rules/findings/m365/microsoft_defender/system/ms-defender-priority-accounts-lacks-strict-protection.json
|
{
"args": [ ], "provider": "Microsoft365", "serviceType": "Defender", "serviceName": "Microsoft 365", "displayName": "Ensure Priority accounts have \u0027Strict protection\u0027 presets applied", "description": "\r\n\t\tPreset security policies have been established by Microsoft, utilizing observations and experiences within datacenters to strike a balance between the exclusion of malicious content from users and limiting unwarranted disruptions. These policies can apply to all, or select users and encompass recommendations for addressing spam, malware, and phishing threats. The policy parameters are pre-determined and non-adjustable. Strict protection has the most aggressive protection of the 3 presets. \r\n\r\n\t\t* EOP: Anti-spam, Anti-malware and Anti-phishing \r\n\t\t* Defender: Spoof protection, Impersonation protection and Advanced phishing \r\n\t\t* Defender: Safe Links and Safe Attachments \r\n\r\n\t\t*NOTE: The preset security polices cannot target Priority account TAGS currently, groups should be used instead.*\r\n ", "rationale": "\r\n\t\tEnabling priority account protection for users in Microsoft 365 is necessary to enhance security for accounts with access to sensitive data and high privileges, such as CEOs, CISOs, CFOs, and IT admins. These priority accounts are often targeted by spear phishing or whaling attacks and require stronger protection to prevent account compromise. \r\n\t\tThe implementation of stringent, pre-defined policies may result in instances of false positive, however, the benefit of requiring the end-user to preview junk email before accessing their inbox outweighs the potential risk of mistakenly perceiving a malicious email as safe due to its placement in the inbox. \r\n ", "impact": "Strict policies are more likely to cause false positives in anti-spam, phishing, impersonation, spoofing and intelligence responses.", "remediation": { "text": "\r\n\t", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/security-recommendations-for-priority-accounts", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-worldwide#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365" ], "compliance": [ { "name": "CIS Microsoft 365 Foundations Benchmark", "version": "6.1.0", "reference": "2.4.2", "profile": [ "E5 Level 1" ] } ], "level": "medium", "tags": [ ], "rule": { "path": "o365_secomp_pap_config", "subPath": null, "selectCondition": { }, "query": [ { "filter": [ { "conditions": [ [ "config.presetSecurityPolicy.priorityAccountsProtectedByEOP", "eq", "True" ], [ "config.presetSecurityPolicy.priorityAccountsProtectedByATP", "eq", "false" ] ], "operator": "and" } ] } ], "shouldExist": true, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { "config.presetSecurityPolicy.priorityAccountsProtectedByEOP": "Exchange Online Protection Enabled", "config.presetSecurityPolicy.priorityAccountsProtectedByATP": "Defender For Office Protection", "config.presetSecurityPolicy.protectionType": "Protection Type" }, "expandObject": null }, "table": null, "decorate": [ ], "emphasis": [ ], "actions": { "objectData": { "properties": [ "config.presetSecurityPolicy" ], "expandObject": null, "limit": null }, "showGoToButton": false, "showModalButton": false, "directLink": null } }, "text": { "data": { "properties": { "presetSecurityPolicy.priorityAccountsProtectedByEOP": "Exchange Online Protection Enabled", "presetSecurityPolicy.priorityAccountsProtectedByATP": "Defender For Office Protection", "presetSecurityPolicy.protectionType": "Protection Type" }, "expandObject": null }, "status": { "keyName": [ ], "message": "Ensure Priority accounts have \u0027Strict protection\u0027 presets applied", "defaultMessage": null }, "properties": { "resourceName": null, "resourceId": null, "resourceType": null }, "onlyStatus": false } }, "idSuffix": "m365_exo_priority_account_strict_protection_not_enabled", "notes": [ ], "categories": [ ], "immutable_properties": [ ], "id": "microsoft365_2123" } |