Microsoft Defender for Endpoint Security Technical Implementation Guide - V1R2

  • Version/Release: V1R2
  • Published: 2025-11-25
  • Released: 2026-01-05

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Microsoft Defender for Endpoint (MDE) must alert administrators on policy violations defined for endpoints.
SC-18 - Medium - CCI-001662 - V-272882 - SV-272882r1119408_rule
RMF Control
SC-18
Severity
Medium
CCI
CCI-001662
Version
MSDE-00-000100
Vuln IDs
  • V-272882
Rule IDs
  • SV-272882r1119408_rule
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Applications providing this capability must be able to perform actions in response to detected malware. Responses include blocking, quarantining, deleting, and alerting. Other technology- or organization-specific responses may also be employed to satisfy this requirement. Malicious code includes viruses, worms, Trojan horses, and spyware. This requirement applies to applications providing malicious code protection. Satisfies: SRG-APP-000207, SRG-APP-000279, SRG-APP-000464, SRG-APP-000471, SRG-APP-000485, SRG-APP-000940
Checks: C-76973r1119211_chk

Access the MDE portal as a user with at least a Security Administrator or equivalent role:

1. In the navigation pane, select Settings >> Endpoints >> Email notifications (under General) >> Alerts.
2. For each defined notification rule:
   - Click the rule and select "Edit" to enter the "Update notification rule" screen.
   - Verify the notification settings are configured as defined by the authorizing official (AO).
   - Verify the Recipient Emails are assigned as defined by the AO.
3. Click "Cancel".
4. In the navigation pane, select Settings >> Endpoints >> Email notifications (under General) >> Vulnerabilities.
5. For each defined notification rule:
   - Click the rule and select "Edit" to enter the "Update notification rule" screen.
   - Verify the notification settings are configured as defined by the AO.
   - Verify the Recipient Emails are assigned as defined by the AO.
6. Click "Cancel".

If Settings >> Endpoints >> Email notifications (under General) >> Alerts does not display rules as defined by the AO, this is a finding.

If Settings >> Endpoints >> Email notifications (under General) >> Vulnerabilities does not display rules as defined by the AO, this is a finding.

When selecting each rule individually, if the Notification Settings and Recipient Emails are not as defined by the AO, this is a finding.

Fix: F-76878r1119212_fix

Access the MDE portal as a user with at least a Security Administrator or equivalent role:

1. In the navigation pane, select Settings >> Endpoints >> Email notifications (under General) >> Alerts.
2. Click "+Add notification rule".
3. Enter Name, Notification settings, and Recipients as defined by the AO.
4. Click "Save". Repeat as necessary.
5. In the navigation pane, select Settings >> Endpoints >> Email notifications (under General) >> Vulnerabilities.
6. Click "+Add notification rule".
7. Enter Name, Notification settings, and Recipients as defined by the AO.
8. Click "Save". Repeat as necessary.

Roles for use with Microsoft Defender for Endpoint (MDE) must be configured within Entra ID.
SC-2 - Medium - CCI-001082 - V-272886 - SV-272886r1119409_rule
RMF Control
SC-2
Severity
Medium
CCI
CCI-001082
Version
MSDE-00-000300
Vuln IDs
  • V-272886
Rule IDs
  • SV-272886r1119409_rule
Application management functionality includes functions necessary for administration and requires privileged user access. Allowing nonprivileged users to access application management functionality increases the risk that nonprivileged users may obtain elevated privileges. Using role-based access control (RBAC), roles and groups can be created within the security operations team to grant appropriate access to the MDE portal. Based on the roles and groups created, there is fine-grained control over what users with access to the portal can view and do. Creation of Entra ID roles and groups is a prerequisite to configuring RBAC within the MDE portal itself.

Defender for Endpoint RBAC is designed to support a role-based model and provides granular control over what roles can view, which devices they can access, and what actions they can take. The RBAC framework is centered around the following controls:
- Control who can take specific actions.
- Create custom roles and control what Defender for Endpoint capabilities they can access with granularity.
- Control who can view information on a specific device group or groups.

Satisfies: SRG-APP-000211, SRG-APP-000267
Checks: C-76977r1119292_chk

Access the Entra ID portal as a Global Administrator or another role able to create and assign roles.

1. Select Manage >> Roles and administrators. Click the "Security Administrator" role (or the AO-approved custom role used in its place).
2. Under "Active assignments", verify one or more authorizing official (AO)-approved users are assigned to this role. This role is a top-level administrator within MDE.

Note: A custom-defined, AO-approved role may be created and used in lieu of the built-in Security Administrator role. Entra ID has no built-in role named "MDE Administrator"; the Security Administrator role is what grants full access to the MDE portal.

If one or more AO-approved users have not been assigned to the Security Administrator (or equivalent AO-approved) role, this is a finding.

3. Return to the Entra ID portal home and select Manage >> Groups. Click the number next to "Total Groups".
4. Verify one or more groups have been defined as subordinate groups for MDE administration. The structure of the subordinate groups is defined by the AO.
5. Click each of these groups and verify one or more users have been assigned.

If one or more subordinate groups do not exist, this is a finding.

If one or more users do not exist in these subordinate groups, this is a finding.

Fix: F-76882r1119293_fix

Access the Entra ID portal as a Global Administrator or another role able to create and assign roles, users, and groups.

1. Select Manage >> Roles and administrators.
2. Click the "Security Administrator" role, then click "+Add assignments".
3. Under "Select Member(s)", add AO-approved users for this role. This role is a top-level administrator within MDE.

Note: A custom-defined, AO-approved role may be created and used in lieu of the built-in "Security Administrator" role.

4. Return to the Entra ID portal home and select Manage >> Groups. Click "New group".
5. Define at least one sub-level group for MDE administration as defined by the AO and assign user(s) to these groups.
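The check above is a manual portal walk-through. The following PowerShell is an added example (not part of the STIG and not Microsoft's code) that produces the same evidence from data: it takes the members of the top-level role and of each AO-defined subordinate group and reports which of the two finding conditions apply. The role-member and group data fed to it here are constructed sample values; the commented live-collection path uses the Microsoft Graph PowerShell SDK cmdlets Get-MgDirectoryRole, Get-MgDirectoryRoleMember, Get-MgGroup and Get-MgGroupMember. The user principal names and group names (contoso.example, MDE-Analysts-Tier1, MDE-Responders-Tier2) are hypothetical placeholders for the AO's actual definitions.

```powershell
# Added example for MSDE-00-000300 (not part of the STIG). Evaluates role membership and
# subordinate-group membership against the AO-approved baseline.

function Test-MdeEntraRoleStructure {
    param(
        [Parameter(Mandatory)] [string[]]  $RoleMembers,     # UPNs currently active in the top-level role
        [Parameter(Mandatory)] [string[]]  $ApprovedAdmins,  # UPNs the AO approved for that role
        [Parameter(Mandatory)] [hashtable] $GroupMembers,    # group displayName -> UPN[] (current state)
        [Parameter(Mandatory)] [string[]]  $RequiredGroups   # subordinate groups the AO defined
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Finding 1: no AO-approved user holds the top-level role
    $approvedInRole = @($RoleMembers | Where-Object { $ApprovedAdmins -contains $_ })
    if ($approvedInRole.Count -eq 0) {
        $findings.Add('No AO-approved user holds the Security Administrator (or equivalent) role')
    }
    # Not a finding as the STIG is worded, but a least-privilege reviewer wants to see it:
    # people holding the top-level role who are not on the approved list.
    foreach ($u in @($RoleMembers | Where-Object { $ApprovedAdmins -notcontains $_ })) {
        $findings.Add("Review: $u holds the top-level role but is not on the AO-approved list")
    }

    # Findings 2 and 3: each AO-defined subordinate group must exist and have members
    foreach ($g in $RequiredGroups) {
        if (-not $GroupMembers.ContainsKey($g)) {
            $findings.Add("Subordinate group '$g' does not exist")
        } elseif (@($GroupMembers[$g]).Count -eq 0) {
            $findings.Add("Subordinate group '$g' has no members")
        }
    }
    [pscustomobject]@{
        Compliant = (@($findings | Where-Object { $_ -notlike 'Review:*' }).Count -eq 0)
        Findings  = $findings
    }
}

# Hypothetical AO-defined subordinate groups (placeholders)
$required = @('MDE-Analysts-Tier1', 'MDE-Responders-Tier2')

# --- Live collection (Microsoft Graph PowerShell SDK; Connect-MgGraph with
# RoleManagement.Read.Directory and GroupMember.Read.All first) ---
# Caveat: Get-MgDirectoryRole returns only roles that have been activated in the tenant,
# and PIM-eligible (not yet activated) assignments do not count as "Active assignments".
# $role    = Get-MgDirectoryRole -Filter "displayName eq 'Security Administrator'"
# $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
#            ForEach-Object { $_.AdditionalProperties.userPrincipalName }
# $groups  = @{}
# foreach ($name in $required) {
#     $g = Get-MgGroup -Filter "displayName eq '$name'"
#     if ($g) { $groups[$name] = @(Get-MgGroupMember -GroupId $g.Id -All |
#                 ForEach-Object { $_.AdditionalProperties.userPrincipalName }) }
# }

# --- Constructed sample standing in for the live data ---
$result = Test-MdeEntraRoleStructure `
    -RoleMembers    @('sec.admin@contoso.example', 'helpdesk@contoso.example') `
    -ApprovedAdmins @('sec.admin@contoso.example') `
    -GroupMembers   @{ 'MDE-Analysts-Tier1' = @('analyst1@contoso.example'); 'MDE-Responders-Tier2' = @() } `
    -RequiredGroups $required

$result.Findings | ForEach-Object { Write-Output $_ }
"Compliant: $($result.Compliant)"
```

Keeping the evaluation separate from the collection means the same function can be run against an export taken during an assessment, and the output can be attached as the artifact for the check rather than screenshots of the portal.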

Microsoft Defender for Endpoint (MDE) must be configured for a least privilege model by implementing Unified Role-Based Access Control (RBAC).
SC-2 - Medium - CCI-001082 - V-272887 - SV-272887r1156554_rule
RMF Control
SC-2
Severity
Medium
CCI
CCI-001082
Version
MSDE-00-000350
Vuln IDs
  • V-272887
Rule IDs
  • SV-272887r1156554_rule
When first accessing the Microsoft Defender portal, either full access or read-only access is granted. Full access rights are granted to users with the Security Administrator (or equivalent) role in Microsoft Entra ID. Read-only access is granted to users with a Security Reader (or equivalent) role in Microsoft Entra ID.

The permission tiers available to assign to custom roles are as follows:

View data:
- Security Operations: View all security operations data in the portal.
- Defender Vulnerability Management: View Defender Vulnerability Management data in the portal.

Active remediation actions:
- Security Operations: Take response actions, approve or dismiss pending remediation actions, and manage allowed/blocked lists for automation and indicators.
- Defender Vulnerability Management - Exception handling: Create new exceptions and manage active exceptions.
- Defender Vulnerability Management - Remediation handling: Submit new remediation requests, create tickets, and manage existing remediation activities.
- Defender Vulnerability Management - Application handling: Apply immediate mitigation actions by blocking vulnerable applications as part of remediation activity, manage the blocked apps, and perform unblock actions.

Security baselines:
- Defender Vulnerability Management - Manage security baselines assessment profiles: Create and manage profiles so users can assess whether devices comply with security industry baselines.

Alerts investigation:
- Manage alerts, initiate automated investigations, run scans, collect investigation packages, manage device tags, and download only portable executable (PE) files.

Manage portal system settings:
- Configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles, and device groups.

Satisfies: SRG-APP-000211, SRG-APP-000267
Checks: C-76978r1156552_chk

Access the MDE portal as a user with at least an MDE Administrator or equivalent role:

1. In the navigation pane, select Settings >> Microsoft Defender XDR >> Permissions and Roles.
2. For each defined role:
   - Click the role to enter the edit role screen.
   - Verify the Permissions are configured as defined by the authorizing official (AO).
   - Verify the appropriate user groups are assigned as defined by the AO.
   - Click "Cancel".

If Settings >> Microsoft Defender XDR >> Permissions and Roles does not display roles as defined by the AO, this is a finding.

When selecting each role individually, if the permissions and user groups are not as defined by the AO, this is a finding.

Fix: F-76883r1156553_fix

Access the MDE portal as a user with at least an MDE Administrator or equivalent role:

1. In the navigation pane, select Settings >> Microsoft Defender XDR >> Permissions and Roles.
2. Select "+Add role".
3. Enter a Role Name, select "Permissions" as defined by the AO, and then click "Next".
4. Select the appropriate group as defined in MSDE-00-000300.
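The least-privilege point of this rule is that no role carries a permission or a group the AO did not approve, and the manual check leaves that to the reviewer's eye. The following PowerShell is an added example (not part of the STIG and not Microsoft's code) that diffs each Unified RBAC role's permissions and assigned groups against an AO baseline and reports anything extra, missing, or undefined. The role names, group names and permission strings in the sample are constructed placeholders, not real Defender permission identifiers. The commented live path reads the tenant's roles from the Microsoft Graph beta roleManagement/defender endpoints with Invoke-MgGraphRequest; the exact shape of the permission strings returned there should be confirmed against the tenant before the baseline is written in those terms.

```powershell
# Added example for MSDE-00-000350 (not part of the STIG). Compares the Unified RBAC roles
# found in the tenant with the AO-approved baseline, per role and per permission/group.

function Compare-MdeRoleBaseline {
    param(
        [Parameter(Mandatory)] [hashtable] $Baseline,  # roleName -> @{ Permissions=[string[]]; Groups=[string[]] }
        [Parameter(Mandatory)] [hashtable] $Actual     # same shape, collected from the tenant
    )
    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($name in $Baseline.Keys) {
        if (-not $Actual.ContainsKey($name)) {
            $findings.Add("Role '$name' defined by the AO is missing")
            continue
        }
        foreach ($kind in 'Permissions', 'Groups') {
            $extra   = @($Actual[$name][$kind]   | Where-Object { $Baseline[$name][$kind] -notcontains $_ })
            $missing = @($Baseline[$name][$kind] | Where-Object { $Actual[$name][$kind]   -notcontains $_ })
            foreach ($e in $extra)   { $findings.Add("Role '$name': $kind '$e' granted but not in AO baseline") }
            foreach ($m in $missing) { $findings.Add("Role '$name': $kind '$m' in AO baseline but not granted") }
        }
    }
    # Roles nobody defined are the classic way privilege creeps back in
    foreach ($name in $Actual.Keys) {
        if (-not $Baseline.ContainsKey($name)) { $findings.Add("Role '$name' exists but is not in the AO baseline") }
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# --- Live collection (Connect-MgGraph with RoleManagement.Read.Defender first) ---
# Unified RBAC role definitions and assignments live under roleManagement/defender in Graph beta;
# an assignment's principalIds are Entra group object IDs, resolved here with Get-MgGroup.
# $defs = (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/roleManagement/defender/roleDefinitions').value
# $asgs = (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/roleManagement/defender/roleAssignments').value
# $actual = @{}
# foreach ($d in $defs) {
#     $perms  = @($d.rolePermissions | ForEach-Object { $_.allowedResourceActions })
#     $groups = @($asgs | Where-Object { $_.roleDefinitionId -eq $d.id } |
#                ForEach-Object { $_.principalIds } |
#                ForEach-Object { (Get-MgGroup -GroupId $_).DisplayName })
#     $actual[$d.displayName] = @{ Permissions = $perms; Groups = $groups }
# }

# --- Constructed sample: placeholder role/permission/group names, not real identifiers ---
$baseline = @{
    'MDE Tier1 Analyst'   = @{ Permissions = @('secops/read');                   Groups = @('MDE-Analysts-Tier1') }
    'MDE Tier2 Responder' = @{ Permissions = @('secops/read', 'secops/respond'); Groups = @('MDE-Responders-Tier2') }
}
$actual = @{
    'MDE Tier1 Analyst'   = @{ Permissions = @('secops/read', 'secops/respond'); Groups = @('MDE-Analysts-Tier1', 'All-Staff') }
    'MDE Tier2 Responder' = @{ Permissions = @('secops/read', 'secops/respond'); Groups = @('MDE-Responders-Tier2') }
}
$r = Compare-MdeRoleBaseline -Baseline $baseline -Actual $actual
$r.Findings | ForEach-Object { Write-Output $_ }
"Compliant: $($r.Compliant)"
```

In the sample the Tier1 role has gained a response permission and an "All-Staff" group, which is exactly the drift this rule exists to catch and which a reviewer clicking through the portal can easily miss.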

Microsoft Defender for Endpoint (MDE) must enable Endpoint Detection and Response (EDR) in block mode.
SC-5 - Medium - CCI-001094 - V-272888 - SV-272888r1119411_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-001094
Version
MSDE-00-000400
Vuln IDs
  • V-272888
Rule IDs
  • SV-272888r1119411_rule
Denial of service (DoS) is a condition in which a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Individuals of concern can include hostile insiders or external adversaries that have successfully breached the information system and are using the system as a platform to launch cyberattacks on third parties. Applications and application developers must take the steps needed to ensure users cannot use an authorized application to launch DoS attacks against other systems and networks. For example, applications may include mechanisms that throttle network traffic so users are not able to generate unlimited network traffic via the application. Limiting system resources allocated to any user to a bare minimum may also reduce the ability of users to launch some DoS attacks. The methods employed to counter this risk will be dependent upon the application layer methods that can be used to exploit it. Satisfies: SRG-APP-000246, SRG-APP-000435
Checks: C-76979r1119365_chk

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Verify the slide bar for "Enable EDR in block mode" is set to "On". If the slide bar for "Enable EDR in block mode" is not set to "On", this is a finding.

Fix: F-76884r1119299_fix

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Set the slide bar for "Enable EDR in block mode" to "On".

Microsoft Defender for Endpoint (MDE) must be connected to a central log server.
AU-4 - High - CCI-001851 - V-272889 - SV-272889r1119412_rule
RMF Control
AU-4
Severity
High
CCI
CCI-001851
Version
MSDE-00-000450
Vuln IDs
  • V-272889
Rule IDs
  • SV-272889r1119412_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Satisfies: SRG-APP-000515, SRG-APP-000086, SRG-APP-000108, SRG-APP-000125, SRG-APP-000181, SRG-APP-000358, SRG-APP-000745
Checks: C-76980r1119301_chk

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Microsoft Sentinel. 2. Under "Workspaces", verify a Sentinel Workspace has been assigned. If a Sentinel Workspace has not been assigned, this is a finding. If another documented and authorizing official (AO)-approved SIEM/Central Log Server is in use, this is not a finding.

Fix: F-76885r1119367_fix

Access the MDE portal as a user with at least an MDE Administrator or equivalent role:

1. In the navigation pane, select Settings >> Microsoft Sentinel.
2. Under "Workspaces", connect a Sentinel Workspace.
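A workspace being assigned in the portal does not by itself prove that endpoint telemetry is leaving the tenant and landing in the central log store, which is what AU-4 is after. The following PowerShell is an added example (not part of the STIG and not Microsoft's code) that checks ingestion freshness per table: it asks the workspace for the newest record in each Defender table and flags tables that are stale or empty. The table list and the 24-hour threshold are assumptions to be replaced by the AO's logging plan; the query result rows used here are constructed sample data, and the commented live path uses Invoke-AzOperationalInsightsQuery from the Az.OperationalInsights module with a hypothetical $workspaceId.

```powershell
# Added example for MSDE-00-000450 (not part of the STIG). Verifies that MDE data is actually
# arriving in the Sentinel (Log Analytics) workspace, table by table.

function Test-MdeLogForwarding {
    param(
        [Parameter(Mandatory)] [object[]] $LastSeen,       # rows with Table and LastIngested
        [Parameter(Mandatory)] [string[]] $RequiredTables,
        [datetime] $Now = (Get-Date).ToUniversalTime(),
        [int] $MaxAgeHours = 24                              # assumption: adjust to the AO's plan
    )
    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($t in $RequiredTables) {
        $row = $LastSeen | Where-Object { $_.Table -eq $t } | Select-Object -First 1
        if (-not $row -or -not $row.LastIngested) {
            $findings.Add("Table $t has never received data from MDE")
        } elseif (($Now - [datetime]$row.LastIngested).TotalHours -gt $MaxAgeHours) {
            $findings.Add("Table $t last received data at $($row.LastIngested) (older than $MaxAgeHours h)")
        }
    }
    [pscustomobject]@{ Forwarding = ($findings.Count -eq 0); Findings = $findings }
}

# Tables that an MDE connection should populate (assumption; extend per the logging plan)
$tables = @('DeviceInfo', 'DeviceEvents', 'DeviceProcessEvents', 'SecurityAlert')

# --- Live collection (Az.OperationalInsights, after Connect-AzAccount) ---
# 'union withsource=Table' keeps the originating table name so one query covers them all.
# $workspaceId is the Log Analytics workspace (customer) ID, not the Azure resource ID.
# $kql  = "union withsource=Table " + ($tables -join ', ') +
#         " | summarize LastIngested = max(TimeGenerated) by Table"
# $rows = (Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql `
#              -Timespan (New-TimeSpan -Days 7)).Results

# --- Constructed sample standing in for the query results ---
$now  = [datetime]'2026-01-05T12:00:00Z'
$rows = @(
    @{ Table = 'DeviceInfo';          LastIngested = '2026-01-05T11:55:00Z' },
    @{ Table = 'DeviceEvents';        LastIngested = '2026-01-05T11:50:00Z' },
    @{ Table = 'DeviceProcessEvents'; LastIngested = '2026-01-03T02:00:00Z' }   # stale: sensor or connector problem
    # SecurityAlert absent from the results: no alerts forwarded at all
)
$r = Test-MdeLogForwarding -LastSeen $rows -RequiredTables $tables -Now $now
$r.Findings | ForEach-Object { Write-Output $_ }
"Forwarding: $($r.Forwarding)"
```

Run on a schedule, this turns the rule from a one-time portal check into a continuous one: a connector that silently stops (expired app permission, deleted workspace, disabled connector) shows up as a stale table within a day rather than at the next assessment.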

Microsoft Defender for Endpoint (MDE) must enable Automatically Resolve Alerts.
SI-3 - Medium - CCI-001243 - V-275979 - SV-275979r1119709_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
MSDE-00-000500
Vuln IDs
  • V-275979
Rule IDs
  • SV-275979r1119709_rule
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. This setting resolves an alert if automated investigation finds no threats or has successfully remediated all malicious artifacts.
Checks: C-80117r1119303_chk

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Verify the slide bar for "Automatically Resolve Alerts" is set to "On". If the slide bar for "Automatically Resolve Alerts" is not set to "On", this is a finding.

Fix: F-80022r1119304_fix

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Set the slide bar for "Automatically Resolve Alerts" to "On".

Microsoft Defender for Endpoint (MDE) must enable Allow or block file.
SI-3 - Medium - CCI-001243 - V-275980 - SV-275980r1119710_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
MSDE-00-000550
Vuln IDs
  • V-275980
Rule IDs
  • SV-275980r1119710_rule
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. This setting lets administrators allow or block files across the organization by file hash; it takes effect only on endpoints where Microsoft Defender Antivirus is turned on and cloud-delivered protection is enabled.
Checks: C-80118r1119306_chk

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Verify the slide bar for "Allow or block file" is set to "On". If the slide bar for "Allow or block file" is not set to "On", this is a finding.

Fix: F-80023r1119307_fix

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Set the slide bar for "Allow or block file" to "On".

Microsoft Defender for Endpoint (MDE) must enable Hide potential duplicate device records.
SI-3 - Medium - CCI-001243 - V-275981 - SV-275981r1119731_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
MSDE-00-000600
Vuln IDs
  • V-275981
Rule IDs
  • SV-275981r1119731_rule
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. When turned on, this setting hides duplicate device records that might occur for the following reasons:
- Devices that were discovered more than once.
- Discovery of onboarded devices.
- Unintentionally discovered onboarded devices.

These duplicates are hidden from multiple experiences in the portal to create a more accurate view of the device inventory. The affected areas in the portal include the Device Inventory, Microsoft Defender Vulnerability Management screens, and the Public API for machines data. These devices will still be viewable in global search, advanced hunting, and the alert and incident pages.
Checks: C-80119r1119369_chk

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Verify the slide bar for "Hide potential duplicate device records" is set to "On". If the slide bar for "Hide potential duplicate device records" is not set to "On", this is a finding.

Fix: F-80024r1119310_fix

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Set the slide bar for "Hide potential duplicate device records" to "On".

Microsoft Defender for Endpoint (MDE) must enable Custom network indicators.
SI-3 - Medium - CCI-001243 - V-275982 - SV-275982r1119712_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
MSDE-00-000650
Vuln IDs
  • V-275982
Rule IDs
  • SV-275982r1119712_rule
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. This setting configures devices to allow or block connections to IP addresses, domains, or URLs in custom indicator lists.
Checks: C-80120r1119371_chk

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Verify the slide bar for "Custom network indicators" is set to "On". If the slide bar for "Custom network indicators" is not set to "On", this is a finding.

Fix: F-80025r1119313_fix

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Set the slide bar for "Custom network indicators" to "On".

Microsoft Defender for Endpoint (MDE) must enable Tamper protection.
SI-3 - Medium - CCI-001243 - V-275983 - SV-275983r1119713_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
MSDE-00-000700
Vuln IDs
  • V-275983
Rule IDs
  • SV-275983r1119713_rule
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Tamper protection prevents malicious apps from turning off security features like virus and threat protection, behavior monitoring, cloud-delivered protection, etc., preventing unwanted changes to security solutions and essential functions.
Checks: C-80121r1119373_chk

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Verify the slide bar for "Tamper protection" is set to "On". If the slide bar for "Tamper protection" is not set to "On", this is a finding.

Fix: F-80026r1119316_fix

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Set the slide bar for "Tamper protection" to "On".

Microsoft Defender for Endpoint (MDE) must enable Show user details.
SI-3 - Medium - CCI-001243 - V-275984 - SV-275984r1119714_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
MSDE-00-000750
Vuln IDs
  • V-275984
Rule IDs
  • SV-275984r1119714_rule
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. This setting enables displaying user details (picture, name, title, department) stored in Microsoft Entra ID (formerly Azure Active Directory).
Checks: C-80122r1119375_chk

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Verify the slide bar for "Show user details" is set to "On". If the slide bar for "Show user details" is not set to "On", this is a finding.

Fix: F-80027r1119319_fix

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Set the slide bar for "Show user details" to "On".

Microsoft Defender for Endpoint (MDE) must enable Microsoft Defender for Cloud Apps.
SI-3 - Medium - CCI-001243 - V-275985 - SV-275985r1119715_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
MSDE-00-000800
Vuln IDs
  • V-275985
Rule IDs
  • SV-275985r1119715_rule
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. This setting forwards Microsoft Defender for Endpoint signals to Defender for Cloud Apps, giving administrators deeper visibility into both sanctioned cloud apps and shadow IT. It also grants the ability to block unauthorized applications when the custom network indicators setting is turned on. Forwarded data is stored and processed in the same location as Defender for Cloud Apps data.
Checks: C-80123r1119377_chk

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Verify the slide bar for "Microsoft Defender for Cloud Apps" is set to "On". If the slide bar for "Microsoft Defender for Cloud Apps" is not set to "On", this is a finding.

Fix: F-80028r1119322_fix

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Set the slide bar for "Microsoft Defender for Cloud Apps" to "On".

Microsoft Defender for Endpoint (MDE) must enable Web content filtering.
SI-3 - Medium - CCI-001243 - V-275986 - SV-275986r1119716_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
MSDE-00-000850
Vuln IDs
  • V-275986
Rule IDs
  • SV-275986r1119716_rule
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. This setting blocks access to websites containing unwanted content and tracks web activity across all domains. To specify the web content categories to be blocked, a web content filtering policy must be created. Network protection must be set to block mode when deploying the Microsoft Defender for Endpoint security baseline.
Checks: C-80124r1119379_chk

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Verify the slide bar for "Web content filtering" is set to "On". If the slide bar for "Web content filtering" is not set to "On", this is a finding.

Fix: F-80029r1119325_fix

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Set the slide bar for "Web content filtering" to "On".
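Several of the Advanced features toggles above are tenant-wide switches whose effect depends on the state of the endpoint: EDR in block mode (MSDE-00-000400) only acts when Microsoft Defender Antivirus is in passive mode behind another AV; Allow or block file (MSDE-00-000550) needs Defender Antivirus on with cloud-delivered protection; Custom network indicators (MSDE-00-000650) and Web content filtering (MSDE-00-000850) need network protection in block mode on the device; and Tamper protection (MSDE-00-000700) is only meaningful if the device actually reports itself as tamper-protected. The following PowerShell is an added example (not part of the STIG and not Microsoft's code) that reads that effective state on an onboarded Windows device with Get-MpComputerStatus, Get-MpPreference, the Sense service and the onboarding registry value, so the portal toggles can be shown to be in force rather than merely enabled. The device status object used at the end is a constructed sample; the live call is shown commented.

```powershell
# Added example (not part of the STIG). Run elevated on an onboarded Windows endpoint to report
# whether the tenant-level Advanced features toggles are actually in effect on this device.

function Get-MdeEndpointPosture {
    param(
        [Parameter(Mandatory)] $ComputerStatus,                 # output of Get-MpComputerStatus
        [Parameter(Mandatory)] $Preference,                     # output of Get-MpPreference
        [Parameter(Mandatory)] [string] $SenseStatus,           # (Get-Service Sense).Status
        [Parameter(Mandatory)] [int]    $OnboardingState        # 1 once onboarding has completed
    )
    # AMRunningMode is the honest indicator for EDR in block mode:
    #   'Normal'         -> Defender AV is the primary AV; block mode is not used (AV already blocks)
    #   'EDR Block Mode' -> a non-Microsoft AV is primary and the tenant toggle is in effect
    #   'Passive Mode'   -> a non-Microsoft AV is primary and block mode is NOT in effect (gap)
    $mode = $ComputerStatus.AMRunningMode
    $edrBlock = switch ($mode) {
        'Normal'         { 'not applicable (Defender AV active)' }
        'EDR Block Mode' { 'in effect' }
        default          { "NOT in effect (AMRunningMode=$mode)" }
    }
    [pscustomobject]@{
        Onboarded              = ($OnboardingState -eq 1 -and $SenseStatus -eq 'Running')
        EdrBlockMode           = $edrBlock
        TamperProtected        = [bool]$ComputerStatus.IsTamperProtected
        AntivirusEnabled       = [bool]$ComputerStatus.AntivirusEnabled
        # Allow/block file and cloud indicators need cloud-delivered protection; MAPSReporting 2 = Advanced
        CloudProtection        = ($Preference.MAPSReporting -eq 2)
        # Custom network indicators and web content filtering need network protection in block mode:
        # EnableNetworkProtection 0 = disabled, 1 = block, 2 = audit only
        NetworkProtectionBlock = ($Preference.EnableNetworkProtection -eq 1)
    }
}

# --- Live collection on the device ---
# $status = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
# Get-MdeEndpointPosture -ComputerStatus (Get-MpComputerStatus) -Preference (Get-MpPreference) `
#     -SenseStatus (Get-Service Sense).Status.ToString() -OnboardingState $status.OnboardingState

# --- Constructed sample: a device running a third-party AV with Defender AV passive ---
$sampleStatus = [pscustomobject]@{ AMRunningMode = 'Passive Mode'; IsTamperProtected = $true; AntivirusEnabled = $true }
$samplePref   = [pscustomobject]@{ MAPSReporting = 2; EnableNetworkProtection = 0 }
Get-MdeEndpointPosture -ComputerStatus $sampleStatus -Preference $samplePref `
    -SenseStatus 'Running' -OnboardingState 1 | Format-List
```

The sample device illustrates the case the portal check cannot see: the tenant toggle for EDR in block mode may be "On", yet a device reporting "Passive Mode" rather than "EDR Block Mode" is getting no blocking from it, and network protection set to 0 means custom network indicators and web content filtering are not enforced there either. Collecting this per device (for example through a Live Response script or an Intune proactive remediation) is how the tenant-level rule becomes verifiable at the endpoint.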

Microsoft Defender for Endpoint (MDE) must enable Device discovery.
SI-3 - Medium - CCI-001243 - V-275987 - SV-275987r1119717_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
MSDE-00-000900
Vuln IDs
  • V-275987
Rule IDs
  • SV-275987r1119717_rule
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. This setting allows onboarded devices to discover unmanaged devices in the network and assess vulnerabilities and risks.
Checks: C-80125r1119381_chk

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Verify the slide bar for "Device discovery" is set to "On". If the slide bar for "Device discovery" is not set to "On", this is a finding.

Fix: F-80030r1119328_fix

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Set the slide bar for "Device discovery" to "On".

Microsoft Defender for Endpoint (MDE) must enable Download quarantined files.
SI-3 - Medium - CCI-001243 - V-275988 - SV-275988r1119718_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
MSDE-00-000950
Vuln IDs
  • V-275988
Rule IDs
  • SV-275988r1119718_rule
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. This setting backs up quarantined files in a secure and compliant location so they can be downloaded directly from quarantine.
Checks: C-80126r1119383_chk

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Verify the slide bar for "Download quarantined files" is set to "On". If the slide bar for "Download quarantined files" is not set to "On", this is a finding.

Fix: F-80031r1119331_fix

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Set the slide bar for "Download quarantined files" to "On".

Microsoft Defender for Endpoint (MDE) must enable Live Response.
SI-3 - Medium - CCI-001243 - V-275989 - SV-275989r1119719_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
MSDE-00-001000
Vuln IDs
  • V-275989
Rule IDs
  • SV-275989r1119719_rule
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. This setting allows users with appropriate RBAC permissions to investigate devices they are authorized to access, using a remote shell connection.
Checks: C-80127r1119385_chk

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Verify the slide bar for "Live Response" is set to "On". If the slide bar for "Live Response" is not set to "On", this is a finding.

Fix: F-80032r1119334_fix

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Set the slide bar for "Live Response" to "On".

Microsoft Defender for Endpoint (MDE) must enable Live Response for Servers.
SI-3 - Medium - CCI-001243 - V-275990 - SV-275990r1119720_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
MSDE-00-001050
Vuln IDs
  • V-275990
Rule IDs
  • SV-275990r1119720_rule
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. This setting allows users with Live Response privileges to connect remotely to servers (Windows Server or Linux devices) they are authorized to access.
Checks: C-80128r1119387_chk

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Verify the slide bar for "Live Response for Servers" is set to "On". If the slide bar for "Live Response for Servers" is not set to "On", this is a finding.

Fix: F-80033r1119337_fix

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Set the slide bar for "Live Response for Servers" to "On".

Microsoft Defender for Endpoint (MDE) must enable Share endpoint alerts with Microsoft Compliance Center.
SI-3 - Medium - CCI-001243 - V-275991 - SV-275991r1119721_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
MSDE-00-001100
Vuln IDs
  • V-275991
Rule IDs
  • SV-275991r1119721_rule
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. This setting forwards endpoint security alerts and their triage status to the Microsoft Purview portal, enabling enhanced insider risk management policies with those alerts and the ability to remediate internal risks before they cause harm. Forwarded data is processed and stored in the same location as Office 365 data.
Checks: C-80129r1119389_chk

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Verify the slide bar for "Share endpoint alerts with Microsoft Compliance Center" is set to "On". If the slide bar for "Share endpoint alerts with Microsoft Compliance Center" is not set to "On", this is a finding.

Fix: F-80034r1119340_fix

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Set the slide bar for "Share endpoint alerts with Microsoft Compliance Center" to "On".

Microsoft Defender for Endpoint (MDE) must enable Microsoft Intune connection.
SI-3 - Medium - CCI-001243 - V-275992 - SV-275992r1119722_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
MSDE-00-001150
Vuln IDs
  • V-275992
Rule IDs
  • SV-275992r1119722_rule
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Connecting to Microsoft Intune enables sharing of device information and enhanced policy enforcement. Intune provides additional information about managed devices for Secure Score, and it can use device risk information to enforce Conditional Access and other security policies.
Checks: C-80130r1119391_chk

Access the MDE portal as a user with at least an MDE Administrator or equivalent role:
1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).
2. Verify the slide bar for "Microsoft Intune connection" is set to "On".

If the slide bar for "Microsoft Intune connection" is not set to "On", this is a finding.

Fix: F-80035r1119343_fix

Access the MDE portal as a user with at least an MDE Administrator or equivalent role:
1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).
2. Set the slide bar for "Microsoft Intune connection" to "On".

Microsoft Defender for Endpoint (MDE) must enable Authenticated telemetry.
SI-3 - Medium - CCI-001243 - V-275993 - SV-275993r1119723_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
MSDE-00-001200
Vuln IDs
  • V-275993
Rule IDs
  • SV-275993r1119723_rule
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. The Authenticated telemetry setting prevents spoofed telemetry from being injected into the dashboard.
Checks: C-80131r1119393_chk

Access the MDE portal as a user with at least an MDE Administrator or equivalent role:
1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).
2. Verify the slide bar for "Authenticated telemetry" is set to "On".

If the slide bar for "Authenticated telemetry" is not set to "On", this is a finding.

Fix: F-80036r1119346_fix

Access the MDE portal as a user with at least an MDE Administrator or equivalent role:
1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).
2. Set the slide bar for "Authenticated telemetry" to "On".

Microsoft Defender for Endpoint (MDE) must enable File Content Analysis.
SI-3 - Medium - CCI-001243 - V-275994 - SV-275994r1119724_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
MSDE-00-001250
Vuln IDs
  • V-275994
Rule IDs
  • SV-275994r1119724_rule
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. File Content Analysis submits suspicious files identified by Automated investigation to the cloud for additional inspection. Only files with the specified extension names are submitted.
Checks: C-80132r1119395_chk

Access the MDE portal as a user with at least an MDE Administrator or equivalent role:
1. In the navigation pane, select Settings >> Endpoints >> Automation uploads (under Rules).
2. Verify the slide bar for "File Content Analysis" is set to "On".

If the slide bar for "File Content Analysis" is not set to "On", this is a finding.

Fix: F-80037r1119349_fix

Access the MDE portal as a user with at least an MDE Administrator or equivalent role:
1. In the navigation pane, select Settings >> Endpoints >> Automation uploads (under Rules).
2. Set the slide bar for "File Content Analysis" to "On".

Microsoft Defender for Endpoint (MDE) must enable Memory Content Analysis.
SI-3 - Medium - CCI-001243 - V-275995 - SV-275995r1119725_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
MSDE-00-001300
Vuln IDs
  • V-275995
Rule IDs
  • SV-275995r1119725_rule
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Memory Content Analysis automatically investigates the memory content of processes. When enabled, memory content can be uploaded to MDE during an Automated investigation.
Checks: C-80133r1119397_chk

Access the MDE portal as a user with at least an MDE Administrator or equivalent role:
1. In the navigation pane, select Settings >> Endpoints >> Automation uploads (under Rules).
2. Verify the slide bar for "Memory Content Analysis" is set to "On".

If the slide bar for "Memory Content Analysis" is not set to "On", this is a finding.

Fix: F-80038r1119352_fix

Access the MDE portal as a user with at least an MDE Administrator or equivalent role:
1. In the navigation pane, select Settings >> Endpoints >> Automation uploads (under Rules).
2. Set the slide bar for "Memory Content Analysis" to "On".

Microsoft Defender for Endpoint (MDE) Discovery Mode must enable Log4j2 detection.
SI-3 - Medium - CCI-001243 - V-275996 - SV-275996r1119726_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
MSDE-00-001350
Vuln IDs
  • V-275996
Rule IDs
  • SV-275996r1119726_rule
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. This setting detects devices running applications that use the vulnerable Log4j2 library through unauthenticated probing. This option also enables discovery using onboarded devices running Server 2019 and later.
Checks: C-80134r1119399_chk

Access the MDE portal as a user with at least an MDE Administrator or equivalent role:
1. In the navigation pane, select Settings >> Device Discovery >> Discovery setup (under Discovery setup).
2. Verify Standard discovery is selected and the slide bar for "Enable Log4j2 detection" is selected.

If the slide bar for "Enable Log4j2 detection" is not selected, this is a finding.

Fix: F-80039r1119400_fix

Access the MDE portal as a user with at least an MDE Administrator or equivalent role:
1. In the navigation pane, select Settings >> Endpoints >> Discovery setup (under Discovery setup).
2. Select Standard discovery.
3. Select the slide bar for "Enable Log4j2 detection".

Microsoft Defender for Endpoint (MDE) Discovery Mode must be set to All Devices.
SI-3 - Medium - CCI-001243 - V-275997 - SV-275997r1119727_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
MSDE-00-001400
Vuln IDs
  • V-275997
Rule IDs
  • SV-275997r1119727_rule
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. This setting enables standard discovery for supported devices that have been onboarded.
Checks: C-80135r1119402_chk

Access the MDE portal as a user with at least an MDE Administrator or equivalent role:
1. In the navigation pane, select Settings >> Device Discovery. Select which devices to use for Standard discovery (under Discovery setup).
2. Verify "All devices (recommended)" is selected.

If the slide bar for "All devices (recommended)" is not selected, this is a finding.

Fix: F-80040r1119403_fix

Access the MDE portal as a user with at least an MDE Administrator or equivalent role:
1. In the navigation pane, select Settings >> Endpoints. Select which devices to use for Standard discovery (under Discovery setup).
2. Select "All devices (recommended)".

Microsoft Defender for Endpoint (MDE) must enable Full remediation for Device groups.
SI-3 - Medium - CCI-001243 - V-275998 - SV-275998r1119728_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
MSDE-00-001450
Vuln IDs
  • V-275998
Rule IDs
  • SV-275998r1119728_rule
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Full remediation is necessary to automatically investigate and remediate devices without human intervention, which lowers SOC fatigue. It is also required for Attack Disruption.
Checks: C-80136r1119405_chk

Access the MDE portal as a user with at least an MDE Administrator or equivalent role:
1. In the navigation pane, select Settings >> Endpoints >> Device groups (under Permissions).
2. For all device groups: Verify the remediation column is set to Full remediation.

If the remediation column for all Device groups is not set to "Full remediation", this is a finding.

Fix: F-80041r1119406_fix

Access the MDE portal as a user with at least an MDE Administrator or equivalent role:
1. In the navigation pane, select Settings >> Endpoints >> Device groups (under Permissions).
2. Enter each Device group and enable Full remediation.