{"stig":{"title":"Microsoft Defender for Endpoint Security Technical Implementation Guide","version":"1","release":"2"},"checks":[{"vulnId":"V-272882","ruleId":"SV-272882r1119408_rule","severity":"medium","ruleTitle":"Microsoft Defender for Endpoint (MDE) must alert administrators on policy violations defined for endpoints.","description":"Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nApplications providing this capability must be able to perform actions in response to detected malware. Responses include blocking, quarantining, deleting, and alerting. Other technology- or organization-specific responses may also be employed to satisfy this requirement.\n\nMalicious code includes viruses, worms, Trojan horses, and spyware. \n\nThis requirement applies to applications providing malicious code protection.\n\nSatisfies: SRG-APP-000207, SRG-APP-000279, SRG-APP-000464, SRG-APP-000471, SRG-APP-000485, SRG-APP-000940","checkContent":"Access the MDE portal as a user with at least a Security Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Email notifications (under General) >> Alerts.\n2. For each defined Notification rule:\n- Click on the rule and select \"Edit\" to enter the \"Update notification rule\" screen.\n- Verify the notification settings are configured as defined by the authorizing official (AO).\n- Verify the Recipient Emails are assigned as defined by the AO.\n3. Click \"Cancel\".\n4. In the navigation pane, select Settings >> Endpoints >> Email notifications (under General) >> Vulnerabilities.\n5. 
For each defined notification rule:\n- Click on the rule and select \"Edit\" to enter the \"Update notification rule\" screen.\n- Verify the notification settings are configured as defined by the AO.\n- Verify the Recipient Emails are assigned as defined by the AO.\n6. Click \"Cancel\".\n\nIf Settings >> Endpoints >> Email notifications (under Permissions) >> Alerts does not display rules as defined by the AO, this is a finding.\n\nIf Settings >> Endpoints >> Email notifications (under Permissions) >> Vulnerabilities does not display rules as defined by the AO, this is a finding.\n\nWhen selecting each rule individually, if the Notification Settings and Recipient Emails are not as defined by the AO, this is a finding.","fixText":"Access the MDE portal as a user with at least a Security Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Email notifications (under General) >> Alerts. \n2. Click \"+Add notification rule\".\n3. Enter Name, Notification settings, and Recipients as defined by the AO.\n4. Click \"Save\". Repeat as necessary.\n5. In the navigation pane, select Settings >> Endpoints >> Email notifications (under General) >> Vulnerabilities. \n6. Click \"+Add notification rule\".\n7. Enter Name, Notification settings, and Recipients as defined by the AO.\n8. Click \"Save\". Repeat as necessary.","ccis":["CCI-001662","CCI-001243","CCI-002684","CCI-002664","CCI-002724","CCI-004966"]},{"vulnId":"V-272886","ruleId":"SV-272886r1119409_rule","severity":"medium","ruleTitle":"Roles for use with Microsoft Defender for Endpoint (MDE) must be configured within Entra ID.","description":"Application management functionality includes functions necessary for administration and requires privileged user access. Allowing nonprivileged users to access application management functionality capabilities increases the risk that nonprivileged users may obtain elevated privileges. 
\n\nUsing role-based access control (RBAC), roles and groups can be created within the security operations team to grant appropriate access to the MDE portal. Based on the roles and groups created, the capability will exist to have fine-grained control over what users with access to the portal can view and do.\n\nCreation of Entra ID roles is a prerequisite to configuring RBAC within the MDE portal itself.\n\nDefender for Endpoint RBAC is designed to support a role-based model and provides granular control over what roles can view, devices they can access, and actions they can take. The RBAC framework is centered around the following controls:\n\n- Control who can take specific action.\n- Create custom roles and control what Defender for Endpoint capabilities they can access with granularity.\n- Control who can view information on specific device group or groups.\n\nSatisfies: SRG-APP-000211, SRG-APP-000267","checkContent":"Access the Azure Entra ID portal as a Global Admin or other role with the ability to create/assign roles.\n\n1. Select Manage >> Roles and administrators. Click on the \"MDE Administrator\" role.\n2. Under \"Active assignments\" ensure one or more authorizing official (AO)-approved users are assigned to this role. This role is a top-level administrator within MDE.\nNote: A custom defined, AO-approved role may be created and used in lieu of the built-in MDE Administrator role.\n\nIf one or more AO-approved users have not been assigned to the security administrator (or equivalent AO-approved) role, this is a finding.\n\n1. Return to the Entra ID portal home and select Manage >> Groups. Click the number next to \"Total Groups\".\n2. Ensure one or more custom roles have been defined as subordinate roles for MDE administration. The structure of various subordinate groups is to be defined by the AO.\n3. 
Click on each of these groups and ensure one or more users have been assigned.\n\nIf one or more subordinate groups do not exist, this is a finding.\n\nIf one or more users do not exist in these subordinate groups, this is a finding.","fixText":"Access the Azure Entra ID portal as a Global Admin or other role with the ability to create/assign roles and users/groups.\n\n1. Select Manage >> Roles and administrators.\n2. Click on the \"Security Administrator\" role, then click \"+Add assignments\".\n3. Under \"Select Member(s)\" add AO-approved users for this role. This role is a top-level administrator within MDE.\nNote: A custom defined, AO-approved role may be created and used in lieu of the built-in \"MDE Administrator\" role.\n4. Return to the Entra ID portal home and select Manage >> Groups. Click \"New group\".\n5. Define at least one sub-level group for MDE administration as defined by the AO and assign user(s) to these groups.","ccis":["CCI-001082","CCI-001314"]},{"vulnId":"V-272887","ruleId":"SV-272887r1156554_rule","severity":"medium","ruleTitle":"Microsoft Defender for Endpoint (MDE) must be configured for a least privilege model by implementing Unified Role-Based Access Control (RBAC).","description":"When first accessing the Microsoft Defender portal, either full access or read-only access is granted. Full access rights are granted to users with the Security Administrator (or equivalent) role in Microsoft Entra ID. 
Read-only access is granted to users with a Security Reader (or equivalent) role in Microsoft Entra ID.\n\nThe permission tiers available to assign to custom roles are as follows:\n\nView data:\n- Security Operations - View all security operations data in the portal.\n- Defender Vulnerability Management - View Defender Vulnerability Management data in the portal.\n\nActive remediation actions:\n- Security Operations - Take response actions, approve or dismiss pending remediation actions, manage allowed/blocked lists for automation and indicators.\n- Defender Vulnerability Management.\n- Exception handling - Create new exceptions and manage active exceptions.\n\nDefender Vulnerability Management - Remediation handling:\n- Submit new remediation requests, create tickets, and manage existing remediation activities.\n\nDefender Vulnerability Management - Application handling:\n- Apply immediate mitigation actions by blocking vulnerable applications as part of the remediation activity, and manage the blocked apps and perform unblock actions.\n\nSecurity baselines:\n- Defender Vulnerability Management.\n- Manage security baselines assessment profiles.\n- Create and manage profiles so users can assess if devices comply with security industry baselines.\n\nAlerts investigation:\n- Manage alerts, initiate automated investigations, run scans, collect investigation packages, manage device tags, and download only portable executable (PE) files.\n\nManage portal system settings:\n- Configure storage settings, SIEM, and threat intel API settings (applies globally), advanced settings, automated file uploads, roles, and device groups.\n\nSatisfies: SRG-APP-000211, SRG-APP-000267","checkContent":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Microsoft Defender XDR >> Permissions and Roles.\n2. 
For each defined role:\n- Click the role to enter the edit role screen.\n- Verify the Permissions are configured as defined by the authorizing official (AO).\n- Verify the appropriate user groups are assigned as defined by the AO.\n- Click \"Cancel\".\n\nIf Settings >> Microsoft Defender XDR >> Permissions and Roles does not display roles as defined by the AO, this is a finding.\n\nWhen selecting each role individually, if the permissions and user groups are not as defined by the AO, this is a finding.","fixText":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Microsoft Defender XDR >> Permissions and Roles. \n2. Select \"+Add role\".\n3. Enter a Role Name, select \"Permissions\" as defined by the AO, and then click \"Next\".\n4. Select the appropriate group as defined in MSDE-00-000300.","ccis":["CCI-001082","CCI-001314"]},{"vulnId":"V-272888","ruleId":"SV-272888r1119411_rule","severity":"medium","ruleTitle":"Microsoft Defender for Endpoint (MDE) must enable Endpoint Detection and Response (EDR) in block mode.","description":"Denial of service (DoS) is a condition in which a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. \n\nIndividuals of concern can include hostile insiders or external adversaries that have successfully breached the information system and are using the system as a platform to launch cyberattacks on third parties.\n\nApplications and application developers must take the steps needed to ensure users cannot use an authorized application to launch DoS attacks against other systems and networks. For example, applications may include mechanisms that throttle network traffic so users are not able to generate unlimited network traffic via the application. 
Limiting system resources allocated to any user to a bare minimum may also reduce the ability of users to launch some DoS attacks.\n\nThe methods employed to counter this risk will be dependent upon the application layer methods that can be used to exploit it.\n\nSatisfies: SRG-APP-000246, SRG-APP-000435","checkContent":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Verify the slide bar for \"Enable EDR in block mode\" is set to \"On\".\n\nIf the slide bar for \"Enable EDR in block mode\" is not set to \"On\", this is a finding.","fixText":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Set the slide bar for \"Enable EDR in block mode\" to \"On\".","ccis":["CCI-001094","CCI-002385"]},{"vulnId":"V-272889","ruleId":"SV-272889r1119412_rule","severity":"high","ruleTitle":"Microsoft Defender for Endpoint (MDE) must be connected to a central log server.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nSatisfies: SRG-APP-000515, SRG-APP-000086, SRG-APP-000108, SRG-APP-000125, SRG-APP-000181, SRG-APP-000358, SRG-APP-000745","checkContent":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Microsoft Sentinel.\n2. Under \"Workspaces\", verify a Sentinel Workspace has been assigned. 
\n\nIf a Sentinel Workspace has not been assigned, this is a finding.\n\nIf another documented and authorizing official (AO)-approved SIEM/Central Log Server is in use, this is not a finding.","fixText":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the MDE portal, select Settings >> Microsoft Sentinel.\n2. Under \"Workspaces\", connect a Sentinel Workspace.","ccis":["CCI-001851","CCI-000174","CCI-000139","CCI-001348","CCI-001876","CCI-001851","CCI-003821"]},{"vulnId":"V-275979","ruleId":"SV-275979r1119709_rule","severity":"medium","ruleTitle":"Microsoft Defender for Endpoint (MDE) must enable Automatically Resolve Alerts.","description":"Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nThis setting resolves an alert if automated investigation finds no threats or has successfully remediated all malicious artifacts.","checkContent":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Verify the slide bar for \"Automatically Resolve Alerts\" is set to \"On\".","fixText":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Set the slide bar for \"Automatically Resolve Alerts\" to \"On\".","ccis":["CCI-001243"]},{"vulnId":"V-275980","ruleId":"SV-275980r1119710_rule","severity":"medium","ruleTitle":"Microsoft Defender for Endpoint (MDE) must enable Allow or block file.","description":"Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. 
To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nThis setting ensures Windows Defender Antivirus is turned on and the cloud-based protection feature is enabled to use the allow or block file feature.","checkContent":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Verify the slide bar for \"Allow or block file\" is set to \"On\". \n\nIf the slide bar for \"Allow or block file\" is not set to \"On\", this is a finding.","fixText":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Set the slide bar for \"Allow or block file\" to \"On\".","ccis":["CCI-001243"]},{"vulnId":"V-275981","ruleId":"SV-275981r1119731_rule","severity":"medium","ruleTitle":"Microsoft Defender for Endpoint (MDE) must enable Hide potential duplicate device records.","description":"Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nWhen turned on, this setting will hide duplications that might occur for the following reasons:\n\n- Devices that were discovered more than once.\n- Discovery of onboarded devices.\n- Unintentionally discovered onboarded devices.\n\nThese duplications will be hidden from multiple experiences in the portal to create a more accurate view of the device inventory. The affected areas in the portal include the Device Inventory, Microsoft Defender Vulnerability Management screens, and Public API for machines data. 
These devices will still be viewable in global search, advanced hunting, and alert and incidents pages.","checkContent":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Verify the slide bar for \"Hide potential duplicate device records\" is set to \"On\".\n\nIf the slide bar for \"Hide potential duplicate device records\" is not set to \"On\", this is a finding.","fixText":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Set the slide bar for \"Hide potential duplicate device records\" to \"On\".","ccis":["CCI-001243"]},{"vulnId":"V-275982","ruleId":"SV-275982r1119712_rule","severity":"medium","ruleTitle":"Microsoft Defender for Endpoint (MDE) must enable Custom network indicators.","description":"Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nThis setting configures devices to allow or block connections to IP addresses, domains, or URLs in custom indicator lists.","checkContent":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Verify the slide bar for \"Custom network indicators\" is set to \"On\".\n\nIf the slide bar for \"Custom network indicators\" is not set to \"On\", this is a finding.","fixText":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. 
Set the slide bar for \"Custom network indicators\" to \"On\".","ccis":["CCI-001243"]},{"vulnId":"V-275983","ruleId":"SV-275983r1119713_rule","severity":"medium","ruleTitle":"Microsoft Defender for Endpoint (MDE) must enable Tamper protection.","description":"Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nTamper protection prevents malicious apps from turning off security features like virus and threat protection, behavior monitoring, cloud-delivered protection, etc., preventing unwanted changes to security solutions and essential functions.","checkContent":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Verify the slide bar for \"Tamper protection\" is set to \"On\".\n\nIf the slide bar for \"Tamper protection\" is not set to \"On\", this is a finding.","fixText":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Set the slide bar for \"Tamper protection\" to \"On\".","ccis":["CCI-001243"]},{"vulnId":"V-275984","ruleId":"SV-275984r1119714_rule","severity":"medium","ruleTitle":"Microsoft Defender for Endpoint (MDE) must enable Show user details.","description":"Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. 
\n\nThis setting enables displaying user details (picture, name, title, department) stored in Azure Active Directory.","checkContent":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Verify the slide bar for \"Show user details\" is set to \"On\".\n\nIf the slide bar for \"Show user details\" is not set to \"On\", this is a finding.","fixText":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Set the slide bar for \"Show user details\" to \"On\".","ccis":["CCI-001243"]},{"vulnId":"V-275985","ruleId":"SV-275985r1119715_rule","severity":"medium","ruleTitle":"Microsoft Defender for Endpoint (MDE) must enable Microsoft Defender for Cloud Apps.","description":"Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nThis setting forwards Microsoft Defender for Endpoint signals to Defender for Cloud Apps, giving administrators deeper visibility into both sanctioned cloud apps and shadow IT. It also grants the ability to block unauthorized applications when the custom network indicators setting is turned on. Forwarded data is stored and processed in the same location as Cloud App Security data.","checkContent":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. 
Verify the slide bar for \"Microsoft Defender for Cloud Apps\" is set to \"On\".\n\nIf the slide bar for \"Microsoft Defender for Cloud Apps\" is not set to \"On\", this is a finding.","fixText":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Set the slide bar for \"Microsoft Defender for Cloud Apps\" to \"On\".","ccis":["CCI-001243"]},{"vulnId":"V-275986","ruleId":"SV-275986r1119716_rule","severity":"medium","ruleTitle":"Microsoft Defender for Endpoint (MDE) must enable Web content filtering.","description":"Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nThis setting blocks access to websites containing unwanted content and tracks web activity across all domains. To specify the web content categories to be blocked, a web content filtering policy must be created. Network protection must be set to block mode when deploying the Microsoft Defender for Endpoint security baseline.","checkContent":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Verify the slide bar for \"Web content filtering\" is set to \"On\".\n\nIf the slide bar for \"Web content filtering\" is not set to \"On\", this is a finding.","fixText":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. 
Set the slide bar for \"Web content filtering\" to \"On\".","ccis":["CCI-001243"]},{"vulnId":"V-275987","ruleId":"SV-275987r1119717_rule","severity":"medium","ruleTitle":"Microsoft Defender for Endpoint (MDE) must enable Device discovery.","description":"Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nThis setting allows onboarded devices to discover unmanaged devices in the network and assess vulnerabilities and risks.","checkContent":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Verify the slide bar for \"Device discovery\" is set to \"On\".\n\nIf the slide bar for \"Device discovery\" is not set to \"On\", this is a finding.","fixText":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Set the slide bar for \"Device discovery\" to \"On\".","ccis":["CCI-001243"]},{"vulnId":"V-275988","ruleId":"SV-275988r1119718_rule","severity":"medium","ruleTitle":"Microsoft Defender for Endpoint (MDE) must enable Download quarantined files.","description":"Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nThis setting backs up quarantined files in a secure and compliant location so they can be downloaded directly from quarantine.","checkContent":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. 
In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Verify the slide bar for \"Download quarantined files\" is set to \"On\".\n\nIf the slide bar for \"Download quarantined files\" is not set to \"On\", this is a finding.","fixText":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Set the slide bar for \"Download quarantined files\" to \"On\".","ccis":["CCI-001243"]},{"vulnId":"V-275989","ruleId":"SV-275989r1119719_rule","severity":"medium","ruleTitle":"Microsoft Defender for Endpoint (MDE) must enable Live Response.","description":"Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nThis setting allows users with appropriate RBAC permissions to investigate devices they are authorized to access, using a remote shell connection.","checkContent":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Verify the slide bar for \"Live Response\" is set to \"On\".\n\nIf the slide bar for \"Live Response\" is not set to \"On\", this is a finding.","fixText":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. 
Set the slide bar for \"Live Response\" to \"On\".","ccis":["CCI-001243"]},{"vulnId":"V-275990","ruleId":"SV-275990r1119720_rule","severity":"medium","ruleTitle":"Microsoft Defender for Endpoint (MDE) must enable Live Response for Servers.","description":"Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nThis setting allows users with Live Response privileges to connect remotely to servers (Windows Server or Linux devices) they are authorized to access.","checkContent":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Verify the slide bar for \"Live Response for Servers\" is set to \"On\".\n\nIf the slide bar for \"Live Response for Servers\" is not set to \"On\", this is a finding.","fixText":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Set the slide bar for \"Live Response for Servers\" to \"On\".","ccis":["CCI-001243"]},{"vulnId":"V-275991","ruleId":"SV-275991r1119721_rule","severity":"medium","ruleTitle":"Microsoft Defender for Endpoint (MDE) must enable Share endpoint alerts with Microsoft Compliance Center.","description":"Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. 
\n\nThis setting forwards endpoint security alerts and their triage status to the Microsoft Purview portal, enabling enhanced insider risk management policies with alerts and the ability to remediate internal risks before they cause harm. Forwarded data is processed and stored in the same location as Office 365 data.","checkContent":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Verify the slide bar for \"Share endpoint alerts with Microsoft Compliance Center\" is set to \"On\".\n\nIf the slide bar for \"Share endpoint alerts with Microsoft Compliance Center\" is not set to \"On\", this is a finding.","fixText":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Set the slide bar for \"Share endpoint alerts with Microsoft Compliance Center\" to \"On\".","ccis":["CCI-001243"]},{"vulnId":"V-275992","ruleId":"SV-275992r1119722_rule","severity":"medium","ruleTitle":"Microsoft Defender for Endpoint (MDE) must enable Microsoft Intune connection.","description":"Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nConnecting to Microsoft Intune enables sharing of device information and enhanced policy enforcement.\n\nIntune provides additional information about managed devices for Secure Score. It can use risk information to enforce conditional access and other security policies.","checkContent":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. 
Verify the slide bar for \"Microsoft Intune connection\" is set to \"On\".\n\nIf the slide bar for \"Microsoft Intune connection\" is not set to \"On\", this is a finding.","fixText":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Set the slide bar for \"Microsoft Intune connection\" to \"On\".","ccis":["CCI-001243"]},{"vulnId":"V-275993","ruleId":"SV-275993r1119723_rule","severity":"medium","ruleTitle":"Microsoft Defender for Endpoint (MDE) must enable Authenticated telemetry.","description":"Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nThe authenticated telemetry setting prevents spoofing telemetry into the dashboard.","checkContent":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Verify the slide bar for \"Authenticated telemetry\" is set to \"On\".\n\nIf the slide bar for \"Authenticated telemetry\" is not set to \"On\", this is a finding.","fixText":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General).\n2. Set the slide bar for \"Authenticated telemetry\" to \"On\".","ccis":["CCI-001243"]},{"vulnId":"V-275994","ruleId":"SV-275994r1119724_rule","severity":"medium","ruleTitle":"Microsoft Defender for Endpoint (MDE) must enable File Content Analysis.","description":"Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. 
To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nContent analysis submits suspicious files identified by Automated investigation to the cloud for additional inspection. Only files with the specified extension names will be submitted.","checkContent":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Automation uploads (under Rules).\n2. Verify the slide bar for \"File Content Analysis\" is set to \"On\".\n\nIf the slide bar for \"File Content Analysis\" is not set to \"On\", this is a finding.","fixText":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Automation uploads (under Rules).\n2. Set the slide bar for \"File Content Analysis\" to \"On\".","ccis":["CCI-001243"]},{"vulnId":"V-275995","ruleId":"SV-275995r1119725_rule","severity":"medium","ruleTitle":"Microsoft Defender for Endpoint (MDE) must enable Memory Content Analysis.","description":"Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nThis setting automatically investigates memory content of processes. When enabled, memory content can be uploaded to MDE during an Automated investigation.","checkContent":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Automation uploads (under Rules).\n2. 
Verify the slide bar for \"Memory Content Analysis\" is set to \"On\".\n\nIf the slide bar for \"Memory Content Analysis\" is not set to \"On\", this is a finding.","fixText":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Automation uploads (under Rules).\n2. Set the slide bar for \"Memory Content Analysis\" to \"On\".","ccis":["CCI-001243"]},{"vulnId":"V-275996","ruleId":"SV-275996r1119726_rule","severity":"medium","ruleTitle":"Microsoft Defender for Endpoint (MDE) Discovery Mode must enable Log4j2 detection.","description":"Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nThis setting detects devices with applications using the vulnerable Log4j2 library through unauthenticated probing. This option will also enable discovery using Server 2019+ onboarded devices.","checkContent":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Device Discovery >> Discovery setup (under Discovery setup).\n2. Verify Standard discovery is selected and the slide bar for \"Enable Log4j2 detection\" is selected.\n\nIf the slide bar for \"Enable Log4j2 detection\" is not selected, this is a finding.","fixText":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Discovery setup (under Discovery setup).\n2. Select Standard discovery.\n3. 
Select the slide bar for \"Enable Log4j2 detection\".","ccis":["CCI-001243"]},{"vulnId":"V-275997","ruleId":"SV-275997r1119727_rule","severity":"medium","ruleTitle":"Microsoft Defender for Endpoint (MDE) Discovery Mode must be set to All Devices.","description":"Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nThis setting enables standard discovery for supported devices that have been onboarded.","checkContent":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Device Discovery. Select which devices to use for Standard discovery (under Discovery setup).\n2. Verify \"All devices (recommended)\" is selected.\n\nIf the slide bar for \"All devices (recommended)\" is not selected, this is a finding.","fixText":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints. Select which devices to use for Standard discovery (under Discovery setup).\n2. Select \"All devices (recommended)\".","ccis":["CCI-001243"]},{"vulnId":"V-275998","ruleId":"SV-275998r1119728_rule","severity":"medium","ruleTitle":"Microsoft Defender for Endpoint (MDE) must enable Full remediation for Device groups.","description":"Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nFull remediation is necessary to automatically investigate and remediate devices without human intervention, which lowers SOC fatigue. 
This is also required for Attack Disruption.","checkContent":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Device groups (under Permissions).\n2. For all device groups: Verify the remediation column is set to Full remediation.\n\nIf the remediation column for all Device groups is not set to \"Full remediation\", this is a finding.","fixText":"Access the MDE portal as a user with at least an MDE Administrator or equivalent role:\n\n1. In the navigation pane, select Settings >> Endpoints >> Device groups (under Permissions).\n2. Enter each Device group and enable Full remediation.","ccis":["CCI-001243"]}]}