rules/findings/m365/microsoft_teams/messaging/ms-teams-users-can-report-security-concerns-not-configured.json

{
    "args": [
         
    ],
    "provider": "Microsoft365",
    "serviceType": "Microsoft Teams",
    "serviceName": "Microsoft 365",
    "displayName": "Ensure users can report security concerns in Teams",
    "description": "\r\n\t\tUser reporting settings allow a user to report a message as malicious for further analysis. This recommendation is composed of 3 different settings and all be configured to pass:\r\n\t\t* In the Teams admin center: On by default and controls whether users are able to report messages from Teams. When this setting is turned off, users can\u0027t report messages within Teams, so the corresponding setting in the Microsoft 365 Defender portal is irrelevant. \r\n\t\t* In the Microsoft 365 Defender portal: On by default for new tenants. Existing tenants need to enable it. If user reporting of messages is turned on in the Teams admin center, it also needs to be turned on the Defender portal for user reported messages to show up correctly on the User reported tab on the Submissions page. \r\n\t\t* Defender - Report message destinations: This applies to more than just Microsoft Teams and allows for an organization to keep their reports contained. Due to how the parameters are configured on the backend it is included in this assessment as a requirement. \r\n ",
    "rationale": "Users will be able to more quickly and systematically alert administrators of suspicious malicious messages within Teams. The content of these messages may be sensitive in nature and therefore should be kept within the organization and not shared with Microsoft without first consulting company policy.",
    "impact": "Enabling message reporting has an impact beyond just addressing security concerns. When users of the platform report a message, the content could include messages that are threatening or harassing in nature, possibly stemming from colleagues. Due to this the security staff responsible for reviewing and acting on these reports should be equipped with the skills to discern and appropriately direct such messages to the relevant departments, such as Human Resources (HR).",
    "remediation": {
        "text": "\r\n\t\t\t###### To remediate using the UI: \r\n\t\t\t1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. \r\n\t\t\t2. Click to expand Messaging select Messaging policies. \r\n\t\t\t3. Click Global (Org-wide default). \r\n\t\t\t4. Set Report a security concern to On. \r\n\t\t\t5. Next, navigate to Microsoft 365 Defender https://security.microsoft.com/ \r\n\t\t\t6. Click on Settings \u003e Email \u0026 collaboration \u003e User reported settings. \r\n\t\t\t7. Scroll to Microsoft Teams. \r\n\t\t\t8. Check Monitor reported messages in Microsoft Teams and Save. \r\n\t\t\t9. Set Send reported messages to: to My reporting mailbox only with reports configured to be sent to authorized staff. \r\n\t",
        "code": {
            "powerShell": null,
            "iac": null,
            "terraform": null,
            "other": null
        }
    },
    "recommendation": null,
    "references": [
        "https://learn.microsoft.com/en-us/defender-office-365/submissions-teams?view=o365-worldwide"
    ],
    "compliance": [
        {
            "name": "CIS Microsoft 365 Foundations Benchmark",
            "version": "6.0.1",
            "reference": "8.6.1",
            "profile": [
                "E3 Level 1",
                "E5 Level 1"
            ]
        }
    ],
    "level": "medium",
    "tags": [
         
    ],
    "rule": {
        "path": "o365_teams_user_messaging_policy",
        "subPath": null,
        "selectCondition": {
             
        },
        "query": [
            {
                "filter": [
                    {
                        "conditions": [
                            [
                                "Identity",
                                "eq",
                                "Global"
                            ],
                            [
                                "AllowSecurityEndUserReporting",
                                "eq",
                                "False"
                            ]
                        ],
                        "operator": "and"
                    }
                ]
            }
        ],
        "shouldExist": null,
        "returnObject": null,
        "removeIfNotExists": null
    },
    "output": {
        "html": {
            "data": {
                "properties": {
                    "Identity": "Identity",
                    "Description": "Description",
                    "AllowMemes": "Allow Memes",
                    "AllowSecurityEndUserReporting": "AllowSecurityEndUserReporting"
                },
                "expandObject": null
            },
            "table": "default",
            "decorate": [
                 
            ],
            "emphasis": [
                 
            ],
            "actions": {
                "objectData": {
                    "properties": [
                        "*"
                    ],
                    "expandObject": null,
                    "limit": null
                },
                "showGoToButton": "True",
                "showModalButton": "True",
                "directLink": null
            }
        },
        "text": {
            "data": {
                "properties": {
                    "Identity": "Identity",
                    "Description": "Description",
                    "AllowMemes": "Allow Memes",
                    "AllowSecurityEndUserReporting": "AllowSecurityEndUserReporting"
                },
                "expandObject": null
            },
            "status": {
                "keyName": [
                     
                ],
                "message": "Ensure users can report security concerns in Teams",
                "defaultMessage": null
            },
            "properties": {
                "resourceName": "Identity",
                "resourceId": "ConfigId",
                "resourceType": "TeamsMessagingPolicy"
            },
            "onlyStatus": false
        }
    },
    "idSuffix": "teams_users_report_security_concerns_not_configured",
    "notes": [
         
    ],
    "categories": [
         
    ],
    "immutable_properties": [
        "Identity",
        "ConfigId",
        "Key.SchemaId.XName.name"
    ],
    "id": "microsoft365_2177"
}