

There should be no active PIM alerts #24

Open spaelling opened 6 days ago

spaelling commented 5 days ago
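Describe "PIM" -Tag "APENTO", "PIM", "Security", "All", "APENTO.03" {
    # APENTO.03: a tenant should have no active Entra ID Governance (PIM) role management alerts
    # at directory scope. Every active alert is rendered into the test result detail (Markdown)
    # so the reviewer sees its severity, security impact, mitigation steps and prevention advice.
    It "APENTO.03: There should be no active PIM alerts" {
        # Wrap in @() so .Count is always defined (0, 1 or many results) and indexing is never needed.
        # The expanded navigation properties supply the definition text rendered below.
        $GovernanceRoleManagementAlerts = @(Get-MgBetaIdentityGovernanceRoleManagementAlert -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and isActive eq true" -ExpandProperty "alertDefinition,alertConfiguration,alertIncidents")
        # metadata for the test results
        $Description = @"
Found $($GovernanceRoleManagementAlerts.Count) active PIM alerts.

$(
    foreach ($alert in $GovernanceRoleManagementAlerts) {
        # Read the definition of *this* alert; indexing [0] here would repeat the first
        # alert's text for every entry in the loop.
        $adIncidentCount = $alert.IncidentCount
        $adDisplayName = $alert.AlertDefinition.DisplayName
        $adDescription = $alert.AlertDefinition.Description
        $adHowToPrevent = $alert.AlertDefinition.HowToPrevent
        $adMitigationSteps = $alert.AlertDefinition.MitigationSteps
        $adSecurityImpact = $alert.AlertDefinition.SecurityImpact
        $adSeverityLevel = $alert.AlertDefinition.SeverityLevel

        @"
**$adDisplayName - Severity: $adSeverityLevel**

Number of incidents: $adIncidentCount

$adDescription

**Security Impact**

$adSecurityImpact

**Mitigation Steps**

$adMitigationSteps

**How to prevent**

$adHowToPrevent

"@

    } ## end foreach
)
"@
        # Only Description is attached; a separate Result text is intentionally not set.
        $MtTestResultDetailParams = @{
            Description = $Description
        }
        Add-MtTestResultDetail @MtTestResultDetailParams
        # Assert on the count directly. Comparing a [bool] against the string 'false' can never
        # fail, because any non-empty string converts to $true on the right-hand side of -eq.
        $GovernanceRoleManagementAlerts.Count | Should -Be 0
    }
}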