Information protection in Windows overview



Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Information protection is an integral part of the Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace.


Read our blog post about how Microsoft Defender for Endpoint integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices.

Defender for Endpoint applies the following methods to discover, classify, and protect data:

  • Data discovery - Identify sensitive data on Windows devices at risk
  • Data classification - Automatically classify data based on common Microsoft Information Protection (MIP) policies managed in Office 365 Security & Compliance Center. Auto-classification allows you to protect sensitive data even if the end user hasn't manually classified it.

Data discovery and data classification

Defender for Endpoint automatically discovers files with sensitivity labels and files that contain sensitive information types.

Sensitivity labels classify and help protect sensitive content.

Sensitive information types in the Office 365 data loss prevention (DLP) implementation fall under two categories:

  • Default
  • Custom

Default sensitive information types include information such as bank account numbers, social security numbers, or national IDs. For more information, see What the sensitive information types look for.

Custom types are ones that you define and are designed to protect a different type of sensitive information (for example, employee IDs or project numbers). For more information, see Create a custom sensitive information type.

When a file is created or edited on a Windows device, Defender for Endpoint scans the content to evaluate if it contains sensitive information.

Turn on the Azure Information Protection integration so that when Defender for Endpoint discovers a file that contains sensitive information, through labels or information types, the file is automatically forwarded to Azure Information Protection from the device.

Image of settings page with Azure Information Protection.

The reported signals can be viewed on the Azure Information Protection - Data discovery dashboard.

Azure Information Protection - Data discovery dashboard

This dashboard presents summarized discovery information for data discovered by both Defender for Endpoint and Azure Information Protection. Data from Defender for Endpoint is marked with Location Type - Endpoint.

Image of Azure Information Protection - Data discovery.

Notice the Device Risk column on the right. This device risk is derived directly from Defender for Endpoint and indicates the risk level of the security device where the file was discovered, based on the active security threats detected by Defender for Endpoint.

Click on a device to view a list of files observed on this device, with their sensitivity labels and information types.


Please allow approximately 15-20 minutes for the Azure Information Protection Dashboard Discovery to reflect discovered files.

Log Analytics

Data discovery based on Defender for Endpoint is also available in Azure Log Analytics, where you can perform complex queries over the raw data.

For more information on Azure Information Protection analytics, see Central reporting for Azure Information Protection.

Open Azure Log Analytics in the Azure portal and open a query builder (standard or classic).

To view Defender for Endpoint data, perform a query that contains:

| where Workload_s == "Windows Defender"


  • Customers must have a subscription for Azure Information Protection.
  • Enable Azure Information Protection integration in Microsoft Defender Security Center:
    • Go to Settings in Microsoft Defender Security Center, click on Advanced Settings under General.