Public/generated/Get-KritTcmSCInsiderRiskPolicy.ps1
<#
    ·· × × × ··· SirJ's Deaddrop ··· × × × ···
    If you found this, you were meant to
    ---------------- A Seriously Kritical™ Production ----------------
    [Kritical™ ASCII banner box; art not recoverable from the extracted source]
    Your last call. And your first move.
    ★ ☆ ★  +61 1300 274 655  sales at kritical dot net
    -----------------------------------------------------------------

    .COPYRIGHT
        (c) 2026 Kritical Pty Ltd. All rights reserved.
    .AUTHOR
        Joshua Finley <joshua.finley@kritical.net>
    .COMPANY
        Kritical Pty Ltd | ABN 39 687 048 086
        Level 4 / 60 Moorabool St Geelong VIC 3220
        1300 274 655 | sales@kritical.net | https://kritical.net/
    .NOTES
        HARD RULE 13 canonical Kritical branding — do not overlay other agent banners.
        Auto-generated by Generate-KritTcmFromM365DscSchema.ps1 (.1507o30+).
        Upstream reference: Microsoft365DSC by Microsoft (MIT).
        This shim provides literal search-replace equivalence — see Krit.TCM/generated/index.md.
#>

function Get-KritTcmSCInsiderRiskPolicy {
    <#
    .SYNOPSIS
        Krit.TCM shim for M365DSC resource SCInsiderRiskPolicy.

    .DESCRIPTION
        Auto-generated from the M365DSC .schema.mof by
        scripts/m365-setup/Generate-KritTcmFromM365DscSchema.ps1 (.1507o30).

        Search-replace safe: callers that today invoke
            Get-M365DSCSCInsiderRiskPolicy -Credential $cred -TenantId $tid
        can rename to
            Get-KritTcmSCInsiderRiskPolicy -Credential $cred -TenantId $tid
        with ZERO other edits. Parameter shape matches the M365DSC .schema.mof exactly.

        Per operator direction, -PreferM365DscBehavior defaults to true.
        Actual Graph dispatch is delegated to Invoke-KritTcmM365DscSchemaBridge.
        The bridge maps each resource to a Graph endpoint in per-resource waves;
        where the mapping for a resource has not yet shipped, the bridge returns
        an object with Verdict='UNMAPPED'.

    .NOTES
        Workload: Purview
        Original mof: C:\Users\joshl\OneDrive - Kritical Pty Ltd\Github\KRTPax8ToShopifyConnector\.kritm365-mine\Microsoft365DSC\Modules\Microsoft365DSC\DSCResources\MSFT_SCInsiderRiskPolicy\MSFT_SCInsiderRiskPolicy.schema.mof
        Param count: 198
        Generator wave: .1507o30
    #>
    [CmdletBinding()]
    param(
        # Name of the insider risk policy.
        [Parameter(Mandatory)]
        [string]$Name,

        # Name of the scenario supported by the policy.
        [Parameter(Mandatory)]
        [string]$InsiderRiskScenario,

        # When turned on, data is aggregated at tenant level and is shown as insights in Analytics reports.
        [bool]$IRASettingsEnabled,

        # When turned on, if an email containing only a signature as attachment is sent to someone outside your org,
        # your policies will attempt to ignore the activity when assigning risk scores, thereby helping reduce inessential alerts.
        [bool]$EmailSignatureExclusionSettingsEnabled,

        # When turned on, data is aggregated at user level and is shown as insights in the user activity summary of
        # Data Loss Prevention, Communication Compliance and Microsoft Defender along with Advanced Hunting tables.
        # Data sharing needs to be turned on along with this.
        [bool]$UserAnalyticsSettingsEnabled,

        # For users who perform activities matching your insider risk policies, decide whether to show their actual
        # names or use pseudonymized versions to mask their identities.
        [bool]$Anonymization,

        # When turned on, admins with the correct permissions will be able to review user risk details from Insider Risk
        # Management within other solutions such as Data Loss Prevention (DLP), Communication Compliance, and user entity
        # pages in Microsoft Defender.
        [bool]$DLPUserRiskSync,

        # When turned on, admins with the correct permissions will be able to review user risk details from Insider Risk
        # Management within other solutions such as Data Loss Prevention (DLP), Communication Compliance, and user entity
        # pages in Microsoft Defender.
        [bool]$OptInIRMDataExport,

        # Insider risk management alert information is exportable to security information and event management (SIEM)
        # services by using Office 365 Management Activity APIs. Turn this on to use these APIs to export insider risk
        # alert details to other applications your organization might use to manage or aggregate insider risk data.
        [bool]$RaiseAuditAlert,

        # Enable inline alert customization for all alert reviewers.
        [bool]$InlineAlertPolicyCustomization,

        # Minimum number of daily events to boost score for unusual activity.
        [string]$FileVolCutoffLimits,

        # Alert volume.
        [string]$AlertVolume,

        # Risk score boosters indicator.
        [bool]$AnomalyDetections,

        # Policy indicators > Entering risky prompt in other AI apps
        [bool]$AIAppRiskyPrompt,

        # Policy indicators > Entering prompt attacks in AI apps
        [bool]$CCPromptShields,

        # Policy indicators > Receiving AI app responses containing protected materials
        [bool]$CCProtectedMaterialDetection,

        # Policy indicators > Sending messages that contain specific sensitive info types
        [bool]$CCSensitiveInformationType,

        # Policy indicators > Detect messages matched by specific Communication Compliance policies
        [bool]$CCSupervisionRuleMatch,

        # Policy indicators > Potentially risky sign-in activity
        [bool]$CompromisedSignInAlerts,

        # Policy indicators > User account potentially compromised
        [bool]$CompromisedUserAlerts,

        # Policy indicators > Entering risky prompt in enterprise AI apps
        [bool]$ConnectedAIAppRiskyPrompt,

        # Policy indicators > Receiving sensitive response from enterprise AI apps
        [bool]$ConnectedAIAppSensitiveResponse,

        # Policy indicators > Entering risky prompt in Copilot
        [bool]$CopilotRiskyPrompt,

        # Policy indicators > Receiving sensitive response from Copilot
        [bool]$CopilotSensitiveResponse,

        # Policy indicators > Enabling external sharing of Microsoft Fabric data
        [bool]$FabricExternalDataSharingSwitchEnabled,

        # Policy indicators > Generating alerts from selected DLP policies
        [bool]$HighSeverityDlpRuleMatch,

        # Policy indicators > Deleting Microsoft Fabric lakehouses
        [bool]$LakehouseArtifactDeleted,

        # Policy indicators > Sharing lakehouse data with people outside the organization
        [bool]$LakehouseExternalDataShareCreated,

        # Policy indicators > Deleted lakehouse files or tables
        [bool]$LakehouseFileOrBlobDeleted,

        # Policy indicators > Downgrading sensitivity labels of lakehouses
        [bool]$LakehouseSensitivityLabelDowngraded,

        # Policy indicators > Removing sensitivity labels of lakehouses
        [bool]$LakehouseSensitivityLabelRemoved,

        # Policy indicators > Files downloaded from the web
        [bool]$NetworkDownloadFile,

        # Policy indicators > Sensitive text downloaded from the web
        [bool]$NetworkDownloadText,

        # Policy indicators > Files uploaded to the web
        [bool]$NetworkUploadFile,

        # Policy indicators > Sensitive text uploaded to the web
        [bool]$NetworkUploadText,

        # Official documentation to come.
        [bool]$CopyToPersonalCloud,

        # Device indicator.
        [bool]$CopyToUSB,

        # Cumulative exfiltration detection indicator.
        [bool]$CumulativeExfiltrationDetector,

        # Official documentation to come.
        [bool]$EmailExternal,

        # Health record access indicator.
        [bool]$EmployeeAccessedEmployeePatientData,

        # Health record access indicator.
        [bool]$EmployeeAccessedFamilyData,

        # Health record access indicator.
        [bool]$EmployeeAccessedHighVolumePatientData,

        # Health record access indicator.
        [bool]$EmployeeAccessedNeighbourData,

        # Health record access indicator.
        [bool]$EmployeeAccessedRestrictedData,

        # Risky browsing indicator.
        [bool]$EpoBrowseToChildAbuseSites,

        # Risky browsing indicator.
        [bool]$EpoBrowseToCriminalActivitySites,

        # Risky browsing indicator.
        [bool]$EpoBrowseToCultSites,

        # Risky browsing indicator.
        [bool]$EpoBrowseToGamblingSites,

        # Risky browsing indicator.
        [bool]$EpoBrowseToHackingSites,

        # Risky browsing indicator.
        [bool]$EpoBrowseToHateIntoleranceSites,

        # Risky browsing indicator.
        [bool]$EpoBrowseToIllegalSoftwareSites,

        # Risky browsing indicator.
        [bool]$EpoBrowseToKeyloggerSites,

        # Risky browsing indicator.
        [bool]$EpoBrowseToLlmSites,

        # Risky browsing indicator.
        [bool]$EpoBrowseToMalwareSites,

        # Risky browsing indicator.
        [bool]$EpoBrowseToPhishingSites,

        # Risky browsing indicator.
        [bool]$EpoBrowseToPornographySites,

        # Risky browsing indicator.
        [bool]$EpoBrowseToUnallowedDomain,

        # Risky browsing indicator.
        [bool]$EpoBrowseToViolenceSites,

        # Device indicator.
        [bool]$EpoCopyToClipboardFromSensitiveFile,

        # Device indicator.
        [bool]$EpoCopyToNetworkShare,

        # Device indicator.
        [bool]$EpoFileArchived,

        # Device indicator.
        [bool]$EpoFileCopiedToRemoteDesktopSession,

        # Device indicator.
        [bool]$EpoFileDeleted,

        # Device indicator.
        [bool]$EpoFileDownloadedFromBlacklistedDomain,

        # Device indicator.
        [bool]$EpoFileDownloadedFromEnterpriseDomain,

        # Device indicator.
        [bool]$EpoFileRenamed,

        # Device indicator.
        [bool]$EpoFileStagedToCentralLocation,

        # Device indicator.
        [bool]$EpoHiddenFileCreated,

        # Device indicator.
        [bool]$EpoRemovableMediaMount,

        # Device indicator.
        [bool]$EpoSensitiveFileRead,

        # Microsoft Defender for Cloud Apps indicator.
        [bool]$Mcas3rdPartyAppDownload,

        # Microsoft Defender for Cloud Apps indicator.
        [bool]$Mcas3rdPartyAppFileDelete,

        # Microsoft Defender for Cloud Apps indicator.
        [bool]$Mcas3rdPartyAppFileSharing,

        # Microsoft Defender for Cloud Apps indicator.
        [bool]$McasActivityFromInfrequentCountry,

        # Microsoft Defender for Cloud Apps indicator.
        [bool]$McasImpossibleTravel,

        # Microsoft Defender for Cloud Apps indicator.
        [bool]$McasMultipleFailedLogins,

        # Microsoft Defender for Cloud Apps indicator.
        [bool]$McasMultipleStorageDeletion,

        # Microsoft Defender for Cloud Apps indicator.
        [bool]$McasMultipleVMCreation,

        # Microsoft Defender for Cloud Apps indicator.
        [bool]$McasMultipleVMDeletion,

        # Microsoft Defender for Cloud Apps indicator.
        [bool]$McasSuspiciousAdminActivities,

        # Microsoft Defender for Cloud Apps indicator.
        [bool]$McasSuspiciousCloudCreation,

        # Microsoft Defender for Cloud Apps indicator.
        [bool]$McasSuspiciousCloudTrailLoggingChange,

        # Microsoft Defender for Cloud Apps indicator.
        [bool]$McasTerminatedEmployeeActivity,

        # Office indicator.
        [bool]$OdbDownload,

        # Office indicator.
        [bool]$OdbSyncDownload,

        # Cumulative exfiltration detection indicator.
        [bool]$PeerCumulativeExfiltrationDetector,

        # Physical access indicator.
        [bool]$PhysicalAccess,

        # Risk score boosters indicator.
        [bool]$PotentialHighImpactUser,

        # Official documentation to come.
        [bool]$Print,

        # Risk score boosters indicator.
        [bool]$PriorityUserGroupMember,

        # Microsoft Defender for Endpoint indicator.
        [bool]$SecurityAlertDefenseEvasion,

        # Microsoft Defender for Endpoint indicator.
        [bool]$SecurityAlertUnwantedSoftware,

        # Office indicator.
        [bool]$SpoAccessRequest,

        # Office indicator.
        [bool]$SpoApprovedAccess,

        # Office indicator.
        [bool]$SpoDownload,

        # Office indicator.
        [bool]$SpoDownloadV2,

        # Office indicator.
        [bool]$SpoFileAccessed,

        # Office indicator.
        [bool]$SpoFileDeleted,

        # Office indicator.
        [bool]$SpoFileDeletedFromFirstStageRecycleBin,

        # Office indicator.
        [bool]$SpoFileDeletedFromSecondStageRecycleBin,

        # Office indicator.
        [bool]$SpoFileLabelDowngraded,

        # Office indicator.
        [bool]$SpoFileLabelRemoved,

        # Office indicator.
        [bool]$SpoFileSharing,

        # Office indicator.
        [bool]$SpoFolderDeleted,

        # Office indicator.
        [bool]$SpoFolderDeletedFromFirstStageRecycleBin,

        # Office indicator.
        [bool]$SpoFolderDeletedFromSecondStageRecycleBin,

        # Office indicator.
        [bool]$SpoFolderSharing,

        # Office indicator.
        [bool]$SpoSiteExternalUserAdded,

        # Office indicator.
        [bool]$SpoSiteInternalUserAdded,

        # Office indicator.
        [bool]$SpoSiteLabelRemoved,

        # Office indicator.
        [bool]$SpoSiteSharing,

        # Office indicator.
        [bool]$SpoSyncDownload,

        # Office indicator.
        [bool]$TeamsChannelFileSharedExternal,

        # Office indicator.
        [bool]$TeamsChannelMemberAddedExternal,

        # Office indicator.
        [bool]$TeamsChatFileSharedExternal,

        # Office indicator.
        [bool]$TeamsFileDownload,

        # Office indicator.
        [bool]$TeamsFolderSharedExternal,

        # Office indicator.
        [bool]$TeamsMemberAddedExternal,

        # Office indicator.
        [bool]$TeamsSensitiveMessage,

        # Risk score boosters indicator.
        [bool]$UserHistory,

        # AWS indicator.
        [bool]$AWSS3BlockPublicAccessDisabled,

        # AWS indicator.
        [bool]$AWSS3BucketDeleted,

        # AWS indicator.
        [bool]$AWSS3PublicAccessEnabled,

        # AWS indicator.
        [bool]$AWSS3ServerLoggingDisabled,

        # Azure indicator.
        [bool]$AzureElevateAccessToAllSubscriptions,

        # Azure indicator.
        [bool]$AzureResourceThreatProtectionSettingsUpdated,

        # Azure indicator.
        [bool]$AzureSQLServerAuditingSettingsUpdated,

        # Azure indicator.
        [bool]$AzureSQLServerFirewallRuleDeleted,

        # Azure indicator.
        [bool]$AzureSQLServerFirewallRuleUpdated,

        # Azure indicator.
        [bool]$AzureStorageAccountOrContainerDeleted,

        # Box indicator.
        [bool]$BoxContentAccess,

        # Box indicator.
        [bool]$BoxContentDelete,

        # Box indicator.
        [bool]$BoxContentDownload,

        # Box indicator.
        [bool]$BoxContentExternallyShared,

        # Detect messages matching specific trainable classifiers.
        [bool]$CCFinancialRegulatoryRiskyTextSent,

        # Detect messages matching specific trainable classifiers.
        [bool]$CCInappropriateContentSent,

        # Detect messages matching specific trainable classifiers.
        [bool]$CCInappropriateImagesSent,

        # Dropbox indicator.
        [bool]$DropboxContentAccess,

        # Dropbox indicator.
        [bool]$DropboxContentDelete,

        # Dropbox indicator.
        [bool]$DropboxContentDownload,

        # Dropbox indicator.
        [bool]$DropboxContentExternallyShared,

        # Google Drive indicator.
        [bool]$GoogleDriveContentAccess,

        # Google Drive indicator.
        [bool]$GoogleDriveContentDelete,

        # Google Drive indicator.
        [bool]$GoogleDriveContentExternallyShared,

        # Power BI indicator.
        [bool]$PowerBIDashboardsDeleted,

        # Power BI indicator.
        [bool]$PowerBIReportsDeleted,

        # Power BI indicator.
        [bool]$PowerBIReportsDownloaded,

        # Power BI indicator.
        [bool]$PowerBIReportsExported,

        # Power BI indicator.
        [bool]$PowerBIReportsViewed,

        # Power BI indicator.
        [bool]$PowerBISemanticModelsDeleted,

        # Power BI indicator.
        [bool]$PowerBISensitivityLabelDowngradedForArtifacts,

        # Power BI indicator.
        [bool]$PowerBISensitivityLabelRemovedFromArtifacts,

        # Determines how far back a policy should go to detect user activity; the window is
        # triggered when a user performs the first activity matching a policy.
        [string]$HistoricTimeSpan,

        # Determines how long policies will actively detect activity for users; the window is
        # triggered when a user performs the first activity matching a policy.
        [string]$InScopeTimeSpan,

        # Integrate Microsoft Teams capabilities with insider risk case management to enhance collaboration with stakeholders.
        [bool]$EnableTeam,

        # Send a monthly email summarizing new analytics scan insights.
        [bool]$AnalyticsNewInsightEnabled,

        # Send an email when analytics is turned off for your organization.
        [bool]$AnalyticsTurnedOffEnabled,

        # Send a daily email when new high severity alerts are generated.
        [bool]$HighSeverityAlertsEnabled,

        # Send a weekly email summarizing policies that have unresolved warnings.
        [bool]$PoliciesHealthEnabled,

        # Send a notification email when the first alert is generated for a new policy.
        [bool]$NotificationDetailsEnabled,

        # Official documentation to come.
        [bool]$ClipDeletionEnabled,

        # Official documentation to come.
        [bool]$SessionRecordingEnabled,

        # Official documentation to come.
        [string]$RecordingTimeframePreEventInSec,

        # Official documentation to come.
        [string]$RecordingTimeframePostEventInSec,

        # Official documentation to come.
        [string]$BandwidthCapInMb,

        # Official documentation to come.
        [string]$OfflineRecordingStorageLimitInMb,

        # Determines if Adaptive Protection is enabled for Purview.
        [bool]$AdaptiveProtectionEnabled,

        # Official documentation to come.
        [int]$AdaptiveProtectionHighProfileSourceType,

        # Official documentation to come.
        [int]$AdaptiveProtectionHighProfileConfirmedIssueSeverity,

        # Official documentation to come.
        [int]$AdaptiveProtectionHighProfileGeneratedIssueSeverity,

        # Official documentation to come.
        [int]$AdaptiveProtectionHighProfileInsightSeverity,

        # Official documentation to come.
        [int]$AdaptiveProtectionHighProfileInsightCount,

        # Official documentation to come.
        [bool]$AdaptiveProtectionHighProfileConfirmedIssue,

        # Official documentation to come.
        [int]$AdaptiveProtectionMediumProfileSourceType,

        # Official documentation to come.
        [int]$AdaptiveProtectionMediumProfileConfirmedIssueSeverity,

        # Official documentation to come.
        [int]$AdaptiveProtectionMediumProfileGeneratedIssueSeverity,

        # Official documentation to come.
        [int]$AdaptiveProtectionMediumProfileInsightSeverity,

        # Official documentation to come.
        [int]$AdaptiveProtectionMediumProfileInsightCount,

        # Official documentation to come.
        [bool]$AdaptiveProtectionMediumProfileConfirmedIssue,

        # Official documentation to come.
        [int]$AdaptiveProtectionLowProfileSourceType,

        # Official documentation to come.
        [int]$AdaptiveProtectionLowProfileConfirmedIssueSeverity,

        # Official documentation to come.
        [int]$AdaptiveProtectionLowProfileGeneratedIssueSeverity,

        # Official documentation to come.
        [int]$AdaptiveProtectionLowProfileInsightSeverity,

        # Official documentation to come.
        [int]$AdaptiveProtectionLowProfileInsightCount,

        # Official documentation to come.
        [bool]$AdaptiveProtectionLowProfileConfirmedIssue,

        # Official documentation to come.
        [bool]$RetainSeverityAfterTriage,

        # Official documentation to come.
        [int]$LookbackTimeSpan,

        # Official documentation to come.
        [int]$ProfileInScopeTimeSpan,

        # Official documentation to come.
        [int]$GPUUtilizationLimit,

        # Official documentation to come.
        [int]$CPUUtilizationLimit,

        # Present ensures the instance exists, absent ensures it is removed.
        [ValidateSet('Absent', 'Present')]
        [string]$Ensure,

        # Credentials of the workload's Admin.
        # The .schema.mof declares this as String with EmbeddedInstance("MSFT_Credential"); the
        # M365DSC resource binds it as a PSCredential, so the shim must too. A [string] here would
        # stringify a PSCredential passed by a renamed caller instead of forwarding it.
        [System.Management.Automation.PSCredential]$Credential,

        # Id of the Azure Active Directory application to authenticate with.
        [string]$ApplicationId,

        # Id of the Azure Active Directory tenant used for authentication.
        [string]$TenantId,

        # Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.
        [string]$CertificateThumbprint,

        # Username can be made up to anything but password will be used for CertificatePassword.
        # Same EmbeddedInstance("MSFT_Credential") mapping as -Credential above.
        [System.Management.Automation.PSCredential]$CertificatePassword,

        # Path to certificate used in service principal, usually a PFX file.
        [string]$CertificatePath,

        # Managed identity being used for authentication.
        [bool]$ManagedIdentity
    )

    # All dispatch is delegated to the schema bridge; the shim only forwards the bound parameters.
    Invoke-KritTcmM365DscSchemaBridge -ResourceName 'SCInsiderRiskPolicy' -Workload 'Purview' -Verb 'Get' -CallerParams $PSBoundParameters
}
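The header above makes two claims a consumer should be able to verify before relying on the shim: that its parameter set matches the upstream M365DSC resource (the "ZERO other edits" rename promise) and that the bridge may answer with Verdict='UNMAPPED' rather than real data. The script below is an added example written for this page; it is not part of the Kritical Krit.TCM repository or of Microsoft365DSC. It assumes the Microsoft365DSC module is installed so the MSFT_SCInsiderRiskPolicy resource module can be imported, and the two path parameters are placeholders to adjust locally. The policy name, scenario and tenant in the final call are constructed sample values.

```powershell
# Added example (editor-written, not shipped with Krit.TCM or Microsoft365DSC).
# 1. Diff the shim's parameter names against upstream Get-TargetResource.
# 2. Check that credential parameters are typed PSCredential, not string.
# 3. Call the shim and branch on the bridge's UNMAPPED verdict.
[CmdletBinding()]
param(
    # Placeholder: path to the generated shim in this repository.
    [string]$ShimPath = '.\Public\generated\Get-KritTcmSCInsiderRiskPolicy.ps1',
    # Placeholder: path to the upstream resource module inside the installed Microsoft365DSC module.
    [string]$UpstreamModulePath = '<M365DSC-module-root>\DSCResources\MSFT_SCInsiderRiskPolicy\MSFT_SCInsiderRiskPolicy.psm1'
)

. $ShimPath                                    # defines Get-KritTcmSCInsiderRiskPolicy in this scope
Import-Module -Name $UpstreamModulePath -Force  # defines Get-TargetResource for this resource

# [CmdletBinding()] adds the common parameters to every advanced function; they are not schema parameters.
$commonParams = @([System.Management.Automation.PSCmdlet]::CommonParameters) +
                @([System.Management.Automation.PSCmdlet]::OptionalCommonParameters)

function Get-SchemaParameterNames {
    param([Parameter(Mandatory)][string]$CommandName)
    (Get-Command -Name $CommandName).Parameters.Keys |
        Where-Object { $_ -notin $commonParams } |
        Sort-Object
}

$upstream = Get-SchemaParameterNames -CommandName 'Get-TargetResource'
$shim     = Get-SchemaParameterNames -CommandName 'Get-KritTcmSCInsiderRiskPolicy'

# Any drift breaks the rename promise: an argument a caller passes today would fail to bind on one side.
$drift = Compare-Object -ReferenceObject $upstream -DifferenceObject $shim
foreach ($d in $drift) {
    $side = if ($d.SideIndicator -eq '<=') { 'upstream only' } else { 'shim only' }
    Write-Warning ('Parameter drift: {0} ({1})' -f $d.InputObject, $side)
}
if (-not $drift) {
    Write-Verbose ('Parameter names match upstream ({0} parameters).' -f $shim.Count) -Verbose
}

# Binding a PSCredential to a [string] parameter stringifies it instead of forwarding the secret,
# so the two credential-shaped parameters must keep the PSCredential type.
$shimCmd = Get-Command -Name 'Get-KritTcmSCInsiderRiskPolicy'
foreach ($p in 'Credential', 'CertificatePassword') {
    $actual = $shimCmd.Parameters[$p].ParameterType
    if ($actual -ne [System.Management.Automation.PSCredential]) {
        Write-Warning ('{0} is typed [{1}]; expected [PSCredential].' -f $p, $actual.Name)
    }
}

# Call the shim with constructed sample values and respect the bridge verdict.
$cred   = Get-Credential -Message 'Purview admin account'
$result = Get-KritTcmSCInsiderRiskPolicy -Name 'Sample-DataLeaks-Policy' `
              -InsiderRiskScenario 'DataLeaks' -Credential $cred -TenantId 'contoso.onmicrosoft.com'

if ($result.Verdict -eq 'UNMAPPED') {
    # No Graph mapping has shipped for this resource yet: this is "no data", not "policy absent",
    # so do not feed it into an Ensure/drift decision.
    Write-Warning 'SCInsiderRiskPolicy is UNMAPPED in this bridge wave; no drift decision is possible.'
} else {
    $result
}
```

Run it from the repository root once per generator wave; a non-empty drift list means the upstream .schema.mof has moved (for example a new authentication parameter) and the shim needs regenerating before the rename promise holds again.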