tests/Test-NotifyMalwareInternal.ps1
|
function Test-NotifyMalwareInternal { [CmdletBinding()] [OutputType([CISAuditResult])] param ( # Aligned # Parameters can be added if needed ) begin { <# # Conditions for 2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled # # Validate test for a pass: # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. # - Specific conditions to check: # - Condition A: Notifications for internal users sending malware are enabled in the Microsoft 365 Security & Compliance Center. # - Condition B: Using PowerShell, the `NotifyInternal` property in the anti-malware policy is set to `True` and includes at least one valid email address for notifications. # # Validate test for a fail: # - Confirm that the failure conditions in the automated test are consistent with the manual audit results. # - Specific conditions to check: # - Condition A: Notifications for internal users sending malware are not enabled in the Microsoft 365 Security & Compliance Center. # - Condition B: Using PowerShell, the `NotifyInternal` property in the anti-malware policy is set to `False` or does not include any valid email addresses for notifications. #> # Dot source the class script if necessary #. .\source\Classes\CISAuditResult.ps1 # Initialization code, if needed $recnum = "2.1.3" } process { try { # 2.1.3 Ensure notifications for internal users sending malware is Enabled # Retrieve all 'Custom' malware filter policies and check notification settings $malwareNotifications = Get-MalwareFilterPolicy | Where-Object { $_.RecommendedPolicyType -eq 'Custom' } # Condition B: Using PowerShell, the `NotifyInternal` property in the anti-malware policy is set to `True` and includes at least one valid email address for notifications. $policiesToReport = @() foreach ($policy in $malwareNotifications) { if ($policy.EnableInternalSenderAdminNotifications -ne $true) { $policiesToReport += "$($policy.Identity): Notifications Disabled" } } # Determine the result based on the presence of custom policies without notifications $result = $policiesToReport.Count -eq 0 # Prepare failure reasons and details based on compliance $failureReasons = if ($result) { "N/A" } else { # Condition A: Notifications for internal users sending malware are not enabled in the Microsoft 365 Security & Compliance Center. "Some custom policies do not have notifications for internal users sending malware enabled." } $details = if ($result) { "All custom malware policies have notifications enabled." } else { "Misconfigured Policies: $($policiesToReport -join ', ')" } # Create and populate the CISAuditResult object $params = @{ Rec = $recnum Result = $result Status = if ($result) { "Pass" } else { "Fail" } Details = $details FailureReason = $failureReasons } $auditResult = Initialize-CISAuditResult @params } catch { Write-Error "An error occurred during the test: $_" # Retrieve the description from the test definitions $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum } $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" } $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ }) # Call Initialize-CISAuditResult with error parameters $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure } } end { # Return the audit result return $auditResult } } |