Microsoft Defender for Endpoint (MDE) must be connected to a central log server.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| high | V-272889 | SRG-APP-000515 | MSDE-00-000450 | SV-272889r1119412_rule | 2025-11-25 | 1 |
| Description |
|---|
| Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Satisfies: SRG-APP-000515, SRG-APP-000086, SRG-APP-000108, SRG-APP-000125, SRG-APP-000181, SRG-APP-000358, SRG-APP-000745 |
| ℹ️ Check |
|---|
| Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Microsoft Sentinel. 2. Under "Workspaces", verify a Sentinel Workspace has been assigned. If a Sentinel Workspace has not been assigned, this is a finding. If another documented and authorizing official (AO)-approved SIEM/Central Log Server is in use, this is not a finding. |
| ✔️ Fix |
|---|
| Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the MDE portal, select Settings >> Microsoft Sentinel. 2. Under "Workspaces", connect a Sentinel Workspace. |
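Assigning the workspace only establishes the connection; the check a practitioner also wants is that device telemetry is actually arriving in Sentinel. The query below is an added example (not part of the STIG and not Microsoft's own content) and assumes the Microsoft Defender XDR data connector is streaming the DeviceInfo table into the assigned workspace; the 60-minute threshold is an assumed value.

```kusto
// Added example: flag onboarded devices whose telemetry has stopped reaching
// the Sentinel workspace. Assumes DeviceInfo is populated by the Defender XDR
// connector; the 60-minute silence threshold is an assumed, tunable value.
let SilenceThresholdMinutes = 60;
DeviceInfo
| summarize LastSeen = max(TimeGenerated) by DeviceName, DeviceId
| extend SilentMinutes = datetime_diff('minute', now(), LastSeen)
| where SilentMinutes > SilenceThresholdMinutes
| project DeviceName, DeviceId, LastSeen, SilentMinutes
| order by SilentMinutes desc
```

An empty result across a populated DeviceInfo table indicates the forwarding path is healthy; a workspace where DeviceInfo itself returns no rows at all suggests the connector, not an individual device, is the problem.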