function Test-NotifyMalwareInternal {
    <#
    .SYNOPSIS
        Audits CIS 2.1.3 (L1): Ensure notifications for internal users sending malware is Enabled.
    .DESCRIPTION
        Takes the policy objects returned by Get-CISExoOutput for recommendation 2.1.3 and
        reports every policy whose EnableInternalSenderAdminNotifications value is not $true.
        The test passes only when no policy is reported. Any exception raised while collecting
        or evaluating the data is converted into an audit result by Get-TestError.
    .OUTPUTS
        CISAuditResult
    #>
    [CmdletBinding()]
    [OutputType([CISAuditResult])]
    param (
        # Aligned
        # Parameters can be added if needed
    )

    begin {
        <#
        # Conditions for 2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled
        #
        # Pass - the automated result must agree with the manual audit steps in the CIS benchmark:
        #   - Condition A: Notifications for internal users sending malware are enabled in the
        #     Microsoft 365 Security & Compliance Center.
        #   - Condition B: Using PowerShell, the `NotifyInternal` property in the anti-malware policy
        #     is set to `True` and includes at least one valid email address for notifications.
        #
        # Fail - the automated failure conditions must agree with the manual audit results:
        #   - Condition A: Notifications for internal users sending malware are not enabled in the
        #     Microsoft 365 Security & Compliance Center.
        #   - Condition B: Using PowerShell, the `NotifyInternal` property in the anti-malware policy
        #     is set to `False` or does not include any valid email addresses for notifications.
        #>

        # Dot source the class script if necessary
        #. .\source\Classes\CISAuditResult.ps1

        # Recommendation number; it selects the data set in Get-CISExoOutput and labels the result.
        $recnum = "2.1.3"
    }

    process {
        try {
            # Policy data for 2.1.3. Any restriction to 'Custom' policies has to happen inside
            # Get-CISExoOutput; nothing in this function filters by policy type.
            $malwareNotifications = Get-CISExoOutput -Rec $recnum

            # Collect one entry per policy whose admin-notification switch is not exactly $true.
            # NOTE(review): Condition B also asks for at least one valid notification address, but
            # only the EnableInternalSenderAdminNotifications flag is examined here. A policy with
            # the flag on and no recipient would still pass. Confirm whether the returned objects
            # carry the recipient (e.g. InternalSenderAdminAddress) and whether it should be checked.
            # NOTE(review): the conditions above name `NotifyInternal`, while the property read is
            # EnableInternalSenderAdminNotifications - confirm the two refer to the same setting.
            $policiesToReport = @(
                foreach ($policy in $malwareNotifications) {
                    if ($policy.EnableInternalSenderAdminNotifications -ne $true) {
                        "$($policy.Identity): Notifications Disabled"
                    }
                }
            )

            # No reported policy means the control is met.
            # NOTE(review): an empty result from Get-CISExoOutput also ends up here as a Pass, so
            # "no data returned" and "every policy compliant" look the same in the report.
            $result = ($policiesToReport.Count -eq 0)

            if ($result) {
                $status         = "Pass"
                $failureReasons = "N/A"
                $details        = "All custom malware policies have notifications enabled."
            }
            else {
                $status         = "Fail"
                # Condition A: Notifications for internal users sending malware are not enabled in the Microsoft 365 Security & Compliance Center.
                $failureReasons = "Some custom policies do not have notifications for internal users sending malware enabled."
                $details        = "Misconfigured Policies: $($policiesToReport -join ', ')"
            }

            # Build the CISAuditResult for this recommendation.
            $auditResult = Initialize-CISAuditResult -Rec $recnum -Result $result -Status $status -Details $details -FailureReason $failureReasons
        }
        catch {
            # Turn the failure into an audit result instead of letting the exception escape.
            $auditResult = Get-TestError -LastError $_ -recnum $recnum
        }
    }

    end {
        # Emit the audit result built in the process block.
        $auditResult
    }
}