CyFun Tracker
DE.AE-3 · Key Measure

Event data are collected and correlated from multiple sources

Detect · Anomalies and Events

Fully Automated

Compliance Score

80%

Partially Compliant

Documentation Maturity

4/5

Target: 2.5

Implementation Maturity

4/5

Target: 2.5

Control Description

Activity logs from multiple sources are collected centrally and correlated to detect potential security events. Alert rules are defined for suspicious patterns.

Microsoft Graph API Endpoints Used

GET /security/alerts_v2
GET /auditLogs/directoryAudits

Required Permissions

SecurityAlert.Read.All
AuditLog.Read.All
Findings (1)
16/20 items compliant
Severity: medium

Finding: Improvement needed: Event data are collected and correlated from multiple sources

Current implementation does not fully meet the requirements of DE.AE-3.

Remediation Guidance

Enable Microsoft Defender XDR for unified incident correlation. Configure alert policies in Microsoft 365 Defender. Ensure logs flow from all sources (Entra ID, Exchange, SharePoint, endpoints). Review alerts daily.