| Vuln ID | Severity | Rule Title | Discussion |
| --- | --- | --- | --- |
| V-272889 | high | Microsoft Defender for Endpoint (MDE) must be connected to a central log server. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration.<br>Off-loading is a common process in information systems with limited audit storage capacity.<br>Satisfies: SRG-APP-000515, SRG-APP-000086, SRG-APP-000108, SRG-APP-000125, SRG-APP-000181, SRG-APP-000358, SRG-APP-000745 |
| V-272882 | medium | Microsoft Defender for Endpoint (MDE) must alert administrators on policy violations defined for endpoints. | Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated.<br>Applications providing this capability must be able to perform actions in response to detected malware. Responses include blocking, quarantining, deleting, and alerting. Other technology- or organization-specific responses may also be employed to satisfy this requirement.<br>Malicious code includes viruses, worms, Trojan horses, and spyware.<br>This requirement applies to applications providing malicious code protection.<br>Satisfies: SRG-APP-000207, SRG-APP-000279, SRG-APP-000464, SRG-APP-000471, SRG-APP-000485, SRG-APP-000940 |
| V-272886 | medium | Roles for use with Microsoft Defender for Endpoint (MDE) must be configured within Entra ID. | Application management functionality includes functions necessary for administration and requires privileged user access. Allowing nonprivileged users to access application management functionality increases the risk that nonprivileged users may obtain elevated privileges.<br>Using role-based access control (RBAC), roles and groups can be created within the security operations team to grant appropriate access to the MDE portal. The roles and groups created give fine-grained control over what users with access to the portal can view and do.<br>Creation of Entra ID roles is a prerequisite to configuring RBAC within the MDE portal itself.<br>Defender for Endpoint RBAC is designed to support a role-based model and provides granular control over what roles can view, which devices they can access, and which actions they can take. The RBAC framework is centered around the following controls:<br>- Control who can take specific actions.<br>- Create custom roles and control, with granularity, which Defender for Endpoint capabilities they can access.<br>- Control who can view information on a specific device group or groups.<br>Satisfies: SRG-APP-000211, SRG-APP-000267 |
| V-272887 | medium | Microsoft Defender for Endpoint (MDE) must be configured for a least privilege model by implementing Unified Role-Based Access Control (RBAC). | When first accessing the Microsoft Defender portal, either full access or read-only access is granted. Full access rights are granted to users with the Security Administrator (or equivalent) role in Microsoft Entra ID. Read-only access is granted to users with a Security Reader (or equivalent) role in Microsoft Entra ID.<br>The permission tiers available to assign to custom roles are as follows:<br>View data:<br>- Security Operations - View all security operations data in the portal.<br>- Defender Vulnerability Management - View Defender Vulnerability Management data in the portal.<br>Active remediation actions:<br>- Security Operations - Take response actions, approve or dismiss pending remediation actions, and manage allowed/blocked lists for automation and indicators.<br>- Defender Vulnerability Management - Exception handling: Create new exceptions and manage active exceptions.<br>- Defender Vulnerability Management - Remediation handling: Submit new remediation requests, create tickets, and manage existing remediation activities.<br>- Defender Vulnerability Management - Application handling: Apply immediate mitigation actions by blocking vulnerable applications as part of the remediation activity, and manage blocked apps and perform unblock actions.<br>Security baselines:<br>- Defender Vulnerability Management - Manage security baselines assessment profiles: Create and manage profiles so users can assess whether devices comply with security industry baselines.<br>Alerts investigation:<br>- Manage alerts, initiate automated investigations, run scans, collect investigation packages, manage device tags, and download only portable executable (PE) files.<br>Manage portal system settings:<br>- Configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles, and device groups.<br>Satisfies: SRG-APP-000211, SRG-APP-000267 |
| V-272888 | medium | Microsoft Defender for Endpoint (MDE) must enable Endpoint Detection and Response (EDR) in block mode. | Denial of service (DoS) is a condition in which a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.<br>Individuals of concern can include hostile insiders or external adversaries that have successfully breached the information system and are using the system as a platform to launch cyberattacks on third parties.<br>Applications and application developers must take the steps needed to ensure users cannot use an authorized application to launch DoS attacks against other systems and networks. For example, applications may include mechanisms that throttle network traffic so users are not able to generate unlimited network traffic via the application. Limiting system resources allocated to any user to a bare minimum may also reduce the ability of users to launch some DoS attacks.<br>The methods employed to counter this risk depend on the application layer methods that can be used to exploit it.<br>Satisfies: SRG-APP-000246, SRG-APP-000435 |
| V-275979 | medium | Microsoft Defender for Endpoint (MDE) must enable Automatically Resolve Alerts. | Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated.<br>This setting resolves an alert if automated investigation finds no threats or has successfully remediated all malicious artifacts. |
| V-275980 | medium | Microsoft Defender for Endpoint (MDE) must enable Allow or block file. | Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated.<br>This setting ensures Windows Defender Antivirus is turned on and the cloud-based protection feature is enabled to use the allow or block file feature. |
| V-275981 | medium | Microsoft Defender for Endpoint (MDE) must enable Hide potential duplicate device records. | Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated.<br>When turned on, this setting will hide duplications that might occur for the following reasons:<br>- Devices that were discovered more than once.<br>- Discovery of onboarded devices.<br>- Unintentionally discovered onboarded devices.<br>These duplications will be hidden from multiple experiences in the portal to create a more accurate view of the device inventory. The affected areas in the portal include the Device Inventory, Microsoft Defender Vulnerability Management screens, and Public API for machines data. These devices will still be viewable in global search, advanced hunting, and alert and incidents pages. |
| V-275982 | medium | Microsoft Defender for Endpoint (MDE) must enable Custom network indicators. | Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated.<br>This setting configures devices to allow or block connections to IP addresses, domains, or URLs in custom indicator lists. |
| V-275983 | medium | Microsoft Defender for Endpoint (MDE) must enable Tamper protection. | Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated.<br>Tamper protection prevents malicious apps from turning off security features such as virus and threat protection, behavior monitoring, and cloud-delivered protection, preventing unwanted changes to security solutions and essential functions. |
| V-275984 | medium | Microsoft Defender for Endpoint (MDE) must enable Show user details. | Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated.<br>This setting displays user details (picture, name, title, and department) stored in Azure Active Directory. |
| V-275985 | medium | Microsoft Defender for Endpoint (MDE) must enable Microsoft Defender for Cloud Apps. | Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated.<br>This setting forwards Microsoft Defender for Endpoint signals to Defender for Cloud Apps, giving administrators deeper visibility into both sanctioned cloud apps and shadow IT. It also grants the ability to block unauthorized applications when the custom network indicators setting is turned on. Forwarded data is stored and processed in the same location as Cloud App Security data. |
| V-275986 | medium | Microsoft Defender for Endpoint (MDE) must enable Web content filtering. | Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated.<br>This setting blocks access to websites containing unwanted content and tracks web activity across all domains. To specify the web content categories to be blocked, a web content filtering policy must be created. Network protection must be set to block mode when deploying the Microsoft Defender for Endpoint security baseline. |
| V-275987 | medium | Microsoft Defender for Endpoint (MDE) must enable Device discovery. | Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated.<br>This setting allows onboarded devices to discover unmanaged devices in the network and assess vulnerabilities and risks. |
| V-275988 | medium | Microsoft Defender for Endpoint (MDE) must enable Download quarantined files. | Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated.<br>This setting backs up quarantined files in a secure and compliant location so they can be downloaded directly from quarantine. |
| V-275989 | medium | Microsoft Defender for Endpoint (MDE) must enable Live Response. | Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated.<br>This setting allows users with appropriate RBAC permissions to investigate devices they are authorized to access, using a remote shell connection. |
| V-275990 | medium | Microsoft Defender for Endpoint (MDE) must enable Live Response for Servers. | Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated.<br>This setting allows users with Live Response privileges to connect remotely to servers (Windows Server or Linux devices) they are authorized to access. |
| V-275991 | medium | Microsoft Defender for Endpoint (MDE) must enable Share endpoint alerts with Microsoft Compliance Center. | Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated.<br>This setting forwards endpoint security alerts and their triage status to the Microsoft Purview portal, enhancing insider risk management policies with alerts and providing the ability to remediate internal risks before they cause harm. Forwarded data is processed and stored in the same location as Office 365 data. |
| V-275992 | medium | Microsoft Defender for Endpoint (MDE) must enable Microsoft Intune connection. | Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated.<br>Connecting to Microsoft Intune enables sharing of device information and enhanced policy enforcement.<br>Intune provides additional information about managed devices for secure score. It can use risk information to enforce conditional access and other security policies. |
| V-275993 | medium | Microsoft Defender for Endpoint (MDE) must enable Authenticated telemetry. | Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated.<br>The authenticated telemetry setting prevents spoofed telemetry from being injected into the dashboard. |
| V-275994 | medium | Microsoft Defender for Endpoint (MDE) must enable File Content Analysis. | Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated.<br>Content analysis submits suspicious files identified by Automated investigation to the cloud for additional inspection. Only files with the specified extension names will be submitted. |
| V-275995 | medium | Microsoft Defender for Endpoint (MDE) must enable Memory Content Analysis. | Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated.<br>This setting automatically investigates the memory content of processes. When enabled, memory content can be uploaded to MDE during an Automated investigation. |
| V-275996 | medium | Microsoft Defender for Endpoint (MDE) Discovery Mode must enable Log4j2 detection. | Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated.<br>This setting detects devices with applications using the vulnerable Log4j2 library through unauthenticated probing. This option will also enable discovery using Server 2019+ onboarded devices. |
| V-275997 | medium | Microsoft Defender for Endpoint (MDE) Discovery Mode must be set to All Devices. | Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated.<br>This setting enables standard discovery for supported devices that have been onboarded. |
| V-275998 | medium | Microsoft Defender for Endpoint (MDE) must enable Full remediation for Device groups. | Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated.<br>Full remediation is necessary to automatically investigate and remediate devices without human intervention, which lowers SOC fatigue. It is also required for Attack Disruption. |