public/cis/Test-MtCisInternalMalwareNotification.ps1

<#
.SYNOPSIS
    Checks if notifications for internal users sending malware are enabled

.DESCRIPTION
    Notifications for internal users sending malware should be enabled, and an administrator email set
    CIS Microsoft 365 Foundations Benchmark v5.0.0

.EXAMPLE
    Test-MtCisInternalMalwareNotification

    Returns true if internal sender malware notifications are enabled and an administrator email address is set

.LINK
    https://maester.dev/docs/commands/Test-MtCisInternalMalwareNotification
#>

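function Test-MtCisInternalMalwareNotification {
    [CmdletBinding()]
    [OutputType([bool])]
    param()

    # Evaluates the tenant's default anti-malware policy and reports whether
    # administrators are notified when an internal sender's message is caught.
    #
    # Returns:
    #   $true  - notifications are enabled AND a non-blank admin address is set
    #   $false - either setting is missing, or no default policy was returned
    #   $null  - the test was skipped (missing connection or an error was thrown)
    #
    # Scope notes for whoever reads the result:
    #   * Only the policy flagged IsDefault is evaluated; custom policies are not inspected.
    #   * The address is only checked for presence. Whether the mailbox exists and is
    #     actually monitored has to be confirmed separately.

    # Both sessions are prerequisites. A missing session is reported as "skipped"
    # rather than as a failure, so a skipped run is not evidence of compliance.
    if (!(Test-MtConnection ExchangeOnline)) {
        Add-MtTestResultDetail -SkippedBecause NotConnectedExchange
        return $null
    } elseif (!(Test-MtConnection SecurityCompliance)) {
        Add-MtTestResultDetail -SkippedBecause NotConnectedSecurityCompliance
        return $null
    }

    try {
        Write-Verbose 'Getting Malware Filter Policy...'
        $policies = Get-MtExo -Request MalwareFilterPolicy

        # We grab the default policy as that is what CIS checks
        $policy = $policies | Where-Object { $_.IsDefault -eq $true }

        Write-Verbose 'Executing checks'
        # -match compares against the string form, so both a boolean $true and the
        # text 'True' are accepted here.
        $enableInternalSenderAdminNotification = $policy | Where-Object {
            $_.enableInternalSenderAdminNotifications -match 'True'
        }

        # An empty or whitespace-only address delivers notifications to nobody, so it
        # must not count as configured. A plain "$null -ne" comparison would let an
        # empty string through and report a pass.
        $internalSenderAdminAddress = $policy | Where-Object {
            -not [string]::IsNullOrWhiteSpace([string]$_.InternalSenderAdminAddress)
        }

        $notificationEnabled = ($enableInternalSenderAdminNotification | Measure-Object).Count -ge 1
        $adminAddressSet = ($internalSenderAdminAddress | Measure-Object).Count -ge 1

        # Both conditions are required: a notification with no recipient is as
        # ineffective as a recipient with notifications switched off.
        $testResult = $notificationEnabled -and $adminAddressSet

        $portalLink = 'https://security.microsoft.com/antimalwarev2'

        if ($testResult) {
            $testResultMarkdown = "Well done. Your tenants default anti malware policy has recommended internal malware notifications configured ($portalLink).`n`n%TestResult%"
        } else {
            $testResultMarkdown = "Your tenants default anti malware policy does not have the recommended internal malware notifications configured ($portalLink).`n`n%TestResult%"
        }

        # Per-setting breakdown so the report shows which of the two settings failed.
        $resultMd = "| Policy | Result |`n"
        $resultMd += "| --- | --- |`n"

        if ($notificationEnabled) {
            $enableInternalSenderAdminNotificationResult = '✅ Pass'
        } else {
            $enableInternalSenderAdminNotificationResult = '❌ Fail'
        }

        if ($adminAddressSet) {
            $internalSenderAdminAddressResult = '✅ Pass'
        } else {
            $internalSenderAdminAddressResult = '❌ Fail'
        }

        $resultMd += "| EnableInternalSenderAdminNotification | $enableInternalSenderAdminNotificationResult |`n"
        $resultMd += "| InternalSenderAdminAddress | $internalSenderAdminAddressResult |`n"

        $testResultMarkdown = $testResultMarkdown -replace '%TestResult%', $resultMd

        Add-MtTestResultDetail -Result $testResultMarkdown
        return $testResult
    } catch {
        # Any failure while reading or evaluating the policy is surfaced as a skipped
        # test with the error attached, not as a pass or a fail.
        Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
        return $null
    }
}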