Microsoft Defender for Endpoint (MDE) must be connected to a central log server.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| high | V-272889 | SRG-APP-000515 | MSDE-00-000450 | SV-272889r1119412_rule | 2025-11-25 | 1 |
Description
Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information systems with limited audit storage capacity.
Satisfies: SRG-APP-000515, SRG-APP-000086, SRG-APP-000108, SRG-APP-000125, SRG-APP-000181, SRG-APP-000358, SRG-APP-000745
ℹ️ Check
Access the MDE portal as a user with at least an MDE Administrator or equivalent role:
1. In the navigation pane, select Settings >> Microsoft Sentinel.
2. Under "Workspaces", verify a Sentinel Workspace has been assigned.
If a Sentinel Workspace has not been assigned, this is a finding.
If another documented and authorizing official (AO)-approved SIEM/Central Log Server is in use, this is not a finding.
✔️ Fix
Access the MDE portal as a user with at least an MDE Administrator or equivalent role:
1. In the MDE portal select Settings >> Microsoft Sentinel.
2. Under Workspaces connect a Sentinel Workspace.