feat(m365): add defenderidentity_health_issues_no_open security check (#10087)

Author: HugoPBrito

docs/user-guide/providers/microsoft365/authentication.mdx

@@ -42,6 +42,8 @@ When using service principal authentication, add these **Application Permissions
 - `AuditLog.Read.All`: Required for Entra service.
 - `Directory.Read.All`: Required for all services.
 - `Policy.Read.All`: Required for all services.
+- `SecurityIdentitiesHealth.Read.All`: Required for `defenderidentity_health_issues_no_open` check.
+- `SecurityIdentitiesSensors.Read.All`: Required for `defenderidentity_health_issues_no_open` check.
 - `SharePointTenantSettings.Read.All`: Required for SharePoint service.
 
 **External API Permissions:**
@@ -106,6 +108,8 @@ Browser and Azure CLI authentication methods limit scanning capabilities to chec
    - `AuditLog.Read.All`: Required for Entra service
    - `Directory.Read.All`: Required for all services
    - `Policy.Read.All`: Required for all services
+   - `SecurityIdentitiesHealth.Read.All`: Required for `defenderidentity_health_issues_no_open` check
+   - `SecurityIdentitiesSensors.Read.All`: Required for `defenderidentity_health_issues_no_open` check
    - `SharePointTenantSettings.Read.All`: Required for SharePoint service
 
    ![Permission Screenshots](/images/providers/directory-permission.png)

prowler/CHANGELOG.md

@@ -6,6 +6,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 
 ### 🚀 Added
 
+- `defenderidentity_health_issues_no_open` check for M365 provider [(#10087)](https://github.com/prowler-cloud/prowler/pull/10087)
 - `organization_verified_badge` check for GitHub provider [(#10033)](https://github.com/prowler-cloud/prowler/pull/10033)
 - OpenStack provider `clouds_yaml_content` parameter for API integration [(#10003)](https://github.com/prowler-cloud/prowler/pull/10003)
 - `defender_safe_attachments_policy_enabled` check for M365 provider [(#9833)](https://github.com/prowler-cloud/prowler/pull/9833)

prowler/compliance/m365/iso27001_2022_m365.json

@@ -117,6 +117,7 @@
         "defender_malware_policy_notifications_internal_users_malware_enabled",
         "defender_safelinks_policy_enabled",
         "defender_zap_for_teams_enabled",
+        "defender_identity_health_issues_no_open",
         "entra_admin_users_phishing_resistant_mfa_enabled",
         "entra_identity_protection_sign_in_risk_enabled",
         "entra_identity_protection_user_risk_enabled"
@@ -715,7 +716,8 @@
       "Checks": [
         "defender_malware_policy_common_attachments_filter_enabled",
         "defender_malware_policy_comprehensive_attachments_filter_applied",
-        "defender_malware_policy_notifications_internal_users_malware_enabled"
+        "defender_malware_policy_notifications_internal_users_malware_enabled",
+        "defender_identity_health_issues_no_open"
       ]
     },
     {

prowler/providers/m365/services/defenderidentity/__init__.py

@@ -0,0 +1,6 @@
+from prowler.providers.common.provider import Provider
+from prowler.providers.m365.services.defenderidentity.defenderidentity_service import (
+    DefenderIdentity,
+)
+
+defenderidentity_client = DefenderIdentity(Provider.get_global_provider())

prowler/providers/m365/services/defenderidentity/defenderidentity_client.py

@@ -0,0 +1,37 @@
+{
+  "Provider": "m365",
+  "CheckID": "defenderidentity_health_issues_no_open",
+  "CheckTitle": "Defender for Identity has no unresolved health issues affecting hybrid infrastructure monitoring",
+  "CheckType": [],
+  "ServiceName": "defenderidentity",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "Defender for Identity Health Issue",
+  "ResourceGroup": "security",
+  "Description": "Microsoft Defender for Identity (MDI) monitors your hybrid identity infrastructure and detects advanced threats targeting Active Directory. This check verifies that MDI sensors are deployed and that there are no unresolved health issues that may affect the ability to detect identity-based attacks.",
+  "Risk": "Without deployed MDI sensors or with unresolved health issues, organizations face critical gaps in threat detection. Misconfigured or missing sensors fail to monitor domain controllers, allowing identity-based attacks like Pass-the-Hash, Golden Ticket, or lateral movement to go undetected. Attackers commonly exploit these blind spots to compromise hybrid environments while evading detection.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/defender-for-identity/health-alerts",
+    "https://learn.microsoft.com/en-us/graph/api/security-identitycontainer-list-healthissues"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Navigate to Microsoft Defender XDR portal at https://security.microsoft.com/\n2. Go to Settings > Identities > Health issues\n3. Review each open health issue and its recommendations\n4. Follow the specific remediation steps provided for each issue\n5. Verify the issue is resolved and status changes to closed",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Regularly monitor and resolve Defender for Identity health issues to maintain comprehensive visibility into identity-based threats across your hybrid infrastructure.",
+      "Url": "https://hub.prowler.com/check/defenderidentity_health_issues_no_open"
+    }
+  },
+  "Categories": [
+    "e5"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "This check requires SecurityIdentitiesHealth.Read.All permission and a hybrid identity environment with Active Directory on-premises connected to Microsoft Defender for Identity. Health issues can be global (domain-related, such as Directory Services account issues or auditing misconfigurations) or sensor-specific. If no hybrid AD environment is configured, this check will pass with no health issues detected, as MDI only monitors on-premises Active Directory infrastructure."
+}

prowler/providers/m365/services/defenderidentity/defenderidentity_health_issues_no_open/__init__.py

@@ -0,0 +1,140 @@
+"""Check for open health issues in Microsoft Defender for Identity.
+
+This module provides a security check that verifies there are no unresolved
+health issues in the Microsoft Defender for Identity deployment.
+"""
+
+from typing import List
+
+from prowler.lib.check.models import Check, CheckReportM365, Severity
+from prowler.providers.m365.services.defenderidentity.defenderidentity_client import (
+    defenderidentity_client,
+)
+
+
+class defenderidentity_health_issues_no_open(Check):
+    """Ensure Microsoft Defender for Identity has no unresolved health issues.
+
+    This check evaluates whether there are open health issues in the MDI deployment
+    that require attention to maintain proper hybrid identity protection.
+
+    - PASS: The health issue has been resolved (status is not open).
+    - FAIL: The health issue is open and requires attention.
+    - FAIL: No sensors are deployed (MDI cannot protect the environment).
+    """
+
+    def execute(self) -> List[CheckReportM365]:
+        """Execute the check for open MDI health issues.
+
+        This method iterates through all health issues from Microsoft Defender
+        for Identity and reports on their status. Open issues indicate potential
+        configuration problems or sensor health concerns that need resolution.
+
+        Returns:
+            List[CheckReportM365]: A list of reports containing the result of the check.
+        """
+        findings = []
+
+        # Check sensors first - None means API error, empty list means no sensors
+        sensors_api_failed = defenderidentity_client.sensors is None
+        health_issues_api_failed = defenderidentity_client.health_issues is None
+        has_sensors = (
+            defenderidentity_client.sensors and len(defenderidentity_client.sensors) > 0
+        )
+
+        # If both APIs failed, it's likely a permission issue
+        if sensors_api_failed and health_issues_api_failed:
+            report = CheckReportM365(
+                metadata=self.metadata(),
+                resource={},
+                resource_name="Defender for Identity",
+                resource_id="defenderIdentity",
+            )
+            report.status = "FAIL"
+            report.status_extended = (
+                "Defender for Identity APIs are not accessible. "
+                "Ensure the Service Principal has SecurityIdentitiesSensors.Read.All and "
+                "SecurityIdentitiesHealth.Read.All permissions granted."
+            )
+            findings.append(report)
+            return findings
+
+        # If only health issues API failed but we have sensors
+        if health_issues_api_failed and has_sensors:
+            report = CheckReportM365(
+                metadata=self.metadata(),
+                resource={},
+                resource_name="Defender for Identity",
+                resource_id="defenderIdentity",
+            )
+            report.status = "FAIL"
+            report.status_extended = (
+                f"Cannot read health issues from Defender for Identity "
+                f"(found {len(defenderidentity_client.sensors)} sensor(s) deployed). "
+                "Ensure the Service Principal has SecurityIdentitiesHealth.Read.All permission."
+            )
+            findings.append(report)
+            return findings
+
+        # If no sensors are deployed (empty list, not None), MDI cannot monitor
+        if not has_sensors and not sensors_api_failed:
+            report = CheckReportM365(
+                metadata=self.metadata(),
+                resource={},
+                resource_name="Defender for Identity",
+                resource_id="defenderIdentity",
+            )
+            report.status = "FAIL"
+            report.status_extended = (
+                "No sensors deployed in Defender for Identity. "
+                "Without sensors, MDI cannot monitor health issues in the environment. "
+                "Deploy sensors on domain controllers to enable protection."
+            )
+            findings.append(report)
+            return findings
+
+        # If health_issues is empty list - no issues exist, this is compliant
+        if not defenderidentity_client.health_issues:
+            report = CheckReportM365(
+                metadata=self.metadata(),
+                resource={},
+                resource_name="Defender for Identity",
+                resource_id="defenderIdentity",
+            )
+            report.status = "PASS"
+            report.status_extended = (
+                "No open health issues found in Defender for Identity."
+            )
+            findings.append(report)
+            return findings
+
+        for health_issue in defenderidentity_client.health_issues:
+            report = CheckReportM365(
+                metadata=self.metadata(),
+                resource=health_issue,
+                resource_name=health_issue.display_name,
+                resource_id=health_issue.id,
+            )
+
+            issue_type = health_issue.health_issue_type or "unknown"
+            severity = health_issue.severity or "unknown"
+            status = (health_issue.status or "").lower()
+
+            if status != "open":
+                report.status = "PASS"
+                report.status_extended = f"Defender for Identity {issue_type} health issue {health_issue.display_name} is resolved."
+            else:
+                report.status = "FAIL"
+                report.status_extended = f"Defender for Identity {issue_type} health issue {health_issue.display_name} is open with {severity} severity."
+
+                # Adjust severity based on issue severity
+                if severity == "high":
+                    report.check_metadata.Severity = Severity.high
+                elif severity == "medium":
+                    report.check_metadata.Severity = Severity.medium
+                elif severity == "low":
+                    report.check_metadata.Severity = Severity.low
+
+            findings.append(report)
+
+        return findings