Releases: silverhack/monkey365
Monkey365 v0.94.5-beta
What's Changed
- Some strongly typed objects were created to store internal data
- A number of collectors for Azure were completely rewritten to add runspace support
The following rules from Microsoft 365 were automated:
SharePoint Online
7.2.1 Ensure modern authentication for SharePoint applications is required
7.2.2 Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
7.2.3 Ensure external content sharing is restricted
7.2.4 Ensure OneDrive content sharing is restricted
7.2.5 Ensure that SharePoint guest users cannot share items they don't own
7.2.6 Ensure SharePoint external sharing is managed through domain whitelist/blacklists
7.2.7 Ensure link sharing is restricted in SharePoint and OneDrive
7.2.8 Ensure external sharing is restricted by security group
7.2.9 Ensure guest access to a site or OneDrive will expire automatically
7.2.10 Ensure reauthentication with verification code is restricted
7.3.1 Ensure Office 365 SharePoint infected files are disallowed for download
7.3.2 Ensure OneDrive sync is restricted for unmanaged devices
7.3.4 Ensure custom script execution is restricted on site collections
Microsoft Teams
8.1.1 Ensure external file sharing in Teams is enabled for only approved cloud storage services
8.1.2 Ensure users can't send emails to a channel email address
8.2.1 Ensure 'external access' is restricted in the Teams admin center
8.4.1 Ensure app permission policies are configured
8.5.1 Ensure anonymous users can't join a meeting
8.5.2 Ensure anonymous users and dial-in callers can't start a meeting
8.5.3 Ensure only people in my org can bypass the lobby
8.5.4 Ensure users dialing in can't bypass the lobby
8.5.5 Ensure meeting chat does not allow anonymous users
8.5.6 Ensure only organizers and co-organizers can present
8.5.7 Ensure external participants can't give or request control
The following rules from Azure were automated:
Azure Key Vault
3.3.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
3.3.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
3.3.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
3.3.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
3.3.5 Ensure the Key Vault is Recoverable
3.3.6 Enable Role Based Access Control for Azure Key Vault
3.3.7 Ensure that Private Endpoints are Used for Azure Key Vault
3.3.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
Storage Accounts
4.1 Ensure that 'Secure transfer required' is set to 'Enabled'
4.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'
4.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
4.4 Ensure that Storage Account Access Keys are Periodically Regenerated
4.6 Ensure that 'Public Network Access' is 'Disabled' for storage accounts
4.7 Ensure Default Network Access Rule for Storage Accounts is Set to Deny
4.8 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
4.9 Ensure Private Endpoints are used to access Storage Accounts
4.10 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
4.11 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK)
4.12 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
4.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
4.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
4.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
4.16 Ensure 'Cross Tenant Replication' is not enabled
4.17 Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'
Azure SQL Database
5.1.1 Ensure that 'Auditing' is set to 'On' (Automated)
5.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) (Automated)
5.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
5.1.4 Ensure that Microsoft Entra authentication is Configured for SQL Servers
5.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database
5.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days'
5.1.7 Ensure Public Network Access is Disabled
Azure Database for PostgreSQL
5.2.1 Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server
5.2.2 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible server
5.2.3 Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible server
5.2.4 Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible server
5.2.5 Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled
5.2.6 [LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server
5.2.7 [LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server
5.2.8 [LEGACY] Ensure 'Infrastructure double encryption' for PostgreSQL single server is 'Enabled'
Monitoring
6.1.4 Ensure that logging for Azure Key Vault is 'Enabled'
Virtual Machines
8.2 Ensure Virtual Machines are utilizing Managed Disks
8.3 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
8.4 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
8.5 Ensure that 'Disk Network Access' is NOT set to 'Enable public access from all networks'
8.6 Ensure that 'Enable Data Access Authentication Mode' is 'Checked'
8.8 Ensure that Endpoint Protection for all Virtual Machines is installed
8.9 [Legacy] Ensure that VHDs are Encrypted
8.11 Ensure Trusted Launch is enabled on Virtual Machines
App Service
9.1 Ensure 'HTTPS Only' is set to On
9.2 Ensure App Service Authentication is set up for apps in Azure App Service
9.3 Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled'
9.4 Ensure Web App is using the latest version of TLS encryption
9.5 Ensure that Register with Entra ID is enabled on App Service
9.6 Ensure that 'Basic Authentication' is 'Disabled'
9.7 Ensure that 'PHP version' is currently supported (if in use)
9.8 Ensure that 'Python version' is currently supported (if in use)
9.9 Ensure that 'Java version' is currently supported (if in use)
9.10 Ensure that 'HTTP20enabled' is set to 'true' (if in use)
9.12 Ensure that 'Remote debugging' is set to 'Off'
Upcoming breaking changes
- Update to latest CIS Benchmarks #122
- Redesign HTML output #114
- Move all rules and rulesets to its own repo #133
Full Changelog: v0.93-beta...v0.94.5-beta
Monkey365 v0.94-beta
What's Changed
- The following rulesets were removed from the codebase:
  - CIS for Microsoft 365 1.4
  - CIS for Microsoft 365 1.5
  - CIS for Azure 1.4
  - CIS for Azure 1.5
  - CIS for Azure 2.0
- Improved documentation and examples (https://silverhack.github.io/monkey365/)
What's New
- All CIS recommendations/controls were included:
  - 151 rules were added for Azure
  - 97 rules were added for Entra ID
  - 126 rules were added for Microsoft 365 services
- Support for both Azure and Microsoft 365 CIS benchmark v3.0
Fixes
- Purview Scan Error #130
- `Get-MonkeyCompliance` is not recognized as a name of a cmdlet, function, script file #128
- CIS benchmark output has missing checks #131
Upcoming breaking changes
- Update to latest CIS Benchmarks #122
- Redesign HTML output #114
- Move all rules and rulesets to its own repo #133
Full Changelog: v0.91.3-beta...v0.94-beta
Monkey365 v0.93-beta
Breaking Changes
- The `Analysis` flag was renamed to `Collect` #123
- Duplicate functions were removed from core #113
- To follow best practices, internal warnings from PSScriptAnalyzer were fixed #113
New features
- The `-ListCollector` flag lists the available collectors for both Azure and Microsoft 365. Try it with the following examples:

```powershell
Invoke-Monkey365 -ListCollector
```

To filter for specific services:

```powershell
Invoke-Monkey365 -Instance Azure -Collect Databases,KeyVault,VirtualMachines,StorageAccounts -ListCollector
```
Azure
- CIS Benchmark for Azure 3.0 is included. #122
Microsoft 365
- CIS Benchmark for Microsoft 365 3.0 is included. #122
Full Changelog: v0.92-alpha...v0.93-beta
Monkey365 v0.92-alpha
What's Changed
- The JSON output was replaced with OCSF v1.1.0 JSON #76
- The CLIXML output was updated to OCSF v1.1.0 #76
- The CSV option was updated and now exports pass/fail compliance results to a CSV file #76
- The PRINT option is no longer supported and was removed
JSON example format
```json
{
  "metadata": {
    "eventCode": "aad_sbd_enabled",
    "product": {
      "name": "Monkey365",
      "vendorName": "Monkey365",
      "version": "0.98"
    },
    "version": "1.1.0"
  },
  "severityId": 0,
  "severity": "Unknown",
  "status": "New",
  "statusCode": "pass",
  "statusDetail": null,
  "statusId": 1,
  "unmapped": {
    "provider": "EntraID",
    "pluginId": "aad0024",
    "apiType": "EntraIDPortal",
    "resource": "EntraIDPortal"
  },
  "activityName": "Create",
  "activityId": 1,
  "findingInfo": {
    "createdTime": "2024-08-21T11:47:48Z",
    "description": "Security defaults in Microsoft Entra ID (Azure Active Directory) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks.Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. The use of security defaults however will prohibit custom settings which are being set with more advanced settings.",
    "productId": "Monkey365",
    "title": "Ensure Security Defaults is disabled on Microsoft Entra ID",
    "id": "Monkey365-aad-sbd-enabled-a4807c0361194a9a9da91e02458bd3ff-zxuQ2OfB3Ag"
  },
  "resources": {
    "cloudPartition": "6",
    "region": null,
    "data": null,
    "group": {
      "name": "General"
    },
    "labels": null,
    "name": null,
    "type": null,
    "id": null
  },
  "categoryName": "Findings",
  "categoryId": 2,
  "className": "Detection",
  "classId": 2004,
  "cloud": {
    "account": {
      "name": "Contoso",
      "type": "AzureADAccount",
      "typeId": "6",
      "id": "a4807c03-6119-4a9a-9da9-1e02458bd3ff"
    },
    "organization": {
      "name": "Contoso",
      "id": "a4807c03-6119-4a9a-9da9-1e02458bd3ff"
    },
    "provider": "Microsoft365",
    "region": "global"
  },
  "time": "2024-08-21T11:47:48Z",
  "remediation": {
    "description": "From Azure Console1. Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator.2. Browse to Microsoft Entra ID Properties.3. Select Manage security defaults.4. Set the Enable security defaults toggle to No.5. Select Save.",
    "references": [
      "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions",
      "http://www.rebeladmin.com/2019/04/step-step-guide-restrict-azure-ad-administration-portal/",
      "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults",
      "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414"
    ]
  },
  "typeId": 200401,
  "typeName": "Create"
}
```
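As an added example (not Monkey365's own code), the following PowerShell consumes the OCSF output format above and reports only the failed checks, optionally filtered by provider. Property names are taken from the sample finding on this page; it assumes the export is an array of such findings and that a failing check carries `statusCode` "fail", and the two findings it parses are constructed for the demonstration.

```powershell
# Added example, not part of Monkey365: summarise failed checks from the
# OCSF v1.1.0 JSON output shown above. Property names follow the sample
# finding on this page; two things are assumed: the export is an array of
# such findings, and a failing check carries statusCode "fail".

# Constructed sample with two findings (one pass, one fail).
$SampleJson = @'
[
  {
    "metadata":    { "eventCode": "aad_sbd_enabled", "version": "1.1.0" },
    "severity":    "Unknown",
    "statusCode":  "pass",
    "unmapped":    { "provider": "EntraID", "pluginId": "aad0024" },
    "findingInfo": { "title": "Ensure Security Defaults is disabled on Microsoft Entra ID" },
    "remediation": { "references": [] }
  },
  {
    "metadata":    { "eventCode": "example_secure_transfer", "version": "1.1.0" },
    "severity":    "High",
    "statusCode":  "fail",
    "unmapped":    { "provider": "Azure", "pluginId": "example0001" },
    "findingInfo": { "title": "Ensure that 'Secure transfer required' is set to 'Enabled'" },
    "remediation": { "references": [ "https://example.invalid/secure-transfer" ] }
  }
]
'@

function Get-Monkey365FailedFinding {
    <# Returns one summary object per failed finding, optionally limited to
       the given providers (values of unmapped.provider, e.g. Azure, EntraID). #>
    param(
        [Parameter(Mandatory)][string]$Json,
        [string[]]$Provider
    )
    foreach ($finding in ($Json | ConvertFrom-Json)) {
        if ($finding.statusCode -ne 'fail') { continue }
        if ($Provider -and $finding.unmapped.provider -notin $Provider) { continue }
        [pscustomobject]@{
            Provider   = $finding.unmapped.provider
            PluginId   = $finding.unmapped.pluginId
            EventCode  = $finding.metadata.eventCode
            Severity   = $finding.severity
            Title      = $finding.findingInfo.title
            References = $finding.remediation.references -join ' '
        }
    }
}

# Only the Azure finding is reported; the EntraID one passed.
Get-Monkey365FailedFinding -Json $SampleJson -Provider Azure | Format-Table -AutoSize
```

To run it against a real export, replace `$SampleJson` with `Get-Content -Raw` of the JSON file Monkey365 wrote.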
Full Changelog: v0.91.3-beta...v0.92-alpha
Monkey365 v0.91.4-beta
What's Changed
- Multiple strongly typed objects were created to store internal data
- Internal module monkeymsalauthassistant was removed as it's not necessary anymore
- Support for Excel was removed
Fixes
- SharePoint Online connecting error was fixed in #107
Upcoming breaking changes
- The JSON output will be replaced with OCSF v1.1.0 JSON
- The CSV RAW output will be standardised and a new format will replace the raw output. More information in #76
- The CLIXML and PRINT options will be removed soon
Full Changelog: v0.91.3-beta...v0.91.4-beta
Monkey365 v0.91.3-beta
What's Changed
- Minor update in the ruleset engine. A metadata object with information about collector name, API type, etc. was added to every single rule
- Internal functions for SharePoint Online were completely rewritten to add pipeline support
- Monkey365 is now using strongly typed objects to store internal data
- A number of Azure and Microsoft 365 rules were updated
What's New
- New rules for Azure and Microsoft 365 were included
- Support for both Azure and Microsoft 365 CIS benchmark v2.0
Fixes
- Import-Module error was fixed in #87
- Unified AuditLog collector was routed to correct Endpoint in #89
- Fix for duplicate entries in Analysis in #93
- Fix exception when Analysis and IncludeEntraId parameters are not provided in #98
Upcoming breaking changes
- The JSON output will be replaced with OCSF v1.1.0 JSON
- The CSV RAW output will be standardised and a new format will replace the raw output. More information in #76
- The Excel and CLIXML options will be removed soon
Full Changelog: v0.91.2-beta...v0.91.3-beta
Monkey365 v0.91.2-beta
Important changes
- Monkeyruleset PowerShell module was completely rewritten to add support for complex queries
- Major update in the plugin engine. It is now possible to exclude plugins from execution
- Plugins were renamed to Collectors
- Properties within JSON rules and rulesets were renamed and rule logic was completely rewritten. If you have your own set of rules, they should be adapted. Please check the documentation here
- Microsoft MSAL (Microsoft Authentication library) binaries were updated to latest compatible version
- Internal MSAL PowerShell module was completely rewritten #77
- Azure AD was renamed to Microsoft Entra ID (I really hate that xP)
- Now you can compress all output data with the -Compress flag. Please check the documentation here
What's Changed
- Security & Compliance RPS modules were migrated to REST-based module in #59
- Fix authentication logic when an invalid TenantId is passed in #72 and #70
- Fix authentication logic in Exchange Online under GCCHigh environments in #75
- Fix JSON attributes in #69
- Updated RBAC roles in #68
- BinaryFormatter was removed in #79
- Fix for multiple 404 errors when querying for Azure Diagnostic Settings in #73
- Fix typo errors
- Improved documentation and examples (https://silverhack.github.io/monkey365/)
Full Changelog: v0.91.1-beta...v0.91.2-beta
Monkey365 v0.91.1-beta
What's Changed
- Fix import issue when a folder contains a special name
- Fix typo errors
Special thanks
Special thanks to nickchristie who discovered this issue.
Full Changelog: v0.91-beta...v0.91.1-beta
Monkey365 v0.91-beta
What's Changed
- Support for both Azure and Microsoft 365 CIS benchmark v1.5.0
- Migrated from old Azure AD graph api to Microsoft Graph
- Migrated from Security & Compliance RPS to Rest API
- Improved documentation and examples (https://silverhack.github.io/monkey365/)
- Major update in the web request module
- Fix authentication issues with DeviceCode
- Fix authentication issue with SharePoint Online
- Fix typo errors
Full Changelog: v0.85-beta...v0.91-beta
Monkey365 0.85-beta
What's Changed
- Migrated from old Azure AD graph api to Microsoft Graph
- Migrated from Exchange Online RPS to Rest API
- PowerShell background job module was completely rewritten
- Improved documentation and examples (https://silverhack.github.io/monkey365/)
- Major update in the plugin engine. It is now possible to exclude plugins from execution
- The IncludedAzureActiveDirectory parameter was renamed to IncludeAzureAD
- Renamed Office365 to Microsoft365
- Fix authentication logic
- Fix rule logic in monkeyruleset module
- Fix typo errors
Full Changelog: v0.7-beta...v0.85-beta