Use sensitivity labels to prioritize incident response
A typical advanced persistent threat lifecycle involves data exfiltration. In a security incident, it's important to have the ability to prioritize investigations where sensitive files may be jeopardy so that corporate data and information are protected.
Microsoft Defender ATP helps to make the prioritization of security incidents much simpler with the use of sensitivity labels. Sensitivity labels quickly identify incidents that may involve machines with sensitive information such as confidential information.
Investigate incidents that involve sensitive data
Learn how to use data sensitivity labels to prioritize incident investigation.
Labels are detected for Windows 10, version 1809 or later.
In Microsoft Defender Security Center, select Incidents.
Scroll to the right to see the Data sensitivity column. This column reflects sensitivity labels that have been observed on machines related to the incidents providing an indication of whether sensitive files may be impacted by the incident.
You can also filter based on Data sensitivity
Open the incident page to further investigate.
Select the Machines tab to identify machines storing files with sensitivity labels.
Select the machines that store sensitive data and search through the timeline to identify which files may be impacted then take appropriate action to ensure that data is protected.
You can narrow down the events shown on the machine timeline by searching for data sensitivity labels. Doing this will show only events associated with files that have said label name.
These data points are also exposed through the ‘FileCreationEvents’ in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status.