SCDLPCompliance fix for sensitivity labels #1358

Merged
merged 5 commits into from
Aug 4, 2021
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Added logic for Sensitivite Labels
desmay committed Aug 1, 2021
commit e446e31a79eab00c9b1e9aa8c5c0e329815358c7
Expand Up @@ -957,44 +957,68 @@ function ConvertTo-SCDLPSensitiveInformationStringGroup
$StringContent += "MSFT_SCDLPContainsSensitiveInformationGroup`r`n {`r`n"
$StringContent += " operator = '$($group.operator.Replace("'", "''"))'`r`n"
$StringContent += " name = '$($group.name.Replace("'", "''"))'`r`n"
$StringContent += " SensitiveInformation = @("
foreach ($sit in $group.sensitivetypes)
if ($null -ne $group.sensitivetypes)
{
$StringContent += " MSFT_SCDLPSensitiveInformation`r`n {`r`n"
$StringContent += " name = '$($sit.name.Replace("'", "''"))'`r`n"
if ($null -ne $sit.id)
$StringContent += " SensitiveInformation = @("
foreach ($sit in $group.sensitivetypes)
{
$StringContent += " id = '$($sit.id)'`r`n"
$StringContent += " MSFT_SCDLPSensitiveInformation`r`n {`r`n"
$StringContent += " name = '$($sit.name.Replace("'", "''"))'`r`n"
if ($null -ne $sit.id)
{
$StringContent += " id = '$($sit.id)'`r`n"
}

if ($null -ne $sit.maxconfidence)
{
$StringContent += " maxconfidence = '$($sit.maxconfidence)'`r`n"
}

if ($null -ne $sit.minconfidence)
{
$StringContent += " minconfidence = '$($sit.minconfidence)'`r`n"
}

if ($null -ne $sit.classifiertype)
{
$StringContent += " classifiertype = '$($sit.classifiertype)'`r`n"
}

if ($null -ne $sit.mincount)
{
$StringContent += " mincount = '$($sit.mincount)'`r`n"
}

if ($null -ne $sit.maxcount)
{
$StringContent += " maxcount = '$($sit.maxcount)'`r`n"
}

$StringContent += " }`r`n"
}

if ($null -ne $sit.maxconfidence)
{
$StringContent += " maxconfidence = '$($sit.maxconfidence)'`r`n"
}

if ($null -ne $sit.minconfidence)
{
$StringContent += " minconfidence = '$($sit.minconfidence)'`r`n"
}

if ($null -ne $sit.classifiertype)
{
$StringContent += " classifiertype = '$($sit.classifiertype)'`r`n"
}

if ($null -ne $sit.mincount)
{
$StringContent += " mincount = '$($sit.mincount)'`r`n"
}

if ($null -ne $sit.maxcount)
$StringContent += " )}`r`n"
}
if ($null -ne $group.labels)
{
$StringContent += " labels = @("
foreach ($label in $group.labels)
{
$StringContent += " maxcount = '$($sit.maxcount)'`r`n"
$StringContent += " MSFT_SCDLPLabel`r`n {`r`n"
$StringContent += " name = '$($label.name.Replace("'", "''"))'`r`n"
if ($null -ne $label.id)
{
$StringContent += " id = '$($label.id)'`r`n"
}

if ($null -ne $label.type)
{
$StringContent += " type = '$($sit.type)'`r`n"
}

$StringContent += " }`r`n"
}

$StringContent += " }`r`n"
$StringContent += " )}`r`n"
}
$StringContent += " )}`r`n"
}
$StringContent += " )}`r`n"
$result += $StringContent
Expand Down Expand Up @@ -1180,15 +1204,41 @@ function Get-SCDLPSensitiveInformationGroups
}
$sits += $sit
}
$myGroup.Add("sensitivetypes", $sits)
if ($sits.Length -gt 0)
{
$myGroup.Add("sensitivetypes", $sits)
}
$labels = @()
foreach ($item in $group.labels)
{
$label = @{
name = $item.name
}

if ($null -ne $item.id)
{
$label.Add("id", $item.id)
}

if ($null -ne $item.type)
{
$label.Add("type", $item.type)
}
$slabels += $label
}
if ($labels.Length -gt 0)
{
$myGroup.Add("labels", $labels)
}
$groups += $myGroup
}
$result.Add("groups", $groups)
$returnValue += $result
return $returnValue
}

function Test-ContainsSensitiveInformation {
function Test-ContainsSensitiveInformation
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
Expand Down Expand Up @@ -1239,7 +1289,60 @@ function Test-ContainsSensitiveInformation {
}
}

function Test-ContainsSensitiveInformationGroups {
function Test-ContainsSensitiveInformationLabels
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
(
[Parameter(Mandatory = $true)]
[System.Object[]]
$targetValues,

[Parameter()]
[System.Object[]]
$sourceValues
)

foreach ($sit in $targetValues)
{
Write-Verbose -Message "Trying to find existing Sensitive Information labels matching name {$($sit.name)}"
$matchingExistingRule = $sourceValues | Where-Object -FilterScript { $_.name -eq $sit.name }

if ($null -ne $matchingExistingRule)
{
Write-Verbose -Message "Sensitive Information label {$($sit.name)} was found"
$propertiesTocheck = @("id", "type")

foreach ($property in $propertiesToCheck)
{
Write-Verbose -Message "Checking property {$property} for Sensitive Information label {$($sit.name)}"
if ($sit.$property -ne $matchingExistingRule.$property)
{
Write-Verbose -Message "Property {$property} is set to {$($matchingExistingRule.$property)} and is expected to be {$($sit.$property)}."
$EventMessage = "DLP Compliance Rule {$Name} was not in the desired state.`r`n" + `
"Sensitive Information Action {$($sit.name)} has invalid value for property {$property}. " + `
"Current value is {$($matchingExistingRule.$property)} and is expected to be {$($sit.$property)}."
Add-M365DSCEvent -Message $EventMessage -EntryType 'Warning' `
-EventID 1 -Source $($MyInvocation.MyCommand.Source)
return $false
}
}
}
else
{
Write-Verbose -Message "Sensitive Information label {$($sit.name)} was not found"
$EventMessage = "DLP Compliance Rule {$Name} was not in the desired state.`r`n" + `
"An action on {$($sit.name)} Sensitive Information label is missing."
Add-M365DSCEvent -Message $EventMessage -EntryType 'Warning' `
-EventID 1 -Source $($MyInvocation.MyCommand.Source)
return $false
}
}
}

function Test-ContainsSensitiveInformationGroups
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
Expand All @@ -1256,10 +1359,10 @@ function Test-ContainsSensitiveInformationGroups {
if ($targetValues.operator -ne $sourceValues.operator)
{
$EventMessage = "DLP Compliance Rule {$Name} was not in the desired state.`r`n" + `
"DLP Compliance Rule {$Name} has invalid value for property operator. " + `
"Current value is {$($targetValues.$operator)} and is expected to be {$($sourceValues.$operator)}."
Add-M365DSCEvent -Message $EventMessage -EntryType 'Warning' `
-EventID 1 -Source $($MyInvocation.MyCommand.Source)
"DLP Compliance Rule {$Name} has invalid value for property operator. " + `
"Current value is {$($targetValues.$operator)} and is expected to be {$($sourceValues.$operator)}."
Add-M365DSCEvent -Message $EventMessage -EntryType 'Warning' `
-EventID 1 -Source $($MyInvocation.MyCommand.Source)
return $false
}

Expand All @@ -1273,11 +1376,11 @@ function Test-ContainsSensitiveInformationGroups {
if ($group.operator -ne $matchingExistingGroup.operator)
{
$EventMessage = "DLP Compliance Rule {$Name} was not in the desired state.`r`n" + `
"Group {$($group.name)} has invalid value for property operator. " + `
"Current value is {$($matchingExistingRule.$operator)} and is expected to be {$($group.$operator)}."
Add-M365DSCEvent -Message $EventMessage -EntryType 'Warning' `
-EventID 1 -Source $($MyInvocation.MyCommand.Source)
return $false
"Group {$($group.name)} has invalid value for property operator. " + `
"Current value is {$($matchingExistingRule.$operator)} and is expected to be {$($group.$operator)}."
Add-M365DSCEvent -Message $EventMessage -EntryType 'Warning' `
-EventID 1 -Source $($MyInvocation.MyCommand.Source)
return $false
}
}
else
Expand All @@ -1290,11 +1393,24 @@ function Test-ContainsSensitiveInformationGroups {
return $false
}

$desiredState = Test-ContainsSensitiveInformation -targetValues $group.sensitivetypes `
-sourceValues $matchingExistingGroup.sensitivetypes
if ($desiredState -eq $false)
if ($null -ne $group.sensitivetypes)
{
return $false
$desiredState = Test-ContainsSensitiveInformation -targetValues $group.sensitivetypes `
-sourceValues $matchingExistingGroup.sensitivetypes
if ($desiredState -eq $false)
{
return $false
}
}

if ($null -ne $group.labels)
{
$desiredState = Test-ContainsSensitiveInformationLabels -targetValues $group.labels `
-sourceValues $matchingExistingGroup.labels
if ($desiredState -eq $false)
{
return $false
}
}
}
}
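Review bot: `$slabels += $label` at the end of the label loop in Get-SCDLPSensitiveInformationGroups accumulates into an undeclared variable, so `$labels.Length -gt 0` is never true and the labels are silently dropped from every exported group; it should read `$labels += $label`. In the new label block of ConvertTo-SCDLPSensitiveInformationStringGroup, `type = '$($sit.type)'` reads the leftover `$sit` from the sensitive-types loop instead of `$label.type`, so the exported type is wrong or empty. Test-ContainsSensitiveInformationLabels also falls off the end when all labels match, returning nothing rather than the `[System.Boolean]` its OutputType promises; the caller only behaves because `$null -eq $false` is false in PowerShell, so add `return $true` after the foreach. The label `id` and `type` (like the existing SIT numeric fields) are interpolated into the generated single-quoted configuration without the `.Replace("'", "''")` applied to `name`, and since these are tenant-supplied values landing in PowerShell source they should be escaped the same way. The first hunk starts inside ConvertTo-SCDLPSensitiveInformationStringGroup and the last hunk ends inside Test-ContainsSensitiveInformationGroups, both beyond what the diff shows.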
Expand Up @@ -10,6 +10,13 @@ Class MSFT_SCDLPSensitiveInformation
[Write, Description("Maximum Count value for the Sensitive Information")] String maxcount;
};
[ClassVersion("1.0.0")]
Class MSFT_SCDLPLabel
{
[Required, Description("Name of the Sensitive Label")] String name;
[Write, Description("Id of the Sensitive Information label")] String id;
[Write, Description("Type of the Sensitive Information label")] String type;
};
[ClassVersion("1.0.0")]
Class MSFT_SCDLPContainsSensitiveInformationGroup
{
[Required, Description("Sensitive Information Content Types"),EmbeddedInstance("MSFT_SCDLPSensitiveInformation")] String SensitiveInformation[];
Expand All @@ -20,6 +27,7 @@ Class MSFT_SCDLPContainsSensitiveInformationGroup
Class MSFT_SCDLPContainsSensitiveInformation
{
[Write, Description("Sensitive Information Content Types"),EmbeddedInstance("MSFT_SCDLPSensitiveInformation")] String SensitiveInformation[];
[Write, Description("Sensitive Information Labels"),EmbeddedInstance("MSFT_SCDLPLabel")] String Labels[];
[Write, Description("Groups of sensitive information types."),EmbeddedInstance("MSFT_SCDLPContainsSensitiveInformationGroup")] String Groups[];
[Write, Description("Operator"),ValueMap{"And","Or"}, Values{"And","Or"}] String Operator;
};
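Review bot: `SensitiveInformation[]` in MSFT_SCDLPContainsSensitiveInformationGroup is still marked `[Required]`, yet the PowerShell side now emits a group without it whenever `$group.sensitivetypes` is null (a labels-only group), so such an exported configuration will fail MOF compilation; change it to `[Write, Description("Sensitive Information Content Types"),EmbeddedInstance("MSFT_SCDLPSensitiveInformation")] String SensitiveInformation[];` alongside the new optional Labels. `Labels[]` is added only to MSFT_SCDLPContainsSensitiveInformation, while ConvertTo-SCDLPSensitiveInformationStringGroup writes `labels = @(` inside the group instance; unless the group class already declares it in the lines this hunk hides, the same property needs adding there too. `type` is a free-form string here; if the service accepts only a fixed set of label types a `ValueMap{...}` would catch typos at compile time, but the set cannot be confirmed from this diff. The body of MSFT_SCDLPContainsSensitiveInformationGroup is cut at the hunk boundary.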