core/api/m365/ExchangeOnline/helpers/Get-MalwareFilterInfo.ps1
|
# Monkey365 - the PowerShell Cloud Security Tool for Azure and Microsoft 365 (copyright 2022) by Juan Garrido # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Get-MalwareFilterInfo{ <# .SYNOPSIS .DESCRIPTION .INPUTS .OUTPUTS .EXAMPLE .NOTES Author : Juan Garrido Twitter : @tr1ana File Name : Get-MalwareFilterInfo Version : 1.0 .LINK https://github.com/silverhack/monkey365 #> [CmdletBinding()] Param() Begin{ #Get instance $Environment = $O365Object.Environment #Get Exchange Online Auth token $ExoAuth = $O365Object.auth_tokens.ExchangeOnline #InitParams $p = @{ Authentication = $ExoAuth; Environment = $Environment; ResponseFormat = 'clixml'; Command = $null; Method = "POST"; InformationAction = $O365Object.InformationAction; Verbose = $O365Object.verbose; Debug = $O365Object.debug; } $msg = @{ MessageData = "Getting Anti-Malware Configuration"; callStack = (Get-PSCallStack | Select-Object -First 1); logLevel = 'info'; InformationAction = $O365Object.InformationAction; Tags = @('O365ATPInfo'); } Write-Information @msg $MalwareFilterStatus = $null $malwareFilterCollection = $null if($null -ne $ExoAuth){ $MalwareFilterStatus = New-Object System.Collections.Generic.List[System.Object] $malwareFilterCollection = [ordered]@{} try{ #Get Malware Filter Policy $p.Command = 'Get-MalwareFilterPolicy'; $malwareFilterCollection.MalwareFilterPolicy = Get-PSExoAdminApiObject @p #Get Malware Filter Rules $msg = @{ MessageData = "Getting Anti-Malware Filter Rules"; callStack = (Get-PSCallStack | Select-Object -First 1); logLevel = 'info'; InformationAction = $O365Object.InformationAction Tags = @('O365ATPInfo'); } Write-Information @msg $p.Command = 'Get-MalwareFilterRule'; $malwareFilterCollection.MalwareFilterRule = Get-PSExoAdminApiObject @p #Get EOP protection rules $msg = @{ MessageData = "Getting EOP Protection Policy Rules"; callStack = (Get-PSCallStack | Select-Object -First 1); logLevel = 'info'; InformationAction = $O365Object.InformationAction Tags = @('O365ATPInfo'); } Write-Information @msg $p.Command = 'Get-EOPProtectionPolicyRule'; $malwareFilterCollection.EOPProtectionPolicyRule = Get-PSExoAdminApiObject @p } catch{ $msg = @{ MessageData = ($_); callStack = (Get-PSCallStack | Select-Object -First 1); logLevel = 'verbose'; InformationAction = $O365Object.InformationAction; Verbose = $O365Object.verbose; Tags = @('ExoMalwareFilterError'); } Write-Verbose @msg } } else{ $msg = @{ MessageData = ($message.NoPsSessionWasFound -f "MalwareFilter"); callStack = (Get-PSCallStack | Select-Object -First 1); logLevel = 'warning'; InformationAction = $O365Object.InformationAction; Tags = @('ExoMalwareFilterInfo'); } Write-Warning @msg } } Process{ if($null -ne $malwareFilterCollection -and $malwareFilterCollection.MalwareFilterPolicy){ foreach($malPolicy in @($malwareFilterCollection.MalwareFilterPolicy)){ $enabled = $true; $policyName = $malPolicy.Name if($null -ne $malwareFilterCollection.MalwareFilterRule){ $associated_rule = $malwareFilterCollection.MalwareFilterRule | Where-Object {$_.MalwareFilterPolicy -eq $policyName} -ErrorAction Ignore } else{ $associated_rule = $null } if($null -ne $associated_rule){ if($associated_rule.State -eq "Enabled"){ $enabled = $true; } else{ $enabled = $false; } } elseif ($policyName -match "Built-In") { $enabled = $true; } elseif ($policyName -match "Default") { $enabled = $true; } else{ if($null -ne $malwareFilterCollection.EOPProtectionPolicyRule){ $eop_associated_rule = $malwareFilterCollection.EOPProtectionPolicyRule | Where-Object {$_.MalwareFilterPolicy -eq $policyName} -ErrorAction Ignore if($null -ne $eop_associated_rule){ $associated_rule = $eop_associated_rule; #Get State $state = $eop_associated_rule.State #Check state if($state -eq "Enabled"){ $enabled = $true; } elseif($state -eq "Disabled") { $enabled = $false; } else { $enabled = $false; } } else{ $enabled = $false; } } else{ $enabled = $false; } } $policyName = $malPolicy.Name; $malPsObject = New-Object -TypeName PsObject -Property @{ policyName = $policyName; isEnabled = $enabled; Policy = $malPolicy; Rule = $associated_rule; } #Add to array [void]$MalwareFilterStatus.Add($malPsObject) } } } End{ $MalwareFilterStatus } } |