SHELL/3.1.1.ps1

# Static metadata for this benchmark check. These values are copied verbatim
# into every result object the script emits (PASS, FAIL and ERROR alike).
$CheckId       = '3.1.1'
$Title         = 'Ensure Microsoft 365 audit log search is Enabled'
$Level         = 'L1'
$BenchmarkType = 'Automated'

# The audit command, kept as text so it can be recorded in the Evidence block.
# It is not executed from this array.
$AuditCommands = @('Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled')

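# Evaluates the check and emits exactly one result object on the pipeline:
#   Status = PASS  - UnifiedAuditLogIngestionEnabled is true
#   Status = FAIL  - UnifiedAuditLogIngestionEnabled is false
#   Status = ERROR - the value could not be read or interpreted (Pass = $null)
# An unreadable or ambiguous value is reported as ERROR rather than guessed, so
# that a collection problem is never recorded as a compliant tenant.
try {
    # -ErrorAction Stop turns a non-terminating cmdlet error into an exception so
    # the catch block reports the real failure message instead of the generic
    # "returned no result" path below.
    $Config = @(Get-AdminAuditLogConfig -ErrorAction Stop)

    if (@($Config).Count -eq 0) {
        [pscustomobject]@{
            CheckId = $CheckId
            Title = $Title
            Level = $Level
            BenchmarkType = $BenchmarkType
            Status = "ERROR"
            Pass = $null
            Evidence = [pscustomobject]@{
                AuditCommands = $AuditCommands
                ConfigCount = 0
                SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
            }
            Error = "Get-AdminAuditLogConfig returned no result."
            Timestamp = Get-Date
        }
        return
    }

    # Only the first returned object is evaluated; ConfigCount in the evidence
    # shows whether more than one came back.
    $Primary = $Config | Select-Object -First 1
    $RawValue = $null
    if ($null -ne $Primary.PSObject.Properties['UnifiedAuditLogIngestionEnabled']) {
        $RawValue = $Primary.UnifiedAuditLogIngestionEnabled
    }

    # Reached both when the property is absent and when it is present but null.
    if ($null -eq $RawValue) {
        [pscustomobject]@{
            CheckId = $CheckId
            Title = $Title
            Level = $Level
            BenchmarkType = $BenchmarkType
            Status = "ERROR"
            Pass = $null
            Evidence = [pscustomobject]@{
                AuditCommands = $AuditCommands
                ConfigCount = @($Config).Count
                RawConfig = @($Config)
                SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
            }
            Error = "UnifiedAuditLogIngestionEnabled property was not found in Get-AdminAuditLogConfig output."
            Timestamp = Get-Date
        }
        return
    }

    # A PowerShell [bool] cast treats every non-empty string as $true, so the text
    # "False" would be recorded as PASS. Strings are therefore parsed explicitly
    # and anything that is not "True"/"False" is reported as ERROR. Non-string
    # values keep the plain cast.
    if ($RawValue -is [string]) {
        $Parsed = $false
        if (-not [bool]::TryParse($RawValue, [ref]$Parsed)) {
            [pscustomobject]@{
                CheckId = $CheckId
                Title = $Title
                Level = $Level
                BenchmarkType = $BenchmarkType
                Status = "ERROR"
                Pass = $null
                Evidence = [pscustomobject]@{
                    AuditCommands = $AuditCommands
                    RawUnifiedAuditLogIngestionEnabled = $RawValue
                    ConfigCount = @($Config).Count
                    SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
                }
                Error = "UnifiedAuditLogIngestionEnabled value could not be interpreted as a Boolean."
                Timestamp = Get-Date
            }
            return
        }
        $Enabled = $Parsed
    }
    else {
        $Enabled = [bool]$RawValue
    }
    $Pass = $Enabled -eq $true

    # Best-effort context only: list the PSSessions visible to this process and
    # flag any whose name, computer name or configuration name mentions
    # "compliance" or "protection". An empty list does not prove that no
    # Security & Compliance connection exists.
    $PSSessions = @(Get-PSSession -ErrorAction SilentlyContinue | Select-Object Name,ComputerName,ConfigurationName,State)
    $HasComplianceSessionHint = @($PSSessions | Where-Object {
        ("$($_.Name) $($_.ComputerName) $($_.ConfigurationName)").ToLowerInvariant() -match "compliance|protection"
    }).Count -gt 0

    # When the value reads False while a compliance-looking session is loaded,
    # say so in the error text: per the AuditNote below the reading may be
    # unreliable. Status stays FAIL so the finding is never silently dropped.
    $FailureMessage = "UnifiedAuditLogIngestionEnabled is False."
    if ($HasComplianceSessionHint) {
        $FailureMessage += " A Security & Compliance session appears to be loaded, which can make this value read False; confirm from an Exchange Online-only session."
    }

    [pscustomobject]@{
        CheckId = $CheckId
        Title = $Title
        Level = $Level
        BenchmarkType = $BenchmarkType
        Status = if ($Pass) { "PASS" } else { "FAIL" }
        Pass = $Pass
        Evidence = [pscustomobject]@{
            AuditCommands = $AuditCommands
            UnifiedAuditLogIngestionEnabled = $Enabled
            RawUnifiedAuditLogIngestionEnabled = $RawValue
            ConfigCount = @($Config).Count
            SessionCount = @($PSSessions).Count
            HasComplianceSessionHint = $HasComplianceSessionHint
            SessionSnapshot = @($PSSessions)
            AuditNote = "CIS v6.0.1 notes this value can appear False in mixed Security & Compliance + Exchange sessions depending on module/session order."
            SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
        }
        Error = if ($Pass) { $null } else { $FailureMessage }
        Timestamp = Get-Date
    }
}
catch {
    # Any terminating error (cmdlet missing, not connected, access denied, ...)
    # is reported as ERROR with the exception message; the script does not rethrow.
    [pscustomobject]@{
        CheckId = $CheckId
        Title = $Title
        Level = $Level
        BenchmarkType = $BenchmarkType
        Status = "ERROR"
        Pass = $null
        Evidence = [pscustomobject]@{
            AuditCommands = $AuditCommands
            SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
        }
        Error = $_.Exception.Message
        Timestamp = Get-Date
    }
}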