← Back to Microsoft Defender for Endpoint Security Technical Implementation Guide

V-272889

CAT I (High)

Microsoft Defender for Endpoint (MDE) must be connected to a central log server.

Rule ID

SV-272889r1119412_rule

STIG

Microsoft Defender for Endpoint Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-001851 CCI-000174 CCI-000139 CCI-001348 CCI-001876 CCI-001851 CCI-003821

Discussion

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Satisfies: SRG-APP-000515, SRG-APP-000086, SRG-APP-000108, SRG-APP-000125, SRG-APP-000181, SRG-APP-000358, SRG-APP-000745

Check Content

Access the MDE portal as a user with at least an MDE Administrator or equivalent role:

1. In the navigation pane, select Settings >> Microsoft Sentinel.
2. Under "Workspaces", verify a Sentinel Workspace has been assigned. 

If a Sentinel Workspace has not been assigned, this is a finding.

If another documented and authorizing official (AO)-approved SIEM/Central Log Server is in use, this is not a finding.

Fix Text

Access the MDE portal as a user with at least an MDE Administrator or equivalent role:

1. In the MDE portal select Settings >> Microsoft Sentinel.
2. Under Workspaces connect a Sentinel Workspace.