rules/findings/m365/microsoft_defender/system/ms-defender-priority-account-protection-not-enabled.json
|
{
"args": [ ], "provider": "Microsoft365", "serviceType": "Defender", "serviceName": "Microsoft 365", "displayName": "Ensure Priority account protection is enabled and configured", "description": "\r\n\t\tIdentify priority accounts to utilize Microsoft 365\u0027s advanced custom security features. This is an essential tool to bolster protection for users who are frequently targeted due to their critical positions, such as executives, leaders, managers, or others who have access to sensitive, confidential, financial, or high-priority information. \r\n\t\tOnce these accounts are identified, several services and features can be enabled, including threat policies, enhanced sign-in protection through conditional access policies, and alert policies, enabling faster response times for incident response teams.\r\n ", "rationale": "\r\n\t\tEnabling priority account protection for users in Microsoft 365 is necessary to enhance security for accounts with access to sensitive data and high privileges, such as CEOs, CISOs, CFOs, and IT admins. These priority accounts are often targeted by spear phishing or whaling attacks and require stronger protection to prevent account compromise. \r\n\t\tTo address this, Microsoft 365 and Microsoft Defender for Office 365 offer several key features that provide extra security, including the identification of incidents and alerts involving priority accounts and the use of built-in custom protections designed specifically for them. \r\n ", "impact": null, "remediation": { "text": "\r\n\t", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://learn.microsoft.com/en-us/microsoft-365/admin/setup/priority-accounts", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/security-recommendations-for-priority-accounts" ], "compliance": [ { "name": "CIS Microsoft 365 Foundations Benchmark", "version": "6.1.0", "reference": "2.4.1", "profile": [ "E5 Level 1" ] } ], "level": "medium", "tags": [ ], "rule": { "path": "o365_secomp_pap_config", "subPath": null, "selectCondition": { }, "query": [ { "filter": [ { "conditions": [ [ "config.priorityAccountProtectionEnabled", "eq", "True" ], [ "config.protectedUsers", "eq", "true" ], [ "config.phishAlertPolicy.enabled", "eq", "true" ], [ "config.malwareAlertPolicy.enabled", "eq", "true" ] ], "operator": "and" } ] } ], "shouldExist": true, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { "config.priorityAccountProtectionEnabled": "Priority Account Enabled", "config.protectedUsers": "Protected Users", "config.phishAlertPolicy.enabled": "Phish Policy", "config.malwareAlertPolicy.enabled": "Malware Policy" }, "expandObject": null }, "table": null, "decorate": [ ], "emphasis": [ ], "actions": { "objectData": { "properties": [ "config" ], "expandObject": null, "limit": null }, "showGoToButton": false, "showModalButton": false, "directLink": null } }, "text": { "data": { "properties": { }, "expandObject": null }, "status": { "keyName": [ ], "message": "Ensure Priority account protection is enabled and configured", "defaultMessage": null }, "properties": { "resourceName": null, "resourceId": null, "resourceType": null }, "onlyStatus": false } }, "idSuffix": "m365_exo_priority_account_not_enabled", "notes": [ ], "categories": [ ], "immutable_properties": [ ], "id": "microsoft365_2122" } |