Check: MSDE-00-000100
Microsoft Defender for Endpoint STIG:
MSDE-00-000100
(in version v1 r0.1)
Title
Microsoft Defender Endpoint (MDE) must alert administrators on policy violations defined for endpoints. (Cat II impact)
Discussion
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Applications providing this capability must be able to perform actions in response to detected malware. Responses include blocking, quarantining, deleting, and alerting. Other technology- or organization-specific responses may also be employed to satisfy this requirement. Malicious code includes viruses, worms, Trojan horses, and spyware. This requirement applies to applications providing malicious code protection. Satisfies: SRG-APP-000207, SRG-APP-000279, SRG-APP-000464, SRG-APP-000471, SRG-APP-000485, SRG-APP-000940
Check Content
Access the MDE portal as a user with at least a Security Administrator or equivalent role:

1. In the navigation pane, select Settings >> Endpoints >> Email notifications (under General) >> Alerts.
2. For each defined Notification rule:
   - Click on the rule and select "Edit" to enter the "Update notification rule" screen.
   - Verify the notification settings are configured as defined by the authorizing official (AO).
   - Verify the Recipient Emails are assigned as defined by the AO.
3. Click "Cancel".
4. In the navigation pane, select Settings >> Endpoints >> Email notifications (under General) >> Vulnerabilities.
5. For each defined notification rule:
   - Click on the rule and select "Edit" to enter the "Update notification rule" screen.
   - Verify the notification settings are configured as defined by the AO.
   - Verify the Recipient Emails are assigned as defined by the AO.
6. Click "Cancel".

If Settings >> Endpoints >> Email notifications (under Permissions) >> Alerts does not display rules as defined by the AO, this is a finding.

If Settings >> Endpoints >> Email notifications (under Permissions) >> Vulnerabilities does not display rules as defined by the AO, this is a finding.

When selecting each rule individually, if the Notification Settings and Recipient Emails are not as defined by the AO, this is a finding.
Fix Text
Access the MDE portal as a user with at least a Security Administrator or equivalent role:

1. In the navigation pane, select Settings >> Endpoints >> Email notifications (under General) >> Alerts.
2. Click "+Add notification rule".
3. Enter Name, Notification settings, and Recipients as defined by the AO.
4. Click "Save". Repeat as necessary.
5. In the navigation pane, select Settings >> Endpoints >> Email notifications (under General) >> Vulnerabilities.
6. Click "+Add notification rule".
7. Enter Name, Notification settings, and Recipients as defined by the AO.
8. Click "Save". Repeat as necessary.
Additional Identifiers
Rule ID: SV-272882r1085690_rule
Vulnerability ID: V-272882
Group Title: SRG-APP-000207
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001243 | Configure malicious code protection mechanisms to block malicious code; quarantine malicious code; and/or take organization-defined action(s) in response to malicious code detection. |
| CCI-001662 | Take organization-defined corrective action when organization-defined unacceptable mobile code is identified. |
| CCI-002664 | Alert organization-defined personnel or roles when organization-defined compromise indicators generate the occurrence of a compromise or a potential compromise. |
| CCI-002684 | Audit and/or alert organization-defined personnel when unauthorized network services are detected. |
| CCI-002724 | Upon detection of a potential integrity violation, initiate one or more of the following actions: generate an audit record; alert the current user; alert organization-defined personnel or roles; and/or organization-defined other actions. |
| CCI-004966 | Configure malicious code protection mechanisms to send alerts to organization-defined personnel in response to malicious code detection. |
Controls
| Number | Title |
|---|---|
| SC-18(1) | Identify Unacceptable Code / Take Corrective Actions |
| SI-3 | Malicious Code Protection |
| SI-4(5) | System-generated Alerts |
| SI-4(22) | Unauthorized Network Services |
| SI-7(8) | Auditing Capability for Significant Events |