core/api/m365/exchangeonline/helpers/Get-MalwareFilterInfo.ps1
|
# Monkey365 - the PowerShell Cloud Security Tool for Azure and Microsoft 365 (copyright 2022) by Juan Garrido # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specIfic language governing permissions and # limitations under the License. Function Get-MalwareFilterInfo{ <# .SYNOPSIS .DESCRIPTION .INPUTS .OUTPUTS .EXAMPLE .NOTES Author : Juan Garrido Twitter : @tr1ana File Name : Get-MalwareFilterInfo Version : 1.0 .LINK https://github.com/silverhack/monkey365 #> [CmdletBinding()] Param() Begin{ #Get instance $Environment = $O365Object.Environment #Get Exchange Online Auth token $ExoAuth = $O365Object.auth_tokens.ExchangeOnline #InitParams $p = @{ Authentication = $ExoAuth; Environment = $Environment; ResponseFormat = 'clixml'; Command = $null; Method = "POST"; InformationAction = $O365Object.InformationAction; Verbose = $O365Object.verbose; Debug = $O365Object.debug; } $msg = @{ MessageData = "Getting Anti-Malware Configuration"; callStack = (Get-PSCallStack | Select-Object -First 1); logLevel = 'info'; InformationAction = $O365Object.InformationAction; Tags = @('O365ATPInfo'); } Write-Information @msg $MalwareFilterStatus = $null $malwareFilterCollection = $null If($null -ne $ExoAuth){ $MalwareFilterStatus = [System.Collections.Generic.List[System.Object]]::new() $malwareFilterCollection = [ordered]@{} try{ #Get Malware Filter Policy $p.Command = 'Get-MalwareFilterPolicy'; $malwareFilterCollection.MalwareFilterPolicy = Get-PSExoAdminApiObject @p #Get Malware Filter Rules $msg = @{ MessageData = "Getting Anti-Malware Filter Rules"; callStack = (Get-PSCallStack | Select-Object -First 1); logLevel = 'info'; InformationAction = $O365Object.InformationAction Tags = @('O365ATPInfo'); } Write-Information @msg $p.Command = 'Get-MalwareFilterRule'; $malwareFilterCollection.MalwareFilterRule = Get-PSExoAdminApiObject @p #Get EOP protection rules $msg = @{ MessageData = "Getting EOP Protection Policy Rules"; callStack = (Get-PSCallStack | Select-Object -First 1); logLevel = 'info'; InformationAction = $O365Object.InformationAction Tags = @('O365ATPInfo'); } Write-Information @msg $p.Command = 'Get-EOPProtectionPolicyRule'; $malwareFilterCollection.EOPProtectionPolicyRule = Get-PSExoAdminApiObject @p } catch{ $msg = @{ MessageData = ($_); callStack = (Get-PSCallStack | Select-Object -First 1); logLevel = 'verbose'; InformationAction = $O365Object.InformationAction; Verbose = $O365Object.verbose; Tags = @('ExoMalwareFilterError'); } Write-Verbose @msg } } Else{ $msg = @{ MessageData = ($message.NoPsSessionWasFound -f "MalwareFilter"); callStack = (Get-PSCallStack | Select-Object -First 1); logLevel = 'warning'; InformationAction = $O365Object.InformationAction; Tags = @('ExoMalwareFilterInfo'); } Write-Warning @msg } } Process{ If($null -ne $malwareFilterCollection -and $malwareFilterCollection.MalwareFilterPolicy){ ForEach($malPolicy in @($malwareFilterCollection.MalwareFilterPolicy)){ $enabled = $true; $policyName = $malPolicy.Name If($null -ne $malwareFilterCollection.MalwareFilterRule){ $associated_rule = $malwareFilterCollection.MalwareFilterRule | Where-Object {$_.MalwareFilterPolicy -eq $policyName} -ErrorAction Ignore } Else{ $associated_rule = $null } If($null -ne $associated_rule){ If($associated_rule.State -eq "Enabled"){ $enabled = $true; } Else{ $enabled = $false; } } ElseIf ($policyName -match "Built-In") { $enabled = $true; } ElseIf ($policyName -match "Default") { $enabled = $true; } Else{ If($null -ne $malwareFilterCollection.EOPProtectionPolicyRule){ $eop_associated_rule = $malwareFilterCollection.EOPProtectionPolicyRule | Where-Object {$_.MalwareFilterPolicy -eq $policyName} -ErrorAction Ignore If($null -ne $eop_associated_rule){ $associated_rule = $eop_associated_rule; #Get State $state = $eop_associated_rule.State #Check state If($state -eq "Enabled"){ $enabled = $true; } ElseIf($state -eq "Disabled") { $enabled = $false; } Else { $enabled = $false; } } Else{ $enabled = $false; } } Else{ $enabled = $false; } } $policyName = $malPolicy.Name; #Compare filetypes $p = @{ ReferenceObject = $O365Object.l2Extensions; DIfferenceObject = $malPolicy.FileTypes; } $filetypeResult = Compare-Object @p $missingExtensions = [System.Collections.Generic.List[System.String]]::new() $_extensions = $filetypeResult.Where({$_.SideIndicator -eq "<="}) | Select-Object -ExpandProperty InputObject ForEach($extension in @($_extensions)){ [void]$missingExtensions.Add($extension); } #Construct PsObject $malPsObject = New-Object -TypeName PsObject -Property @{ policyName = $policyName; isEnabled = $enabled; policy = $malPolicy; isDefault = $malPolicy.IsDefault; policyId = $malPolicy.Guid.Guid; missingExtensions = $missingExtensions; rule = $associated_rule; ruleId = If($associated_rule){$associated_rule.Guid.Guid}; } #Add to array [void]$MalwareFilterStatus.Add($malPsObject) } } } End{ $MalwareFilterStatus } } |