Microsoft Defender for Endpoint sensitivity labels protect and prioritize incident response

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

A typical advanced persistent threat lifecycle (or APT) involves some data exfiltration -- the point at which data is taken from the organization. In those situations, sensitivity labels can tell security operations where to start by spelling out what data is highest priority to protect.

Defender for Endpoint helps to make prioritization of security incidents simpler with the use of sensitivity labels too. For example, sensitivity labels quickly identify incidents that may involve devices with sensitive information on them (such as confidential information).

Here's how to use sensitivity labels in Defender for Endpoint.

Investigate incidents that involve sensitive data on devices with Defender for Endpoint

Learn how to use data sensitivity labels to prioritize incident investigation.


Labels are detected for Windows 10, version 1809 or later, and Windows 11.

  1. In Microsoft Defender portal, select Incidents & alerts > Incidents.

  2. Scroll to the right to see the Data sensitivity column. This column reflects sensitivity labels that have been observed on devices related to the incidents providing an indication of whether sensitive files may be impacted by the incident.

    The Highly confidential option in the data sensitivity column

    You can also filter based on Data sensitivity

    The data sensitivity filter

  3. Open the incident page to further investigate.

    The incident page details

  4. Select the Devices tab to identify devices storing files with sensitivity labels.

    The Device tab

  5. Select the devices that store sensitive data and search through the timeline to identify which files may be impacted then take appropriate action to ensure that data is protected.

    You can narrow down the events shown on the device timeline by searching for data sensitivity labels. Doing this will show only events associated with files that have said label name.

    The device timeline with narrowed down search results based on label


These data points are also exposed through the 'DeviceFileEvents' in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status.


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.