Framework Reference

Ryan edited this page Mar 4, 2026 · 4 revisions

This page provides detailed information about the security frameworks implemented in this audit tool, including their origins, purposes, and specific standards referenced.

DISA STIG Module

About DISA STIGs

Organization: Defense Information Systems Agency (DISA)
Framework: Security Technical Implementation Guides (STIGs)
Purpose: Standardize security configuration for DoD information systems

What are STIGs?

STIGs are configuration standards developed by DISA to secure information systems used by the U.S. Department of Defense. They provide technical guidance to "lock down" information systems and software to prevent unauthorized access, data breaches, and cyber attacks.

Severity Categories

| Category | Risk Level | Impact (DISA definition) | Examples |
|---|---|---|---|
| CAT I | High | Exploitation directly and immediately results in loss of confidentiality, availability or integrity | UAC disabled, firewall off, Guest account enabled |
| CAT II | Medium | Exploitation has the potential to result in loss of confidentiality, availability or integrity | Weak passwords, inadequate logging, outdated protocols |
| CAT III | Low | Degrades measures that protect against such loss | Non-critical configuration items |

The category of an individual item is assigned in the published STIG, not inferred from how important the setting looks; the same setting can carry a different category in different STIGs and releases, so reports should take the CAT from the STIG being assessed rather than from this summary.

STIGs Referenced in This Module

  • Windows 10 STIG (Version 2 Release 8 and later)
  • Windows 11 STIG (Version 1 Release 5 and later)
  • Windows Server 2016 STIG (Version 2 Release 8 and later)
  • Windows Server 2019 STIG (Version 2 Release 8 and later)
  • Windows Server 2022 STIG (Version 1 Release 4 and later)

Example STIG Requirements Checked

| V-ID | Requirement | CAT |
|---|---|---|
| V-220718 | Minimum password length must be 14 characters | II |
| V-220719 | Account lockout threshold must be 3 or less | II |
| V-220726 | Password history must remember 24 passwords | II |
| V-220929 | Guest account must be disabled | I |
| V-220926 | User Account Control must be enabled | I |
| V-220968 | SMBv1 must be disabled | II |

V-IDs are renumbered between major STIG versions (the Windows 10 STIG moved from V-63xxx to V-220xxx identifiers at Version 2), and severity is set per item in the published benchmark; verify both against the XCCDF of the release you assess before quoting them in findings.
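As an added example (not code from this project), the PowerShell below evaluates the six items in the table against the local host and emits one result object per V-ID. The V-IDs and CAT values are copied from the table rather than verified against a STIG release. It uses the built-in secedit.exe export to read the account policies, Get-LocalUser for the Guest account, the EnableLUA registry value for UAC, and Get-SmbServerConfiguration for SMBv1; the function names are this example's own. It assumes an elevated session on Windows 10/11 or a recent Windows Server with the SmbShare module present.

```powershell
# Added example, not the project's code: evaluate the six STIG items in the
# table above against the local host. V-IDs and CAT values are copied from
# that table (verify them against the STIG release you assess). Needs an
# elevated session; secedit.exe is the built-in Windows policy tool.

function Get-LocalSecurityPolicy {
    # Export the local security policy to an INF file and parse "Name = Value"
    # lines into a hashtable (e.g. MinimumPasswordLength, LockoutBadCount).
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /quiet | Out-Null
        if (-not (Test-Path -Path $inf)) {
            throw 'secedit export failed; run from an elevated PowerShell session'
        }
        $policy = @{}
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\s*([A-Za-z0-9_]+)\s*=\s*(.+?)\s*$') {
                $policy[$Matches[1]] = $Matches[2]
            }
        }
        return $policy
    } finally {
        Remove-Item -Path $inf -Force -ErrorAction SilentlyContinue
    }
}

function Get-RegistryValue([string]$Path, [string]$Name) {
    # Return $null for a missing key or value instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-StigAccountChecks {
    $pol   = Get-LocalSecurityPolicy
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    $lua   = Get-RegistryValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
    $smb1  = (Get-SmbServerConfiguration).EnableSMB1Protocol

    $minLen  = [int]$pol['MinimumPasswordLength']
    $lockout = [int]$pol['LockoutBadCount']      # 0 means lockout is disabled, which fails the check
    $history = [int]$pol['PasswordHistorySize']

    # One row per STIG item: expected state, observed value, verdict.
    $checks = @(
        @{ Id='V-220718'; Cat='II'; Name='Minimum password length >= 14';  Actual=$minLen;  Pass=($minLen -ge 14) },
        @{ Id='V-220719'; Cat='II'; Name='Account lockout threshold 1..3'; Actual=$lockout; Pass=($lockout -ge 1 -and $lockout -le 3) },
        @{ Id='V-220726'; Cat='II'; Name='Password history >= 24';         Actual=$history; Pass=($history -ge 24) },
        @{ Id='V-220929'; Cat='I';  Name='Guest account disabled'
           Actual=$(if ($guest) { $guest.Enabled } else { 'absent' })
           Pass=(-not $guest -or -not $guest.Enabled) },
        @{ Id='V-220926'; Cat='I';  Name='UAC enabled (EnableLUA = 1)';    Actual=$lua;     Pass=($lua -eq 1) },
        @{ Id='V-220968'; Cat='II'; Name='SMBv1 server disabled';          Actual=$smb1;    Pass=($smb1 -eq $false) }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{
            VID    = $c.Id
            CAT    = $c.Cat
            Check  = $c.Name
            Actual = $c.Actual
            Status = $(if ($c.Pass) { 'Pass' } else { 'Fail' })
        }
    }
}

Test-StigAccountChecks | Sort-Object CAT, VID | Format-Table -AutoSize
```

The secedit export is the same data source the Local Security Policy snap-in shows, so the numbers agree with what an assessor sees in the GUI; on a domain member the effective values come from Group Policy, which the export already reflects.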

Applicability

  • Required: DoD systems and contractors handling CUI
  • Recommended: Federal agencies, critical infrastructure, high-security environments
  • Benefit: Most prescriptive and detailed security baseline available

NIST Module

About NIST

Organization: National Institute of Standards and Technology (NIST)
Parent Agency: U.S. Department of Commerce
Framework: NIST SP 800-53, NIST Cybersecurity Framework (CSF)

NIST SP 800-53

Full Name: Security and Privacy Controls for Information Systems and Organizations
Current Version: Revision 5 (September 2020), with the Release 5.1.1 update of November 2023

NIST SP 800-53 provides a catalog of security and privacy controls for federal information systems and organizations. It is the control catalog against which FISMA (the Federal Information Security Modernization Act of 2014) compliance is measured, with the low, moderate and high impact baselines defined in the companion SP 800-53B.

Control Families in This Module

| Family | Code | Focus Area | Checks |
|---|---|---|---|
| Access Control | AC | Account management, privilege enforcement, remote access | 5 |
| Audit and Accountability | AU | Event logging, audit storage, log protection | 4 |
| Identification and Authentication | IA | User identification, password policies, authenticators | 3 |
| System and Communications Protection | SC | Boundary protection, encryption, transmission security | 4 |
| Configuration Management | CM | Baseline configuration, change control, least functionality | 4 |
| Incident Response | IR | Incident handling, monitoring capabilities | 2 |
| Media Protection | MP | Removable media controls | 1 |
| System and Information Integrity | SI | Flaw remediation, malware protection, monitoring | 5 |

NIST Cybersecurity Framework (CSF)

Version: 1.1 (April 2018). NIST published CSF 2.0 in February 2024; it adds a sixth function, Govern, and is written for organizations of any sector and size rather than critical infrastructure only. The function list below is the 1.1 set this module maps to.

The CSF is a voluntary, outcome-based framework for assessing and improving an organization's ability to identify, protect against, detect, respond to and recover from cyber attacks. It describes outcomes and maps them to standards such as SP 800-53 rather than prescribing configurations, so CSF coverage in this module is inherited from the 800-53 checks.

CSF Core Functions

  1. Identify - Asset management, risk assessment
  2. Protect - Access control, data security, protective technology
  3. Detect - Anomaly detection, continuous monitoring
  4. Respond - Response planning, communications, analysis
  5. Recover - Recovery planning, improvements, communications

NIST 800-171

Full Name: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
Current Version: Revision 3 (May 2024); CMMC Level 2 assessments remain scoped to Revision 2
Purpose: Protect CUI (Controlled Unclassified Information) in non-federal systems

While not a separate module, the 800-171 requirements are derived from 800-53 moderate-baseline controls, so most of them are covered by the 800-53 checks in this module and by the CMMC module.

Applicability

  • Required: Federal agencies (FISMA), FedRAMP cloud services, DoD contractors (NIST 800-171)
  • Recommended: All organizations seeking structured security framework
  • Benefit: Flexible, risk-based approach to security

CIS Module

About CIS

Organization: Center for Internet Security (CIS)
Type: Non-profit organization
Framework: CIS Benchmarks, CIS Controls

CIS Benchmarks

CIS Benchmarks are consensus-based, best-practice security configuration guides developed by cybersecurity professionals worldwide. They provide prescriptive guidance for hardening systems, software, networks, and cloud infrastructure.

Windows Benchmarks Referenced

  • CIS Microsoft Windows 10 Enterprise Benchmark (v3.0.0 and later)
  • CIS Microsoft Windows 11 Enterprise Benchmark (v2.0.0 and later)
  • CIS Microsoft Windows Server 2016 Benchmark (v2.0.0 and later)
  • CIS Microsoft Windows Server 2019 Benchmark (v2.0.0 and later)
  • CIS Microsoft Windows Server 2022 Benchmark (v2.0.0 and later)

Recommendation Levels

| Level | Description | Intended For |
|---|---|---|
| Level 1 | Basic security requirements, minimal functionality impact | All environments |
| Level 2 | Defense-in-depth, may impact functionality | High-security environments |

Areas Covered

  1. Account Policies

    • Password Policy
    • Account Lockout Policy
    • Kerberos Policy
  2. Local Policies

    • Audit Policy
    • User Rights Assignment
    • Security Options
  3. Event Log

    • Application, Security, System log configuration
  4. Windows Firewall with Advanced Security

    • Domain, Private, Public profile settings
  5. Advanced Audit Policy Configuration

    • Granular audit subcategories
  6. Administrative Templates

    • System, Network, Windows Components policies

CIS Controls

The module also aligns with the following CIS Critical Security Controls v8 (formerly the SANS Top 20; v8 has 18 controls):

  • Control 3: Data Protection
  • Control 4: Secure Configuration
  • Control 5: Account Management
  • Control 6: Access Control Management
  • Control 8: Audit Log Management
  • Control 10: Malware Defenses

Applicability

  • Recommended: All organizations as industry best practice baseline
  • Benefit: Community-developed, widely accepted, regularly updated
  • Adoption: Used by organizations worldwide across all sectors

NSA Module

About NSA Cybersecurity

Organization: National Security Agency (NSA) Cybersecurity Directorate
Mission: Prevent and eradicate threats to U.S. national security systems

The NSA provides cybersecurity guidance to protect National Security Systems and critical infrastructure from sophisticated nation-state threats.

NSA Guidance Documents Referenced

  1. Cybersecurity Information Sheets (CSIs)

    • Windows security configuration recommendations
    • Network infrastructure security
    • Malware defense strategies
  2. Cybersecurity Technical Reports (CTRs)

    • Advanced threat mitigation techniques
    • Zero trust architecture guidance
    • Supply chain risk management
  3. Cybersecurity Advisories

    • Emerging threat notifications
    • Vulnerability mitigation guidance
    • Exploitation technique analysis

Focus Areas in This Module

| Area | Purpose | Key Checks |
|---|---|---|
| Boot Security | Protect against bootkits/rootkits | Secure Boot, BitLocker, TPM |
| Application Control | Prevent unauthorized software | AppLocker, WDAC/Device Guard |
| Credential Protection | Defend against credential theft | Credential Guard, LSASS PPL, WDigest |
| Remote Access | Secure remote connections | RDP NLA, encryption, MFA |
| PowerShell Security | Prevent PowerShell abuse | Logging, v2 removal, transcription |
| SMB Security | Mitigate lateral movement | SMBv1 removal, signing, encryption |
| Endpoint Protection | Detect and block malware | Defender configuration, signatures |
| Audit and Logging | Enable threat detection | Advanced audit policy, log retention |
| Network Hardening | Reduce attack surface | Firewall, LLMNR/NetBIOS disablement |
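As an added example (not code from this project), the PowerShell below reads the host settings behind the Credential Protection, PowerShell Security, Remote Access and Network Hardening rows and reports pass/fail per check. The registry paths are the documented policy locations for each setting; Win32_DeviceGuard is the WMI class Windows exposes for VBS status; the function names are this example's own. It assumes an elevated session on a Windows client (the PowerShell v2 feature name differs on Windows Server).

```powershell
# Added example, not the project's code: read the host settings behind the
# Credential Protection, PowerShell Security, Remote Access and Network
# Hardening rows in the table above. Registry paths are the documented policy
# locations for each setting; function names are this example's own. Run elevated.

function Get-RegistryValue([string]$Path, [string]$Name) {
    # Return $null for a missing key or value instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-NsaHardeningChecks {
    # Win32_DeviceGuard lists running VBS services: 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $credGuard = [bool]($dg.SecurityServicesRunning -contains 1)

    $runAsPpl = Get-RegistryValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
    $wdigest  = Get-RegistryValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    $sbl      = Get-RegistryValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging'
    $transcr  = Get-RegistryValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' 'EnableTranscripting'
    $llmnr    = Get-RegistryValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    $nla      = Get-RegistryValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'UserAuthentication'
    # Client feature name; on Windows Server query Get-WindowsFeature PowerShell-V2 instead.
    $psv2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue

    $checks = @(
        @{ Area='Credential Protection'; Check='Credential Guard running';          Actual=$credGuard; Pass=$credGuard },
        # RunAsPPL: 1 = PPL with UEFI lock, 2 = PPL without UEFI lock; absent or 0 = LSASS unprotected.
        @{ Area='Credential Protection'; Check='LSASS runs as PPL (RunAsPPL)';       Actual=$runAsPpl;  Pass=($runAsPpl -in 1, 2) },
        # UseLogonCredential=1 makes WDigest keep plaintext passwords in LSASS; absent defaults to 0 on Win 8.1/2012 R2 and later.
        @{ Area='Credential Protection'; Check='WDigest UseLogonCredential != 1';    Actual=$wdigest;   Pass=($wdigest -ne 1) },
        @{ Area='PowerShell Security';   Check='Script block logging enabled';       Actual=$sbl;       Pass=($sbl -eq 1) },
        @{ Area='PowerShell Security';   Check='Transcription enabled';              Actual=$transcr;   Pass=($transcr -eq 1) },
        # Fails closed: an unreadable feature state counts as a failure rather than a pass.
        @{ Area='PowerShell Security';   Check='PowerShell v2 engine removed';       Actual=$(if ($psv2) { $psv2.State } else { 'unknown' }); Pass=($null -ne $psv2 -and $psv2.State -ne 'Enabled') },
        @{ Area='Remote Access';         Check='RDP requires NLA';                   Actual=$nla;       Pass=($nla -eq 1) },
        @{ Area='Network Hardening';     Check='LLMNR disabled (EnableMulticast=0)'; Actual=$llmnr;     Pass=($llmnr -eq 0) }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{
            Area   = $c.Area
            Check  = $c.Check
            Actual = $c.Actual
            Status = $(if ($c.Pass) { 'Pass' } else { 'Fail' })
        }
    }
}

Test-NsaHardeningChecks | Format-Table -AutoSize
```

Two of the checks deserve the asymmetric handling shown: WDigest passes when the value is absent because the secure default applies, while the PowerShell v2 check fails when the feature state cannot be read, since an audit that silently passes on missing data is worse than one that asks for a manual look.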

Notable NSA Guidance

  • Mitigating Cloud Vulnerabilities
  • Securing Wireless Devices in Public Settings
  • Securing the Modern Workplace
  • Defending Against Software Supply Chain Attacks
  • Limiting Location Data Exposure

Applicability

  • Required: National Security Systems, classified networks
  • Recommended: Critical infrastructure, high-value targets
  • Benefit: Nation-state level threat mitigation strategies

CISA Module

About CISA

Organization: Cybersecurity and Infrastructure Security Agency (CISA)
Parent Agency: U.S. Department of Homeland Security
Mission: Lead national effort to understand, manage, and reduce cyber and physical risks

CISA Cybersecurity Performance Goals (CPGs)

Released: October 2022 (revised as v1.0.1 in March 2023)
Purpose: Voluntary cybersecurity practices, prioritized by cost, complexity and impact, that offer the highest return on investment

The CPGs represent a minimum set of practices that, if implemented, will significantly reduce risks from common and impactful threats.

Priority Areas

  1. Account Security

    • Multi-factor authentication
    • Password policies
    • Privileged account management
  2. Device Security

    • Asset inventory
    • Secure configurations
    • Encryption
  3. Data Security

    • Data backup and recovery
    • Data protection at rest and in transit
    • Email security
  4. Vulnerability Management

    • Timely patching of Known Exploited Vulnerabilities (KEVs)
    • Automated patch management
    • Vulnerability scanning
  5. Monitoring and Response

    • Centralized logging
    • Security monitoring
    • Incident response planning

Known Exploited Vulnerabilities (KEV) Catalog

CISA maintains a catalog of vulnerabilities known to be actively exploited. The catalog is a list of CVE identifiers, so deciding whether a host is exposed to an entry means matching its installed OS build and software versions against those CVEs; the checks in this module verify that patching is configured and current, which is the prerequisite for that comparison rather than the comparison itself. This module checks for:

  • Patch management processes
  • Update automation
  • Critical update status

KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

CISA Services Referenced

  • Cyber Hygiene Services - Vulnerability scanning
  • Cyber Safety Review Board - Incident analysis
  • Shields Up - Threat awareness campaign
  • StopRansomware.gov - Ransomware defense resources

Applicability

  • Recommended: Critical infrastructure sectors (16 identified by CISA)
  • Benefit: Focused on high-ROI security practices
  • Adoption: Increasingly adopted by state/local governments, small/medium businesses

Microsoft Module

About Microsoft Security Baselines

Organization: Microsoft Corporation
Tool: Security Compliance Toolkit (SCT)
Purpose: Provide recommended security configurations for Windows and Microsoft products

Security Compliance Toolkit

The SCT provides tools and resources to help organizations configure Windows and other Microsoft products according to Microsoft's security recommendations.

Components Used

  1. Security Baseline (GPO Packages)

    • Group Policy Objects with recommended settings
    • Registry-based configuration items
    • Security templates
  2. Policy Analyzer

    • Compare configurations against baselines
    • Identify deviations
  3. LGPO Tool

    • Apply Group Policy to local systems
    • Automate baseline deployment

Baselines Referenced

  • Windows 10 Security Baseline (Latest version)
  • Windows 11 Security Baseline (Latest version)
  • Windows Server Security Baseline (2016, 2019, 2022)
  • Microsoft 365 Apps Security Baseline
  • Microsoft Edge Security Baseline

Key Security Features Covered

| Feature | Purpose | Module Coverage |
|---|---|---|
| Windows Defender | Antivirus, EDR, Application Guard | Comprehensive |
| Exploit Protection | EMET successor, ASLR, DEP, CFG | System-level checks |
| Attack Surface Reduction | Block malicious behaviors | ASR rules configuration |
| Network Protection | Block malicious connections | SmartScreen integration |
| Controlled Folder Access | Ransomware protection | Protected folders |
| SmartScreen | Phishing/malware protection | Windows and Edge |
| Device Guard | Application whitelisting | WDAC, Code Integrity |
| Credential Guard | Credential isolation | VBS-based protection |
| Windows Hello | Biometric authentication | PIN complexity, anti-spoofing |

Microsoft Security Best Practices

  • Zero Trust Architecture
  • Assume Breach Mindset
  • Least Privilege Access
  • Defense in Depth

Applicability

  • Recommended: All Windows environments
  • Benefit: Direct from OS vendor, optimized for Windows features
  • Updates: Baselines updated with major Windows releases

Core Module

About the Core Module

Purpose: Foundational security checks essential for all Windows systems
Developer: This project
Approach: Distilled best practices from all major frameworks

Philosophy

The Core module represents the "greatest hits" of Windows security - checks that appear across multiple frameworks and are universally recommended regardless of industry or threat model.

Coverage Areas

  1. User Accounts

    • Local account enumeration
    • Administrator group membership
    • Built-in account status (Administrator, Guest)
    • Account policies
  2. Authentication

    • Password requirements
    • Account lockout policies
    • Credential storage settings
  3. Windows Defender

    • Real-time protection status
    • Signature update status
    • Scan history
  4. Windows Firewall

    • Profile enablement
    • Default actions
    • Basic rule configuration
  5. Windows Update

    • Service status
    • Automatic update configuration
    • Recent update history
  6. System Security

    • UAC status
    • SMB version
    • Remote Desktop configuration
    • Audit policy basics

Use Cases

  • Quick Assessment - 5-minute security check
  • Pre-Deployment Validation - Verify basic security before production
  • User Workstations - Lightweight audit for endpoints
  • Initial Triage - First-pass assessment before comprehensive audit

Applicability

  • Recommended: All Windows systems as minimum security check
  • Benefit: Fast, essential checks with high security value
  • Frequency: Can be run daily/multiple times per day


ACSC Essential Eight Module

About ACSC Essential Eight

Organization: Australian Signals Directorate (ASD) / Australian Cyber Security Centre (ACSC)
Framework: Essential Eight Maturity Model (July 2023)
Purpose: Prioritized mitigation strategies to protect against cyber threats

The Essential Eight is a set of eight baseline mitigation strategies that the ACSC recommends as a minimum standard for organizations. Each strategy targets specific threat vectors and is assessed at maturity levels 1 through 3.

Strategies Covered

  1. Application Control — Prevent execution of unapproved applications
  2. Patch Applications — Apply application patches within 48 hours when a vulnerability is assessed as critical by the vendor or a working exploit exists (longer timeframes apply to other patches, depending on maturity level)
  3. Configure Microsoft Office Macro Settings — Block macros from the internet
  4. User Application Hardening — Browsers do not process Java or web advertisements from the internet; Internet Explorer 11 disabled or removed
  5. Restrict Administrative Privileges — Minimize admin account usage
  6. Patch Operating Systems — Apply OS patches on the same 48-hour timeline for critical or exploited vulnerabilities
  7. Multi-Factor Authentication — Require MFA for all remote access and privileged actions
  8. Regular Backups — Perform and test backups of important data

CMMC Module

About CMMC

Organization: U.S. Department of Defense (DoD)
Framework: Cybersecurity Maturity Model Certification (CMMC) 2.0, Level 2
Purpose: Protect Controlled Unclassified Information (CUI) in the Defense Industrial Base

CMMC Level 2 aligns with NIST SP 800-171 Rev. 2 and requires implementation of 110 security practices. The module evaluates the technical controls that can be assessed at the endpoint level.

Control Families Covered

  • AC — Access Control
  • AU — Audit and Accountability
  • CM — Configuration Management
  • IA — Identification and Authentication
  • MP — Media Protection
  • SC — System and Communications Protection
  • SI — System and Information Integrity


ENISA Module

About ENISA

Organization: European Union Agency for Cybersecurity (ENISA)
Framework: ENISA Good Practices for Cybersecurity / SME Cybersecurity Guide
Purpose: Provide cybersecurity guidance for EU organizations

ENISA publishes guidelines for cybersecurity best practices targeting SMEs and organizations across the EU. The module implements technical checks aligned with ENISA's Good Practice categories.

Good Practice Categories Covered

  • GP.1 — Network Security
  • GP.2 — Identity and Access Management
  • GP.3 — Patch Management
  • GP.4 — Cryptographic Controls
  • GP.5 — Logging and Monitoring
  • GP.6 — Data Protection
  • GP.7 — Incident Response
  • GP.8 — System Hardening
  • GP.9 — Email and Web Security
  • GP.10 — Endpoint Protection


GDPR Module

About GDPR

Organization: European Parliament and Council
Framework: General Data Protection Regulation (EU) 2016/679
Purpose: Protect personal data of EU residents

The GDPR module evaluates the technical controls relevant to GDPR compliance, focusing on Articles 5 (Principles), 25 (Data Protection by Design), 32 (Security of Processing), and 33-34 (Breach Notification).

Articles Covered

  • Article 5 — Principles (integrity, confidentiality, storage limitation)
  • Article 25 — Data Protection by Design and by Default
  • Article 32 — Security of Processing (encryption, confidentiality, availability, testing)
  • Articles 33-34 — Notification of breaches and communication to data subjects


HIPAA Module

About HIPAA

Organization: U.S. Department of Health and Human Services (HHS)
Framework: HIPAA Security Rule (45 CFR Part 164, Subparts A and C)
Purpose: Protect electronic Protected Health Information (ePHI)

The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards. The module assesses the technical safeguards that can be evaluated at the endpoint level, plus the endpoint-visible parts of the administrative and physical safeguards (for example workstation lock and removable-device controls); policy and process requirements still need documentary evidence.

Safeguard Areas Covered

  • Access Control — Unique user identification, emergency access, automatic logoff, encryption
  • Administrative Safeguards — Security management, workforce security, information access management
  • Audit Controls — Audit logging, review mechanisms, log protection
  • Person or Entity Authentication — Password policy, multi-factor authentication
  • Integrity — Data integrity mechanisms, transmission integrity
  • Physical Safeguards — Workstation security, device controls
  • Transmission Security — Encryption in transit, integrity controls
  • ePHI Protection — Data at rest encryption, backup, access trails


ISO 27001 Module

About ISO 27001

Organization: International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC)
Framework: ISO/IEC 27001:2022, Annex A Controls
Purpose: Information security management system (ISMS) requirements

ISO 27001:2022 reorganized the Annex A control set into 93 controls across 4 themes (Organizational, People, Physical, Technological). The module evaluates the technological controls (A.8) that can be observed on a Windows endpoint.

Annex A Categories Covered

  • A.5 — Organizational Controls
  • A.6 — People Controls
  • A.7 — Physical Controls
  • A.8 — Technological Controls (Authentication, Backup, Configuration, Cryptography, Endpoint Devices, Hardening, Logging, Network Security, Privileged Access, Vulnerabilities)


PCI DSS Module

About PCI DSS

Organization: PCI Security Standards Council
Framework: Payment Card Industry Data Security Standard (PCI DSS) v4.0
Purpose: Protect cardholder data and reduce payment card fraud

PCI DSS v4.0 was published in March 2022 and became the only active version when v3.2.1 was retired on 31 March 2024; a limited revision, v4.0.1, followed in June 2024, and the future-dated requirements became mandatory on 31 March 2025. It defines 12 requirements across 6 goals. The module evaluates Requirements 1-8 and 10-12 at the endpoint level; Requirement 9 (physical access) cannot be assessed from the host.

Requirements Covered

  • Req 1 — Install and Maintain Network Security Controls
  • Req 2 — Apply Secure Configurations to All System Components
  • Req 3 — Protect Stored Account Data
  • Req 4 — Protect Cardholder Data with Strong Cryptography During Transmission
  • Req 5 — Protect All Systems and Networks from Malicious Software
  • Req 6 — Develop and Maintain Secure Systems and Software
  • Req 7 — Restrict Access to System Components and Cardholder Data by Business Need to Know
  • Req 8 — Identify Users and Authenticate Access to System Components
  • Req 10 — Log and Monitor All Access to System Components and Cardholder Data
  • Req 11 — Test Security of Systems and Networks Regularly
  • Req 12 — Support Information Security with Organizational Policies and Programs


SOC 2 Module

About SOC 2

Organization: American Institute of Certified Public Accountants (AICPA)
Framework: Trust Services Criteria (TSP Section 100), as examined in a SOC 2 Type II report
Purpose: Evaluate service organization controls for security, availability, and confidentiality

SOC 2 Type II evaluates the design and operating effectiveness of controls over a period. The module assesses technical controls aligned with the Trust Service Criteria relevant to endpoint security.

Trust Service Criteria Covered

  • CC5 — Control Activities (security configuration, policy enforcement)
  • CC6 — Logical and Physical Access Controls (authentication, authorization)
  • CC7 — System Operations (monitoring, incident detection, response)
  • CC8 — Change Management (configuration baselines, change control)
  • A1 — Availability (backup, recovery, resilience)
  • C1 — Confidentiality (encryption, data classification, access restrictions)

References and Resources

Additional Resources

Academic and Research

  • SANS Institute - Security training and research
  • Carnegie Mellon CERT - Vulnerability analysis and remediation
  • IEEE Security & Privacy - Academic security research

Acknowledgments

This project gratefully acknowledges the work of security professionals, researchers, and organizations who have developed these frameworks. Their tireless efforts to improve cybersecurity benefit organizations and individuals worldwide.

Special Thanks To:

  • Government agencies (DISA, NIST, NSA, CISA) for public security guidance
  • CIS for community-driven benchmarks
  • Microsoft for vendor security baselines
  • Open-source security community
  • Security researchers and practitioners

Citation

If you use this tool in research or publications, please cite:

Windows Security Audit Script
https://github.com/Sandler73/Windows-Security-Audit-Project
A comprehensive PowerShell-based security compliance auditing tool implementing
DISA STIG, NIST 800-53, CIS Benchmarks, NSA, CISA, and Microsoft security frameworks.

Last Updated: December 2024
Maintainer: Project Contributors
License: MIT


Microsoft Defender for Endpoint Module

About Microsoft Defender for Endpoint

Organization: Microsoft
Framework: Microsoft Defender for Endpoint (formerly Microsoft Defender ATP)
Purpose: Endpoint detection and response, threat and vulnerability management

What is Defender for Endpoint?

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. It provides behavioral-based analytics, cloud-powered machine learning, and threat intelligence to detect sophisticated attacks.

Capabilities Assessed

| Capability | Description | Checks |
|---|---|---|
| EDR | Endpoint Detection and Response sensors and block mode | 14 |
| TVM | Threat and Vulnerability Management integration | 6 |
| AIR | Automated Investigation and Response | 6 |
| Tamper Protection | Prevention of security setting modification | 6 |
| ASR (Advanced) | Attack Surface Reduction rules deep analysis | 5 |
| Custom Indicators | Indicators of Compromise (IoC) management | 4 |
| Device Control | Removable media and device restrictions | 4 |
| Network/Web Filtering | Network protection and web content filtering | 7 |
| Onboarding & Connectivity | Service enrollment and cloud connectivity | 17 |
| Exclusions Audit | Security exceptions and their risk impact | 7 |
| Advanced Scanning | Enhanced scanning and detection capabilities | 13 |
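As an added example (not code from this project), the PowerShell below performs a minimal status read for the Onboarding & Connectivity, Tamper Protection, ASR and Exclusions rows: whether the MDE sensor service is running and the device reports as onboarded, whether tamper protection is on, how many ASR rules are in block versus audit mode, and how many Defender exclusions are configured. The Sense service name and the Windows Advanced Threat Protection\Status registry key are the ones Microsoft documents for the sensor; Get-MpComputerStatus and Get-MpPreference are the Defender cmdlets; the function name is this example's own. Run it elevated.

```powershell
# Added example, not the project's code: a minimal status read for the
# Onboarding & Connectivity, Tamper Protection, ASR and Exclusions rows in the
# capabilities table above. The Sense service name and the Status registry key
# are the ones Microsoft documents for the MDE sensor; function name is this
# example's own. Run elevated.

function Get-MdeStatus {
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $status = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue
    $mp     = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $pref   = Get-MpPreference -ErrorAction SilentlyContinue

    # Pair each configured ASR rule GUID with its action: 0 = off, 1 = block, 2 = audit, 6 = warn.
    $asr = @{}
    if ($pref -and $pref.AttackSurfaceReductionRules_Ids) {
        for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
            $asr[$pref.AttackSurfaceReductionRules_Ids[$i]] = $pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
    $blockMode = @($asr.GetEnumerator() | Where-Object { $_.Value -eq 1 }).Count
    $auditMode = @($asr.GetEnumerator() | Where-Object { $_.Value -eq 2 }).Count

    # Exclusions widen the attack surface; count them so a large list is flagged for review.
    $exclusions = @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension) | Where-Object { $_ }

    [pscustomobject]@{
        SenseServiceRunning = [bool]($sense -and $sense.Status -eq 'Running')
        OnboardingState     = $status.OnboardingState      # 1 = onboarded to the tenant
        TamperProtected     = $mp.IsTamperProtected
        RealTimeProtection  = $mp.RealTimeProtectionEnabled
        SignatureAgeDays    = $mp.AntivirusSignatureAge     # days since the last definition update
        AsrRulesConfigured  = $asr.Count
        AsrRulesBlockMode   = $blockMode
        AsrRulesAuditMode   = $auditMode
        ExclusionCount      = @($exclusions).Count
    }
}

Get-MdeStatus | Format-List
```

A device with SenseServiceRunning true but OnboardingState empty or 0 has the sensor installed without a completed onboarding, which is the state the "Onboarding & Connectivity" checks exist to catch; ASR rules left in audit mode (action 2) log but do not block, so the block/audit split matters more than the raw rule count.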

Cross-Framework Mapping

Defender for Endpoint checks map to:

| MDE Capability | NIST 800-53 (Rev 5) | CIS Benchmark | STIG |
|---|---|---|---|
| EDR Sensors | SI-4 (System Monitoring) | 8.1 | |
| TVM | RA-5 (Vulnerability Monitoring and Scanning) | | |
| Tamper Protection | SC-3 (Security Function Isolation) | | |
| AIR | IR-4 (Incident Handling) | | |
