Check: MSDE-00-001000
Microsoft Defender for Endpoint STIG:
MSDE-00-001000
(in version v1 r1)
Title
Microsoft Defender for Endpoint (MDE) must enable Live Response. (Cat II impact)
Discussion
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. This setting allows users with appropriate RBAC permissions to investigate devices they are authorized to access, using a remote shell connection.
Check Content
Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Verify the slide bar for "Live Response" is set to "On". If the slide bar for "Live Response" is not set to "On", this is a finding.
Fix Text
Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Set the slide bar for "Live Response" to "On".
Additional Identifiers
Rule ID: SV-275989r1119719_rule
Vulnerability ID: V-275989
Group Title: SRG-APP-000279
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001243 |
Configure malicious code protection mechanisms to block malicious code; quarantine malicious code; and/or take organization-defined action(s) in response to malicious code detection. |
Controls
| Number | Title |
|---|---|
| SI-3 |
Malicious Code Protection |