Microsoft Partner 2025

Security & Compliance

Gap Analysis
CISA Baseline

Safeguarding your organization’s data, infrastructure, and users.

Microsoft 365 Defender

Microsoft 365 (M365) Defender is a cloud-based enterprise defense suite that coordinates prevention, detection, investigation, and response. This set of tools and features is used to detect many types of attacks.

This baseline focuses on the features of Defender for Office 365, but some settings are actually configured in the Microsoft Purview compliance portal. However, for simplicity, both the M365 Defender and Microsoft Purview compliance portal items are contained in this baseline.

Generally, use of Microsoft Defender is not required by the baselines of the core M365 products (Exchange Online, Teams, etc.). Should an agency elect to use Defender as their tool of choice, agencies should apply these baseline settings. Please note that some of the controls in the core baselines require the use of a dedicated security tool that provides comparable protection as Defender. In addition to applying these controls, agencies should consider using a cloud access security broker to secure their environments as they adopt zero trust principles.

The Cybersecurity and Infrastructure Security Agency (CISA) provides guidance and capabilities to secure federal civilian executive branch (FCEB) agencies’ cloud business application environments and protect federal information that is created, accessed, shared, and stored in those environments.

Assumptions

CISA has identified a set of user accounts that are considered sensitive accounts. See Key Terminology for a detailed description of sensitive accounts.

The License Requirements sections of this document assume the organization is using an M365 E3 license level at a minimum. Therefore, only licenses not included in E3 are listed.

Key Terminology

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119.

The following are key terms and descriptions used in this document.

Sensitive Accounts: This term denotes a set of user accounts that have access to sensitive and high-value information. As a result, these accounts may be at a higher risk of being targeted.

Security Solutions

1. Preset Security Profiles

Microsoft Defender defines three preset security profiles: built-in protection, standard, and strict. These preset policies are informed by Microsoft’s observations, and are designed to strike the balance between usability and security. They allow administrators to enable the full feature set of Defender by simply adding users to the policies rather than manually configuring each setting.

Within the standard and strict preset policies, users can be enrolled in Exchange Online Protection (EOP) and Defender for Office 365 protection. Additionally, preset policies support configuration of impersonation protection.

Policies

MS.DEFENDER.1.1v1 – The standard and strict preset security policies SHALL be enabled.

MS.DEFENDER.1.2v1 – All users SHALL be added to Exchange Online Protection (EOP) in either the standard or strict preset security policy.

  • Rationale: Important user protections are provided by EOP, including anti-spam, anti-malware, and anti-phishing protections. By using the preset policies, administrators can help ensure all new and existing users have secure defaults applied automatically.
  • Last modified: June 2023
  • Note:
    • The standard and strict preset security policies must be enabled as directed by MS.DEFENDER.1.1v1 for protections to be applied.
    • Specific user accounts, except for sensitive accounts, MAY be exempt from the preset policies, provided they are added to one or more custom policies offering comparable protection. These users might need flexibility not offered by the preset policies. Their accounts should be added to a custom policy conforming as closely as possible to the settings used by the preset policies. See the Resources section for more details on configuring policies.
  • MITRE ATT&CK TTP Mapping:

MS.DEFENDER.1.3v1 – All users SHALL be added to Defender for Office 365 protection in either the standard or strict preset security policy.

  • Rationale: Important user protections are provided by Defender for Office 365 protection, including safe attachments and safe links. By using the preset policies, administrators can help ensure all new and existing users have secure defaults applied automatically.
  • Last modified: June 2023
  • Note:
    • The standard and strict preset security policies must be enabled as directed by MS.DEFENDER.1.1v1 for protections to be applied.
    • Specific user accounts, except for sensitive accounts, MAY be exempt from the preset policies, provided they are added to one or more custom policies offering comparable protection. These users might need flexibility not offered by the preset policies. Their accounts should be added to a custom policy conforming as closely as possible to the settings used by the preset policies. See the Resources section for more details on configuring policies.
  • MITRE ATT&CK TTP Mapping:

MS.DEFENDER.1.4v1 – Sensitive accounts SHALL be added to Exchange Online Protection in the strict preset security policy.

  • Rationale: Unauthorized access to a sensitive account may result in greater harm than to a standard user account. Adding sensitive accounts to the strict preset security policy, with its increased protections, better mitigates their elevated risk from email threats.
  • Last modified: June 2023
  • Note: The strict preset security policy must be enabled to protect sensitive accounts.
  • MITRE ATT&CK TTP Mapping:

MS.DEFENDER.1.5v1 – Sensitive accounts SHALL be added to Defender for Office 365 protection in the strict preset security policy.

  • Rationale: Unauthorized access to a sensitive account may result in greater harm than to a standard user account. Adding sensitive accounts to the strict preset security policy, with its increased protections, better mitigates their elevated risk.
  • Last modified: June 2023
  • Note: The strict preset security policy must be enabled to protect sensitive accounts.
  • MITRE ATT&CK TTP Mapping:

Resources

License Requirements

  • Defender for Office 365 capabilities require Defender for Office 365 Plan 1 or 2. These are included with E5 and G5 and are available as add-ons for E3 and G3. However, third-party solutions can be used to meet this requirement. If a third-party solution is used, then Defender for Office 365 Plan 1 or 2, E5, or G5 licenses are not required for the respective policies.
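The following is an added example, not part of the CISA baseline, showing how the MS.DEFENDER.1.x controls can be checked from Exchange Online PowerShell after Connect-ExchangeOnline. It uses the Get-EOPProtectionPolicyRule and Get-ATPProtectionPolicyRule cmdlets; the sensitive-account UPNs are constructed, and it assumes a rule with no recipient conditions is the portal's "All recipients" scope.

```powershell
# Added example (not part of the CISA baseline); run in Exchange Online PowerShell after
# Connect-ExchangeOnline. $SensitiveAccounts stands in for the agency's own sensitive
# account list (the UPNs below are constructed).
$SensitiveAccounts = @('ciso@agency.example', 'cfo@agency.example')

# Preset policies surface as two rule families: EOP (anti-spam/malware/phishing) and
# ATP (Defender for Office 365 Safe Links/Attachments), each with a Standard and Strict rule.
$rules = [ordered]@{
    'EOP Standard' = Get-EOPProtectionPolicyRule -Identity 'Standard Preset Security Policy' -ErrorAction SilentlyContinue
    'EOP Strict'   = Get-EOPProtectionPolicyRule -Identity 'Strict Preset Security Policy'   -ErrorAction SilentlyContinue
    'ATP Standard' = Get-ATPProtectionPolicyRule -Identity 'Standard Preset Security Policy' -ErrorAction SilentlyContinue
    'ATP Strict'   = Get-ATPProtectionPolicyRule -Identity 'Strict Preset Security Policy'   -ErrorAction SilentlyContinue
}

# MS.DEFENDER.1.1v1: both presets must exist and be enabled for EOP and for Defender for Office 365.
foreach ($name in $rules.Keys) {
    $r = $rules[$name]
    if (-not $r)                { Write-Warning "$name preset rule is missing (preset never enabled)"; continue }
    if ($r.State -ne 'Enabled') { Write-Warning "$name preset rule is $($r.State)" }
}

# Does an enabled rule cover this recipient? Assumption: a rule with no SentTo / SentToMemberOf /
# RecipientDomainIs condition is the portal's "All recipients" choice. Group membership
# (SentToMemberOf) is not expanded here, so a group-scoped rule reports as not covering the user.
function Test-PresetRuleCoversUser {
    param($Rule, [string]$Upn)
    if (-not $Rule -or $Rule.State -ne 'Enabled') { return $false }
    if ($Rule.ExceptIfSentTo -contains $Upn)      { return $false }
    $domain   = $Upn.Split('@')[1]
    $unscoped = -not ($Rule.SentTo -or $Rule.SentToMemberOf -or $Rule.RecipientDomainIs)
    return $unscoped -or ($Rule.SentTo -contains $Upn) -or ($Rule.RecipientDomainIs -contains $domain)
}

# MS.DEFENDER.1.4v1 / 1.5v1: every sensitive account must be covered by the *strict* EOP and ATP rules.
# (1.2v1 / 1.3v1 would loop over Get-EXOMailbox -ResultSize Unlimited and accept Standard or Strict.)
foreach ($upn in $SensitiveAccounts) {
    foreach ($family in 'EOP', 'ATP') {
        if (-not (Test-PresetRuleCoversUser -Rule $rules["$family Strict"] -Upn $upn)) {
            Write-Warning "$upn is not in the strict $family preset policy"
        }
    }
}
```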

2. Impersonation Protection

Impersonation protection checks incoming emails to see whether the sender address is similar to the users or domains on an agency-defined list. If the sender address is similar enough to indicate an impersonation attempt, the email is quarantined.

Policies

MS.DEFENDER.2.1v1 – User impersonation protection SHOULD be enabled for sensitive accounts in both the standard and strict preset policies.

  • Rationale: User impersonation, especially of users with access to sensitive or high-value information and resources, has the potential to result in serious harm. Impersonation protection mitigates this risk. By configuring impersonation protection in both preset policies, administrators can help protect email recipients from impersonated emails, regardless of whether they are added to the standard or strict policy.
  • Last modified: June 2023
  • Note: The standard and strict preset security policies must be enabled to protect accounts.
  • MITRE ATT&CK TTP Mapping:

MS.DEFENDER.2.2v1 – Domain impersonation protection SHOULD be enabled for domains owned by the agency in both the standard and strict preset policies.

  • Rationale: Configuring domain impersonation protection for all agency domains reduces the risk of a user being deceived by a look-alike domain. By configuring impersonation protection in both preset policies, administrators can help protect email recipients from impersonated emails, regardless of whether they are added to the standard or strict policy.
  • Last modified: June 2023
  • Note: The standard and strict preset security policies must be enabled to protect agency domains.
  • MITRE ATT&CK TTP Mapping:

MS.DEFENDER.2.3v1 – Domain impersonation protection SHOULD be added for important partners in both the standard and strict preset policies.

  • Rationale: Configuring domain impersonation protection for domains owned by important partners reduces the risk of a user being deceived by a look-alike domain. By configuring impersonation protection in both preset policies, administrators can help protect email recipients from impersonated emails, regardless of whether they are added to the standard or strict policy.
  • Last modified: June 2023
  • Note: The standard and strict preset security policies must be enabled to protect partner domains.
  • MITRE ATT&CK TTP Mapping:

Resources

License Requirements

  • Impersonation protection and advanced phishing thresholds require Defender for Office 365 Plan 1 or 2. These are included with E5 and G5 and are available as add-ons for E3 and G3. As of April 25, 2023, anti-phishing for user and domain impersonation and spoof intelligence are not yet available in M365 Government Community Cloud (GCC High) and Department of Defense (DoD) environments. See Platform features | Microsoft Learn for current offerings.
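Added example, not part of the CISA baseline: configuring MS.DEFENDER.2.1v1 through 2.3v1 on both preset anti-phish policies with Set-AntiPhishPolicy after Connect-ExchangeOnline. It assumes the presets are already enabled (so their anti-phish policies exist with RecommendedPolicyType 'Standard' and 'Strict'); the user names and partner domains are constructed.

```powershell
# Added example (not part of the CISA baseline); run after Connect-ExchangeOnline.
# Assumes the Standard and Strict presets are already enabled, so their anti-phish policies
# exist with RecommendedPolicyType 'Standard' / 'Strict'. Names and domains are constructed.
$SensitiveUsers = @(            # 'DisplayName;UPN' is the format TargetedUsersToProtect expects
    'Jane Doe;jane.doe@agency.example',
    'John Roe;john.roe@agency.example'
)
$PartnerDomains = @('partner-one.example', 'partner-two.example')

foreach ($type in 'Standard', 'Strict') {
    $policy = Get-AntiPhishPolicy | Where-Object { $_.RecommendedPolicyType -eq $type }
    if (-not $policy) { Write-Warning "No $type preset anti-phish policy; enable the preset first (MS.DEFENDER.1.1v1)"; continue }

    $settings = @{
        Identity                            = $policy.Identity
        EnableTargetedUserProtection        = $true            # MS.DEFENDER.2.1v1: sensitive accounts
        TargetedUsersToProtect              = $SensitiveUsers
        EnableOrganizationDomainsProtection = $true            # MS.DEFENDER.2.2v1: every domain the tenant owns
        EnableTargetedDomainsProtection     = $true            # MS.DEFENDER.2.3v1: named partner domains
        TargetedDomainsToProtect            = $PartnerDomains
    }
    # Impersonation settings are the one part of a preset anti-phish policy an admin may change;
    # applying them to both presets keeps protection independent of which preset a user is in.
    Set-AntiPhishPolicy @settings
}

# Read back both presets to confirm the settings above are in effect.
Get-AntiPhishPolicy | Where-Object { $_.RecommendedPolicyType -in 'Standard', 'Strict' } |
    Format-List Name, RecommendedPolicyType, EnableTargetedUserProtection, TargetedUsersToProtect,
                EnableOrganizationDomainsProtection, EnableTargetedDomainsProtection, TargetedDomainsToProtect
```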

3. Safe Attachments

The Safe Attachments feature scans messages for attachments with malicious content. All messages with attachments not already flagged by anti-malware protections in EOP are downloaded to a Microsoft virtual environment for further analysis. Safe Attachments then uses machine learning and other analysis techniques to detect malicious intent. While Safe Attachments for Exchange Online is automatically configured in the preset policies, separate action is needed to enable it for other products.

Policies

MS.DEFENDER.3.1v1 – Safe attachments SHOULD be enabled for SharePoint, OneDrive, and Microsoft Teams.

Resources

License Requirements

  • Safe attachments require Defender for Office 365 Plan 1 or 2. These are included with E5 and G5 and are available as add-ons for E3 and G3.

4. Data Loss Prevention

There are several approaches to securing sensitive information, such as warning users, encryption, or blocking attempts to share. Agency policies for sensitive information, such as personally identifiable information (PII), should dictate how that information is handled and inform associated data loss prevention (DLP) policies. Defender can detect sensitive information and associate a default confidence level with each detection, based on the sensitive information type matched. Confidence levels are used to reduce false positives in detecting access to sensitive information. Agencies may choose to use the default confidence levels or adjust the levels in custom DLP policies to fit their environment and needs.

Policies

MS.DEFENDER.4.1v2 – A custom policy SHALL be configured to protect PII and sensitive information, as defined by the agency, blocking at a minimum: credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN).

MS.DEFENDER.4.2v1 – The custom policy SHOULD be applied to Exchange, OneDrive, SharePoint, Teams chat, and Devices.

MS.DEFENDER.4.3v1 – The action for the custom policy SHOULD be set to block sharing sensitive information with everyone.

MS.DEFENDER.4.4v1 – Notifications to inform users and help educate them on the proper use of sensitive information SHOULD be enabled in the custom policy.

  • Rationale: Some users may not be aware of agency policies on proper use of sensitive information. Enabling notifications provides positive feedback to users when accessing sensitive information.
  • Last modified: June 2023
  • Note: The custom policy referenced here is the same policy configured in MS.DEFENDER.4.1v2.
  • MITRE ATT&CK TTP Mapping:
    • None

MS.DEFENDER.4.5v1 – A list of apps that are restricted from accessing files protected by DLP policy SHOULD be defined.

  • Rationale: Some apps may inappropriately share accessed files or not conform to agency policies for access to sensitive information. Defining a list of those apps makes it possible to use DLP policies to restrict those apps’ access to sensitive information on endpoints using Defender.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

MS.DEFENDER.4.6v1 – The custom policy SHOULD include an action to block access to sensitive information by restricted apps and unwanted Bluetooth applications.

  • Rationale: Some apps may inappropriately share accessed files or not conform to agency policies for access to sensitive information. Defining a DLP policy with an action to block access from restricted apps and unwanted Bluetooth applications prevents unauthorized disclosure by those programs.
  • Last modified: June 2023
  • Note:
    • The custom policy referenced here is the same policy configured in MS.DEFENDER.4.1v2.
    • This action can only be included if at least one device is onboarded to the agency tenant. Otherwise, the option to block restricted apps will not be available.
  • MITRE ATT&CK TTP Mapping:
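Added example, not part of the CISA baseline: one custom DLP policy and rule that together satisfy MS.DEFENDER.4.1v2 through 4.4v1 and 4.6v1, created in Security & Compliance PowerShell (Connect-IPPSSession). The policy and rule names, policy-tip text and the 85% minimum confidence are constructed choices; the three sensitive information type names are Microsoft's built-in SITs, and the endpoint restriction setting names should be confirmed against the installed module's New-DlpComplianceRule documentation.

```powershell
# Added example (not part of the CISA baseline); run after Connect-IPPSSession.
# Names, policy-tip text and the 85% minimum confidence are constructed choices.
$PolicyName = 'Agency PII Baseline (MS.DEFENDER.4.1v2)'

# MS.DEFENDER.4.2v1: scope to Exchange, OneDrive, SharePoint, Teams chat and Devices.
# (EndpointDlpLocation only takes effect once devices are onboarded to the tenant.)
New-DlpCompliancePolicy -Name $PolicyName -Mode Enable `
    -ExchangeLocation All -OneDriveLocation All -SharePointLocation All `
    -TeamsLocation All -EndpointDlpLocation All

# MS.DEFENDER.4.1v2 minimum SITs. minConfidence lets the agency tune false positives;
# omit it to accept the type's default confidence level.
$Sits = @(
    @{ Name = 'Credit Card Number';                                    minCount = '1'; minConfidence = '85' },
    @{ Name = 'U.S. Individual Taxpayer Identification Number (ITIN)'; minCount = '1'; minConfidence = '85' },
    @{ Name = 'U.S. Social Security Number (SSN)';                     minCount = '1'; minConfidence = '85' }
)

$Rule = @{
    Name                                = "$PolicyName - block and notify"
    Policy                              = $PolicyName
    ContentContainsSensitiveInformation = $Sits
    # MS.DEFENDER.4.3v1: block sharing with everyone, not only external or anonymous recipients.
    BlockAccess                         = $true
    BlockAccessScope                    = 'All'
    # MS.DEFENDER.4.4v1: policy tips so the user learns why the share was blocked.
    NotifyUser                          = @('LastModifier', 'Owner')
    NotifyPolicyTipCustomText           = 'This content contains PII; sharing it is blocked by agency policy.'
    # MS.DEFENDER.4.6v1: endpoint actions against restricted and unwanted Bluetooth apps.
    # The restricted-app list itself (MS.DEFENDER.4.5v1) is defined in Purview's Endpoint DLP
    # settings, not in the rule. Setting names are an assumption to verify against the module docs.
    EndpointDlpRestrictions             = @(
        @{ Setting = 'UnallowedApps';          Value = 'Block' },
        @{ Setting = 'UnallowedBluetoothApps'; Value = 'Block' }
    )
}
New-DlpComplianceRule @Rule

# Verify what was created.
Get-DlpComplianceRule -Policy $PolicyName |
    Format-List Name, BlockAccess, BlockAccessScope, NotifyUser, EndpointDlpRestrictions
```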

Resources

License Requirements

5. Alerts

There are several pre-built alert policies available pertaining to various apps in the M365 suite. These alerts give administrators better real-time insight into possible security incidents. Guidance on specific alerts to configure can be found in the linked section of the CISA M365 Secure Configuration Baseline for Exchange Online.

Policies

MS.DEFENDER.5.1v1 – At a minimum, the alerts required by the CISA M365 Secure Configuration Baseline for Exchange Online SHALL be enabled.

  • Rationale: Potentially malicious or service-impacting events may go undetected without a means of surfacing them. Setting up a mechanism to alert administrators to the list of events linked above draws attention to them and minimizes any impact to users and the agency.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

MS.DEFENDER.5.2v1 – The alerts SHOULD be sent to a monitored address or incorporated into a Security Information and Event Management (SIEM).

  • Rationale: Suspicious or malicious events, if not resolved promptly, may have a greater impact on users and the agency. Sending alerts to a monitored email address or SIEM system helps ensure events are acted upon in a timely manner to limit overall impact.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

Resources

License Requirements

  • N/A

6. Audit Logging

User activity from M365 services is captured in the organization’s unified audit log. These logs are essential for conducting incident response and threat detection activity.

By default, Microsoft retains the audit logs for 180 days. Activity by users with E5 licenses is logged for one year.

However, in accordance with Office of Management and Budget (OMB) Memorandum 21-31, Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents, M365 audit logs are to be retained for at least 12 months in active storage and an additional 18 months in cold storage. This can be accomplished either by offloading the logs out of the cloud environment or natively through Microsoft by creating an audit log retention policy.

OMB M-21-31 requires Advanced Audit features to be configured in M365. Advanced Audit, now Microsoft Purview Audit (Premium), adds additional event types to the Unified Audit Log.

Policies

MS.DEFENDER.6.1v1 – Unified Audit logging SHALL be enabled.

  • Rationale: Responding to incidents without detailed information about activities that took place slows response actions. Enabling Unified Audit logging helps ensure agencies have visibility into user actions. Furthermore, enabling the Unified Audit log is required for government agencies by OMB M-21-31.
  • Last modified: March 2025
  • MITRE ATT&CK TTP Mapping:

MS.DEFENDER.6.3v1 – Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31.

  • Rationale: Audit logs may no longer be available when needed if they are not retained for a sufficient time. Increased log retention time gives an agency the necessary visibility to investigate incidents that occurred some time ago.
  • Last modified: June 2023
  • Note: Purview Audit (Premium) provides a default audit log retention policy, retaining Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Entra ID audit records for one year. Additional record types require custom audit retention policies. Agencies may also consider alternate storage locations and services to meet audit log retention needs.
  • MITRE ATT&CK TTP Mapping:

Resources

License Requirements

  • Microsoft Purview Audit (Premium) logging capabilities, including the creation of a custom audit log retention policy, require E5/G5 licenses or E3/G3 licenses with add-on compliance licenses.

  • Additionally, maintaining logs in the M365 environment for longer than one year requires an add-on license. For more information, see Manage audit log retention policies | Microsoft Learn. However, this requirement can also be met by exporting the logs from M365 and storing them with your solution of choice, in which case audit log retention policies are not necessary.
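Added example, not part of the CISA baseline: checking MS.DEFENDER.6.1v1 and putting the MS.DEFENDER.6.3v1 retention pieces in place. It assumes both Connect-ExchangeOnline (for Get-AdminAuditLogConfig) and Connect-IPPSSession (for the retention cmdlets) have been run, Purview Audit (Premium) licensing is present for the custom policy, and the policy name, record types and export path are constructed choices.

```powershell
# Added example (not part of the CISA baseline). Assumes Connect-ExchangeOnline and
# Connect-IPPSSession have both been run; names, record types and paths are constructed.

# MS.DEFENDER.6.1v1: confirm unified audit log ingestion is on; enable it if not.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# MS.DEFENDER.6.3v1: M-21-31 requires 12 months in active storage. The Purview Audit (Premium)
# default policy already keeps Exchange, SharePoint, OneDrive and Entra ID records for a year;
# other record types need a custom policy such as this one (RecordTypes are AuditLogRecordType
# names; the set below is a constructed example, not a complete list).
$policyName = 'Agency 12-month audit retention (MS.DEFENDER.6.3v1)'
if (-not (Get-UnifiedAuditLogRetentionPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-UnifiedAuditLogRetentionPolicy -Name $policyName `
        -Description 'Retain additional workloads for 12 months per OMB M-21-31' `
        -RecordTypes MicrosoftTeams, PowerBIAudit, MicrosoftFlow, PowerAppsApp `
        -RetentionDuration TwelveMonths `
        -Priority 100
}

# Review every retention policy (lower Priority wins) so no workload falls below 12 months.
Get-UnifiedAuditLogRetentionPolicy |
    Select-Object Name, RecordTypes, RetentionDuration, Priority |
    Sort-Object Priority

# The further 18 months of cold storage is met by exporting out of M365. A daily export of the
# previous day's records is one pattern; Search-UnifiedAuditLog returns at most 5000 rows per
# call, so a production job pages with -SessionId / -SessionCommand ReturnLargeSet.
$yesterday = (Get-Date).AddDays(-1).Date
Search-UnifiedAuditLog -StartDate $yesterday -EndDate (Get-Date).Date -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations, RecordType, AuditData |
    Export-Csv -Path ("audit-{0:yyyyMMdd}.csv" -f $yesterday) -NoTypeInformation
```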

Our Expertise

Why Choose Crimson Line?

By partnering with Crimson Line, you gain access to a team of experts who are committed to enhancing your business’s productivity and security.

  • Innovation: We stay ahead of the curve by embracing AI-driven tools like Copilot.
  • Expertise: Our experienced team architects and manages cloud-native solutions.
  • Cost-Effective: Enjoy the benefits of PaaS with minimal risk.
  • Flexibility: We tailor solutions to meet your unique needs.

Get Started

Create a Customized Security Strategy

At Crimson Line, security is not just a product—it’s our commitment to your peace of mind.