Index | TestFileName | Rec | RecDescription | ELevel | ProfileLevel | CISControl | CISDescription | IG1 | IG2 | IG3 | Automated | Connection |
---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | Test-AdministrativeAccountCompliance.ps1 | 1.1.1 | Ensure Administrative accounts are separate and cloud-only | E3 | L1 | 5.4 | Restrict Administrator Privileges to Dedicated Administrator Accounts | TRUE | TRUE | TRUE | FALSE | Microsoft Graph |
2 | Test-GlobalAdminsCount.ps1 | 1.1.3 | Ensure that between two and four global admins are designated | E3 | L1 | 5.1 | Establish and Maintain an Inventory of Accounts | TRUE | TRUE | TRUE | TRUE | Microsoft Graph |
3 | Test-ManagedApprovedPublicGroups.ps1 | 1.2.1 | Ensure that only organizationally managed/approved public groups exist | E3 | L2 | 3.3 | Configure Data Access Control Lists | TRUE | TRUE | TRUE | TRUE | Microsoft Graph |
4 | Test-BlockSharedMailboxSignIn.ps1 | 1.2.2 | Ensure sign-in to shared mailboxes is blocked | E3 | L1 | 0 | Explicitly Not Mapped | FALSE | FALSE | FALSE | TRUE | AzureAD \| EXO |
5 | Test-PasswordNeverExpirePolicy.ps1 | 1.3.1 | Ensure the 'Password expiration policy' is set to 'Set passwords to never expire' | E3 | L1 | 5.2 | Use Unique Passwords | TRUE | TRUE | TRUE | TRUE | Microsoft Graph |
6 | Test-ExternalSharingCalendars.ps1 | 1.3.3 | Ensure 'External sharing' of calendars is not available | E3 | L2 | 4.8 | Uninstall or Disable Unnecessary Services on Enterprise Assets and Software | FALSE | TRUE | TRUE | TRUE | EXO |
7 | Test-CustomerLockbox.ps1 | 1.3.6 | Ensure the customer lockbox feature is enabled | E5 | L2 | 0 | Explicitly Not Mapped | FALSE | FALSE | FALSE | TRUE | EXO |
8 | Test-SafeLinksOfficeApps.ps1 | 2.1.1 | Ensure Safe Links for Office Applications is Enabled | E5 | L2 | 10.1 | Deploy and Maintain Anti-Malware Software | TRUE | TRUE | TRUE | TRUE | EXO |
9 | Test-CommonAttachmentFilter.ps1 | 2.1.2 | Ensure the Common Attachment Types Filter is enabled | E3 | L1 | 9.6 | Block Unnecessary File Types | FALSE | TRUE | TRUE | TRUE | EXO |
10 | Test-NotifyMalwareInternal.ps1 | 2.1.3 | Ensure notifications for internal users sending malware is Enabled | E3 | L1 | 17.5 | Assign Key Roles and Responsibilities | FALSE | TRUE | TRUE | TRUE | EXO |
11 | Test-SafeAttachmentsPolicy.ps1 | 2.1.4 | Ensure Safe Attachments policy is enabled | E5 | L2 | 9.7 | Deploy and Maintain Email Server Anti-Malware Protections | FALSE | FALSE | TRUE | TRUE | EXO |
12 | Test-SafeAttachmentsTeams.ps1 | 2.1.5 | Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled | E5 | L2 | 9.7,10.1 | Deploy and Maintain Email Server Anti-Malware Protections, Deploy and Maintain Anti-Malware Software | TRUE | TRUE | TRUE | TRUE | EXO |
13 | Test-SpamPolicyAdminNotify.ps1 | 2.1.6 | Ensure Exchange Online Spam Policies are set to notify administrators | E3 | L1 | 17.5 | Assign Key Roles and Responsibilities | FALSE | TRUE | TRUE | TRUE | EXO |
14 | Test-AntiPhishingPolicy.ps1 | 2.1.7 | Ensure that an anti-phishing policy has been created | E5 | L1 | 9.7 | Deploy and Maintain Email Server Anti-Malware Protections | FALSE | FALSE | TRUE | TRUE | EXO |
15 | Test-EnableDKIM.ps1 | 2.1.9 | Ensure that DKIM is enabled for all Exchange Online Domains | E3 | L1 | 9.5 | Implement DMARC | FALSE | TRUE | TRUE | TRUE | EXO |
16 | Test-AuditLogSearch.ps1 | 3.1.1 | Ensure Microsoft 365 audit log search is Enabled | E3 | L1 | 8.2 | Collect Audit Logs | TRUE | TRUE | TRUE | TRUE | EXO |
17 | Test-RestrictTenantCreation.ps1 | 5.1.2.3 | Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes' | E3 | L1 | 0 | Explicitly Not Mapped | FALSE | FALSE | FALSE | TRUE | Microsoft Graph |
18 | Test-PasswordHashSync.ps1 | 5.1.8.1 | Ensure password hash sync is enabled for hybrid deployments | E3 | L1 | 6.7 | Centralize Access Control | FALSE | TRUE | TRUE | TRUE | Microsoft Graph |
19 | Test-AuditDisabledFalse.ps1 | 6.1.1 | Ensure 'AuditDisabled' organizationally is set to 'False' | E3 | L1 | 8.2 | Collect Audit Logs | TRUE | TRUE | TRUE | TRUE | Microsoft Graph |
20 | Test-MailboxAuditingE3.ps1 | 6.1.2 | Ensure mailbox auditing for Office E3 users is Enabled | E3 | L1 | 8.2 | Collect audit logs. | TRUE | TRUE | TRUE | TRUE | AzureAD \| EXO \| Microsoft Graph |
21 | Test-MailboxAuditingE5.ps1 | 6.1.3 | Ensure mailbox auditing for Office E5 users is Enabled | E5 | L1 | 8.2 | Collect audit logs. | TRUE | TRUE | TRUE | TRUE | AzureAD \| EXO \| Microsoft Graph |
22 | Test-BlockMailForwarding.ps1 | 6.2.1 | Ensure all forms of mail forwarding are blocked and/or disabled | E3 | L1 | 0 | Explicitly Not Mapped | FALSE | FALSE | FALSE | TRUE | EXO |
23 | Test-NoWhitelistDomains.ps1 | 6.2.2 | Ensure mail transport rules do not whitelist specific domains | E3 | L1 | 0 | Explicitly Not Mapped | FALSE | FALSE | FALSE | TRUE | EXO |
24 | Test-IdentifyExternalEmail.ps1 | 6.2.3 | Ensure email from external senders is identified | E3 | L1 | 0 | Explicitly Not Mapped | FALSE | FALSE | FALSE | TRUE | EXO |
25 | Test-RestrictOutlookAddins.ps1 | 6.3.1 | Ensure users installing Outlook add-ins is not allowed | E3 | L2 | 9.4 | Restrict Unnecessary or Unauthorized Browser and Email Client Extensions | FALSE | TRUE | TRUE | TRUE | EXO |
26 | Test-ModernAuthExchangeOnline.ps1 | 6.5.1 | Ensure modern authentication for Exchange Online is enabled (Automated) | E3 | L1 | 3.1 | Encrypt Sensitive Data in Transit | FALSE | TRUE | TRUE | TRUE | EXO |
27 | Test-MailTipsEnabled.ps1 | 6.5.2 | Ensure MailTips are enabled for end users | E3 | L2 | 0 | Explicitly Not Mapped | FALSE | FALSE | FALSE | TRUE | EXO |
28 | Test-RestrictStorageProvidersOutlook.ps1 | 6.5.3 | Ensure additional storage providers are restricted in Outlook on the web | E3 | L2 | 3.3 | Configure Data Access Control Lists | TRUE | TRUE | TRUE | TRUE | EXO |
29 | Test-ModernAuthSharePoint.ps1 | 7.2.1 | Modern Authentication for SharePoint Applications | E3 | L1 | 3.1 | Encrypt Sensitive Data in Transit | FALSE | TRUE | TRUE | TRUE | SPO |
30 | Test-SharePointAADB2B.ps1 | 7.2.2 | Ensure reauthentication with verification code is restricted | E3 | L1 | 0 | Explicitly Not Mapped | FALSE | FALSE | FALSE | TRUE | SPO |
31 | Test-RestrictExternalSharing.ps1 | 7.2.3 | Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled | E3 | L1 | 0 | Explicitly Not Mapped | TRUE | TRUE | TRUE | TRUE | SPO |
32 | Test-OneDriveContentRestrictions.ps1 | 7.2.4 | Ensure external content sharing is restricted | E3 | L2 | 3.3 | Configure Data Access Control Lists | TRUE | TRUE | TRUE | TRUE | SPO |
33 | Test-SharePointGuestsItemSharing.ps1 | 7.2.5 | Ensure OneDrive content sharing is restricted | E3 | L2 | 3.3 | Configure Data Access Control Lists | TRUE | TRUE | TRUE | TRUE | SPO |
34 | Test-SharePointExternalSharingDomains.ps1 | 7.2.6 | Ensure that SharePoint guest users cannot share items they don't own | E3 | L2 | 3.3 | Configure Data Access Control Lists | TRUE | TRUE | TRUE | TRUE | SPO |
35 | Test-LinkSharingRestrictions.ps1 | 7.2.7 | Ensure SharePoint external sharing is managed through domain whitelist/blacklists | E3 | L1 | 3.3 | Configure Data Access Control Lists | TRUE | TRUE | TRUE | TRUE | SPO |
36 | Test-GuestAccessExpiration.ps1 | 7.2.9 | Ensure link sharing is restricted in SharePoint and OneDrive | E3 | L1 | 3.3 | Configure Data Access Control Lists | FALSE | FALSE | FALSE | TRUE | SPO |
37 | Test-ReauthWithCode.ps1 | 7.2.10 | Ensure guest access to a site or OneDrive will expire automatically | E3 | L1 | 0 | Explicitly Not Mapped | FALSE | FALSE | FALSE | TRUE | SPO |
38 | Test-DisallowInfectedFilesDownload.ps1 | 7.3.1 | Ensure Office 365 SharePoint infected files are disallowed for download | E5 | L2 | 10.1 | Deploy and Maintain Anti-Malware Software | TRUE | TRUE | TRUE | TRUE | SPO |
39 | Test-OneDriveSyncRestrictions.ps1 | 7.3.2 | Ensure OneDrive sync is restricted for unmanaged devices | E3 | L2 | 0 | Explicitly Not Mapped | FALSE | FALSE | FALSE | TRUE | SPO |
40 | Test-RestrictCustomScripts.ps1 | 7.3.4 | Ensure custom script execution is restricted on site collections | E3 | L1 | 2.7 | Allowlist Authorized Scripts | FALSE | FALSE | TRUE | TRUE | SPO |
41 | Test-TeamsExternalFileSharing.ps1 | 8.1.1 | Ensure external file sharing in Teams is enabled for only approved cloud storage services | E3 | L2 | 3.3 | Configure Data Access Control Lists | TRUE | TRUE | TRUE | TRUE | Microsoft Teams |
42 | Test-BlockChannelEmails.ps1 | 8.1.2 | Ensure users can't send emails to a channel email address | E3 | L1 | 0 | Explicitly Not Mapped | FALSE | FALSE | FALSE | TRUE | Microsoft Teams |
43 | Test-TeamsExternalAccess.ps1 | 8.2.1 | Ensure 'external access' is restricted in the Teams admin center | E3 | L2 | 0 | Explicitly Not Mapped | FALSE | FALSE | FALSE | TRUE | Microsoft Teams |
44 | Test-NoAnonymousMeetingJoin.ps1 | 8.5.1 | Ensure anonymous users can't join a meeting | E3 | L2 | 0 | Explicitly Not Mapped | FALSE | FALSE | FALSE | TRUE | Microsoft Teams |
45 | Test-NoAnonymousMeetingStart.ps1 | 8.5.2 | Ensure anonymous users and dial-in callers can't start a meeting | E3 | L1 | 0 | Explicitly Not Mapped | FALSE | FALSE | FALSE | TRUE | Microsoft Teams |
46 | Test-OrgOnlyBypassLobby.ps1 | 8.5.3 | Ensure only people in my org can bypass the lobby | E3 | L1 | 6.8 | Define and Maintain Role-Based Access Control | FALSE | FALSE | TRUE | TRUE | Microsoft Teams |
47 | Test-DialInBypassLobby.ps1 | 8.5.4 | Ensure users dialing in can't bypass the lobby | E3 | L1 | 0 | Explicitly Not Mapped | FALSE | FALSE | FALSE | TRUE | Microsoft Teams |
48 | Test-MeetingChatNoAnonymous.ps1 | 8.5.5 | Ensure meeting chat does not allow anonymous users | E3 | L1 | 0 | Explicitly Not Mapped | FALSE | FALSE | FALSE | TRUE | Microsoft Teams |
49 | Test-OrganizersPresent.ps1 | 8.5.6 | Ensure only organizers and co-organizers can present | E3 | L1 | 0 | Explicitly Not Mapped | FALSE | FALSE | FALSE | TRUE | Microsoft Teams |
50 | Test-ExternalNoControl.ps1 | 8.5.7 | Ensure external participants can't give or request control | E3 | L1 | 0 | Explicitly Not Mapped | FALSE | FALSE | FALSE | TRUE | Microsoft Teams |
51 | Test-ReportSecurityInTeams.ps1 | 8.6.1 | Ensure users can report security concerns in Teams | E3 | L1 | 0 | Explicitly Not Mapped | FALSE | FALSE | FALSE | TRUE | Microsoft Teams \| EXO |