
Missing licenses not reported for Defender policy groups 2 and 4

Open tkol2022 opened this issue 2 years ago • 2 comments

🐛 Summary

Several policies in the Defender baseline have a requirement for the Defender for Office 365 Plan 1 license but the respective Rego code does not check for licenses. Therefore it is not clear that the tool is producing accurate results in G3 tenants?

  • Policy 1.1 relies on the Get-ATPProtectionPolicyRule cmdlet which requires the Defender for Office 365 Plan 1 license but there are no checks for licenses in the Rego code and therefore it is unclear if the ScubaGear report is accurate when running against a G3 tenant.

  • Baseline section 2 license requirements state that "Impersonation protection and advanced phishing thresholds require Defender for Office 365 Plan 1 or 2" but there are no checks for licenses in the section 2 Rego code and therefore it is not clear if the ScubaGear report is accurate when running in a G3 tenant?

  • Baseline section 4 license requirements state that "DLP for Teams requires an E5 or G5 license" but there are no checks for licenses in the section 4 Rego code and therefore it is not clear if the ScubaGear report is accurate when running in a G3 tenant? The same license requirement is mentioned for "DLP for Endpoint".

tkol2022 avatar Oct 13 '23 22:10 tkol2022

Reviewed 12/14

@schrolla @buidav can you please review and see if this bug is still valid? If it is OBE, you can close this out.

tkol2022 avatar Dec 14 '23 21:12 tkol2022

🐛 Summary

Several policies in the Defender baseline have a requirement for the Defender for Office 365 Plan 1 license but the respective Rego code does not check for licenses. Therefore it is not clear that the tool is producing accurate results in G3 tenants?

* Policy 1.1 relies on the Get-ATPProtectionPolicyRule cmdlet which requires the Defender for Office 365 Plan 1 license but there are no checks for licenses in the Rego code and therefore it is unclear if the ScubaGear report is accurate when running against a G3 tenant.

Policy 1.1 can be met in a G3 tenant as preset security profiles work in E3/G3. When no Defender for Office P1/P2 is included, inclusion in the preset security profile just doesn't include the additional licensed Defender for Office365 protections. The code, therefore, should not include license warnings in non-E5/G5 tenants for policy 1.1 and it handles the case appropriately in E3/G3 tenants by ignoring a lack of ATPProtectionPolicyRule results. Existing unit and functional tests handle this case and report correct results.

Note that policy 1.3 and 1.5, which specifically reference the Defender for Office365 requirements not present in E3/G3 do include license warnings as needed.

No fix required for policy 1.1. Works as intended.

* Baseline section 2 license requirements state that "Impersonation protection and advanced phishing thresholds require Defender for Office 365 Plan 1 or 2" but there are no checks for licenses in the section 2 Rego code and therefore it is not clear if the ScubaGear report is accurate when running in a G3 tenant?

This does appear to be a gap. I would say it doesn't make the report inaccurate (as the tenant does lack the protections and fails to meet the policy), but it does make the report details imprecise (as the message reported does not indicate the issue is due to a missing license). ApplyLicenseWarnings should be added to the checks for policies 2.1-2.3.

* Baseline section 4 license requirements state that "DLP for Teams requires an E5 or G5 license" but there are no checks for licenses in the section 4 Rego code and therefore it is not clear if the ScubaGear report is accurate when running in a G3 tenant? The same license requirement is mentioned for "DLP for Endpoint".

This does appear to be a gap. I would say it doesn't make the report inaccurate (as the tenant does lack DLP protections and fails to meet the policy), but it does make the report details imprecise (as the message reported does not indicate the issue is due to a missing license). ApplyLicenseWarnings should be added to the checks for policies 4.1-4.4.

Overall, need to apply license warnings to checks for policy groups 2 and 4 to improve details of results, however results are correct in E3/G3 if incomplete. Straightforward fix.

schrolla avatar Dec 15 '23 15:12 schrolla
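The gap discussed in the thread, as an added illustration that is not ScubaGear's own Rego: a check for a section 2 impersonation-protection policy that still fails correctly in a G3 tenant, but whose report detail says *why* it fails when the Defender for Office 365 P1/P2 license is absent. The input fields (`input.defender_license`, `input.anti_phish_policies`), the `LicenseWarning` text and the rule names are assumptions made for this example; only the policy ID format follows ScubaGear's `MS.DEFENDER.<group>.<n>v1` convention.

```rego
package example_defender_license_warning

import rego.v1

# Hypothetical input shape (NOT ScubaGear's real provider schema):
#   input.defender_license    : true when Defender for Office 365 P1/P2 is licensed
#   input.anti_phish_policies : list of {"Name": str, "EnableTargetedUserProtection": bool}

# Constructed detail text for the license-gated failure case.
LicenseWarning := concat("", [
    "Requirement not met. ",
    "**NOTE: this policy requires Defender for Office 365 Plan 1 or 2, ",
    "which does not appear to be licensed in this tenant.**",
])

# Policies that have user impersonation protection enabled.
ImpersonationProtected contains Policy.Name if {
    some Policy in input.anti_phish_policies
    Policy.EnableTargetedUserProtection == true
}

# The requirement itself does not change with licensing: an unlicensed
# tenant genuinely lacks the protection and must still be reported as failing.
Status := count(ImpersonationProtected) > 0

# Report detail: same pass/fail outcome, but the unlicensed case is
# called out so a G3 tenant is not left guessing at the cause.
ReportDetails := "Requirement met" if Status

ReportDetails := LicenseWarning if {
    not Status
    not input.defender_license
}

ReportDetails := "Requirement not met" if {
    not Status
    input.defender_license
}

# Emitted test record, mirroring the PolicyId / RequirementMet /
# ReportDetails triple that a report consumer would read.
tests contains {
    "PolicyId": "MS.DEFENDER.2.1v1",
    "RequirementMet": Status,
    "ReportDetails": ReportDetails,
}
```

Evaluating `data.example_defender_license_warning.tests` with `defender_license: false` and no protected policies yields `RequirementMet: false` with the license note in `ReportDetails`; the same input with `defender_license: true` yields the plain "Requirement not met".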