Merge pull request #132 from maester365/merill-cisa

Updated CISA help doc and split risk into two

powershell/Maester.psd1

@@ -90,7 +90,9 @@ FunctionsToExport = 'Add-MtTestResultDetail', 'Clear-MtGraphCache', 'Connect-Mae
                'Test-MtCaMfaForGuest', 'Test-MtCaMfaForRiskySignIn',
                'Test-MtCaRequirePasswordChangeForHighUserRisk',
                'Test-MtCaSecureSecurityInfoRegistration',
-               'Test-MtCaWIFBlockLegacyAuthentication', 'Test-MtCisaLegacyAuth',
+               'Test-MtCaWIFBlockLegacyAuthentication', 'Test-MtCisaBlockLegacyAuth',
+               'Test-MtCisaBlockHighRiskUser', 'Test-MtCisaBlockHighRiskSignIn',
+               'Test-MtCisaNotifyHighRisk',
                'Test-MtConditionalAccessWhatIf', 'Test-MtEidscaAF01',
                'Test-MtEidscaAF02', 'Test-MtEidscaAF03', 'Test-MtEidscaAF04',
                'Test-MtEidscaAF05', 'Test-MtEidscaAF06', 'Test-MtEidscaAG01',

powershell/public/CISA/Entra/Test-MtCisaNotifyHighRisk.md

@@ -4,9 +4,9 @@ Rationale: Notification enables the admin to monitor the event and remediate the
 
 #### Remediation action:
 
-Follow the guide below to create a conditional access policy that blocks legacy authentication.
+Follow the guide below to configure Entra ID Protection to send a regularly monitored security mailbox email notification when user accounts are determined to be high risk.
 
-- [Configure Entra Identity Protection Notifications - Microsoft Learn](https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-notifications#configure-users-at-risk-detected-alerts)
+- [Configure Entra Identity Protection Notifications - Microsoft Learn](https://learn.microsoft.com/entra/id-protection/howto-identity-protection-configure-notifications#configure-users-at-risk-detected-alerts)
 
 #### Related links
 

powershell/public/CISA/Entra/Test-MtCisaNotifyHighRisk.ps1

@@ -30,7 +30,7 @@ Function Test-MtCisaNotifyHighRisk {
     $testResult = $notficationRecipients.Count -ge 1
 
     if ($testResult) {
-        $testResultMarkdown = "Your tenant has one or more recipients for notifications of risky user logins:`n`n%TestResult%"
+        $testResultMarkdown = "Well done. Your tenant has one or more recipients for notifications of risky user logins:`n`n%TestResult%"
     } else {
         $testResultMarkdown = "Your tenant does not have any recipients for notifications of risky user logins."
     }

powershell/public/Get-MtConditionalAccessPolicy.ps1

@@ -13,6 +13,8 @@ Function Get-MtConditionalAccessPolicy {
   param()
 
   Write-Verbose -Message "Getting conditional access policies."
-  return Invoke-MtGraphRequest -RelativeUri 'identity/conditionalAccess/policies' -ApiVersion beta
+
+  # Note Graph v1.0 appears to return updates faster than beta
+  return Invoke-MtGraphRequest -RelativeUri 'identity/conditionalAccess/policies' -ApiVersion v1.0
 
 }

powershell/public/cisa/entra/Test-MtCisaBlockHighRiskSignIn.md

@@ -0,0 +1,20 @@
+Sign-ins detected as high risk SHALL be blocked.
+
+Rationale: Blocking high-risk sign ins may prevent compromised sign-ins from accessing the tenant. This prevents compromised sign-ins from accessing the tenant.
+
+#### Remediation action:
+
+Create a Conditional Access policy blocking sign-ins determined high risk by the Identity Protection service. Configure the following policy settings in the new Conditional Access policy as per the values below:
+
+* Users > Include > **All users**
+* Target resources > Cloud apps > **All cloud apps**
+* Conditions > Sign-in risk > **High**
+* Access controls > Grant > **Block Access**
+
+#### Related links
+
+* [CISA Risk Based Policies - MS.AAD.2.3](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad23v1)
+* [CISA ScubaGear Rego Reference](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/Rego/AADConfig.rego#L138)
+
+<!--- Results --->
+%TestResult%

powershell/public/cisa/entra/Test-MtCisaBlockHighRiskSignIn.ps1

@@ -0,0 +1,39 @@
+<#
+.SYNOPSIS
+    Checks if Sign-In Risk Based Policies - MS.AAD.2.3 is set to 'blocked'
+
+.DESCRIPTION
+
+    Sign-ins detected as high risk SHALL be blocked.
+
+.EXAMPLE
+    Test-MtCisaBlockHighRiskSignIn
+
+    Returns true if at least one policy is set to block high risk sign-ins.
+#>
+
+Function Test-MtCisaBlockHighRiskSignIn {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    $result = Get-MtConditionalAccessPolicy
+
+    $blockPolicies = $result | Where-Object {`
+        $_.state -eq "enabled" -and `
+        $_.grantControls.builtInControls -contains "block" -and `
+        $_.conditions.applications.includeApplications -contains "all" -and `
+        $_.conditions.signInRiskLevels -contains "high" -and `
+        $_.conditions.users.includeUsers -contains "All" }
+
+    $testResult = $blockPolicies.Count -ge 1
+
+    if ($testResult) {
+        $testResultMarkdown = "Well done. Your tenant has one or more policies that block high risk sign-ins:`n`n%TestResult%"
+    } else {
+        $testResultMarkdown = "Your tenant does not have any conditional access policies that block high risk sign-ins."
+    }
+    Add-MtTestResultDetail -Result $testResultMarkdown -GraphObjectType ConditionalAccess -GraphObjects $blockPolicies
+
+    return $testResult
+}

powershell/public/cisa/entra/Test-MtCisaBlockHighRiskUser.md

@@ -0,0 +1,20 @@
+Users detected as high risk SHALL be blocked.
+
+Rationale: Blocking high-risk users may prevent compromised accounts from accessing the tenant. This prevents compromised accounts from accessing the tenant.
+
+#### Remediation action:
+
+Create a conditional access policy blocking users categorized as high risk by the Identity Protection service. Configure the following policy settings in the new conditional access policy as per the values below:
+
+* Users > Include > **All users**
+* Target resources > Cloud apps > **All cloud apps**
+* Conditions > User risk > **High**
+* Access controls > Grant > **Block Access**
+
+#### Related links
+
+* [CISA Risk Based Policies - MS.AAD.2.1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad21v1)
+* [CISA ScubaGear Rego Reference](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/Rego/AADConfig.rego#L85)
+
+<!--- Results --->
+%TestResult%

powershell/public/cisa/entra/Test-MtCisaBlockHighRiskUser.ps1

@@ -0,0 +1,39 @@
+<#
+.SYNOPSIS
+    Checks if User Risk Based Policies - MS.AAD.2.1 is set to 'blocked'
+
+.DESCRIPTION
+
+    Users detected as high risk SHALL be blocked.
+
+.EXAMPLE
+    Test-MtCisaBlockHighRiskUser
+
+    Returns true if at least one policy is set to block high risk users.
+#>
+
+Function Test-MtCisaBlockHighRiskUser {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    $result = Get-MtConditionalAccessPolicy
+
+    $blockPolicies = $result | Where-Object {`
+        $_.state -eq "enabled" -and `
+        $_.grantControls.builtInControls -contains "block" -and `
+        $_.conditions.applications.includeApplications -contains "all" -and `
+        $_.conditions.userRiskLevels -contains "high" -and `
+        $_.conditions.users.includeUsers -contains "All" }
+
+    $testResult = $blockPolicies.Count -ge 1
+
+    if ($testResult) {
+        $testResultMarkdown = "Well done. Your tenant has one or more policies that block high risk users :`n`n%TestResult%"
+    } else {
+        $testResultMarkdown = "Your tenant does not have any conditional access policies that block high risk users."
+    }
+    Add-MtTestResultDetail -Result $testResultMarkdown -GraphObjectType ConditionalAccess -GraphObjects $blockPolicies
+
+    return $testResult
+}

powershell/public/CISA/Entra/Test-MtCisaLegacyAuth.ps1 → powershell/public/cisa/entra/Test-MtCisaBlockLegacyAuth.ps1

@@ -6,17 +6,13 @@
 
     Legacy authentication SHALL be blocked.
 
-    Queries /identity/conditionalAccess/policies
-    and returns the result of
-     (graph/identity/conditionalAccess/policies?$filter=(state eq 'enabled') and (grantControls/builtInControls/any(c:c eq 'block')) and (conditions/clientAppTypes/any(c:c eq 'exchangeActiveSync')) and (conditions/clientAppTypes/any(c:c eq 'other')) and (conditions/users/includeUsers/any(c:c eq 'All'))&$count=true).'@odata.count' -ge 1
-
 .EXAMPLE
-    Test-MtCisaLegacyAuth
+    Test-MtCisaBlockLegacyAuth
 
-    Returns the result of (graph.microsoft.com/v1.0/identity/conditionalAccess/policies?$filter=(state eq 'enabled') and (grantControls/builtInControls/any(c:c eq 'block')) and (conditions/clientAppTypes/any(c:c eq 'exchangeActiveSync')) and (conditions/clientAppTypes/any(c:c eq 'other')) and (conditions/users/includeUsers/any(c:c eq 'All'))&$count=true).'@odata.count' -ge 1
+    Returns true if a CA policy exists that blocks legacy authentication.
 #>
 
-Function Test-MtCisaLegacyAuth {
+Function Test-MtCisaBlockLegacyAuth {
     [CmdletBinding()]
     [OutputType([bool])]
     param()

tests/CISA/Entra/Test-MtCisaBlockHighRiskSignIns.Tests.ps1

@@ -0,0 +1,9 @@
+BeforeDiscovery {
+    $EntraIDPlan = Get-MtLicenseInformation -Product EntraID
+}
+
+Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.2.3", "CISA", "Security", "All" -Skip:( $EntraIDPlan -ne "P2" ){
+    It "MS.AAD.2.3: Sign-ins detected as high risk SHALL be blocked." {
+        Test-MtCisaBlockHighRiskSignIn | Should -Be $true -Because "an enabled policy for all users blocking high risk sign-ins shall exist."
+    }
+}

tests/CISA/Entra/Test-MtCisaBlockHighRiskUsers.Tests.ps1

@@ -0,0 +1,9 @@
+BeforeDiscovery {
+    $EntraIDPlan = Get-MtLicenseInformation -Product EntraID
+}
+
+Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.2.1", "CISA", "Security", "All" -Skip:( $EntraIDPlan -ne "P2" ){
+    It "MS.AAD.2.1: Users detected as high risk SHALL be blocked." {
+        Test-MtCisaBlockHighRiskUser | Should -Be $true -Because "an enabled policy for all users blocking high risk users shall exist."
+    }
+}

tests/CISA/Entra/Test-MtCisaBlockLegacyAuth.Tests.ps1

@@ -0,0 +1,9 @@
+BeforeDiscovery {
+    $EntraIDPlan = Get-MtLicenseInformation -Product EntraID
+}
+
+Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.1.1", "CISA", "Security", "All", "MS.AAD" -Skip:( $EntraIDPlan -eq "Free" ) {
+    It "MS.AAD.1.1: Legacy authentication SHALL be blocked." {
+        Test-MtCisaBlockLegacyAuth | Should -Be $true -Because "an enabled policy for all users blocking legacy auth access shall exist."
+    }
+}

tests/CISA/Entra/Test-MtCisaNotifyHighRiskUsers.Tests.ps1

@@ -0,0 +1,9 @@
+BeforeDiscovery {
+    $EntraIDPlan = Get-MtLicenseInformation -Product EntraID
+}
+
+Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.2.2", "CISA", "Security", "All" -Skip:( $EntraIDPlan -ne "P2" ) {
+    It "MS.AAD.2.2: A notification SHOULD be sent to the administrator when high-risk users are detected." {
+        Test-MtCisaNotifyHighRisk | Should -Be $true -Because "an enabled is a recipient of risky user login notifications."
+    }
+}