private/review/defender/collaboration/Invoke-ReviewDefenderMalwareInternalUserNotification.ps1

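function Invoke-ReviewDefenderMalwareInternalUserNotification
{
    <#
    .SYNOPSIS
        Review whether admin notifications for internal users sending malware are enabled.
    .DESCRIPTION
        Reads every anti-malware (malware filter) policy with Get-MalwareFilterPolicy and
        marks a policy as valid only when 'EnableInternalSenderAdminNotifications' is
        explicitly true AND 'InternalSenderAdminAddress' holds a non-blank value.
        Returns a review object whose 'Review' flag is true when at least one policy
        is not valid, and whose 'Data' holds one entry per policy.
    .OUTPUTS
        Review. The object is also printed through its PrintResult() method.
    .NOTES
        Write-CustomLog and the [Review] class are not defined in this function and
        must already be loaded by the caller.
    .EXAMPLE
        Invoke-ReviewDefenderMalwareInternalUserNotification;
    #>


    [cmdletbinding()]
    param
    (
    )

    BEGIN
    {
        # Write progress.
        Write-Progress -Activity $MyInvocation.MyCommand -Status 'Running' -CurrentOperation $MyInvocation.MyCommand.Name -PercentComplete -1 -SecondsRemaining -1;

        # Write to log.
        Write-CustomLog -Category 'Microsoft Defender' -Subcategory 'Policy' -Message 'Getting anti-malware policies' -Level Verbose;

        # Get malware filter policies.
        $malwarePolicies = Get-MalwareFilterPolicy;

        # Object array to store policies.
        $policies = New-Object System.Collections.ArrayList;
    }
    PROCESS
    {
        # Foreach malware filter policy.
        foreach ($malwarePolicy in $malwarePolicies)
        {
            # Boolean if malware policy is correctly configured.
            $valid = $true;

            # Fail closed: anything other than an explicit 'true' counts as disabled.
            # A missing or $null property previously compared unequal to $false and
            # was therefore reported as correctly configured.
            if ($malwarePolicy.EnableInternalSenderAdminNotifications -ne $true)
            {
                # Set the boolean to false.
                $valid = $false;
            }

            # A notification without a recipient alerts nobody, so an empty or
            # whitespace-only address is treated the same as a missing one.
            if ([string]::IsNullOrWhiteSpace($malwarePolicy.InternalSenderAdminAddress))
            {
                # Set the boolean to false.
                $valid = $false;
            }

            # If invalid.
            if ($false -eq $valid)
            {
                # Write to log. The message is also emitted when only the admin address is missing.
                Write-CustomLog -Category 'Microsoft Defender' -Subcategory 'Policy' -Message ("Anti-malware policy '{0}' does not have 'Internal User Notifications' enabled" -f $malwarePolicy.Name) -Level Verbose;
            }

            # Add to object array.
            # Note: '+=' on an ArrayList yields a new Object[] on each iteration; kept so
            # that the type assigned to the review data stays what callers already receive.
            $policies += [PSCustomObject]@{
                Guid                                   = $malwarePolicy.Guid;
                Id                                     = $malwarePolicy.Id;
                Name                                   = $malwarePolicy.Name;
                Valid                                  = $valid;
                EnableInternalSenderAdminNotifications = $malwarePolicy.EnableInternalSenderAdminNotifications;
                InternalSenderAdminAddress             = $malwarePolicy.InternalSenderAdminAddress;
            };
        }
    }
    END
    {
        # Bool for review flag.
        [bool]$reviewFlag = $false;

        # If review flag should be set.
        # NOTE(review): when no policy was returned at all (for example because the
        # policy query failed or returned nothing), the flag stays false and the
        # control is reported as passing. Confirm whether the caller should treat an
        # empty 'Data' as "not assessed" rather than compliant.
        if ($policies | Where-Object { $_.Valid -eq $false })
        {
            # Should be reviewed.
            $reviewFlag = $true;
        }

        # Create new review object to return.
        [Review]$review = [Review]::new();

        # Add to object.
        $review.Id = '01f7327e-f8cf-4542-b12a-41b40d03415d';
        $review.Category = 'Microsoft 365 Defender';
        $review.Subcategory = 'Email and collaboration';
        $review.Title = 'Ensure notifications for internal users sending malware is Enabled';
        $review.Data = $policies;
        $review.Review = $reviewFlag;

        # Print result.
        $review.PrintResult();

        # Return object.
        return $review;
    }
}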