure external email forwarding is disabled or restricted", "staticStatus": null, "statusExpression": "if ($ExternalForwardingRuleCount -eq 0) { '[OK]' } else { '[FAIL]' }", "detailTemplate": "{ExternalForwardingRuleCount} transport rule(s) allow unrestricted external forwarding (transport rules only; mailbox ForwardingSmtpAddress, user inbox rules and the outbound spam policy AutoForwardingMode are not evaluated by this check).", "remediation": "Set AutoForwardingMode to Off in the outbound spam filter policy (Set-HostedOutboundSpamFilterPolicy), set AutoForwardEnabled to $false on the Default remote domain (Set-RemoteDomain), and remove transport rules that forward or redirect mail to external domains.", "tags": ["transport-rules", "forwarding", "L1"] }, { "id": "CIS-M365-3.1.1", "CISControl": "3.1.1", "Level": "L1", "source": "CIS Microsoft 365 Foundations Benchmark v3.1.0", "title": "Ensure Microsoft 365 audit log search is enabled", "staticStatus": null, "statusExpression": "if ($AdminAuditLogEnabled) { '[OK]' } else { '[FAIL]' }", "detailTemplate": "Unified audit log enabled: {AdminAuditLogEnabled}.", "remediation": "Run: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true, then confirm with Get-AdminAuditLogConfig; events before ingestion was enabled are not backfilled.", "tags": ["auditing", "L1"] }, { "id": "CIS-M365-3.1.2", "CISControl": "3.1.2", "Level": "L2", "source": "CIS Microsoft 365 Foundations Benchmark v3.1.0", "title": "Ensure mailboxes with audit bypass are reviewed", "staticStatus": null, "statusExpression": "if ($MailboxAuditBypassCount -eq 0) { '[OK]' } else { '[WARN]' }", "detailTemplate": "{MailboxAuditBypassCount} mailbox(es) have audit bypass enabled.", "remediation": "Review and remove unnecessary audit bypass entries (Set-MailboxAuditBypassAssociation -AuditBypassEnabled $false); actions performed by a bypassed account generate no mailbox audit records, so such accounts are attractive to attackers and blind to incident response.", "tags": ["auditing", "mailbox", "L2"] }, { "id": "CIS-M365-2.1.14", "CISControl": "2.1.14", "Level": "L2", "source": "CIS Microsoft 365 Foundations Benchmark v3.1.0", "title": "Ensure Safe Attachments policy is enabled", "staticStatus": null, "statusExpression": "if ($SafeAttachPolicyCount -ge 1) { '[OK]' } else { '[FAIL]' }", "detailTemplate": 
"{SafeAttachPolicyCount} Safe Attachments policy/policies enabled (count only; recipient scope and the configured action are not verified by this check).", "remediation": "Enable Safe Attachments and assign policies to all users in the Defender for Office 365 portal, confirming that every user is covered by a custom policy or a preset security policy.", "tags": ["safe-attachments", "defender", "L2"] }, { "id": "CIS-M365-2.1.15", "CISControl": "2.1.15", "Level": "L2", "source": "CIS Microsoft 365 Foundations Benchmark v3.1.0", "title": "Ensure Safe Attachments for SharePoint, OneDrive, and Teams is enabled", "staticStatus": null, "statusExpression": "if ($SafeAttachForSPOEnabled) { '[OK]' } else { '[WARN]' }", "detailTemplate": "Safe Attachments for SharePoint/OneDrive/Teams: {SafeAttachForSPOEnabled}.", "remediation": "Run: Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true; also consider Set-SPOTenant -DisallowInfectedFileDownload $true so files flagged as malicious cannot be downloaded.", "tags": ["safe-attachments", "SharePoint", "L2"] }, { "id": "CIS-M365-2.1.16", "CISControl": "2.1.16", "Level": "L2", "source": "CIS Microsoft 365 Foundations Benchmark v3.1.0", "title": "Ensure Safe Links policy is enabled for all users", "staticStatus": null, "statusExpression": "if ($SafeLinksPolicyCount -ge 1) { '[OK]' } else { '[FAIL]' }", "detailTemplate": "{SafeLinksPolicyCount} Safe Links policy/policies enabled (count only; recipient scope is not verified, so confirm every user is covered by a policy or a preset security policy).", "remediation": "Enable Safe Links in Defender for Office 365 and assign policies to all users.", "tags": ["safe-links", "defender", "L2"] }, { "id": "CIS-M365-2.1.17", "CISControl": "2.1.17", "Level": "L2", "source": "CIS Microsoft 365 Foundations Benchmark v3.1.0", "title": "Ensure Safe Links Do Not Rewrite URLs list is minimal", "staticStatus": null, "statusExpression": "if ($SafeLinksDoNotRewriteUrlCount -eq 0) { '[OK]' } elseif ($SafeLinksDoNotRewriteUrlCount -le 5) { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "{SafeLinksDoNotRewriteUrlCount} URL(s) excluded from Safe Links scanning.", "remediation": "Remove unnecessary DoNotRewriteUrls entries. Any exclusion is a hole in time-of-click protection: a wildcard or whole-domain entry lets phishing links hosted on that domain bypass Safe Links entirely.", "tags": ["safe-links", "exclusions", "L2"] } ] } }