Checks/check-IRM103.ps1

using module "..\MCCA.psm1"

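class IRM103 : MCCACheck {
    <#
        MCCA check IRM-103: reports whether insider risk management policies
        for data leaks are configured. The policy lookup is delegated to
        Get-IRMConfigurationPolicy, which is loaded from the Utilities folder.
    #>


    # Populates the static metadata of the check (identifiers, report texts, help links).
    IRM103() {
        $this.Control = "IRM-103"
        $this.ParentArea = "Insider Risk"
        $this.Area = "Insider Risk Management"
        $this.Name = "Create customized or use default insider risk management policies for data leaks"
        $this.PassText = "Your organization has set up IRM policies for data leaks"
        $this.FailRecommendation = "Your organization should set up IRM policies for data leaks"
        $this.Importance = "Microsoft recommends that your organization create an insider risk management policy to detect, investigate, and take action on data leaks. Data leaks can include accidental oversharing of information outside your organization or data theft with malicious intent."
        $this.ExpandResults = $True
        $this.ItemName = "Policy"
        $this.DataType = "User Groups"

        # Only the compliance-center link depends on the cloud environment; the
        # two documentation links are the same everywhere.
        # NOTE(review): ExchangeEnvironmentNameForCheck is not assigned in this class;
        # presumably the MCCACheck base sets it before this body runs - confirm,
        # otherwise the commercial link is always used.
        if ($this.ExchangeEnvironmentNameForCheck -ieq "O365USGovGCCHigh") {
            $ComplianceCenterLink = "https://aka.ms/mcca-gcch-irm-compliance-center"
        }
        elseif ($this.ExchangeEnvironmentNameForCheck -ieq "O365USGovDoD") {
            $ComplianceCenterLink = "https://aka.ms/mcca-dod-irm-compliance-center"
        }
        else {
            $ComplianceCenterLink = "https://aka.ms/mcca-irm-compliance-center"
        }

        $this.Links = @{
            "Getting started with Insider risk management" = "https://aka.ms/mcca-irm-docs-action"
            "Compliance Center - Insider Risk Management"  = $ComplianceCenterLink
            "Insider risk management policies"             = "https://aka.ms/mcca-irm-docs-learn-more"
        }
    }

    <#
     
        RESULTS
     
    #>


    # Evaluates the collected configuration for data-leak IRM policies.
    # $Config is indexed by collector name; the value "Error" under
    # "GetInsiderRiskPolicy" marks a failed collection, in which case the check
    # is flagged as not completed and nothing else is evaluated.
    GetResults($Config) {   
        if ($Config["GetInsiderRiskPolicy"] -eq "Error") {
            $this.Completed = $false
        }
        else {
            # Load the helper functions. Each script is dot-sourced, i.e. executed in
            # this method's scope, so the Utilities folder is part of the trusted code
            # base and should only be writable by whoever maintains the tool.
            # Restricting the listing to *.ps1 files keeps sub-folders and stray
            # non-script files from being invoked.
            $UtilityFiles = Get-ChildItem -Path "$PSScriptRoot\..\Utilities" -Filter "*.ps1" -File

            ForEach ($UtilityFile in $UtilityFiles) {
                . $UtilityFile.FullName
            }
            #LeakOfInformation OR DisgruntledEmployeeDataLeak OR HighValueEmployeeDataLeak
            $Template = @("LeakOfInformation","DisgruntledEmployeeDataLeak","HighValueEmployeeDataLeak")
            $LogFile = $this.LogFile

            
            $ConfigObjectList = Get-IRMConfigurationPolicy -Config $Config -Templates $Template -LogFile $LogFile
            Foreach ($ConfigObject in $ConfigObjectList) {
                $this.AddConfig($ConfigObject)
            }
            

            # @() forces an array so that .Count is reliable for zero or one match.
            # NOTE(review): an entry whose RemediationAction is $null also passes this
            # filter, because $null -ne '' is true - confirm the helper always sets a string.
            $hasRemediation = @($this.Config | Where-Object { $_.RemediationAction -ne '' })
            if ($hasRemediation.Count -gt 0) {
                $this.MCCARemediationInfo = New-Object -TypeName MCCARemediationInfo -Property @{
                    RemediationAvailable = $True
                    RemediationText      = "You need to connect to Exchange Online Center PowerShell to execute the below commands. Please follow steps defined in <a href = 'https://docs.microsoft.com/en-us/powershell/exchange/connect-to-scc-powershell?view=exchange-ps'> Connect to Exchange Online Center PowerShell</a>."
                }
            }
            $this.Completed = $True
        }
        
    }

}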