tests/Test-NotifyMalwareInternal.ps1

function Test-NotifyMalwareInternal {
    [CmdletBinding()]
    [OutputType([CISAuditResult])]
    param (
        # Aligned
        # Parameters can be added if needed
    )
    begin {
        <#
        # Conditions for 2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled
        #
        # Validate test for a pass:
        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
        # - Specific conditions to check:
        # - Condition A: Notifications for internal users sending malware are enabled in the Microsoft 365 Security & Compliance Center.
        # - Condition B: Using PowerShell, the `NotifyInternal` property in the anti-malware policy is set to `True` and includes at least one valid email address for notifications.
        #
        # Validate test for a fail:
        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
        # - Specific conditions to check:
        # - Condition A: Notifications for internal users sending malware are not enabled in the Microsoft 365 Security & Compliance Center.
        # - Condition B: Using PowerShell, the `NotifyInternal` property in the anti-malware policy is set to `False` or does not include any valid email addresses for notifications.
        #>

        # Dot source the class script if necessary
        #. .\source\Classes\CISAuditResult.ps1
        # Initialization code, if needed
        $recnum = "2.1.3"
        Write-Verbose "Running Test-NotifyMalwareInternal for $recnum..."
    }
    process {
        try {
            # 2.1.3 Ensure notifications for internal users sending malware is Enabled

            # Retrieve all 'Custom' malware filter policies and check notification settings
            # $malwareNotifications Mock Object
            <#
                $malwareNotifications = @(
                    [PSCustomObject]@{
                        Identity = "Default"
                        EnableInternalSenderAdminNotifications = $true
                        RecommendedPolicyType = "Custom"
                    },
                    [PSCustomObject]@{
                        Identity = "Anti-malware-Policy"
                        EnableInternalSenderAdminNotifications = $true
                        RecommendedPolicyType = "Custom"
                    }
                )
            #>

            $malwareNotifications = Get-CISExoOutput -Rec $recnum
            # Condition B: Using PowerShell, the `NotifyInternal` property in the anti-malware policy is set to `True` and includes at least one valid email address for notifications.
            $policiesToReport = @()
            foreach ($policy in $malwareNotifications) {
                if ($policy.EnableInternalSenderAdminNotifications -ne $true) {
                    $policiesToReport += "$($policy.Identity): Notifications Disabled"
                }
            }
            # Determine the result based on the presence of custom policies without notifications
            $result = $policiesToReport.Count -eq 0
            # Prepare failure reasons and details based on compliance
            $failureReasons = if ($result) {
                "N/A"
            }
            else {
                # Condition A: Notifications for internal users sending malware are not enabled in the Microsoft 365 Security & Compliance Center.
                "Some custom policies do not have notifications for internal users sending malware enabled."
            }
            $details = if ($result) {
                "All custom malware policies have notifications enabled."
            }
            else {
                "Misconfigured Policies: $($policiesToReport -join '`n')"
            }
            # Create and populate the CISAuditResult object
            $params = @{
                Rec           = $recnum
                Result        = $result
                Status        = if ($result) { "Pass" } else { "Fail" }
                Details       = $details
                FailureReason = $failureReasons
            }
            $auditResult = Initialize-CISAuditResult @params
        }
        catch {
            $LastError = $_
            $auditResult = Get-TestError -LastError $LastError -recnum $recnum
        }
    }
    end {
        # Return the audit result
        return $auditResult
    }
}