Microsoft Defender for Endpoint Security Technical Implementation Guide

  • Version/Release: V1R0.1
  • Published: 2025-03-18
  • Released: 2025-03-20

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Microsoft Defender Endpoint (MDE) must enable Defender Firewall.
CM-7 - Medium - CCI-000382 - V-272880 - SV-272880r1085684_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
MSDE-00-000001
Vuln IDs
  • V-272880
Rule IDs
  • SV-272880r1085684_rule
Authenticity protection provides protection against man-in-the-middle attacks, session hijacking, and the insertion of false information into sessions. Application communication sessions are protected using transport encryption protocols, such as TLS, which give web applications a means to authenticate user sessions and encrypt application traffic. Session authentication can be single (one-way) or mutual (two-way). Single authentication authenticates the server to the client, whereas mutual authentication provides a means for both the client and the server to authenticate each other. This requirement applies to applications that use communications sessions, including, but not limited to, web-based applications and service-oriented architectures (SOAs). It addresses communications protection at the application session rather than the network packet, and establishes grounds for confidence at both ends of a communications session in the ongoing identities of the other parties and in the validity of the information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of TLS mutual authentication (two-way/bidirectional).
Checks: C-76971r1085682_chk

Access the MDE portal as a user with at least a Security Administrator or equivalent role:

1. In the navigation pane, select Configuration management >> Endpoint security policies.
2. Verify a Policy Type exists for Defender Firewall.

If no Policy Type exists for Defender Firewall, or the policy is not set to "Active=True", this is a finding.

Fix: F-76876r1085683_fix

Access the MDE portal as a user with at least a Security Administrator or equivalent role:

1. In the navigation pane, select Configuration management >> Endpoint security policies.
2. Click "Create new policy".
3. Select the Microsoft Defender Firewall template.
4. Click "Create policy".
5. Assign a name and then click "Next".
6. Configure the Firewall policy settings as defined by the authorizing official (AO).
7. Save the policy.

Microsoft Defender Endpoint (MDE) must enable Defender Firewall Rules.
CM-7 - Medium - CCI-000382 - V-272881 - SV-272881r1085687_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
MSDE-00-000050
Vuln IDs
  • V-272881
Rule IDs
  • SV-272881r1085687_rule
Authenticity protection provides protection against man-in-the-middle attacks, session hijacking, and the insertion of false information into sessions. Application communication sessions are protected using transport encryption protocols, such as TLS, which give web applications a means to authenticate user sessions and encrypt application traffic. Session authentication can be single (one-way) or mutual (two-way). Single authentication authenticates the server to the client, whereas mutual authentication provides a means for both the client and the server to authenticate each other. This requirement applies to applications that use communications sessions, including, but not limited to, web-based applications and service-oriented architectures (SOAs). It addresses communications protection at the application session rather than the network packet, and establishes grounds for confidence at both ends of a communications session in the ongoing identities of the other parties and in the validity of the information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of TLS mutual authentication (two-way/bidirectional). Satisfies: SRG-APP-000142, SRG-APP-000383
Checks: C-76972r1085685_chk

Access the MDE portal as a user with at least a Security Administrator or equivalent role:

1. In the navigation pane, select Configuration management >> Endpoint security policies.
2. Verify a Policy Type exists for Defender Firewall Rules.

If no Policy Type exists for Defender Firewall Rules, or the policy is not set to "Active=True", this is a finding.

Fix: F-76877r1085686_fix

Access the MDE portal as a user with at least a Security Administrator or equivalent role:

1. In the navigation pane, select Configuration management >> Endpoint security policies.
2. Click "Create new policy".
3. Select the Microsoft Defender Firewall Rules template.
4. Click "Create policy".
5. Assign a name and then click "Next".
6. Under Firewall Rule Name, click "+Add".
7. Configure Firewall rules as defined by the authorizing official (AO).
8. Save the policy.
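The two checks above (MSDE-00-000001 and MSDE-00-000050) only confirm that a policy object exists in the portal. The following is an added example, not part of the STIG and not Microsoft code, that verifies on an onboarded Windows device that the Defender Firewall and Firewall Rules policies actually took effect. It must be run in an elevated PowerShell session on the endpoint. The expected profile values and the list of approved inbound allow rules are placeholders standing in for the AO-defined baseline.

```powershell
# Added example (not from the STIG). Endpoint-side verification of the firewall
# policy pushed from the portal. Run elevated on the device under review.

# Assumption: AO baseline is all three profiles on, inbound blocked by default.
$expectedProfile = @{
    Enabled               = 'True'
    DefaultInboundAction  = 'Block'
    DefaultOutboundAction = 'Allow'
}

# Assumption: inbound allow rules the AO has approved, matched by display name.
$approvedInbound = @(
    'Core Networking - Dynamic Host Configuration Protocol (DHCP-In)',
    'Remote Desktop - User Mode (TCP-In)'
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Profile-level settings (MSDE-00-000001): Domain, Private and Public.
foreach ($fwProfile in Get-NetFirewallProfile) {
    foreach ($setting in $expectedProfile.Keys) {
        $actual = [string]$fwProfile.$setting
        if ($actual -ne $expectedProfile[$setting]) {
            $findings.Add("Profile $($fwProfile.Name): $setting is '$actual', expected '$($expectedProfile[$setting])'")
        }
    }
}

# 2. Rule-level settings (MSDE-00-000050): every enabled inbound allow rule must be
#    on the approved list; anything else is an unreviewed hole in the policy.
$inboundAllow = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow
foreach ($rule in $inboundAllow) {
    if ($approvedInbound -notcontains $rule.DisplayName) {
        $port = $rule | Get-NetFirewallPortFilter
        $findings.Add("Unapproved inbound allow rule '$($rule.DisplayName)' ($($port.Protocol)/$($port.LocalPort))")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No firewall findings on this device.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Running this across a sample of devices in each device group is a cheap way to catch the common failure mode where the policy exists in the portal but is assigned to the wrong group, or is overridden by a local or GPO-delivered rule.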

Microsoft Defender Endpoint (MDE) must alert administrators on policy violations defined for endpoints.
SC-18 - Medium - CCI-001662 - V-272882 - SV-272882r1085690_rule
RMF Control
SC-18
Severity
Medium
CCI
CCI-001662
Version
MSDE-00-000100
Vuln IDs
  • V-272882
Rule IDs
  • SV-272882r1085690_rule
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Applications providing this capability must be able to perform actions in response to detected malware. Responses include blocking, quarantining, deleting, and alerting. Other technology- or organization-specific responses may also be employed to satisfy this requirement. Malicious code includes viruses, worms, Trojan horses, and spyware. This requirement applies to applications providing malicious code protection. Satisfies: SRG-APP-000207, SRG-APP-000279, SRG-APP-000464, SRG-APP-000471, SRG-APP-000485, SRG-APP-000940
Checks: C-76973r1085688_chk

Access the MDE portal as a user with at least a Security Administrator or equivalent role:

1. In the navigation pane, select Settings >> Endpoints >> Email notifications (under General) >> Alerts.
2. For each defined notification rule:
- Click on the rule and select "Edit" to enter the "Update notification rule" screen.
- Verify the notification settings are configured as defined by the authorizing official (AO).
- Verify the Recipient Emails are assigned as defined by the AO.
3. Click "Cancel".
4. In the navigation pane, select Settings >> Endpoints >> Email notifications (under General) >> Vulnerabilities.
5. For each defined notification rule:
- Click on the rule and select "Edit" to enter the "Update notification rule" screen.
- Verify the notification settings are configured as defined by the AO.
- Verify the Recipient Emails are assigned as defined by the AO.
6. Click "Cancel".

If Settings >> Endpoints >> Email notifications (under General) >> Alerts does not display rules as defined by the AO, this is a finding.

If Settings >> Endpoints >> Email notifications (under General) >> Vulnerabilities does not display rules as defined by the AO, this is a finding.

When selecting each rule individually, if the Notification Settings and Recipient Emails are not as defined by the AO, this is a finding.

Fix: F-76878r1085689_fix

Access the MDE portal as a user with at least a Security Administrator or equivalent role:

1. In the navigation pane, select Settings >> Endpoints >> Email notifications (under General) >> Alerts.
2. Click "+Add notification rule".
3. Enter Name, Notification settings, and Recipients as defined by the AO.
4. Click "Save". Repeat as necessary.
5. In the navigation pane, select Settings >> Endpoints >> Email notifications (under General) >> Vulnerabilities.
6. Click "+Add notification rule".
7. Enter Name, Notification settings, and Recipients as defined by the AO.
8. Click "Save". Repeat as necessary.

Microsoft Defender Endpoint (MDE) must alert administrators on policy violations defined for Defender Extended Detection and Response (XDR).
SC-18 - Medium - CCI-001662 - V-272883 - SV-272883r1085730_rule
RMF Control
SC-18
Severity
Medium
CCI
CCI-001662
Version
MSDE-00-000150
Vuln IDs
  • V-272883
Rule IDs
  • SV-272883r1085730_rule
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Applications providing this capability must be able to perform actions in response to detected malware. Responses include blocking, quarantining, deleting, and alerting. Other technology- or organization-specific responses may also be employed to satisfy this requirement. Malicious code includes viruses, worms, Trojan horses, and spyware. This requirement applies to applications providing malicious code protection. Satisfies: SRG-APP-000207, SRG-APP-000279, SRG-APP-000464, SRG-APP-000471, SRG-APP-000485, SRG-APP-000940
Checks: C-76974r1085729_chk

Access the MDE portal as a user with at least a Security Administrator or equivalent role:

1. In the navigation pane, select Settings >> Microsoft Defender XDR >> Email notifications (under General) >> Incidents.
2. For each defined notification rule:
- Click on the rule and select "Edit" to enter the "Update notification rule" screen.
- Verify the notification settings are configured as defined by the authorizing official (AO).
- Verify the Recipient Emails are assigned as defined by the AO.
3. Click "Cancel".
4. In the navigation pane, select Settings >> Microsoft Defender XDR >> Email notifications (under General) >> Threat analytics.
5. For each defined notification rule:
- Click on the rule and select "Edit" to enter the "Update notification rule" screen.
- Verify the notification settings are configured as defined by the AO.
- Verify the Recipient Emails are assigned as defined by the AO.
6. Click "Cancel".

If Settings >> Microsoft Defender XDR >> Email notifications (under General) >> Incidents does not display rules as defined by the AO, this is a finding.

If Settings >> Microsoft Defender XDR >> Email notifications (under General) >> Threat analytics does not display rules as defined by the AO, this is a finding.

When selecting each rule individually, if the Notification Settings and Recipient Emails are not as defined by the AO, this is a finding.

Fix: F-76879r1085692_fix

Access the MDE portal as a user with at least a Security Administrator or equivalent role:

1. In the navigation pane, select Settings >> Microsoft Defender XDR >> Email notifications (under General) >> Incidents.
2. Click "+Add incident notification rule".
3. Enter Name, Notification settings, and Recipients as defined by the AO.
4. Click "Save". Repeat as necessary.
5. In the navigation pane, select Settings >> Microsoft Defender XDR >> Email notifications (under General) >> Threat analytics.
6. Click "+Add notification rule".
7. Enter Name, Notification settings, and Recipients as defined by the AO.
8. Click "Save". Repeat as necessary.

Microsoft Defender Endpoint (MDE) must enable Safe Attachments.
SC-18 - Medium - CCI-001166 - V-272884 - SV-272884r1085732_rule
RMF Control
SC-18
Severity
Medium
CCI
CCI-001166
Version
MSDE-00-000200
Vuln IDs
  • V-272884
Rule IDs
  • SV-272884r1085732_rule
The Safe Attachments feature will scan messages for attachments with malicious content. All messages with attachments not already flagged by anti-malware protections in EOP are downloaded to a Microsoft virtual environment for further analysis. Safe Attachments then uses machine learning and other analysis techniques to detect malicious intent. While Safe Attachments for Exchange Online is automatically configured in the preset policies, separate action is needed to enable it for other products. Satisfies: SRG-APP-000209, SRG-APP-000112, SRG-APP-000206
Checks: C-76975r1085694_chk

Access the MDE portal as a user with at least a Security Administrator or equivalent role:

1. In the navigation pane, select Settings >> Email & collaboration >> Threat policies (under Policies & rules).
2. Select "Safe Attachments" (under Policies).
3. Verify a policy has been configured as defined by the AO and the Status is "On".

If no policy has been configured and set to "On", this is a finding.

Fix: F-76880r1085731_fix

Access the MDE portal as a user with at least a Security Administrator or equivalent role:

1. In the navigation pane, select Settings >> Email & collaboration >> Threat policies (under Policies & rules).
2. Select "Safe Attachments" (under Policies).
3. Create and enable a policy as defined by the AO.

Microsoft Defender Endpoint (MDE) must enable Impersonation protection.
SC-18 - Medium - CCI-001170 - V-272885 - SV-272885r1085735_rule
RMF Control
SC-18
Severity
Medium
CCI
CCI-001170
Version
MSDE-00-000250
Vuln IDs
  • V-272885
Rule IDs
  • SV-272885r1085735_rule
Impersonation protection checks incoming emails to verify if the sender address is similar to the users or domains on an agency-defined list. If the sender address is significantly similar, as to indicate an impersonation attempt, the email is quarantined. Satisfies: SRG-APP-000210, SRG-APP-000272
Checks: C-76976r1085733_chk

Access the MDE portal as a user with at least a Security Administrator or equivalent role:

1. In the navigation pane, select Settings >> Email & collaboration >> Threat policies (under Policies & rules).
2. Select "Preset Security Policies" (under Templated policies).
3. Under Standard protection, verify the slide bar shows "Standard protection is on".
4. Under Strict protection, verify the slide bar shows "Strict protection is on".

If the slide bar shows "Standard protection is off" or "Strict protection is off", this is a finding.

Fix: F-76881r1085734_fix

Access the MDE portal as a user with at least a Security Administrator or equivalent role:

1. In the navigation pane, select Settings >> Email & collaboration >> Threat policies (under Policies & rules).
2. Select "Preset Security Policies" (under Templated policies).
3. For both Standard protection and Strict protection, complete the following:
- Click "Manage protection settings".
- Under "Apply Exchange Online Protection", select recipients as defined by the authorizing official (AO) and then click "Next".
- Under "Apply Defender for Office 365 protection", select recipients as defined by the AO and then click "Next".
- Under "Impersonation protection", click "Next".
- Configure users, groups, and domains as defined by the AO and then click "Next".
- Under Policy mode, select the "Turn policy on when finished" radio button. Click "Next" and then click "Confirm".
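The Safe Attachments check (MSDE-00-000200) and the preset security policy check (MSDE-00-000250) can both be taken from Exchange Online PowerShell rather than the portal, which also catches two conditions the portal slide bars do not make obvious: a Safe Attachments rule that is enabled but bound to a policy whose action does nothing, and a preset policy that is on but whose impersonation protection has no users or domains configured. The script below is an added example, not part of the STIG or of Microsoft's documentation. It requires the ExchangeOnlineManagement module and a Security Administrator (or equivalent) account; treating only "Block" and "DynamicDelivery" as acceptable Safe Attachments actions is an assumption to be aligned with the AO.

```powershell
# Added example (not from the STIG). Exchange Online view of MSDE-00-000200 and
# MSDE-00-000250. Requires: Install-Module ExchangeOnlineManagement.

Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[string]]::new()

# --- Safe Attachments: at least one enabled rule must be bound to an enabled policy
#     whose action actually acts on detonated malware.
$acceptableActions = @('Block', 'DynamicDelivery')   # assumption: AO-accepted actions
$policies    = Get-SafeAttachmentPolicy
$activeRules = Get-SafeAttachmentRule | Where-Object { $_.State -eq 'Enabled' }

$effective = foreach ($rule in $activeRules) {
    $policy = $policies | Where-Object { $_.Name -eq $rule.SafeAttachmentPolicy }
    if ($policy -and $policy.Enable -and $acceptableActions -contains $policy.Action) { $policy }
}
if (-not $effective) {
    $findings.Add('Safe Attachments: no enabled rule is bound to an enabled Block/DynamicDelivery policy')
}

# --- Preset security policies: Standard and Strict must both be on, for EOP and for
#     Defender for Office 365 (the portal shows these as one slide bar each).
foreach ($preset in 'Standard', 'Strict') {
    $eop = Get-EOPProtectionPolicyRule | Where-Object { $_.Name -like "$preset Preset*" }
    $atp = Get-ATPProtectionPolicyRule | Where-Object { $_.Name -like "$preset Preset*" }
    if (-not $eop -or $eop.State -ne 'Enabled') { $findings.Add("$preset preset: Exchange Online Protection is off") }
    if (-not $atp -or $atp.State -ne 'Enabled') { $findings.Add("$preset preset: Defender for Office 365 protection is off") }
}

# --- Impersonation protection lives in the anti-phishing policies the presets
#     create. "On" with an empty target list protects nobody.
$antiPhish = Get-AntiPhishPolicy | Where-Object { $_.Name -like '*Preset Security Policy*' -and $_.Enabled }
foreach ($p in $antiPhish) {
    if (-not $p.EnableTargetedUserProtection -or -not $p.TargetedUsersToProtect) {
        $findings.Add("Anti-phish '$($p.Name)': user impersonation protection has no protected users")
    }
    if (-not $p.EnableTargetedDomainsProtection -or
        (-not $p.EnableOrganizationDomainsProtection -and -not $p.TargetedDomainsToProtect)) {
        $findings.Add("Anti-phish '$($p.Name)': domain impersonation protection has no protected domains")
    }
}

Disconnect-ExchangeOnline -Confirm:$false

if ($findings.Count -eq 0) { 'No email protection findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

The preset policies apply only to the recipients selected in the "Apply ... protection" steps of the fix; a tenant where both presets are on but scoped to an empty group will pass the portal check and this script, so the recipient scope still has to be reviewed against the AO's list.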

Roles for use with Microsoft Defender Endpoint (MDE) must be configured within Entra ID.
SC-2 - Medium - CCI-001082 - V-272886 - SV-272886r1085737_rule
RMF Control
SC-2
Severity
Medium
CCI
CCI-001082
Version
MSDE-00-000300
Vuln IDs
  • V-272886
Rule IDs
  • SV-272886r1085737_rule
Application management functionality includes functions necessary for administration and requires privileged user access. Allowing nonprivileged users to access application management functionality capabilities increases the risk that nonprivileged users may obtain elevated privileges. Using role-based access control (RBAC), roles and groups can be created within the security operations team to grant appropriate access to the MDE portal. Based on the roles and groups created, the capability will exist to have fine-grained control over what users with access to the portal can view and do. Creation of Entra ID roles is a prerequisite to configuring RBAC within the MDE portal itself. Defender for Endpoint RBAC is designed to support a role-based model and provides granular control over what roles can view, devices they can access, and actions they can take. The RBAC framework is centered around the following controls: - Control who can take specific action. - Create custom roles and control what Defender for Endpoint capabilities they can access with granularity. - Control who can view information on specific device group or groups. Satisfies: SRG-APP-000211, SRG-APP-000267
Checks: C-76977r1085736_chk

Access the Azure Entra ID portal as a Global Admin or other role with the ability to create/assign roles.

1. Select Manage >> Roles and administrators. Click on the "Security Administrator" role.
2. Under "Active assignments", ensure one or more authorizing official (AO)-approved users are assigned to this role. This role is a top-level administrator within MDE.

Note: A custom-defined, AO-approved role may be created and used in lieu of the built-in Security Administrator role.

If one or more AO-approved users have not been assigned to the Security Administrator (or equivalent AO-approved) role, this is a finding.

3. Return to the Entra ID portal home and select Manage >> Groups. Click the number next to "Total Groups".
4. Ensure one or more custom groups have been defined as subordinate groups for MDE administration. The structure of the subordinate groups is to be defined by the AO.
5. Click on each of these groups and ensure one or more users have been assigned.

If one or more subordinate groups do not exist, this is a finding.

If one or more users do not exist in these subordinate groups, this is a finding.

Fix: F-76882r1083345_fix

Access the Azure Entra ID portal as a Global Admin or other role with the ability to create/assign roles and users/groups.

1. Select Manage >> Roles and administrators.
2. Click on the "Security Administrator" role, then click "+Add assignments".
3. Under "Select Member(s)", add AO-approved users for this role. This role is a top-level administrator within MDE.

Note: A custom-defined, AO-approved role may be created and used in lieu of the built-in "Security Administrator" role.

4. Return to the Entra ID portal home and select Manage >> Groups. Click "New group".
5. Define at least one sub-level group for MDE administration as defined by the AO, and assign user(s) to these groups.
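The check for MSDE-00-000300 is a comparison of what is assigned in Entra ID against the AO's approved list, which is easier to do reliably with the Microsoft Graph PowerShell SDK than by reading the portal. The script below is an added example, not part of the STIG or of Microsoft's documentation. The approved Security Administrator UPNs and the subordinate group names are placeholders for the AO-defined values; the Graph permission scopes requested are the read-only ones needed for this check.

```powershell
# Added example (not from the STIG). Compares Security Administrator membership and
# the MDE subordinate groups against the AO-approved list. Requires Microsoft.Graph.

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Group.Read.All', 'User.Read.All' -NoWelcome

$approvedSecAdmins = @('secadmin1@contoso.example', 'secadmin2@contoso.example')  # assumption
$requiredGroups    = @('MDE-Tier1-Analysts', 'MDE-Tier2-Responders')              # assumption

$findings = [System.Collections.Generic.List[string]]::new()

# A directoryRole object exists only once the role has been activated in the tenant.
# No object means nobody holds the role, which is a finding under this requirement.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Security Administrator'"
if (-not $role) {
    $findings.Add('Security Administrator role has no active assignments')
} else {
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    $holders = foreach ($m in $members) {
        if ($m.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user') {
            $m.AdditionalProperties['userPrincipalName']
        } else {
            "$($m.Id) (non-user principal)"   # a group or service principal in this role needs AO review
        }
    }
    foreach ($h in $holders)           { if ($approvedSecAdmins -notcontains $h) { $findings.Add("Unapproved Security Administrator: $h") } }
    foreach ($a in $approvedSecAdmins) { if ($holders -notcontains $a)           { $findings.Add("Approved Security Administrator not assigned: $a") } }
}

# Subordinate groups must exist and be populated.
foreach ($name in $requiredGroups) {
    $grp = Get-MgGroup -Filter "displayName eq '$name'"
    if (-not $grp) { $findings.Add("Subordinate group missing: $name"); continue }
    if (@(Get-MgGroupMember -GroupId $grp.Id -All).Count -eq 0) { $findings.Add("Subordinate group has no members: $name") }
}

Disconnect-MgGraph | Out-Null

if ($findings.Count -eq 0) { 'No RBAC findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Directory role membership reflects active assignments only, which is what the check's "Active assignments" step asks for. Tenants that use Privileged Identity Management also carry eligible assignments that do not appear here; those are a separate review against the AO's list.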

Microsoft Defender Endpoint (MDE) must be configured for a least privilege model by implementing Role-Based Access Control (RBAC).
SC-2 - Medium - CCI-001082 - V-272887 - SV-272887r1085739_rule
RMF Control
SC-2
Severity
Medium
CCI
CCI-001082
Version
MSDE-00-000350
Vuln IDs
  • V-272887
Rule IDs
  • SV-272887r1085739_rule
When first accessing the Microsoft Defender portal, either full access or read-only access is granted. Full access is granted to users with the Security Administrator (or equivalent) role in Microsoft Entra ID. Read-only access is granted to users with a Security Reader (or equivalent) role in Microsoft Entra ID.

The permission tiers available to assign to custom roles are as follows:

View data:
- Security Operations: View all security operations data in the portal.
- Defender Vulnerability Management: View Defender Vulnerability Management data in the portal.

Active remediation actions:
- Security Operations: Take response actions, approve or dismiss pending remediation actions, manage allowed/blocked lists for automation and indicators.
- Defender Vulnerability Management - Exception handling: Create new exceptions and manage active exceptions.
- Defender Vulnerability Management - Remediation handling: Submit new remediation requests, create tickets, and manage existing remediation activities.
- Defender Vulnerability Management - Application handling: Apply immediate mitigation actions by blocking vulnerable applications as part of the remediation activity, manage the blocked apps, and perform unblock actions.

Security baselines:
- Defender Vulnerability Management - Manage security baselines assessment profiles: Create and manage profiles so users can assess whether devices comply with security industry baselines.

Alerts investigation:
- Manage alerts, initiate automated investigations, run scans, collect investigation packages, manage device tags, and download only portable executable (PE) files.

Manage portal system settings:
- Configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles, and device groups.

Satisfies: SRG-APP-000211, SRG-APP-000267
Checks: C-76978r1085738_chk

Access the MDE portal as a user with at least a Security Administrator or equivalent role:

1. In the navigation pane, select Settings >> Endpoints >> Roles (under Permissions).
2. For each defined role:
- Click on the role to enter the edit role screen.
- Verify the Permissions are configured as defined by the authorizing official (AO).
- Verify the appropriate user groups are assigned as defined by the AO.
- Click "Cancel".

If Settings >> Endpoints >> Roles (under Permissions) does not display roles as defined by the AO, this is a finding.

When selecting each role individually, if the permissions and user groups are not as defined by the AO, this is a finding.

Fix: F-76883r1085701_fix

Access the MDE portal as a user with at least a Security Administrator or equivalent role:

1. In the navigation pane, select Settings >> Endpoints >> Roles (under Permissions).
2. Select "+Add role".
3. Enter a Role Name, select Permissions as defined by the AO, and then click "Next".
4. Select the appropriate group as defined in MSDE-00-000300.

Microsoft Defender Endpoint (MDE) must enable Endpoint Detection and Response (EDR) in block mode.
SC-5 - Medium - CCI-001094 - V-272888 - SV-272888r1085705_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-001094
Version
MSDE-00-000400
Vuln IDs
  • V-272888
Rule IDs
  • SV-272888r1085705_rule
Denial of service (DoS) is a condition in which a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Individuals of concern can include hostile insiders or external adversaries that have successfully breached the information system and are using the system as a platform to launch cyberattacks on third parties. Applications and application developers must take the steps needed to ensure users cannot use an authorized application to launch DoS attacks against other systems and networks. For example, applications may include mechanisms that throttle network traffic so users are not able to generate unlimited network traffic via the application. Limiting system resources allocated to any user to a bare minimum may also reduce the ability of users to launch some DoS attacks. The methods employed to counter this risk will be dependent upon the application layer methods that can be used to exploit it. Satisfies: SRG-APP-000246, SRG-APP-000435
Checks: C-76979r1085703_chk

Access the MDE portal as a user with at least a Security Administrator or equivalent role:

1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).
2. Verify the slide bar for "Enable EDR in block mode" is set to "On".

If the slide bar for "Enable EDR in block mode" is not set to "On", this is a finding.

Fix: F-76884r1085704_fix

Access the MDE portal as a user with at least a Security Administrator or equivalent role:

1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).
2. Set the slide bar for "Enable EDR in block mode" to "On".
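The slide bar above is a tenant-wide setting; whether EDR in block mode is actually in effect on a given device depends on that device being onboarded and on what Microsoft Defender Antivirus is doing there (block mode only engages when Defender Antivirus is in passive mode behind a third-party antivirus). The function below is an added example, not part of the STIG or of Microsoft's documentation, for reading that state on the endpoint from an elevated PowerShell session. The function name is hypothetical; the registry path and the AMRunningMode values it interprets are the documented ones.

```powershell
# Added example (not from the STIG). Endpoint-side view of MSDE-00-000400.
# Run elevated on the device under review. Function name is hypothetical.

function Get-EdrBlockModeState {
    $status = Get-MpComputerStatus
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue   # MDE sensor service

    # OnboardingState = 1 is written by the onboarding script once the device is enrolled.
    $onboarded = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
                                   -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState -eq 1

    $verdict = switch ($status.AMRunningMode) {
        'EDR Block Mode'   { 'OK: Defender AV is passive and EDR in block mode is remediating' }
        'Normal'           { 'OK: Defender AV is the primary AV; block mode is not needed on this device' }
        'Passive Mode'     { 'FINDING: third-party AV is primary but EDR block mode is not active here' }
        'SxS Passive Mode' { 'FINDING: Defender is in limited periodic scanning; block mode is not active' }
        default            { "REVIEW: unexpected AMRunningMode '$($status.AMRunningMode)'" }
    }
    if (-not $onboarded -or -not $sense -or $sense.Status -ne 'Running') {
        $verdict = 'FINDING: device is not onboarded to MDE (Sense not running); the tenant setting cannot apply'
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Onboarded       = $onboarded
        SenseStatus     = if ($sense) { [string]$sense.Status } else { 'NotInstalled' }
        AMRunningMode   = $status.AMRunningMode
        TamperProtected = $status.IsTamperProtected
        Verdict         = $verdict
    }
}

Get-EdrBlockModeState | Format-List
```

A "Passive Mode" result with the portal toggle on usually means the device has not yet checked in since the setting changed, or is not in a device group the tenant setting covers; either way the tenant-level check alone would have passed it.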

Microsoft Defender Endpoint (MDE) must be connected to a central log server.
AU-4 - High - CCI-001851 - V-272889 - SV-272889r1085707_rule
RMF Control
AU-4
Severity
High
CCI
CCI-001851
Version
MSDE-00-000450
Vuln IDs
  • V-272889
Rule IDs
  • SV-272889r1085707_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. Satisfies: SRG-APP-000515, SRG-APP-000086, SRG-APP-000108, SRG-APP-000125, SRG-APP-000181, SRG-APP-000358, SRG-APP-000745
Checks: C-76980r1085706_chk

Access the MDE portal as a user with at least a Security Administrator or equivalent role:

1. In the navigation pane, select Settings >> Microsoft Sentinel.
2. Under "Workspaces", verify a Sentinel Workspace has been assigned.

If a Sentinel Workspace has not been assigned, this is a finding.

If another documented and authorizing official (AO)-approved SIEM/Central Log Server is in use, this is not a finding.

Fix: F-76885r1083354_fix

1. In the MDE portal, select Settings >> Microsoft Sentinel.
2. Under "Workspaces", connect a Sentinel Workspace.
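Having a workspace assigned in the portal does not show that alerts and device events are actually leaving MDE, which is the point of the AU-4 requirement. The script below is an added example, not part of the STIG or of Microsoft's documentation, that confirms from the Sentinel side that a Defender connector exists and that MDE data has arrived recently. It requires the Az.Accounts, Az.SecurityInsights and Az.OperationalInsights modules and read access to the workspace; the resource group and workspace names and the 24-hour freshness threshold are assumptions.

```powershell
# Added example (not from the STIG). Sentinel-side verification of MSDE-00-000450.

$rg           = 'rg-sentinel'         # assumption
$workspace    = 'law-sentinel-prod'   # assumption
$maxAgeHours  = 24                    # assumption: AO-defined acceptable ingestion delay

Connect-AzAccount | Out-Null

$findings = [System.Collections.Generic.List[string]]::new()

# 1. A Defender connector is present. 'MicrosoftDefenderAdvancedThreatProtection' is the
#    Defender for Endpoint alert connector; 'MicrosoftThreatProtection' is the Defender XDR
#    connector that also carries the raw Device* tables.
$connectors = Get-AzSentinelDataConnector -ResourceGroupName $rg -WorkspaceName $workspace
$defender   = $connectors | Where-Object {
    $_.Kind -in @('MicrosoftDefenderAdvancedThreatProtection', 'MicrosoftThreatProtection')
}
if (-not $defender) { $findings.Add('No Defender for Endpoint / Defender XDR data connector in the workspace') }

# 2. Data is actually flowing: age of the newest MDE alert and newest device event.
#    isfuzzy=true keeps the query valid if one of the tables does not exist yet.
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $workspace
$query = @'
union isfuzzy=true
  (SecurityAlert | where TimeGenerated > ago(30d) | where ProviderName == "MDATP" | extend Table = "SecurityAlert"),
  (DeviceEvents  | where TimeGenerated > ago(30d) | extend Table = "DeviceEvents")
| summarize Newest = max(TimeGenerated) by Table
| extend AgeHours = datetime_diff('hour', now(), Newest)
'@
$rows = (Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $query).Results

foreach ($table in 'SecurityAlert', 'DeviceEvents') {
    $row = $rows | Where-Object { $_.Table -eq $table }
    if (-not $row) {
        $findings.Add("$table has received no MDE data in the last 30 days")
    } elseif ([int]$row.AgeHours -gt $maxAgeHours) {
        $findings.Add("$table is stale: newest record is $($row.AgeHours) hours old")
    }
}

if ($findings.Count -eq 0) { 'No log forwarding findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

If the AO-approved central log server is something other than Sentinel, the same two questions still apply (is the integration configured, and is data fresh) and should be answered against that system rather than treated as satisfied by the exception in the check.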