Use sensitivity labels to prioritize incident response

Applies to:

A typical advanced persistent threat lifecycle involves data exfiltration. In a security incident, it's important to have the ability to prioritize investigations where sensitive files may be jeopardy so that corporate data and information are protected.

Microsoft Defender ATP helps to make the prioritization of security incidents much simpler with the use of sensitivity labels. Sensitivity labels quickly identify incidents that may involve machines with sensitive information such as confidential information.

Investigate incidents that involve sensitive data

Learn how to use data sensitivity labels to prioritize incident investigation.

Note

Labels are detected for Windows 10, version 1809 or later.

  1. In Microsoft Defender Security Center, select Incidents.

  2. Scroll to the right to see the Data sensitivity column. This column reflects sensitivity labels that have been observed on machines related to the incidents providing an indication of whether sensitive files may be impacted by the incident.

    Image of data sensitivity column

    You can also filter based on Data sensitivity

    Image of data sensitivity filter

  3. Open the incident page to further investigate.

    Image of incident page details

  4. Select the Machines tab to identify machines storing files with sensitivity labels.

    Image of machine tab

  5. Select the machines that store sensitive data and search through the timeline to identify which files may be impacted then take appropriate action to ensure that data is protected.

    You can narrow down the events shown on the machine timeline by searching for data sensitivity labels. Doing this will show only events associated with files that have said label name.

    Image of machine timeline with narrowed down search results based on label

Tip

These data points are also exposed through the ‘FileCreationEvents’ in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status.