Use sensitivity labels to prioritize incident response

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

A typical advanced persistent threat lifecycle involves data exfiltration. In a security incident, it's important to have the ability to prioritize investigations where sensitive files may be jeopardy so that corporate data and information are protected.

Defender for Endpoint helps to make the prioritization of security incidents much simpler with the use of sensitivity labels. Sensitivity labels quickly identify incidents that may involve devices with sensitive information such as confidential information.

Investigate incidents that involve sensitive data

Learn how to use data sensitivity labels to prioritize incident investigation.


Labels are detected for Windows 10, version 1809 or later.

  1. In Microsoft Defender Security Center, select Incidents.

  2. Scroll to the right to see the Data sensitivity column. This column reflects sensitivity labels that have been observed on devices related to the incidents providing an indication of whether sensitive files may be impacted by the incident.

    Image of data sensitivity column

    You can also filter based on Data sensitivity

    Image of data sensitivity filter

  3. Open the incident page to further investigate.

    Image of incident page details

  4. Select the Devices tab to identify devices storing files with sensitivity labels.

    Image of device tab

  5. Select the devices that store sensitive data and search through the timeline to identify which files may be impacted then take appropriate action to ensure that data is protected.

    You can narrow down the events shown on the device timeline by searching for data sensitivity labels. Doing this will show only events associated with files that have said label name.

    Image of device timeline with narrowed down search results based on label


These data points are also exposed through the ‘DeviceFileEvents’ in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status.