tests/Test-SafeAttachmentsPolicy.ps1

function Test-SafeAttachmentsPolicy {
    [CmdletBinding()]
    [OutputType([CISAuditResult])]
    param ()

    begin {
        $recnum = "2.1.4"

        <#
        Conditions for 2.1.4 (L2) Ensure Safe Attachments policy is enabled
 
        Validate test for a pass:
        - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
        - Specific conditions to check:
          - Condition A: The Safe Attachments policy is enabled in the Microsoft 365 Defender portal.
          - Condition B: The policy covers all recipients within the organization.
          - Condition C: The policy action is set to "Dynamic Delivery" or "Quarantine".
          - Condition D: The policy is not disabled.
 
        Validate test for a fail:
        - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
        - Specific conditions to check:
          - Condition A: The Safe Attachments policy is not enabled in the Microsoft 365 Defender portal.
          - Condition B: The policy does not cover all recipients within the organization.
          - Condition C: The policy action is not set to "Dynamic Delivery" or "Quarantine".
          - Condition D: The policy is disabled.
        #>

    }

    process {
        if (Get-Command Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue) {
            try {
                # Retrieve all Safe Attachment policies where Enable is set to True
                $safeAttachmentPolicies = Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue | Where-Object { $_.Enable -eq $true }
                # Check if any Safe Attachments policy is enabled (Condition A)
                $result = $null -ne $safeAttachmentPolicies -and $safeAttachmentPolicies.Count -gt 0

                # Initialize details and failure reasons
                $details = @()
                $failureReasons = @()

                foreach ($policy in $safeAttachmentPolicies) {
                    # Initialize policy detail and failed status
                    $failed = $false

                    # Check if the policy action is set to "Dynamic Delivery" or "Quarantine" (Condition C)
                    if ($policy.Action -notin @("DynamicDelivery", "Quarantine")) {
                        $failureReasons += "Policy '$($policy.Name)' action is not set to 'Dynamic Delivery' or 'Quarantine'."
                        $failed = $true
                    }

                    # Check if the policy is not disabled (Condition D)
                    if (-not $policy.Enable) {
                        $failureReasons += "Policy '$($policy.Name)' is disabled."
                        $failed = $true
                    }

                    # Add policy details to the details array
                    $details += [PSCustomObject]@{
                        Policy  = $policy.Name
                        Enabled = $policy.Enable
                        Action  = $policy.Action
                        Failed  = $failed
                    }
                }

                # The result is a pass if there are no failure reasons
                $result = $failureReasons.Count -eq 0

                # Format details for output manually
                $detailsString = "Policy|Enabled|Action|Failed`n" + ($details |
                    ForEach-Object {"$($_.Policy)|$($_.Enabled)|$($_.Action)|$($_.Failed)`n"}
                )
                $failureReasonsString = ($failureReasons | ForEach-Object { $_ }) -join ' '

                # Create and populate the CISAuditResult object
                $params = @{
                    Rec           = $recnum
                    Result        = $result
                    Status        = if ($result) { "Pass" } else { "Fail" }
                    Details       = $detailsString
                    FailureReason = if ($result) { "N/A" } else { $failureReasonsString }
                }
                $auditResult = Initialize-CISAuditResult @params
            }
            catch {
                Write-Error "An error occurred during the test: $_"

                # Retrieve the description from the test definitions
                $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
                $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }

                $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })

                # Call Initialize-CISAuditResult with error parameters
                $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
            }
        }
        else {
            $params = @{
                Rec           = $recnum
                Result        = $false
                Status        = "Fail"
                Details       = "No Safe Attachments policies found."
                FailureReason = "The audit needs Safe Attachment features available or required EXO commands will not be available otherwise."
            }
            $auditResult = Initialize-CISAuditResult @params
        }
    }

    end {
        # Return the audit result
        return $auditResult
    }
}