Test-MtCisaDiagnosticSettings.ps1
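<#
.SYNOPSIS
Checks for configuration of Entra diagnostic settings
.DESCRIPTION
Security logs SHALL be sent to the agency's security operations center for monitoring.

A log category counts as configured only when at least one Entra diagnostic
setting has that category enabled. Categories listed in $cisaLogs are required;
any other category the tenant can export is reported as optional and never
fails the test.
.EXAMPLE
Test-MtCisaDiagnosticSettings
Returns true if diagnostic settings for the appropriate logs are configured
.OUTPUTS
[bool] $true when every required category is enabled in at least one diagnostic
setting, $false otherwise. $null when the test is skipped (not connected to
Azure, or tenant on the Free Entra ID plan).
.LINK
https://maester.dev/docs/commands/Test-MtCisaDiagnosticSettings
#>
function Test-MtCisaDiagnosticSettings {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseSingularNouns', '', Justification = 'Diagnostic Settings is a specific term')]
    [CmdletBinding()]
    [OutputType([bool])]
    param()

    if (!(Test-MtConnection Azure)) {
        Add-MtTestResultDetail -SkippedBecause NotConnectedAzure
        return $null
    }

    $EntraIDPlan = Get-MtLicenseInformation -Product EntraID
    if ($EntraIDPlan -eq "Free") {
        Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP1
        return $null
    }

    # Log categories CISA requires to be forwarded; everything else is optional.
    $cisaLogs = @(
        "AuditLogs",
        "SignInLogs",
        "RiskyUsers",
        "UserRiskEvents",
        "NonInteractiveUserSignInLogs",
        "ServicePrincipalSignInLogs",
        "ADFSSignInLogs",
        "RiskyServicePrincipals",
        "ServicePrincipalRiskEvents",
        "EnrichedOffice365AuditLogs",
        "MicrosoftGraphActivityLogs",
        "ManagedIdentitySignInLogs"
    )

    # Every log category the tenant can export (metric categories are dropped).
    $logs = Invoke-AzRestMethod -Method GET -Path "/providers/microsoft.aadiam/diagnosticSettingsCategories?api-version=2017-04-01-preview"
    $logs = ($logs.Content | ConvertFrom-Json).value
    $logs = ($logs | Where-Object { $_.properties.categoryType -eq "Logs" }).name

    # One object per diagnostic setting, carrying a NoteProperty per category
    # whose value is that category's enabled flag in that setting.
    $settings = Invoke-AzRestMethod -Method GET -Path "/providers/microsoft.aadiam/diagnosticSettings?api-version=2017-04-01-preview"
    $settings = ($settings.Content | ConvertFrom-Json).value
    $configs = @()
    $settings | ForEach-Object {
        $config = [PSCustomObject]@{
            name = $_.name
        }
        $_.properties.logs | ForEach-Object {
            $config | Add-Member -MemberType NoteProperty -Name $_.category -Value $_.enabled
        }
        $configs += $config
    }

    # A category is configured only if at least one setting has it enabled.
    # Testing `$configs.$log` directly is wrong: member enumeration over several
    # settings yields an array, and a multi-element array of $false values is
    # still truthy, so a category disabled in two or more settings would be
    # reported as enabled.
    # NOTE(review): only the category's enabled flag is checked; whether the
    # setting has a working destination (workspace, storage, event hub) is not
    # verified here.
    $actual = @{}
    foreach ($log in $logs) {
        $enabledIn = @($configs | Where-Object { $_.$log -eq $true })
        $actual[$log] = ($enabledIn.Count -gt 0)
    }

    $unsetLogs = $actual.Keys | Where-Object { $actual[$_] -eq $false } | Sort-Object
    $array = $actual.Keys | ForEach-Object {
        [pscustomobject]@{
            Log     = "$_"
            Enabled = $actual[$_]
        }
    }

    # Pass only when no required category is unset; optional categories never fail the test.
    $testResult = ($unsetLogs | Where-Object { $_ -in $cisaLogs } | Measure-Object).Count -eq 0

    $link = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/DiagnosticSettingsMenuBlade/~/General"
    $resultFail = "❌ Fail"
    $resultPass = "✅ Pass"
    $resultOptional = "❔ Optional"

    if ($testResult) {
        $testResultMarkdown = "Well done. Your tenant has [diagnostic settings]($link) configured for all logs."
    } else {
        $testResultMarkdown = "Your tenant does not have [diagnostic settings]($link) configured for all logs:`n`n%TestResult%"
    }

    # Per-category table: Pass when enabled, Optional when disabled but not
    # required by CISA, Fail when a required category is disabled.
    $result = "| Log Name | Result |`n"
    $result += "| --- | --- |`n"
    foreach ($item in ($array | Sort-Object Log)) {
        $itemResult = $resultFail
        if ($item.Enabled) {
            $itemResult = $resultPass
        } elseif ($item.Log -notin $cisaLogs) {
            $itemResult = $resultOptional
        }
        $result += "| $($item.Log) | $($itemResult) |`n"
    }
    $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $result

    Add-MtTestResultDetail -Result $testResultMarkdown
    return $testResult
}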