A typical advanced persistent threat lifecycle involves data exfiltration. In a security incident, it’s important to have the ability to prioritize investigations where sensitive files may be jeopardy so that corporate data and information are protected.
Defender for Endpoint helps to make the prioritization of security incidents much simpler with the use of sensitivity labels. Sensitivity labels quickly identify incidents that may involve devices with sensitive information such as confidential information.
Investigate incidents that involve sensitive data
Learn how to use data sensitivity labels to prioritize incident investigation.
Labels are detected for Windows 10, version 1809 or later, and Windows 11.
- In Microsoft 365 Defender portal, select Incidents & alerts > Incidents.
- Scroll to the right to see the Data sensitivity column. This column reflects sensitivity labels that have been observed on devices related to the incidents providing an indication of whether sensitive files may be impacted by the incident.
You can also filter based on Data sensitivity
- Open the incident page to further investigate.
- Select the Devices tab to identify devices storing files with sensitivity labels.
- Select the devices that store sensitive data and search through the timeline to identify which files may be impacted then take appropriate action to ensure that data is protected.
You can narrow down the events shown on the device timeline by searching for data sensitivity labels. Doing this will show only events associated with files that have said label name.
These data points are also exposed through the ‘DeviceFileEvents’ in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status.