CIS 2.1.4

maester365 · Sep 22, 2024 · f57df8f · f57df8f
1 parent 6e0a967
commit f57df8f
Show file tree

Hide file tree

Showing 5 changed files with 137 additions and 1 deletion.
diff --git a/powershell/Maester.psd1 b/powershell/Maester.psd1
@@ -141,6 +141,7 @@ FunctionsToExport = 'Add-MtTestResultDetail', 'Clear-MtGraphCache', 'Connect-Mae
                'Test-MtCisSafeLink',
                'Test-MtCisAttachmentFilter',
                'Test-MtCisInternalMalwareNotification',
+               'Test-MtCisSafeAttachment',
                'Test-MtConditionalAccessWhatIf',
                'Test-MtConnection',
                'Test-MtEidscaControl',

diff --git a/powershell/public/cis/Test-MtCisSafeAttachment.md b/powershell/public/cis/Test-MtCisSafeAttachment.md
@@ -0,0 +1,27 @@
+2.1.4 (L2) Ensure Safe Attachments policy is enabled
+
+R**ationale:**
+Enabling Safe Attachments policy helps protect against malware threats in email attachments by analyzing suspicious attachments in a secure, cloud-based environment before they are delivered to the user's inbox. This provides an additional layer of security and can prevent new or unseen types of malware from infiltrating the organization's network.
+
+#### Remediation action:
+
+To enable the Safe Attachments policy:
+1. Navigate to Microsoft 365 Defender [https://security.microsoft.com](https://security.microsoft.com).
+2. Click to expand **E-mail & Collaboration** select **Policies & rules**.
+3. On the Policies & rules page select **Threat policies**.
+4. Under **Policies** select **Safe Attachments**.
+5. Click + **Create**.
+6. Create a Policy Name and Description, and then click **Next**.
+7. Select all valid domains and click Next.
+8. Select **Block**.
+9. Quarantine policy is **AdminOnlyAccessPolicy**.
+10. Leave **Enable redirect** unchecked.
+11. Click **Next** and finally **Submit**.
+
+#### Related links
+
+* [Microsoft 365 Defender](https://security.microsoft.com)
+* [CIS Microsoft 365 Foundations Benchmark v3.1.0 - Page 71](https://www.cisecurity.org/benchmark/microsoft_365)
+
+<!--- Results --->
+%TestResult%
diff --git a/powershell/public/cis/Test-MtCisSafeAttachment.ps1 b/powershell/public/cis/Test-MtCisSafeAttachment.ps1
@@ -0,0 +1,97 @@
+<#
+.SYNOPSIS
+Checks if the Safe Attachments policy is enabled
+
+.DESCRIPTION
+The Safe Attachments policy is enabled
+
+.EXAMPLE
+Test-MtCisSafeAttachment
+
+Returns true safe attachments policy is enabled
+
+.LINK
+https://maester.dev/docs/commands/Test-MtCisSafeAttachment
+#>
+function Test-MtCisSafeAttachment {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if (!(Test-MtConnection ExchangeOnline)) {
+        Add-MtTestResultDetail -SkippedBecause NotConnectedExchange
+        return $null
+    }
+    elseif (!(Test-MtConnection SecurityCompliance)) {
+        Add-MtTestResultDetail -SkippedBecause NotConnectedSecurityCompliance
+        return $null
+    }
+    elseif ($null -eq (Get-MtLicenseInformation -Product Mdo)) {
+        Add-MtTestResultDetail -SkippedBecause NotLicensedMdo
+        return $null
+    }
+
+    Write-Verbose "Getting Safe Attachment Policy..."
+    $policy = Get-MtExo -Request SafeAttachmentPolicy
+
+    $safeAttachmentCheckList = @()
+
+    #Enable
+    $safeAttachmentCheckList += [pscustomobject] @{
+        "CheckName" = "Enable"
+        "Value"     = "True"
+    }
+
+    #Action
+    $safeAttachmentCheckList += [pscustomobject] @{
+        "CheckName" = "Action"
+        "Value"     = "Block"
+    }
+
+    #QuarantineTag
+    $safeAttachmentCheckList += [pscustomobject] @{
+        "CheckName" = "QuarantineTag"
+        "Value"     = "AdminOnlyAccessPolicy"
+    }
+
+    Write-Verbose "Executing checks"
+    $failedCheckList = @()
+    foreach ($check in $safeAttachmentCheckList) {
+
+        $checkResult = $policy | Where-Object { $_.($check.CheckName) -notmatch $check.Value }
+
+        if ($checkResult) {
+            #If the check fails, add it to the list so we can report on it later
+            $failedCheckList += $check.CheckName
+        }
+
+    }
+
+    $testResult = ($failedCheckList | Measure-Object).Count -eq 0
+
+    $portalLink = "https://security.microsoft.com/safeattachmentv2"
+
+    if ($testResult) {
+        $testResultMarkdown = "Well done. Your tenant has the safe attachment policy enabled ($portalLink).`n`n%TestResult%"
+    }
+    else {
+        $testResultMarkdown = "Your tenant does not have the the safe attachment policy enabled ($portalLink).`n`n%TestResult%"
+    }
+
+
+    $resultMd = "| Check Name | Result |`n"
+    $resultMd += "| --- | --- |`n"
+    foreach ($item in $safeAttachmentCheckList) {
+        $itemResult = "❌ Fail"
+        if ($item.CheckName -notin $failedCheckList) {
+            $itemResult = "✅ Pass"
+        }
+        $resultMd += "| $($item.CheckName) | $($itemResult) |`n"
+    }
+
+    $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $resultMd
+
+    Add-MtTestResultDetail -Result $testResultMarkdown
+
+    return $testResult
+}
diff --git a/tests/cis/Test-MtCisSafeAttachment.Tests.ps1 b/tests/cis/Test-MtCisSafeAttachment.Tests.ps1
@@ -0,0 +1,10 @@
+Describe "CIS" -Tag "CIS 2.1.4", "L2", "CIS E5 Level 5", "CIS E5", "CIS", "Security", "All", "CIS M365 v3.1.0" {
+    It "2.1.4 (L2) Ensure Safe Attachments policy is enabled" {
+
+        $result = Test-MtCisSafeAttachment
+
+        if ($null -ne $result) {
+            $result | Should -Be $true -Because "the Safe Attachement policy is enabled."
+        }
+    }
+}
diff --git a/website/docs/tests/cis/readme.md b/website/docs/tests/cis/readme.md
@@ -23,7 +23,7 @@ See the [Installation guide](/docs/installation#optional-modules-and-permissions
 
 | Cmdlet Name | CIS Recommendation ID |
 | - | - |
-| Test-MtCisCloudAdmin | CIS 1.1.1: Ensure Administrative accounts are separate and cloud-only |
+| Test-MtCisCloudAdmin | 1.1.1 (L1) Ensure Administrative accounts are separate and cloud-only |
 | TBD | 1.1.2 (L1) Ensure two emergency access accounts have been defined |
 | Test-MtCisGlobalAdminCount | 1.1.3 (L1) Ensure that between two and four global admins are designated |
 | N/A | 1.1.4 (L1) Ensure Guest Users are reviewed at least biweekly |
@@ -40,5 +40,6 @@ See the [Installation guide](/docs/installation#optional-modules-and-permissions
 | Test-MtCisSafeLink | 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled |
 | Test-MtCisAttachmentFilter | 2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled |
 | Test-MtCisInternalMalwareNotification | 2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled |
+| Test-MtCisSafeAttachment | 2.1.4 (L2) Ensure Safe Attachments policy is enabled |
 
 TBD in this case refers to CIS "manual" checks. It might be possible to automate these, but skipping for now to focus on automated checks.