Check: MSDE-00-000450
Microsoft Defender for Endpoint STIG: MSDE-00-000450 (in version v1 r0.1)
Title
Microsoft Defender Endpoint (MDE) must be connected to a central log server. (Cat I impact)
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity.
Satisfies: SRG-APP-000515, SRG-APP-000086, SRG-APP-000108, SRG-APP-000125, SRG-APP-000181, SRG-APP-000358, SRG-APP-000745
Check Content
Access the MDE portal as a user with at least a Security Administrator or equivalent role:
1. In the navigation pane, select Settings >> Microsoft Sentinel.
2. Under "Workspaces", verify a Sentinel Workspace has been assigned.
If a Sentinel Workspace has not been assigned, this is a finding.
If another documented and authorizing official (AO)-approved SIEM/Central Log Server is in use, this is not a finding.
Fix Text
1. In the MDE portal, select Settings >> Microsoft Sentinel.
2. Under "Workspaces", connect a Sentinel Workspace.
Additional Identifiers
Rule ID: SV-272889r1085707_rule
Vulnerability ID: V-272889
Group Title: SRG-APP-000515
CCIs
Number | Definition
---|---
CCI-000139 | Alert organization-defined personnel or roles within an organization-defined time period in the event of an audit logging process failure.
CCI-000174 | Compile audit records from organization-defined information system components into a system-wide (logical or physical) audit trail that is time-correlated to within an organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail.
CCI-001348 | Store audit records on an organization-defined frequency in a repository that is part of a physically different system or system component than the system or component being audited.
CCI-001851 | Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging.
CCI-001876 | Provide an audit reduction capability that supports on-demand reporting requirements.
CCI-003821 | Implement the capability to centrally review and analyze audit records from multiple components within the system.
Controls
Number | Title
---|---
AU-4(1) | Transfer to Alternate Storage
AU-5 | Response to Audit Processing Failures
AU-7 | Audit Reduction and Report Generation
AU-9(2) | Audit Backup On Separate Physical Systems / Components
AU-12(1) | System-wide / Time-correlated Audit Trail