94 lines
4.3 KiB
PowerShell
94 lines
4.3 KiB
PowerShell
function Test-NotifyMalwareInternal {
|
|
[CmdletBinding()]
|
|
[OutputType([CISAuditResult])]
|
|
param (
|
|
# Aligned
|
|
# Parameters can be added if needed
|
|
)
|
|
begin {
|
|
<#
|
|
# Conditions for 2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled
|
|
#
|
|
# Validate test for a pass:
|
|
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
|
# - Specific conditions to check:
|
|
# - Condition A: Notifications for internal users sending malware are enabled in the Microsoft 365 Security & Compliance Center.
|
|
# - Condition B: Using PowerShell, the `NotifyInternal` property in the anti-malware policy is set to `True` and includes at least one valid email address for notifications.
|
|
#
|
|
# Validate test for a fail:
|
|
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
|
# - Specific conditions to check:
|
|
# - Condition A: Notifications for internal users sending malware are not enabled in the Microsoft 365 Security & Compliance Center.
|
|
# - Condition B: Using PowerShell, the `NotifyInternal` property in the anti-malware policy is set to `False` or does not include any valid email addresses for notifications.
|
|
#>
|
|
# Dot source the class script if necessary
|
|
#. .\source\Classes\CISAuditResult.ps1
|
|
# Initialization code, if needed
|
|
$recnum = "2.1.3"
|
|
Write-Verbose "Running Test-NotifyMalwareInternal for $recnum..."
|
|
}
|
|
process {
|
|
try {
|
|
# 2.1.3 Ensure notifications for internal users sending malware is Enabled
|
|
|
|
# Retrieve all 'Custom' malware filter policies and check notification settings
|
|
# $malwareNotifications Mock Object
|
|
<#
|
|
$malwareNotifications = @(
|
|
[PSCustomObject]@{
|
|
Identity = "Default"
|
|
EnableInternalSenderAdminNotifications = $true
|
|
RecommendedPolicyType = "Custom"
|
|
},
|
|
[PSCustomObject]@{
|
|
Identity = "Anti-malware-Policy"
|
|
EnableInternalSenderAdminNotifications = $true
|
|
RecommendedPolicyType = "Custom"
|
|
}
|
|
)
|
|
#>
|
|
$malwareNotifications = Get-CISExoOutput -Rec $recnum
|
|
# Condition B: Using PowerShell, the `NotifyInternal` property in the anti-malware policy is set to `True` and includes at least one valid email address for notifications.
|
|
$policiesToReport = @()
|
|
foreach ($policy in $malwareNotifications) {
|
|
if ($policy.EnableInternalSenderAdminNotifications -ne $true) {
|
|
$policiesToReport += "$($policy.Identity): Notifications Disabled"
|
|
}
|
|
}
|
|
# Determine the result based on the presence of custom policies without notifications
|
|
$result = $policiesToReport.Count -eq 0
|
|
# Prepare failure reasons and details based on compliance
|
|
$failureReasons = if ($result) {
|
|
"N/A"
|
|
}
|
|
else {
|
|
# Condition A: Notifications for internal users sending malware are not enabled in the Microsoft 365 Security & Compliance Center.
|
|
"Some custom policies do not have notifications for internal users sending malware enabled."
|
|
}
|
|
$details = if ($result) {
|
|
"All custom malware policies have notifications enabled."
|
|
}
|
|
else {
|
|
"Misconfigured Policies: $($policiesToReport -join '`n')"
|
|
}
|
|
# Create and populate the CISAuditResult object
|
|
$params = @{
|
|
Rec = $recnum
|
|
Result = $result
|
|
Status = if ($result) { "Pass" } else { "Fail" }
|
|
Details = $details
|
|
FailureReason = $failureReasons
|
|
}
|
|
$auditResult = Initialize-CISAuditResult @params
|
|
}
|
|
catch {
|
|
$LastError = $_
|
|
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
|
|
}
|
|
}
|
|
end {
|
|
# Return the audit result
|
|
return $auditResult
|
|
}
|
|
}
|