Microsoft Defender for Endpoint (MDE) must be connected to a central log server.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-272889 | MSDE-00-000450 | SV-272889r1119412_rule | CCI-001851 | high |

Description

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.

Satisfies: SRG-APP-000515, SRG-APP-000086, SRG-APP-000108, SRG-APP-000125, SRG-APP-000181, SRG-APP-000358, SRG-APP-000745

| STIG | Date |
|---|---|
| Microsoft Defender for Endpoint Security Technical Implementation Guide | 2025-11-25 |
Details
Check Text (C-272889r1119412_chk)
Access the MDE portal as a user with at least an MDE Administrator or equivalent role:
1. In the navigation pane, select Settings >> Microsoft Sentinel.
2. Under "Workspaces", verify that a Sentinel workspace has been assigned.
If a Sentinel Workspace has not been assigned, this is a finding.
If another documented and authorizing official (AO)-approved SIEM/Central Log Server is in use, this is not a finding.
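The check above is a manual portal review. The following PowerShell script is an added example, not part of the STIG text, that verifies the same requirement from the Sentinel side: it lists the data connectors enabled on the target Log Analytics workspace and fails if neither the Microsoft Defender XDR connector (kind `MicrosoftThreatProtection`) nor the older MDE-only connector (kind `MicrosoftDefenderAdvancedThreatProtection`) is present. It assumes the `Az.Accounts` and `Az.SecurityInsights` modules are installed, that `Connect-AzAccount` has already been run with read access to the workspace, and that the resource group and workspace names are placeholders you replace with your own. It complements rather than replaces the portal check: a connector enabled in the workspace shows that MDE data is flowing, but the "Workspaces" assignment in the Defender portal itself is still confirmed in the portal.

```powershell
# Added example (not from the STIG): confirm that MDE telemetry reaches a
# Microsoft Sentinel workspace by inspecting the workspace's data connectors.
# Requires Az.Accounts and Az.SecurityInsights; run Connect-AzAccount first.
param(
    # Placeholder names (assumptions); replace with your own values.
    [string]$ResourceGroupName = 'rg-sentinel-prod',
    [string]$WorkspaceName     = 'law-sentinel-prod'
)

# Data connector kinds that carry Defender for Endpoint data into Sentinel:
#  - MicrosoftThreatProtection: Microsoft Defender XDR connector
#    (incidents, alerts and advanced hunting tables, MDE included)
#  - MicrosoftDefenderAdvancedThreatProtection: legacy MDE-only alert connector
$mdeConnectorKinds = @(
    'MicrosoftThreatProtection',
    'MicrosoftDefenderAdvancedThreatProtection'
)

# A connector object exists on the workspace only once it has been enabled,
# so an empty result here means no Defender data is being ingested.
$connectors = Get-AzSentinelDataConnector `
    -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkspaceName `
    -ErrorAction Stop

$mdeConnectors = @($connectors | Where-Object { $mdeConnectorKinds -contains $_.Kind })

if ($mdeConnectors.Count -eq 0) {
    Write-Output "FINDING: workspace '$WorkspaceName' has no Defender data connector enabled."
    Write-Output "Enabled connector kinds: $(($connectors | ForEach-Object { $_.Kind }) -join ', ')"
    exit 1
}

foreach ($c in $mdeConnectors) {
    Write-Output ("Connector '{0}' (kind '{1}') is enabled on '{2}'." -f $c.Name, $c.Kind, $WorkspaceName)
}
Write-Output "Not a finding: MDE data is connected to Sentinel workspace '$WorkspaceName'."
exit 0
```

If the organization relies on a different AO-approved SIEM instead of Sentinel, as the check text allows, adapt the script to that platform's API; the point is the same, a scripted, repeatable confirmation that MDE events are leaving the tenant for the central log server rather than a one-time screenshot of the portal.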
Fix Text (F-76885r1119367_fix)
Access the MDE portal as a user with at least an MDE Administrator or equivalent role:
1. In the navigation pane, select Settings >> Microsoft Sentinel.
2. Under "Workspaces", connect a Sentinel workspace.