SHELL/3.2.1.ps1
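# CIS Microsoft 365 Foundations Benchmark v6.0.1, check 3.2.1 "Ensure DLP policies are enabled".
#
# Emits exactly one [pscustomobject] result with CheckId/Title/Level/BenchmarkType/Status/Pass/
# Evidence/Error/Timestamp. Possible Status values produced by this script:
#   MANUAL_REVIEW - Get-DlpCompliancePolicy is not available, or enabled policies exist but a
#                   human must confirm they cover the organization's protected data types.
#   FAIL          - no DLP policy exists, or none of them is enabled.
#   ERROR         - an exception was raised while collecting evidence.
# Requires an established Security & Compliance PowerShell session that exposes
# Get-DlpCompliancePolicy; without it the result is MANUAL_REVIEW, not FAIL.

$CheckId = "3.2.1"
$Title = "Ensure DLP policies are enabled"
$Level = "L1"
$BenchmarkType = "Automated"
$SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
$AuditCommands = [pscustomobject]@{
    UiAuditReference = @(
        "Microsoft Purview > Solutions > Data loss prevention > Policies",
        "Verify organization has DLP policies aligned to protected data types",
        "Verify relevant DLP policies are On"
    )
    BestEffortPowerShell = "Get-DlpCompliancePolicy | Select-Object Name,Enabled,Mode,Workload"
}

#######################################
# Convert an Enabled-like value to $true/$false, or $null when it cannot be decided.
# A plain [bool] cast is wrong for strings: [bool]"False" is $true in PowerShell, so a
# policy whose Enabled property arrives as text (e.g. deserialized output) would be
# reported as enabled. Strings are parsed explicitly; other types keep the [bool] cast.
# Arguments: $Value - the raw property value (any type, may be $null)
# Returns:   [bool] or $null
#######################################
function ConvertTo-NullableBool {
    param(
        [AllowNull()]
        [object]$Value
    )
    if ($null -eq $Value) { return $null }
    if ($Value -is [bool]) { return $Value }
    if ($Value -is [string]) {
        $Text = $Value.Trim().ToLowerInvariant()
        if ($Text -in @('true', '1', 'yes')) { return $true }
        if ($Text -in @('false', '0', 'no')) { return $false }
        return $null
    }
    return [bool]$Value
}

#######################################
# Classify a policy's Mode property into an enforcement state.
# Only the Mode spellings listed below are recognised; anything else is 'Unknown'.
# Arguments: $Policy - object that may carry a Mode property
# Returns:   'Enforced' | 'Test' | 'Off' | 'Unknown'
#######################################
function Get-PolicyModeState {
    param(
        [Parameter(Mandatory = $true)]
        [object]$Policy
    )
    if ($null -eq $Policy.PSObject.Properties['Mode'] -or $null -eq $Policy.Mode) {
        return 'Unknown'
    }
    $ModeText = ([string]$Policy.Mode).Trim().ToLowerInvariant()
    if ($ModeText -in @('enable', 'enabled', 'enforced')) { return 'Enforced' }
    # Test modes count as "enabled" for this check (the policy is on, it just does not block);
    # they are reported separately as TestModePolicyCount so the reviewer can see the difference.
    if ($ModeText -in @('testwithnotifications', 'testwithoutnotifications')) { return 'Test' }
    if ($ModeText -in @('off', 'disabled', 'disable')) { return 'Off' }
    return 'Unknown'
}

#######################################
# Decide whether a DLP policy object is enabled.
# Prefers the Enabled property; falls back to Mode when Enabled is absent or undecidable.
# Arguments: $Policy - policy object (e.g. from Get-DlpCompliancePolicy)
# Returns:   $true, $false, or $null when neither property allows a decision
#######################################
function Get-PolicyEnabledState {
    param(
        [Parameter(Mandatory = $true)]
        [object]$Policy
    )
    if ($null -ne $Policy.PSObject.Properties['Enabled']) {
        $Resolved = ConvertTo-NullableBool -Value $Policy.Enabled
        if ($null -ne $Resolved) { return $Resolved }
    }
    $ModeState = Get-PolicyModeState -Policy $Policy
    if ($ModeState -in @('Enforced', 'Test')) { return $true }
    if ($ModeState -eq 'Off') { return $false }
    return $null
}

#######################################
# Build the standard result object for this check.
# Evidence is always AuditCommands, then the caller's fields in order, then SourceDocument,
# then AuditScriptNote when supplied.
# Globals:   CheckId, Title, Level, BenchmarkType, AuditCommands, SourceDocument (read)
# Arguments: -Status         result status string
#            -Pass           $true / $false / $null
#            -EvidenceFields ordered dictionary of extra evidence properties (optional)
#            -AuditScriptNote free-text note appended to evidence (optional)
#            -ErrorMessage   text for the Error property
# Returns:   [pscustomobject]
#######################################
function New-CheckResult {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Status,
        [AllowNull()]
        [object]$Pass = $null,
        [AllowNull()]
        [System.Collections.IDictionary]$EvidenceFields = $null,
        [string]$AuditScriptNote,
        [string]$ErrorMessage
    )
    $Evidence = [ordered]@{ AuditCommands = $AuditCommands }
    if ($null -ne $EvidenceFields) {
        foreach ($Key in $EvidenceFields.Keys) {
            $Evidence[$Key] = $EvidenceFields[$Key]
        }
    }
    $Evidence['SourceDocument'] = $SourceDocument
    if ($AuditScriptNote) {
        $Evidence['AuditScriptNote'] = $AuditScriptNote
    }
    [pscustomobject]@{
        CheckId = $CheckId
        Title = $Title
        Level = $Level
        BenchmarkType = $BenchmarkType
        Status = $Status
        Pass = $Pass
        Evidence = [pscustomobject]$Evidence
        Error = $ErrorMessage
        Timestamp = Get-Date
    }
}

#######################################
# Run the check and return its single result object.
# Returns:   [pscustomobject] (see file header for Status values)
#######################################
function Invoke-DlpPolicyCheck {
    try {
        if (-not (Get-Command -Name Get-DlpCompliancePolicy -ErrorAction SilentlyContinue)) {
            return (New-CheckResult -Status "MANUAL_REVIEW" -Pass $null `
                -ErrorMessage "Manual review required: Get-DlpCompliancePolicy cmdlet is unavailable in the current session.")
        }

        # -ErrorAction Stop: a non-terminating error from the cmdlet (e.g. session problems)
        # must land in the catch block as ERROR instead of producing an empty list that would
        # be reported as FAIL "No DLP policies were found."
        $Policies = @(Get-DlpCompliancePolicy -ErrorAction Stop)

        if ($Policies.Count -eq 0) {
            return (New-CheckResult -Status "FAIL" -Pass $false `
                -EvidenceFields ([ordered]@{ PolicyCount = 0 }) `
                -ErrorMessage "No DLP policies were found.")
        }

        $PolicyReport = @(foreach ($Policy in $Policies) {
            [pscustomobject]@{
                Name = [string]$Policy.Name
                Enabled = Get-PolicyEnabledState -Policy $Policy
                RawEnabled = if ($null -ne $Policy.PSObject.Properties['Enabled']) { $Policy.Enabled } else { $null }
                Mode = if ($null -ne $Policy.PSObject.Properties['Mode']) { [string]$Policy.Mode } else { $null }
                ModeState = Get-PolicyModeState -Policy $Policy
                Workload = if ($null -ne $Policy.PSObject.Properties['Workload']) { [string]$Policy.Workload } else { $null }
                Priority = if ($null -ne $Policy.PSObject.Properties['Priority']) { $Policy.Priority } else { $null }
            }
        })

        $EnabledPolicies = @($PolicyReport | Where-Object { $_.Enabled -eq $true })
        $UnknownPolicies = @($PolicyReport | Where-Object { $null -eq $_.Enabled })
        # Split the enabled set so a reviewer can see how many policies actually enforce
        # versus only simulate (test modes report but do not block).
        $EnforcedPolicies = @($EnabledPolicies | Where-Object { $_.ModeState -eq 'Enforced' })
        $TestModePolicies = @($EnabledPolicies | Where-Object { $_.ModeState -eq 'Test' })

        if ($EnabledPolicies.Count -eq 0) {
            return (New-CheckResult -Status "FAIL" -Pass $false `
                -EvidenceFields ([ordered]@{
                    PolicyCount = $PolicyReport.Count
                    EnabledPolicyCount = 0
                    UnknownEnabledStateCount = $UnknownPolicies.Count
                    PolicyReport = $PolicyReport
                }) `
                -ErrorMessage "No enabled DLP policy was identified.")
        }

        New-CheckResult -Status "MANUAL_REVIEW" -Pass $null `
            -EvidenceFields ([ordered]@{
                PolicyCount = $PolicyReport.Count
                EnabledPolicyCount = $EnabledPolicies.Count
                EnforcedPolicyCount = $EnforcedPolicies.Count
                TestModePolicyCount = $TestModePolicies.Count
                UnknownEnabledStateCount = $UnknownPolicies.Count
                EnabledPolicies = $EnabledPolicies
                PolicyReport = $PolicyReport
            }) `
            -AuditScriptNote "Enabled DLP policies were detected. Manual review remains required to confirm policy suitability for the organization's specific protected data types." `
            -ErrorMessage "Manual review required: verify enabled DLP policies are applicable to the organization's sensitive data categories."
    }
    catch {
        New-CheckResult -Status "ERROR" -Pass $null -ErrorMessage $_.Exception.Message
    }
}

Invoke-DlpPolicyCheck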