chore(m365): enhance metadata for purview service (#9092)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
This commit is contained in:
Rubén De la Torre Vico
2026-03-09 20:42:33 +01:00
committed by GitHub
parent 20efe001ff
commit e3e2408717
5 changed files with 22 additions and 16 deletions


@@ -33,6 +33,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Update Alibaba Cloud services metadata to new format [(#10289)](https://github.com/prowler-cloud/prowler/pull/10289)
- Update M365 Admin Center service metadata to new format [(#9680)](https://github.com/prowler-cloud/prowler/pull/9680)
- Update M365 Defender service metadata to new format [(#9681)](https://github.com/prowler-cloud/prowler/pull/9681)
- Update M365 Purview service metadata to new format [(#9092)](https://github.com/prowler-cloud/prowler/pull/9092)
---


@@ -7,9 +7,9 @@
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Defender for Identity Health Issue",
"ResourceType": "NotDefined",
"ResourceGroup": "security",
"Description": "Microsoft Defender for Identity (MDI) monitors your hybrid identity infrastructure and detects advanced threats targeting Active Directory. This check verifies that MDI sensors are deployed and that there are no unresolved health issues that may affect the ability to detect identity-based attacks.",
"Description": "**Microsoft Defender for Identity (MDI)** monitors your hybrid identity infrastructure and detects advanced threats targeting Active Directory. This check verifies that MDI sensors are deployed and that there are no unresolved health issues that may affect the ability to detect identity-based attacks.",
"Risk": "Without deployed MDI sensors or with unresolved health issues, organizations face critical gaps in threat detection. Misconfigured or missing sensors fail to monitor domain controllers, allowing identity-based attacks like Pass-the-Hash, Golden Ticket, or lateral movement to go undetected. Attackers commonly exploit these blind spots to compromise hybrid environments while evading detection.",
"RelatedUrl": "",
"AdditionalURLs": [
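Review bot: `ResourceType` moves from the descriptive `Defender for Identity Health Issue` to `NotDefined` in this section (assuming the second line of each changed pair is the new side, as the print order suggests), which drops the only field that tells a consumer of the findings what kind of object the finding is about. Unless the new metadata schema rejects free-text values here, I would keep the descriptive value; the same substitution appears in the two Defender XDR files in this commit, so if it is intentional a sentence in the PR description explaining the convention would help reviewers. The enclosing JSON object starts and ends outside this hunk.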


@@ -1,16 +1,16 @@
{
"Provider": "m365",
"CheckID": "defenderxdr_critical_asset_management_pending_approvals",
"CheckTitle": "Ensure all Critical Asset Management classifications are reviewed and approved in Microsoft Defender XDR",
"CheckTitle": "Critical asset management classifications are reviewed and approved",
"CheckType": [],
"ServiceName": "defenderxdr",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Defender XDR Critical Asset Management",
"ResourceType": "NotDefined",
"ResourceGroup": "security",
"Description": "Assets with a lower classification confidence score in Microsoft Defender XDR must be approved by a security administrator.\n\nAsset classifications that have not yet been reviewed and approved may result in incomplete **critical asset** visibility.",
"Risk": "Stale pending approvals lead to limited visibility in Microsoft Defender XDR. **Critical assets** that are not properly identified and classified may not receive appropriate security monitoring and protections, creating gaps in the organization's security posture.",
"Description": "**Microsoft Defender XDR critical asset management classifications** with a lower classification confidence score must be approved by a security administrator.\n\nAsset classifications that have not yet been reviewed and approved may result in incomplete **critical asset** visibility.",
"Risk": "Stale pending approvals lead to limited visibility in **Microsoft Defender XDR**. **Critical assets** that are not properly identified and classified may not receive appropriate security monitoring and protections, creating gaps in the organization's security posture.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/security-exposure-management/classify-critical-assets",


@@ -7,9 +7,9 @@
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "critical",
"ResourceType": "Exposure Management",
"ResourceType": "NotDefined",
"ResourceGroup": "security",
"Description": "Privileged users may have authentication artifacts (CLI secrets, cookies, tokens) exposed on endpoints with high risk scores. Microsoft Defender XDR's Security Exposure Management detects when credentials from users with Entra ID privileged roles are present on vulnerable devices.",
"Description": "Microsoft Defender XDR's **Security Exposure Management** detects when credentials from users with Entra ID privileged roles are present on vulnerable devices. Privileged users may have authentication artifacts (CLI secrets, cookies, tokens) exposed on endpoints with high risk scores.",
"Risk": "Exposed credentials on vulnerable endpoints enable account takeover through stolen tokens or cookies, Conditional Access bypass via primary refresh tokens, lateral movement to sensitive resources, and persistence until tokens are explicitly revoked.",
"RelatedUrl": "",
"AdditionalURLs": [


@@ -1,30 +1,35 @@
{
"Provider": "m365",
"CheckID": "purview_audit_log_search_enabled",
"CheckTitle": "Ensure Purview audit log search is enabled",
"CheckTitle": "Purview audit log search is enabled",
"CheckType": [],
"ServiceName": "purview",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "critical",
"ResourceType": "Purview Settings",
"ResourceType": "NotDefined",
"ResourceGroup": "governance",
"Description": "Ensure Purview audit log search is enabled.",
"Risk": "Disabling Microsoft 365 audit log search can hinder the ability to track and monitor user and admin activities, making it harder to detect suspicious behavior, security incidents, or compliance violations. This can result in undetected breaches and inability to respond to incidents effectively.",
"RelatedUrl": "https://learn.microsoft.com/en-us/purview/audit-search?tabs=microsoft-purview-portal",
"Description": "Microsoft Purview tenant setting for **audit log search** is assessed to confirm unified audit log ingestion (`UnifiedAuditLogIngestionEnabled`), which records user and admin activities and makes them searchable.",
"Risk": "Without **audit log ingestion/search**, activity trails are missing or delayed, reducing visibility and accountability.\n- Data exfiltration and privilege abuse go undetected (confidentiality/integrity)\n- Incident response and forensics fail due to absent evidence, increasing dwell time",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/purview/audit-search?tabs=microsoft-purview-portal",
"https://learn.microsoft.com/en-us/purview/audit-log-enable-disable"
],
"Remediation": {
"Code": {
"CLI": "Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true",
"NativeIaC": "",
"Other": "1. Navigate to Microsoft Purview https://compliance.microsoft.com. 2. Select Audit to open the audit search. 3. Click Start recording user and admin activity next to the information warning at the top. 4. Click Yes on the dialog box to confirm.",
"Other": "1. Go to https://compliance.microsoft.com and sign in with an admin account\n2. Open Solutions > Audit\n3. Click Start recording user and admin activity\n4. Click Yes to confirm",
"Terraform": ""
},
"Recommendation": {
"Text": "Ensure that Microsoft 365 audit log search is enabled to maintain a comprehensive record of user and admin activities. This will help improve security monitoring, support compliance needs, and provide critical insights for responding to incidents.",
"Url": "https://learn.microsoft.com/en-us/purview/audit-search?tabs=microsoft-purview-portal"
"Text": "Enable and keep **audit log search** on (`UnifiedAuditLogIngestionEnabled=true`). Apply **least privilege** to audit roles, set retention aligned to sensitivity, forward logs to a SIEM for **defense in depth**, and routinely review and alert on audit events. *Avoid disabling auditing even when using third-party tools.*",
"Url": "https://hub.prowler.com/check/purview_audit_log_search_enabled"
}
},
"Categories": [
"logging",
"e3"
],
"DependsOn": [],
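Review bot: The CLI remediation `Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true` is an Exchange Online PowerShell cmdlet, so as written it fails unless a session already exists; I would make the prerequisite explicit, e.g. `"CLI": "Connect-ExchangeOnline; Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true"`, and mention that the caller needs the Exchange Online Audit Logs role (my recollection of the linked audit-log-enable-disable doc — please confirm). Since the Risk text leans on forensic evidence, the Remediation or Recommendation should also state that enabling is not retroactive and, per that same doc as I recall it, can take a while to take effect, so activity before the switch is simply absent. The new Recommendation Text recommends retention, SIEM forwarding and least-privilege audit roles, none of which this check evaluates (the Description says it only confirms `UnifiedAuditLogIngestionEnabled`), so a phrase such as `(not evaluated by this check)` would keep a PASS from being read as covering those controls. The portal URL in the Other steps is the legacy compliance.microsoft.com host, which now redirects to purview.microsoft.com; consider updating it. The JSON object opened at the top of this hunk closes outside it.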