Microsoft Defender for Endpoint (MDE) must alert administrators on policy violations defined for endpoints.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-272882	SRG-APP-000207	MSDE-00-000100	SV-272882r1119408_rule	2025-07-15	1

Description
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Applications providing this capability must be able to perform actions in response to detected malware. Responses include blocking, quarantining, deleting, and alerting. Other technology- or organization-specific responses may also be employed to satisfy this requirement. Malicious code includes viruses, worms, Trojan horses, and spyware. This requirement applies to applications providing malicious code protection. Satisfies: SRG-APP-000207, SRG-APP-000279, SRG-APP-000464, SRG-APP-000471, SRG-APP-000485, SRG-APP-000940

Description

Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Applications providing this capability must be able to perform actions in response to detected malware. Responses include blocking, quarantining, deleting, and alerting. Other technology- or organization-specific responses may also be employed to satisfy this requirement. Malicious code includes viruses, worms, Trojan horses, and spyware. This requirement applies to applications providing malicious code protection. Satisfies: SRG-APP-000207, SRG-APP-000279, SRG-APP-000464, SRG-APP-000471, SRG-APP-000485, SRG-APP-000940

ℹ️ Check
Access the MDE portal as a user with at least a Security Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Email notifications (under General) >> Alerts. 2. For each defined Notification rule: - Click on the rule and select "Edit" to enter the "Update notification rule" screen. - Verify the notification settings are configured as defined by the authorizing official (AO). - Verify the Recipient Emails are assigned as defined by the AO. 3. Click "Cancel". 4. In the navigation pane, select Settings >> Endpoints >> Email notifications (under General) >> Vulnerabilities. 5. For each defined notification rule: - Click on the rule and select "Edit" to enter the "Update notification rule" screen. - Verify the notification settings are configured as defined by the AO. - Verify the Recipient Emails are assigned as defined by the AO. 6. Click "Cancel". If Settings >> Endpoints >> Email notifications (under Permissions) >> Alerts does not display rules as defined by the AO, this is a finding. If Settings >> Endpoints >> Email notifications (under Permissions) >> Vulnerabilities does not display rules as defined by the AO, this is a finding. When selecting each rule individually, if the Notification Settings and Recipient Emails are not as defined by the AO, this is a finding.

ℹ️ Check

Access the MDE portal as a user with at least a Security Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Email notifications (under General) >> Alerts. 2. For each defined Notification rule: - Click on the rule and select "Edit" to enter the "Update notification rule" screen. - Verify the notification settings are configured as defined by the authorizing official (AO). - Verify the Recipient Emails are assigned as defined by the AO. 3. Click "Cancel". 4. In the navigation pane, select Settings >> Endpoints >> Email notifications (under General) >> Vulnerabilities. 5. For each defined notification rule: - Click on the rule and select "Edit" to enter the "Update notification rule" screen. - Verify the notification settings are configured as defined by the AO. - Verify the Recipient Emails are assigned as defined by the AO. 6. Click "Cancel". If Settings >> Endpoints >> Email notifications (under Permissions) >> Alerts does not display rules as defined by the AO, this is a finding. If Settings >> Endpoints >> Email notifications (under Permissions) >> Vulnerabilities does not display rules as defined by the AO, this is a finding. When selecting each rule individually, if the Notification Settings and Recipient Emails are not as defined by the AO, this is a finding.

✔️ Fix
Access the MDE portal as a user with at least a Security Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Email notifications (under General) >> Alerts. 2. Click "+Add notification rule". 3. Enter Name, Notification settings, and Recipients as defined by the AO. 4. Click "Save". Repeat as necessary. 5. In the navigation pane, select Settings >> Endpoints >> Email notifications (under General) >> Vulnerabilities. 6. Click "+Add notification rule". 7. Enter Name, Notification settings, and Recipients as defined by the AO. 8. Click "Save". Repeat as necessary.

✔️ Fix

Access the MDE portal as a user with at least a Security Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Email notifications (under General) >> Alerts. 2. Click "+Add notification rule". 3. Enter Name, Notification settings, and Recipients as defined by the AO. 4. Click "Save". Repeat as necessary. 5. In the navigation pane, select Settings >> Endpoints >> Email notifications (under General) >> Vulnerabilities. 6. Click "+Add notification rule". 7. Enter Name, Notification settings, and Recipients as defined by the AO. 8. Click "Save". Repeat as necessary.