fix(data): reconcile 24 stale CIS M365 v6.0 recommendation IDs to v6.0.1 (closes #352)#396
Merged
Fourteenth and FINAL domain audit under v3.4.0 umbrella (#326). Resolves spike #335.

docs/audits/purview.md catalogs 27 unique patterns across 5 sub-domains (DLP policy coverage, sensitivity labels / MIP, retention, eDiscovery + Insider Risk, anti-patterns). Maps against 16 existing M365-scope Purview-related checks across PURVIEW-*, COMPLIANCE-*, plus cross-domain Power BI sensitivity labels.

Surfaces:
- 14 gap CheckIDs covering DLP template currency, custom sensitive info types, Endpoint DLP location coverage, DLP rule action progression, sensitivity label encryption + defaults + auto-labeling gap, retention legal hold + records management, eDiscovery RBAC + Premium feature, Insider Risk Management policies + analyst assignments, audit log retention period, encryption offline-access duration
- 4 cross-spike CheckID consolidations:
  - Site-protection labels ↔ #337 (SPO/OneDrive)
  - Teams sensitivity labels ↔ #340 (Teams)
  - Copilot grounding labels ↔ #336 (Power Platform)
  - PBI sensitivity labels (already covered, with #336 dedup)
- 3 narrative-refresh chore candidates

Threat-pattern map covers data theft by departing employee, outbound DLP via email, sensitive label content cached on personal device, Teams chat data loss without retention, MIP without auto-labeling, eDiscovery role over-permissioning, Insider Risk alerts going nowhere, audit log retention insufficient for IR, endpoint DLP gap, custom org data not protected by templates.

Detection appendix documents 8 cmdlet patterns + 8 edge cases across Security & Compliance PowerShell + Exchange Online connector. Like #332 (MDO) and #336 (Power Platform), Purview lives almost entirely outside Microsoft Graph. Specific edge cases:
- Multiple PowerShell modules required (S&C + ExchangeOnline + ComplianceCenter)
- Policy Mode enum (Enable, TestWithNotifications, etc.)
- Sensitivity labels are 3 distinct artifacts (label store + label policies + auto-labeling policies) — reconciliation required
- Retention labels vs retention policies (don't conflate)
- Endpoint DLP requires onboarded devices (#334 cross-domain)
- Insider Risk + Premium eDiscovery are E5+ addons (license-gated)
- Auto-labeling scope is per-location (Exchange / SPO / OneDrive each)
- Records management vs retention labels (immutable-vs-flexible distinction)

V3.4.0 AUDIT UMBRELLA COMPLETE: this is the fourteenth and final domain audit. All 14 spikes (#327-#340 inclusive) resolved. Doc includes a completion summary mapping each spike to its merged PR + 4 cross-cutting themes surfaced across the audit work for v3.5 consideration:
1. AZ-namespace boundary issues (5+ Entra controls in AZ namespace)
2. Namespace duplications (DEFENDER/EXO 3 pairs, PBI/POWERBI 11 pairs, plus implicit COMPLIANCE-DLP / proposed PURVIEW-DLP overlap)
3. Canonical data file pattern — 4 proposed:
   - data/role-tiers.json (#328)
   - data/microsoft-first-party-appids.json (#361)
   - data/transport-rule-actions.json (#339)
   - data/power-platform-connectors.json (#336)
4. Detection-method surface diversity — 5 distinct contracts:
   - Microsoft Graph
   - Exchange Online PowerShell
   - Security & Compliance PowerShell
   - MDCA REST API (per-tenant URL)
   - Power Platform admin PowerShell

Same template as #327, #328, #329, #330, #331, #332, #333, #334, #336, #337, #338, #339, #340.

Closes #335

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…0.1 (closes #352)

Surfaced after #347 phase-1 enrichment landed: 24 of 180 CIS-mapped checks referenced v6.0 numbering that CIS reorganized in v6.0.1, so phase-1 fields (sectionNumber, assessmentStatus, cisSafeguardsByVersion, references) didn't populate.

Renumbered (11) by title-match against v6.0.1 crosswalk:
- FORMS-CONFIG-004 3.6.2 -> 1.3.5
- EXO-ANTISPAM-001 4.3 -> 2.1.6
- EXO-DKIM-001 4.4 -> 2.1.9
- EXO-MALWARE-001 4.5 -> 2.1.2
- EXO-TRANSPORT-002 5.2 -> 6.2.1
- PURVIEW-AUDIT-001 5.3 -> 3.1.1
- INTUNE-SECURITY-001 6.1 -> 4.1
- INTUNE-ENROLLMENT-001 6.3 -> 4.2
- PBI-TENANT-001 8.1 -> 9.1.8
- PBI-TENANT-002 8.2 -> 9.1.4
- PBI-TENANT-003 8.3 -> 9.1.1

Removed cis-m365-v6 mapping (13) — v6.0.1 no longer covers the surface:
- FORMS-CONFIG-001/002 (no Forms-respond/collaborate controls)
- ENTRA-PIM-006/008/010 (PIM activation policy details not itemized)
- PURVIEW-RETENTION-001 (no retention controls in v6.0.1)
- COMPLIANCE-ALERTPOLICY-001 (no alert-policy control)
- DEFENDER-SECURESCORE-001 (no Secure Score control)
- INTUNE-ENCRYPTION-001 / INTUNE-UPDATE-001 (moved to Intune Benchmark)
- SPO-SCRIPT-001/002 (no scripting controls)
- TEAMS-GUEST-001 (no Teams-guest-specific control)

New Pester gate prevents regression: every cis-m365-v6.controlId in registry must resolve to a recommendation # in data/cis-m365-crosswalk.json.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Content enrichment population

Overall (1105 checks): rationale 26.3% (291/1105) • impact 26.3% (291/1105) • references 26.3% (291/1105)

Informational only — does not gate the build. The hard release-gate for Critical/High enrichment lives in #281 (v3.2.0).

Framework mapping count delta

Result:
Summary

Closes #352. After #347 phase-1 enrichment landed, 24 of 180 CIS-mapped checks failed to pick up sectionNumber / assessmentStatus / cisSafeguardsByVersion / references because their cisM365ControlId referenced v6.0 numbering that CIS reorganized in v6.0.1. This PR reconciles all 24.

The reconciliation
Renumbered (11)

Check                  cis-m365-v6 mapping
FORMS-CONFIG-004       3.6.2 → 1.3.5
EXO-ANTISPAM-001       4.3 → 2.1.6
EXO-DKIM-001           4.4 → 2.1.9
EXO-MALWARE-001        4.5 → 2.1.2
EXO-TRANSPORT-002      5.2 → 6.2.1
PURVIEW-AUDIT-001      5.3 → 3.1.1
INTUNE-SECURITY-001    6.1 → 4.1
INTUNE-ENROLLMENT-001  6.3 → 4.2
PBI-TENANT-001         8.1 → 9.1.8
PBI-TENANT-002         8.2 → 9.1.4
PBI-TENANT-003         8.3 → 9.1.1

Removed (13)

cis-m365-v6 mapping dropped — v6.0.1 doesn't itemize these surfaces:
- FORMS-CONFIG-001/002
- ENTRA-PIM-006/008/010
- PURVIEW-RETENTION-001
- COMPLIANCE-ALERTPOLICY-001, DEFENDER-SECURESCORE-001
- INTUNE-ENCRYPTION-001, INTUNE-UPDATE-001
- SPO-SCRIPT-001/002
- TEAMS-GUEST-001

These 13 retain their other framework mappings (NIST 800-53, CMMC, SOC 2, etc.); only the CIS M365 v6 mapping is dropped.
Pester gate

Added "#352 every cis-m365-v6.controlId resolves to a recommendation # in data/cis-m365-crosswalk.json" in tests/registry-integrity.Tests.ps1. Loads the crosswalk and asserts every CIS-mapped check's controlId is a known v6.0.1 recommendation #. Prevents regression.

Files

- data/scf-check-mapping.json — 11 cisM365ControlId updates + 13 cleared (with empty cisM365Profiles)
- data/registry.json — surgical edits to frameworks.cis-m365-v6 for the 24 affected checks (renumber + enrichment-refresh from crosswalk; or removal). Did NOT do a full Build-Registry.py rebuild because of unrelated SCF.db drift in the local checkout that would mask the real change — the surgical approach matches what a clean rebuild would produce for these 24 records.
- tests/registry-integrity.Tests.ps1 — new Pester gate
- CHANGELOG.md — [Unreleased] / Fixed entry

Verification
After the change:
- sectionNumber, assessmentStatus, cisSafeguardsByVersion, references populated in the cis-m365-v6 block
- cis-m365-v6 mapped count unchanged at 167 — wait, was 180. -13 = 167 ✓ (the 11 renumbered stay mapped)

Test plan

- tests/registry-integrity.Tests.ps1 — 44/44 pass locally including the new gate
- tests/duplicate-keys.Tests.ps1, framework-definitions.Tests.ps1, scf-mapping.Tests.ps1, build-registry-guards.Tests.ps1, mapping-counts.Tests.ps1 — 254/254 pass
- cis-m365-v6 framework block

Out of scope
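The regression gate this PR describes, written out in Python as an added illustration (it is not the project's Pester test, and the JSON shapes of data/cis-m365-crosswalk.json and data/registry.json are assumptions): load the crosswalk, flag every cis-m365-v6 controlId that does not resolve to a known v6.0.1 recommendation number, and show that renumbering a stale v6.0 number clears the gate. Sample values are constructed from this PR's renumbering list.

```python
from __future__ import annotations
import json

# Constructed sample inputs (not the project's real files). The v6.0.1 recommendation
# numbers come from this PR's renumbering list; the JSON shapes of
# data/cis-m365-crosswalk.json and data/registry.json are assumptions.
CROSSWALK_JSON = """{
  "version": "6.0.1",
  "recommendations": ["1.3.5", "2.1.6", "2.1.9", "2.1.2", "6.2.1", "3.1.1",
                      "4.1", "4.2", "9.1.8", "9.1.4", "9.1.1"]
}"""

REGISTRY_JSON = """{
  "checks": [
    {"id": "EXO-DKIM-001",    "frameworks": {"cis-m365-v6": {"controlId": "2.1.9"}}},
    {"id": "PBI-TENANT-001",  "frameworks": {"cis-m365-v6": {"controlId": "8.1"}}},
    {"id": "TEAMS-GUEST-001", "frameworks": {"nist-800-53": {"controlId": "AC-2"}}}
  ]
}"""

def load_known_recommendations(crosswalk_text: str) -> set[str]:
    """Recommendation numbers the v6.0.1 crosswalk knows about."""
    return set(json.loads(crosswalk_text)["recommendations"])

def find_stale_control_ids(registry_text: str, known: set[str]) -> list[tuple[str, str]]:
    """The gate: each check carrying a cis-m365-v6 mapping must point at a known
    recommendation number. Returns (checkId, controlId) pairs that do not resolve."""
    stale = []
    for check in json.loads(registry_text)["checks"]:
        cis = check.get("frameworks", {}).get("cis-m365-v6")
        if cis is None:
            continue  # no CIS mapping (like the 13 dropped checks): nothing to gate
        control_id = cis.get("controlId")
        if control_id not in known:
            stale.append((check["id"], control_id))
    return stale

def renumber(registry_text: str, new_ids_by_check: dict[str, str]) -> str:
    """Apply a per-check v6.0 -> v6.0.1 renumbering (the 'Renumbered (11)' half of the PR)."""
    registry = json.loads(registry_text)
    for check in registry["checks"]:
        cis = check.get("frameworks", {}).get("cis-m365-v6")
        if cis is not None and check["id"] in new_ids_by_check:
            cis["controlId"] = new_ids_by_check[check["id"]]
    return json.dumps(registry)

if __name__ == "__main__":
    known = load_known_recommendations(CROSSWALK_JSON)
    print("stale before:", find_stale_control_ids(REGISTRY_JSON, known))
    fixed = renumber(REGISTRY_JSON, {"PBI-TENANT-001": "9.1.8"})
    print("stale after:", find_stale_control_ids(fixed, known))
```

A check with no cis-m365-v6 block is deliberately skipped, which is why the 13 dropped mappings pass the gate while a stale v6.0 number fails it.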