Skip to content

Security Suite Group 7#2240

Open
atuomit wants to merge 19 commits into
mainfrom
2108-implement-security-suite-group-7
Open

Security Suite Group 7#2240
atuomit wants to merge 19 commits into
mainfrom
2108-implement-security-suite-group-7

Conversation

@atuomit

@atuomit atuomit commented Jun 23, 2026

Copy link
Copy Markdown
Collaborator

🗣 Description

Implemented Security Suite Group 7

💭 Motivation and context

Closes #2108

🧪 Testing

Test Preset Policies

Go to Microsoft Defender admin page
Under Email & Collaboration > Policies & Rules > Threat Policies > Safe Links
Ensure that all custom policies are disabled except for Built-in protection, which cannot be disabled)
Under Email & Collaboration > Policies & Rules > Threat Policies > Preset Security Policies
Turn both the standard and strict policies off - expect WARNING for 7.1 and PASS for 7.2 and 7.3

Enable the standard preset policy
Click "Manage protection settings" and modify the settings so that Exchange Online Protection is applied to "None" (Defender for Office 365 protection needs to be applied to all recipients or specific recipients, otherwise the policy will automatically turn off) - expect WARNING for 7.1 and PASS for 7.2 and 7.3

Click "Manage protection settings" and modify the settings so that Exchange Online Protection is applied to "Specific recipients" and specify a user, group or domain. - expect WARNING for 7.1 and PASS for 7.2 and 7.3

Click "Manage protection settings" and modify the settings so that Exchange Online Protection is applied to "All recipients" - expect PASS for 7.1, 7.2 and 7.3

Repeat steps for strict preset policy

Test Custom Policy

Ensure standard and strict preset policies are disabled the following testing.

Go to Microsoft Defender admin page
Under Email & Collaboration > Policies & Rules > Threat Policies > Safe Links
Either modify an existing custom policy or create a new one.
Ensure custom policy has a priority of 0 (or has the lowest priority out of all the policies that are enabled).
Click "Edit users and domains" and ensure that all fields are empty.

Modify the policy cumulatively:

  • Under Email, only "On: Safe Links checks a list of known, malicious links when users click links in email. URLs are rewritten by default." is enabled - expect WARNING for 7.1, 7.2 and 7.3
  • Under Teams, additionally enable "On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams. URLs are not rewritten." - expect WARNING for 7.1, 7.2 and 7.3
  • Under Office 365 Apps, additionally enable "On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps. URLs are not rewritten." - expect WARNING for 7.1, 7.2 and 7.3
  • Under Email, additionally enable "Apply Safe Links to email messages sent within the organization" - expect PASS for 7.1 and WARNING for 7.2 and 7.3
  • Under Email, additionally enable "Apply real-time URL scanning for suspicious links and links that point to files" - expect PASS for 7.1 and WARNING for 7.2 and 7.3
  • Under Email, additionally enable "Wait for URL scanning to complete before delivering the message" - expect PASS for 7.1 and 7.1 and WARNING for 7.3
  • Additionally enable "Track user clicks" - expect PASS for 7.1, 7.2 and 7.3

Add another custom policy that is not compliant (all of the settings above is disabled) and modify it so that the second custom policy has a lower priority number than the first custom policy - expect WARNING for 7.1, 7.2 and 7.3

Switch the first custom policy priority back to 0, click "Edit users and domains" and specify a user, group or domain - expect WARNING for 7.1, 7.2 and 7.3

Repeat on all tenants in interactive and non-interactive modes.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • PR targets the correct parent branch (e.g., main or release-name) for merge.
  • Changes are limited to a single goal - eschew scope creep!
  • Changes are sized such that they do not touch excessive number of files.
  • All future TODOs are captured in issues, which are referenced in code comments.
  • These code changes follow the ScubaGear content style guide.
  • Related issues these changes resolve are linked preferably via closing keywords.
  • All relevant type-of-change labels added.
  • All relevant project fields are set.
  • All relevant repo and/or project documentation updated to reflect these changes.
  • Unit tests added/updated to cover PowerShell and Rego changes.
  • Functional tests added/updated to cover PowerShell and Rego changes.
  • All automated checks (e.g., linting, static analysis, unit/smoke tests) passed.

✅ Pre-merge checklist

  • PR passed smoke test check.

  • PR/feature branch passes functional tests for relevant products, if applicable.

  • Feature branch has been rebased against changes from parent branch, as needed.

    Use Update branch button below or use this reference to rebase from the command line.

  • Resolved all merge conflicts on branch.

  • Squash all commits into one PR level commit using the Squash and merge button.

✅ Post-merge checklist

  • Feature branch deleted after merge to clean up repository.
  • Close issues resolved by this PR if the closing keywords did not activate.
  • Verified that all checks pass on parent branch (e.g., main or release-name) after merge.

@atuomit atuomit added this to the Qwilfish milestone Jun 23, 2026
@atuomit atuomit self-assigned this Jun 23, 2026
@atuomit atuomit added the enhancement This issue or pull request will add new or improve existing functionality label Jun 23, 2026
@atuomit atuomit linked an issue Jun 23, 2026 that may be closed by this pull request
1 task
@FollyBeachGurl

Copy link
Copy Markdown
Collaborator

@JosephRWalter I added you as a reviewer. Thank you

@RM-MITRE RM-MITRE left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Testing for SP7

GCC - PASSED

  1. When disabling both policies, we receive the expected warning for 7.1-7.3. With service principals, a strange warning was thrown, but functional outside of that (*).
  2. (Standard) When modifying Exchange Online Protection, we receive the expected warning for 7.1-7.3 for the none and specific recipients settings. We receive a pass on the "all" setting.
  3. (Strict) When modifying Exchange Online Protection, we receive the expected warning for 7.1-7.3 for the none and specific recipients settings. We receive a pass on the "all" setting.
  4. (Custom)
    For the "Under Email" tests, the warning is received as expected. Although if "URL Scanning" is enabled under it with the other settings (just this setting group), it passes 7.2 prematurely. Unsure if this is intended (*).
    For the "Under Teams" tests, the warning is received as expected.
    For the "Under Office 365" tests, the warning is received as expected.
    For the "Under Email" tests, the 7.1 pass is received as expected, warnings are received as expected.
    For the "Under Email" tests, the 7.1 pass is received as expected, warnings are received as expected.
    For the "Under Email" tests, the 7.1/2 pass is received as expected, warnings are received as expected for 7.3.
    For the "Track user clicks" tests, the 7.1-7.3 pass is received for all.
    For the priority and user modification tests, all warnings received as expected.

GCCHIGH - PASSED

  1. When disabling both policies, we receive the expected warning for 7.1-7.3.
  2. (Standard) When modifying Exchange Online Protection, we receive the expected warning for 7.1-7.3 for the none and specific recipients settings. We receive a pass on the "all" setting.
  3. (Strict) When modifying Exchange Online Protection, we receive the expected warning for 7.1-7.3 for the none and specific recipients settings. We receive a pass on the "all" setting.
  4. (Custom)
    For the "Under Email" tests, the warning is received as expected.
    For the "Under Teams" tests, the warning is received as expected.
    For the "Under Office 365" tests, the warning is received as expected.
    For the "Under Email" tests, the 7.1 pass is received as expected, warnings are received as expected.
    For the "Under Email" tests, the 7.1 pass is received as expected, warnings are received as expected.
    For the "Under Email" tests, the 7.1/2 pass is received as expected, warnings are received as expected for 7.3.
    For the "Track user clicks" tests, the 7.1-7.3 pass is received for all.
    For the priority and user modification tests, all warnings received as expected.

E5 - PASSED w/ Caveats

  1. When disabling both policies, we receive the expected warning for 7.1-7.3.
  2. (Standard) When modifying Exchange Online Protection, we receive the expected warning for 7.1-7.3 for the none and specific recipients settings. We receive a pass on the "all" setting.
  3. (Strict) When modifying Exchange Online Protection, we receive the expected warning for 7.1-7.3 for the none and specific recipients settings. We receive a pass on the "all" setting.
  4. (Custom)
    For the "Under Email" tests, the warning is received as expected.
    For the "Under Teams" tests, the warning is received as expected.
    For the "Under Office 365" tests, the warning is received as expected.
    For the "Under Email" tests, the 7.1 pass is received as expected, warnings are received as expected.
    FAILED - For the "Under Email" tests, the 7.1 pass is received as expected, warnings are received as expected after the initial failings.
    (*This test and the next two initially failed until I waited a bit. It returned all passes, even though clicks was disabled. Something funky was happening here behind the scenes tied to the "security" popup, where it also reenabled standard/strict. Noticed it triggering after "real time URL".)
    - PASSED when running another day after troubleshooting the GUI, so this is not a code issue.
    FAILED - For the "Under Email" tests, the 7.1/2 pass is received as expected, warnings are received as expected for 7.3 after the initial failings.
    - PASSED when running another day after troubleshooting the GUI, so this is not a code issue.
    FAILED - For the "Track user clicks" tests, the 7.1-7.3 pass is received for all after the initial failings.
    - PASSED when running another day after troubleshooting the GUI, so this is not a code issue.
    For the priority and user modification tests, all warnings received as expected.

G3 - PASSED w/ Caveats

  1. When disabling both policies, we receive the expected warning for 7.1-7.3.
  2. NOTABLE - (Standard) When modifying Exchange Online Protection, we receive the expected warning for 7.1-7.3 for the none and specific recipients settings. We receive a pass on the "all" setting.
    (*Turning on "all" for standard enables strict as well for some reason, randomly even, which when disabled causes it to sometimes fail. Same goes for when testing strict alone, it enables standard (although not as much).)
  3. (Strict) When modifying Exchange Online Protection, we receive the expected warning for 7.1-7.3 for the none and specific recipients settings. We receive a pass on the "all" setting.
  4. (Custom)
    For the "Under Email" tests, the warning is received as expected.
    For the "Under Teams" tests, the warning is received as expected.
    For the "Under Office 365" tests, the warning is received as expected.
    For the "Under Email" tests, the 7.1 pass is received as expected, warnings are received as expected.
    For the "Under Email" tests, the 7.1 pass is received as expected, warnings are received as expected.
    (*The security popup led to testing issues again at this stage.)
    FAILED - For the "Under Email" tests, the 7.1/2 pass is received as expected, warnings are received as expected for 7.3 after the initial failings.
    - PASSED when running another day after troubleshooting the GUI, so this is not a code issue.
    FAILED - For the "Track user clicks" tests, the 7.1-7.3 pass is received for all after the initial failings.
    - PASSED when running another day after troubleshooting the GUI, so this is not a code issue.
    FAILED - For the priority and user modification tests, all warnings received as expected after the initial failings.
    (*This was absolutely not working at all on G3 at first. It kept resetting the presets.)
    - PASSED when running another day after troubleshooting the GUI, so this is not a code issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement This issue or pull request will add new or improve existing functionality

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Implement checks for MS.SECURITYSUITE policy group 7

3 participants