Enhanced Defender license warnings for policy groups 2 and 4 (#929)
* add defender utils function

* DefenderConfig.rego

add check for Defender license

* Defender.rego fix

* Defender.rego unused argument

* unit test fix for policy 2.x

* Update DefenderConfig_02_test.rego

* remove empty lines

* unit test update

* Update DefenderConfig_04_test.rego

* Update DefenderConfig_02_test.rego

* Update Defender.rego

* Update Defender.rego

* unit test 2 update

* unit test 4 update

* Update Defender.rego

* Update DefenderConfig_02_test.rego

* Update DefenderConfig_04_test.rego

* Update DefenderConfig.rego

* Update DefenderConfig.rego

* Update Defender.rego

* Update DefenderConfig.rego

* Update DefenderConfig.rego

* Update DefenderConfig.rego

* Update Defender.rego

* Update Defender.rego

* Update Defender.rego

* Update DefenderConfig_02_test.rego

* Update Defender.rego

* Update DefenderConfig_02_test.rego

* change language

* update unit test language

* Update unit test 4 language

* Update Defender.rego

* unit test 2 update

* unit test 4

* Update DefenderConfig_04_test.rego

* revert 4.1 4.3 4.4

* revert 4.1 4.3 4.4

* change wording

* unit test 2 wording change

* unit 4 wording change

* update 4.2

* update unit test

* Update DefenderConfig_04_test.rego

* Update DefenderConfig_04_test.rego

* Update DefenderConfig_04_test.rego

* Update DefenderConfig.rego

* Update DefenderConfig.rego

* test case wording fix

* Update Defender.rego

* policy 4.x changes

* provider add additional error checks

* update dlp license warning

* Update DefenderConfig.rego

* fix lint issue

* add Utils DLP license true case

* * Refactor license warning message
* Add DLP license warning details for Teams and Devices
* Update unit tests to handle message changes

* Correct results filename in warning message

* Extend result file name construction logic

* Fix or ignore long line length style warnings

* * Improve test name for Defender for O365 license tests
* Add tests that show fail when license not present in G3

* * Add tests for DLP license error
* Remove invalid test test_Locations_Incorrect_V9

* Add DLPLicenseWarning when DLP license not present

* Remove unused import reference

* Replace unused arg with wildcard

* Fix spacing to be consistent with other uses in conditionals

Co-authored-by: David Bui <105074908+buidav@users.noreply.github.com>

* Rename dlp_license key to defender_dlp_license

---------

Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com>
Co-authored-by: David Bui <105074908+buidav@users.noreply.github.com>
3 people authored May 31, 2024
1 parent 9a18f18 commit dbb8209
Showing 7 changed files with 2,380 additions and 3,127 deletions.
30 changes: 24 additions & 6 deletions PowerShell/ScubaGear/Modules/Providers/ExportDefenderProvider.psm1
Expand Up @@ -100,19 +100,36 @@ function Export-DefenderProvider {
$Tracker.AddUnSuccessfulCommand("Get-ProtectionAlert")
}
if ($IPPSConnected) {
$DLPCompliancePolicy = ConvertTo-Json @($Tracker.TryCommand("Get-DlpCompliancePolicy"))
$ProtectionAlert = ConvertTo-Json @($Tracker.TryCommand("Get-ProtectionAlert"))
$DLPComplianceRules = @($Tracker.TryCommand("Get-DlpComplianceRule"))
if (Get-Command Get-DlpCompliancePolicy -ErrorAction SilentlyContinue) {
$DLPCompliancePolicy = ConvertTo-Json @($Tracker.TryCommand("Get-DlpCompliancePolicy"))
$ProtectionAlert = ConvertTo-Json @($Tracker.TryCommand("Get-ProtectionAlert"))
$DLPComplianceRules = @($Tracker.TryCommand("Get-DlpComplianceRule"))
$DLPLicense = ConvertTo-Json $true

# Powershell is inconsistent with how it saves lists to json.
# This loop ensures that the format of ContentContainsSensitiveInformation
# will *always* be a list.

foreach($Rule in $DLPComplianceRules) {
if ($Rule.Count -gt 0) {
$Rule.ContentContainsSensitiveInformation = @($Rule.ContentContainsSensitiveInformation)
foreach($Rule in $DLPComplianceRules) {
if ($Rule.Count -gt 0) {
$Rule.ContentContainsSensitiveInformation = @($Rule.ContentContainsSensitiveInformation)
}
}
}
else {
Write-Warning "Defender for DLP license not available in tenant. Omitting the following commands: Get-DlpCompliancePolicy, Get-DlpComplianceRule, and Get-ProtectionAlert."
$DLPCompliancePolicy = ConvertTo-Json @()
$DLPComplianceRules = ConvertTo-Json @()
$ProtectionAlert = ConvertTo-Json @()
$DLPComplianceRules = ConvertTo-Json @()
$Tracker.AddUnSuccessfulCommand("Get-DlpCompliancePolicy")
$Tracker.AddUnSuccessfulCommand("Get-DlpComplianceRule")
$Tracker.AddUnSuccessfulCommand("Get-ProtectionAlert")
$Tracker.AddSuccessfulCommand("Get-DlpCompliancePolicy")
$Tracker.AddSuccessfulCommand("Get-DlpComplianceRule")
$Tracker.AddSuccessfulCommand("Get-ProtectionAlert")
$DLPLicense = ConvertTo-Json $false
}

# We need to specify the depth because the data contains some
# nested tables.
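Review bot: The rendered hunk has lost its +/- markers, and the else branch shows `$DLPComplianceRules = ConvertTo-Json @()` twice as well as both the `$Tracker.AddUnSuccessfulCommand(...)` and the `$Tracker.AddSuccessfulCommand(...)` triplets; please confirm that only one copy of the `$DLPComplianceRules` assignment and only one of the two tracker triplets survive in the final file. If the skipped DLP commands are now deliberately recorded through `AddSuccessfulCommand`, a short comment stating that they were omitted rather than run would help, since the warning text itself says they were omitted. Separately, `Get-Command Get-DlpCompliancePolicy -ErrorAction SilentlyContinue` only tells you whether the cmdlet was imported into the current session, which also depends on the role assignment of the connected account, so the warning "Defender for DLP license not available in tenant" can fire for a permissions problem; consider wording the warning to cover both causes.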
Expand All @@ -139,6 +156,7 @@ function Export-DefenderProvider {
"admin_audit_log_config": $AdminAuditLogConfig,
"atp_policy_for_o365": $ATPPolicy,
"defender_license": $DefenderLicense,
"defender_dlp_license": $DLPLicense,
"defender_successful_commands": $SuccessfulCommands,
"defender_unsuccessful_commands": $UnSuccessfulCommands,
"@
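Review bot: `$DLPLicense` is only assigned inside the `if ($IPPSConnected)` block of the previous hunk, so when the IPPS session is not connected this new line renders as `"defender_dlp_license": ,` and the here-string no longer parses as JSON. Initialise it before the connection check, e.g. `$DLPLicense = ConvertTo-Json $false`, so the key always carries a value.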
