Microsoft 365: Defender - Safe Documents Enabled

Metric Name: Microsoft 365: Defender - Safe Documents Enabled

Category: Security

Description: This metric checks whether the Safe Documents feature is enabled in Microsoft 365 Defender. Safe Documents uses Microsoft Defender to scan documents that are opened in Protected View, ensuring that they are safe before users interact with them.

Purpose: The purpose of this metric is to verify that Safe Documents is enabled, providing additional protection by automatically scanning documents for malicious content, especially in enterprise environments where document handling is frequent.

How it works:

• This metric uses a query (SecureScores.controlScores[?controlName=='mdo_safedocuments'].on) to check the status of the Safe Documents control in the Secure Score of Microsoft 365.

• The result will indicate whether the Safe Documents feature is enabled ("true") or disabled, ensuring that documents are being automatically scanned for threats before they are opened fully.

Beneficiaries:

• Security Teams: Gain insight into whether Safe Documents is enabled, ensuring that files opened in Protected View are automatically checked for malware.

• IT Administrators: Can use this metric to enforce policies ensuring that Safe Documents is enabled across the organization.

• End Users: Benefit from an additional layer of security, reducing the risk of downloading and opening malicious documents.

Additional Notes:

• Customization: The query can be adapted to track other document security features or integrate with broader document protection policies within Microsoft 365. For example, extending the query to monitor Safe Attachments alongside Safe Documents would provide a more complete view of document handling security.

• Why this is valuable: Enabling Safe Documents reduces the risk of malicious document downloads and interactions, especially in environments that deal with high volumes of externally sourced files.