V-272889

CAT I (High)

Microsoft Defender for Endpoint (MDE) must be connected to a central log server.

Rule ID

SV-272889r1119412_rule

STIG

Microsoft Defender for Endpoint Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-001851, CCI-000174, CCI-000139, CCI-001348, CCI-001876, CCI-001851, CCI-003821

Discussion

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.

Satisfies: SRG-APP-000515, SRG-APP-000086, SRG-APP-000108, SRG-APP-000125, SRG-APP-000181, SRG-APP-000358, SRG-APP-000745

Check Content

Access the MDE portal as a user with at least an MDE Administrator or equivalent role:

1. In the navigation pane, select Settings >> Microsoft Sentinel.
2. Under "Workspaces", verify a Sentinel Workspace has been assigned. 

If a Sentinel Workspace has not been assigned, this is a finding.

If another documented and authorizing official (AO)-approved SIEM/Central Log Server is in use, this is not a finding.

Fix Text

Access the MDE portal as a user with at least an MDE Administrator or equivalent role:

1. In the MDE portal, select Settings >> Microsoft Sentinel.
2. Under "Workspaces", connect a Sentinel Workspace.