Checks/check-ORCA106.ps1
<#
ORCA-106 Checks if the Content Filter Policy quarantine retention period is configured to 30 days. #> using module "..\ORCA.psm1" class ORCA106 : ORCACheck { <# CONSTRUCTOR with Check Header Data #> ORCA106() { $this.Control="ORCA-106" $this.Area="Content Filter Policies" $this.Name="Quarantine retention period" $this.PassText="Quarantine retention period is 30 days" $this.FailRecommendation="Configure the Quarantine retention period to 30 days" $this.Importance="You can view, release, download, delete and report false positive quarantined email messages or files captured by Advance Threat Protection (ATP) for SharePoint Online, OneDrive for Business, and Microsoft Teams in Office 365. Keep messages in the quarantine for 30 days to allow enough time for further investigation. This is the default value and also the maximum." $this.ExpandResults=$True $this.ItemName="Content Filter Policy" $this.DataType="Quarantine Retention Period" $this.Links= @{ "Manage quarantined messages and files as an administrator in Office 365"="https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/manage-quarantined-messages-and-files" "Recommended settings for EOP and Office 365 ATP security"="https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365-atp#anti-spam-anti-malware-and-anti-phishing-protection-in-eop" } } <# RESULTS #> GetResults($Config) { ForEach($Policy in $Config["HostedContentFilterPolicy"]) { # Check objects $ConfigObject = [ORCACheckConfig]::new() $ConfigObject.ConfigItem=$($Policy.Name) $ConfigObject.ConfigData=$($Policy.QuarantineRetentionPeriod) If($Policy.QuarantineRetentionPeriod -eq 30) { $ConfigObject.SetResult([ORCAConfigLevel]::Standard,"Pass") } Else { $ConfigObject.SetResult([ORCAConfigLevel]::Standard,"Fail") } # Add config to check $this.AddConfig($ConfigObject) } } } |