A typical advanced persistent threat lifecycle (or APT) involves some data exfiltration -- the point at which data is taken from the organization. In those situations, sensitivity labels can tell security operations where to start by spelling out what data is highest priority to protect.
Defender for Endpoint helps to make prioritization of security incidents simpler with the use of sensitivity labels too. For example, sensitivity labels quickly identify incidents that can involve devices with sensitive information on them (such as confidential information).
Here's how to use sensitivity labels in Defender for Endpoint.
Investigate incidents that involve sensitive data on devices with Defender for Endpoint
Learn how to use data sensitivity labels to prioritize incident investigation.
Notă
Labels are detected for Windows 10, version 1809 or later, and Windows 11.
In Microsoft Defender portal, select Incidents & alerts > Incidents.
Scroll over to see the Data sensitivity column. This column reflects sensitivity labels that are observed on devices related to the incidents providing an indication of whether sensitive files are impacted by the incident.
You can also filter based on Data sensitivity
Open the incident page to further investigate.
Select the Devices tab to identify devices storing files with sensitivity labels.
Select the devices that store sensitive data and search through the timeline to identify which files might be impacted then take appropriate action to ensure that data is protected.
You can narrow down the events shown on the device timeline by searching for data sensitivity labels. Doing this shows only events associated with files that the label name.
Sfat
These data points are also exposed through the 'DeviceFileEvents' in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status.
This module examines how sensitivity labels from the Microsoft Information Protection solution let you classify and protect your organization's data, while making sure that user productivity and collaboration isn't hindered.
This article provides a description of Anomaly detection policies and provides reference information about the building blocks of an anomaly detection policy.
Take response actions on a device such as isolating devices, collecting an investigation package, managing tags, running an antivirus scan, and restricting app execution.
