Fixes ORCA242

Zacgoose · Zacgoose · commit 28ba94b43709 · 2026-06-11T01:17:33.000+08:00
diff --git a/Config/CIPPDBCacheTypes.json b/Config/CIPPDBCacheTypes.json
@@ -249,6 +249,11 @@
     "friendlyName": "Exchange Inbound Connectors",
     "description": "Exchange Online inbound connectors (includes enhanced filtering settings)"
   },
+  {
+    "type": "ExoProtectionAlert",
+    "friendlyName": "Exchange Protection Alerts",
+    "description": "Microsoft 365 protection alert policies (Security & Compliance endpoint)"
+  },
   {
     "type": "Mailboxes",
     "friendlyName": "Mailboxes",
diff --git a/Modules/CIPPCore/Public/Invoke-CIPPDBCacheCollection.ps1 b/Modules/CIPPCore/Public/Invoke-CIPPDBCacheCollection.ps1
@@ -88,6 +88,7 @@ function Invoke-CIPPDBCacheCollection {
             'ExoPresetSecurityPolicy'
             'ExoTenantAllowBlockList'
             'ExoInboundConnector'
+            'ExoProtectionAlert'
             'OwaMailboxPolicy'
             'ReportSubmissionPolicy'
             'ExoTransportConfig'
diff --git a/Modules/CIPPDB/Public/DBCache/Set-CIPPDBCacheExoProtectionAlert.ps1 b/Modules/CIPPDB/Public/DBCache/Set-CIPPDBCacheExoProtectionAlert.ps1
@@ -0,0 +1,36 @@
+function Set-CIPPDBCacheExoProtectionAlert {
+    <#
+    .SYNOPSIS
+        Caches Exchange Online / Purview protection alert policies
+
+    .DESCRIPTION
+        Calls Get-ProtectionAlert via the Security & Compliance PowerShell endpoint
+        (requires the -Compliance switch on New-ExoRequest).
+
+    .PARAMETER TenantFilter
+        The tenant to cache protection alert data for
+
+    .PARAMETER QueueId
+        The queue ID to update with total tasks (optional)
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter,
+        [string]$QueueId
+    )
+
+    try {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching Exchange protection alerts' -sev Debug
+
+        $ProtectionAlerts = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Get-ProtectionAlert' -Compliance
+        if ($ProtectionAlerts) {
+            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'ExoProtectionAlert' -Data $ProtectionAlerts -AddCount
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Cached $($ProtectionAlerts.Count) protection alerts" -sev Debug
+        }
+        $ProtectionAlerts = $null
+
+    } catch {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Failed to cache protection alert data: $($_.Exception.Message)" -sev Error
+    }
+}
diff --git a/Modules/CIPPTests/Public/Tests/ORCA/Identity/Invoke-CippTestORCA242.ps1 b/Modules/CIPPTests/Public/Tests/ORCA/Identity/Invoke-CippTestORCA242.ps1
@@ -6,19 +6,68 @@ function Invoke-CippTestORCA242 {
     param($Tenant)
 
     try {
-        # This test would check for alert policies related to ATP/Defender for Office 365
-        # Since we don't have an alert policy cache, we'll provide informational guidance
-
-        $Status = 'Informational'
-        $Result = [System.Text.StringBuilder]::new("Alert policies for protection features should be enabled and monitored.`n`n")
-        $null = $Result.Append("**Recommended Alert Policies:**`n`n")
-        $null = $Result.Append("- Messages reported by users as malware or phish`n")
-        $null = $Result.Append("- Email sending limit exceeded`n")
-        $null = $Result.Append("- Suspicious email forwarding activity`n")
-        $null = $Result.Append("- Malware campaign detected`n")
-        $null = $Result.Append("- Suspicious connector activity`n")
-        $null = $Result.Append("- Unusual external user file activity`n")
-        $null = $Result.Append("`n**Action Required:** Verify alert policies are configured in Microsoft 365 Security & Compliance Center")
+        $Alerts = Get-CIPPTestData -TenantFilter $Tenant -Type 'ExoProtectionAlert'
+
+        if (-not $Alerts) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ORCA242' -TestType 'Identity' -Status 'Skipped' -ResultMarkdown 'No protection alert data found. This may be due to missing required licenses or data collection not yet completed.' -Risk 'Medium' -Name 'Important protection alerts enabled' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Configuration'
+            return
+        }
+
+        # ORCA-242: alerts that drive Automated Incident Response (AIR).
+        # Alerts not present in the tenant are skipped (Microsoft hasn't deployed them).
+        $ImportantAlerts = @(
+            'A potentially malicious URL click was detected'
+            'Teams message reported by user as security risk'
+            'Email messages containing phish URLs removed after delivery'
+            'Suspicious Email Forwarding Activity'
+            'Malware not zapped because ZAP is disabled'
+            'Phish delivered due to an ETR override'
+            'Email messages containing malicious file removed after delivery'
+            'Email reported by user as malware or phish'
+            'Email messages containing malicious URL removed after delivery'
+            'Email messages containing malware removed after delivery'
+            'A user clicked through to a potentially malicious URL'
+            'Email messages from a campaign removed after delivery'
+            'Email messages removed after delivery'
+            'Suspicious email sending patterns detected'
+        )
+
+        $FailedAlerts = [System.Collections.Generic.List[object]]::new()
+        $PassedAlerts = [System.Collections.Generic.List[object]]::new()
+
+        foreach ($AlertName in $ImportantAlerts) {
+            $Found = $Alerts | Where-Object { $_.Name -eq $AlertName } | Select-Object -First 1
+            if ($null -eq $Found) { continue }
+
+            if ($Found.Disabled -eq $true) {
+                $FailedAlerts.Add($Found) | Out-Null
+            } else {
+                $PassedAlerts.Add($Found) | Out-Null
+            }
+        }
+
+        if ($FailedAlerts.Count -eq 0 -and $PassedAlerts.Count -eq 0) {
+            $Status = 'Skipped'
+            $Result = [System.Text.StringBuilder]::new('None of the AIR-related protection alerts are deployed to this tenant. This may indicate missing Defender for Office 365 licensing.')
+        } elseif ($FailedAlerts.Count -eq 0) {
+            $Status = 'Passed'
+            $Result = [System.Text.StringBuilder]::new("All AIR-related protection alerts deployed to this tenant are enabled.`n`n")
+            $null = $Result.Append("**Enabled Alerts:** $($PassedAlerts.Count)`n`n")
+            $null = $Result.Append("| Alert Name |`n|------------|`n")
+            foreach ($Alert in $PassedAlerts) {
+                $null = $Result.Append("| $($Alert.Name) |`n")
+            }
+        } else {
+            $Status = 'Failed'
+            $Result = [System.Text.StringBuilder]::new("$($FailedAlerts.Count) AIR-related protection alerts are disabled.`n`n")
+            $null = $Result.Append("**Disabled:** $($FailedAlerts.Count) | **Enabled:** $($PassedAlerts.Count)`n`n")
+            $null = $Result.Append("### Disabled Alerts`n`n")
+            $null = $Result.Append("| Alert Name | Disabled |`n|------------|----------|`n")
+            foreach ($Alert in $FailedAlerts) {
+                $null = $Result.Append("| $($Alert.Name) | $($Alert.Disabled) |`n")
+            }
+            $null = $Result.Append("`n**Remediation:** Re-enable these alert policies. Automated Incident Response (AIR) triggers from them and cannot function correctly when they are disabled.")
+        }
 
         Add-CippTestResult -TenantFilter $Tenant -TestId 'ORCA242' -TestType 'Identity' -Status $Status -ResultMarkdown $Result -Risk 'Medium' -Name 'Important protection alerts enabled' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Configuration'
 
