Clarify License Requirements in assumptions.md #1439

Open
wants to merge 5 commits into
base: main

Collaborator

@adhilto adhilto commented Nov 21, 2024

🗣 Description

Clarify License Requirements in assumptions.md. Note the option of using a config file to document use of third-party tools.

💭 Motivation and context

More clarity was needed.

🧪 Testing

N/A

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • PR targets the correct parent branch (e.g., main or release-name) for merge.
  • Changes are limited to a single goal - eschew scope creep!
  • Changes are sized such that they do not touch an excessive number of files.
  • All future TODOs are captured in issues, which are referenced in code comments.
  • These code changes follow the ScubaGear content style guide.
  • Related issues these changes resolve are linked preferably via closing keywords.
  • All relevant type-of-change labels added.
  • All relevant project fields are set.
  • All relevant repo and/or project documentation updated to reflect these changes.
  • Unit tests added/updated to cover PowerShell and Rego changes.
  • Functional tests added/updated to cover PowerShell and Rego changes.
  • All relevant functional tests passed.
  • All automated checks (e.g., linting, static analysis, unit/smoke tests) passed.

✅ Pre-merge checklist

  • PR passed smoke test check.

  • Feature branch has been rebased against changes from parent branch, as needed

    Use Rebase branch button below or use this reference to rebase from the command line.

  • Resolved all merge conflicts on branch

  • Notified merge coordinator that PR is ready for merge via comment mention

  • Demonstrate changes to the team for questions and comments.
    (Note: Only required for issues of size Medium or larger)

✅ Post-merge checklist

  • Feature branch deleted after merge to clean up repository.
  • Verified that all checks pass on parent branch (e.g., main or release-name) after merge.

@adhilto adhilto added the documentation label Nov 21, 2024
@adhilto adhilto added this to the Kraken milestone Nov 21, 2024
@adhilto adhilto self-assigned this Nov 21, 2024
docs/misc/assumptions.md (outdated)

Some of the policy checks in the baselines rely on the following licenses, which are included by default in M365 E5 and G5:
Collaborator

MS.DEFENDER.6.3v1 (audit log duration/OMB 21-31 memo) lists the Microsoft Purview Audit (Premium) license requirement. Is it worth listing here if agencies are already mandated to have advanced logging capability?

Collaborator

They shouldn't be mandated to have Purview Audit (Premium) in practice anymore because of the changes in the log types included in Purview (standard), which is observed in the note for MS.DEFENDER.6.2v1.

As for retention, they may choose to retain it in Microsoft using Purview or use a third-party solution (Splunk, etc.) in their SOC. Both would meet the policy, as is explained in the note for that policy.

Collaborator Author

@adhilto adhilto Nov 22, 2024

If we don't count Purview Audit (Premium), "almost all cases...can be met using a third-party service" becomes "all cases." That was the one exception. I'll take out the "almost."

Collaborator

What about MS.AAD.2.{1-3}v1 required AAD P2 as well? Agree there are not many.

Collaborator Author

You're right, I wasn't tracking that one.

Collaborator

For tracking purposes in MS.AAD.4.1v1 -- we say an Azure subscription may be required for forwarding logs to a SIEM, although which SIEM an agency uses falls under the 3rd-party service category.

adhilto and others added 4 commits November 22, 2024 07:39