Advanced Threat Protection via PowerShell

Posted on Posted in Advanced Threat Protection, ATP, EOP, exchange online, Exchange Online Protection, IAmMEC, Office 365, Safe Attachments, Safe Links

I discussed the newly released Advanced Threat Protection product in Office 365 on my blog, and in this article I want to outline the cmdlets that can be used to set this product up from Remote PowerShell to Office 365.

To connect to Office 365 via PowerShell take a search on your favourite search engine – there are lots and lots of articles on doing this. Once you have a connection to Exchange Online and you have purchased the Exchange Online Advanced Threat Protection product, you can use PowerShell to do your administration and report gathering.

The cmdlets you can use are for Safe Links are:

Disable-SafeLinksRule
Enable-SafeLinksRule
Get-SafeLinksPolicy
Get-SafeLinksRule
New-SafeLinksPolicy
New-SafeLinksRule
Remove-SafeLinksPolicy
Remove-SafeLinksRule
Set-SafeLinksPolicy
Set-SafeLinksRule

And the cmdlets you can use for Safe Attachments are:

Disable-SafeAttachmentRule
Enable-SafeAttachmentRule
Get-SafeAttachmentPolicy
Get-SafeAttachmentRule
New-SafeAttachmentPolicy
New-SafeAttachmentRule
Remove-SafeAttachmentPolicy
Remove-SafeAttachmentRule
Set-SafeAttachmentPolicy
Set-SafeAttachmentRule

And for reporting, you can run Get-AdvancedThreatProtectionTrafficReport to report on the number of attachments blocked and the type of notification sent when looking at Safe Attachments. Get-UrlTrace does the same report for Safe Links.

The cmdlet *-SafeLinksPolicy and *-SafeAttachmentPolicy controls the policy. Every rule needs to be associated with a policy and so a policy needs creating first:

New-SafeLinksPolicy “Protect C7 Solutions Users”

Will create a Safe Link policy with the default settings. This includes no URL tracking, no click through and is not enabled. A better start might be

New-SafeLinksPolicy “Protect C7 Solutions Users” -TrackClicks $true -IsEnabled $true -AllowClickThrough $false

Once a policy is created, a rule can be added to that policy. The *-SafeLinksRule and *-SafeAttachmentRule cmdlets control this in the shell. You can only have one rule per policy. An example cmdlet to create a rule would be:

New-SafeLinksRule “Protect C7 Solutions Users” -SafeLinksPolicy “Protect C7 Solutions Users” -RecipientDomainIs “c7solutions.com” -Enabled $true

Note that the –SafeLinksPolicy value matches that of the name of the previously created policy when making the rule.

To create a Safe Attachment policy and rule that protect all users by blocking malicious attachments and sending a report to an external mailbox you could use:

New-SafeAttachmentPolicy “Protect C7 Solutions Users” -Enable $true -Redirect $true -RedirectAddress brian@contoso.com –Action Block

New-SafeAttachmentRule “Protect C7 Solutions Users” -RecipientDomainIs “c7solutions.com” -SafeAttachmentPolicy “Protect C7 Solutions Users” -Enabled $true

The other cmdlets are self explanatory with regard to Enable- and Disable- and Set- and Remove-. The advantage of using PowerShell to administer Safe Links and Safe Attachments is you can set up a policy in a lab and then copy it to a production environment or enable the same policy on many different tenants if you are a Microsoft Partner with customers interested in this advanced protection of their mailbox.

3 thoughts on “Advanced Threat Protection via PowerShell

  1. Must you create a rule if you create the policy? It looks as though the policy is giving a good protection as-is.

    1. Creating a policy creates one rule inside the policy. The structure of the item in the shell is a policy containing a rule. Do this in the GUI and you do not see this distinction, but you need a policy and a rule and need to make both if going via a script. There was a point, and might still exist, where if the rule and policy did not have the same name it would not work either.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.