|
| 1 | +function Invoke-CIPPStandardSharePointMassDeletionAlert { |
| 2 | + <# |
| 3 | + .FUNCTIONALITY |
| 4 | + Internal |
| 5 | + .COMPONENT |
| 6 | + (APIName) SharePointMassDeletionAlert |
| 7 | + .SYNOPSIS |
| 8 | + (Label) SharePoint Mass Deletion Alert |
| 9 | + .DESCRIPTION |
| 10 | + (Helptext) Sets a e-mail address to alert when a User deletes more than 20 SharePoint files within 60 minutes. NB: Requires a Office 365 E5 subscription, Office 365 E3 with Threat Intelligence or Office 365 EquivioAnalytics add-on. |
| 11 | + (DocsDescription) Sets a e-mail address to alert when a User deletes more than 20 SharePoint files within 60 minutes. This is useful for monitoring and ensuring that the correct SharePoint files are deleted. NB: Requires a Office 365 E5 subscription, Office 365 E3 with Threat Intelligence or Office 365 EquivioAnalytics add-on. |
| 12 | + .NOTES |
| 13 | + CAT |
| 14 | + Defender Standards |
| 15 | + TAG |
| 16 | + ADDEDCOMPONENT |
| 17 | + {"type":"number","name":"standards.SharePointMassDeletionAlert.Threshold","label":"Max files to delete within the time frame","defaultValue":20} |
| 18 | + {"type":"number","name":"standards.SharePointMassDeletionAlert.TimeWindow","label":"Time frame in minutes","defaultValue":60} |
| 19 | + {"type":"autoComplete","multiple":true,"creatable":true,"required":true,"name":"standards.SharePointMassDeletionAlert.NotifyUser","label":"E-mail to receive the alert"} |
| 20 | + IMPACT |
| 21 | + Low Impact |
| 22 | + ADDEDDATE |
| 23 | + 2025-04-07 |
| 24 | + POWERSHELLEQUIVALENT |
| 25 | + New-ProtectionAlert and Set-ProtectionAlert |
| 26 | + RECOMMENDEDBY |
| 27 | + UPDATECOMMENTBLOCK |
| 28 | + Run the Tools\Update-StandardsComments.ps1 script to update this comment block |
| 29 | + .LINK |
| 30 | + https://docs.cipp.app/user-documentation/tenant/standards/list-standards/defender-standards#low-impact |
| 31 | + #> |
| 32 | + |
| 33 | + param ($Tenant, $Settings) |
| 34 | + |
| 35 | + $PolicyName = 'CIPP SharePoint mass deletion of files by a user' |
| 36 | + |
| 37 | + $CurrentState = New-ExoRequest -TenantId $Tenant -cmdlet 'Get-ProtectionAlert' -Compliance | |
| 38 | + Where-Object { $_.Name -eq $PolicyName } | |
| 39 | + Select-Object -Property * |
| 40 | + |
| 41 | + $EmailsOutsideSettings = $CurrentState.NotifyUser | Where-Object { $_ -notin $Settings.NotifyUser.value } |
| 42 | + $MissingEmailsInSettings = $Settings.NotifyUser.value | Where-Object { $_ -notin $CurrentState.NotifyUser } |
| 43 | + |
| 44 | + $StateIsCorrect = ($EmailsOutsideSettings.Count -eq 0) -and |
| 45 | + ($MissingEmailsInSettings.Count -eq 0) -and |
| 46 | + ($CurrentState.Threshold -eq $Settings.Threshold) -and |
| 47 | + ($CurrentState.TimeWindow -eq $Settings.TimeWindow) |
| 48 | + |
| 49 | + If ($Settings.remediate -eq $true) { |
| 50 | + If ($StateIsCorrect -eq $true) { |
| 51 | + Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'SharePoint mass deletion of files alert is configured correctly' -sev Info |
| 52 | + } Else { |
| 53 | + $cmdParams = @{ |
| 54 | + 'NotifyUser' = $Settings.NotifyUser.value |
| 55 | + 'Category' = 'DataGovernance' |
| 56 | + 'Operation' = 'FileDeleted' |
| 57 | + 'Severity' = 'High' |
| 58 | + 'AggregationType' = '1' |
| 59 | + 'Threshold' = $Settings.Threshold |
| 60 | + 'TimeWindow' = $Settings.TimeWindow |
| 61 | + } |
| 62 | + |
| 63 | + If ($CurrentState.Name -eq $PolicyName) { |
| 64 | + try { |
| 65 | + $cmdParams['Identity'] = $PolicyName |
| 66 | + New-ExoRequest -TenantId $Tenant -cmdlet 'Set-ProtectionAlert' -Compliance -cmdParams $cmdParams -UseSystemMailbox $true |
| 67 | + Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Successfully configured SharePoint mass deletion of files alert' -sev Info |
| 68 | + } catch { |
| 69 | + $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message |
| 70 | + Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Failed to configure SharePoint mass deletion of files alert. Error: $ErrorMessage" -sev Error |
| 71 | + } |
| 72 | + } Else { |
| 73 | + try { |
| 74 | + $cmdParams['name'] = $PolicyName |
| 75 | + $cmdParams['ThreatType'] = 'Activity' |
| 76 | + |
| 77 | + New-ExoRequest -TenantId $Tenant -cmdlet 'New-ProtectionAlert' -Compliance -cmdParams $cmdParams -UseSystemMailbox $true |
| 78 | + Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Successfully created SharePoint mass deletion of files alert' -sev Info |
| 79 | + } catch { |
| 80 | + $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message |
| 81 | + Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Failed to create SharePoint mass deletion of files alert. Error: $ErrorMessage" -sev Error |
| 82 | + } |
| 83 | + } |
| 84 | + } |
| 85 | + } |
| 86 | + |
| 87 | + If ($Settings.alert -eq $true) { |
| 88 | + If ($StateIsCorrect -eq $true) { |
| 89 | + Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'SharePoint mass deletion of files alert is enabled' -sev Info |
| 90 | + } Else { |
| 91 | + Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'SharePoint mass deletion of files alert is disabled' -sev Info |
| 92 | + } |
| 93 | + } |
| 94 | + |
| 95 | + If ($Settings.report -eq $true) { |
| 96 | + If ($StateIsCorrect -eq $true) { |
| 97 | + $Table = $true |
| 98 | + } Else { |
| 99 | + $Table = [PSCustomObject]@{ |
| 100 | + Threshold = $CurrentState.Threshold |
| 101 | + TimeWindow = $CurrentState.TimeWindow |
| 102 | + NotifyUser = $CurrentState.NotifyUser |
| 103 | + } |
| 104 | + } |
| 105 | + |
| 106 | + Set-CIPPStandardsCompareField -FieldName 'standards.SharePointMassDeletionAlert' -FieldValue $Table -TenantFilter $Tenant |
| 107 | + Add-CIPPBPAField -FieldName 'SharePointMassDeletionAlert' -FieldValue [bool]$StateIsCorrect -StoreAs bool -Tenant $Tenant |
| 108 | + } |
| 109 | +} |
0 commit comments