Merge remote-tracking branch 'upstream/surface-2s-update' into surface-2s-update-vjokai

windows/security/threat-protection/TOC.md

@@ -95,6 +95,7 @@
 #####  [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access.md)
 ##### [Microsoft Cloud App Security integration overview](microsoft-defender-atp/microsoft-cloud-app-security-integration.md)
 ##### [Information protection in Windows overview](microsoft-defender-atp/information-protection-in-windows-overview.md)
+###### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md)
 
 
 

windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md

@@ -37,6 +37,9 @@ MITRE tested the ability of products to detect techniques commonly used by the t
 
 Windows Defender Antivirus is  part of the  [next generation](https://www.youtube.com/watch?v=Xy3MOxkX_o4) Microsoft Defender ATP security stack which addresses the latest and most sophisticated threats today. In some cases, customers might not even know they were protected because a cyberattack is stopped [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign?ocid=cx-docs-avreports). That's because Windows Defender Antivirus detects and stops malware at first sight by using [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering?ocid=cx-docs-avreports), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak?ocid=cx-docs-avreports), behavioral analysis, and other advanced technologies.
 
+- **Transparency report**: [Examining industry test results, May 2019](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd)
+
+
 ### AV-TEST: Protection score of 6.0/6.0 in the latest test
 
 The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware").

windows/security/threat-protection/microsoft-defender-atp/TOC.md

@@ -101,6 +101,7 @@
 ####  [Protect users, data, and devices with Conditional Access](conditional-access.md)
 #### [Microsoft Cloud App Security in Windows overview](microsoft-cloud-app-security-integration.md)
 #### [Information protection in Windows overview](information-protection-in-windows-overview.md)
+##### [Use sensitivity labels to prioritize incident response ](information-protection-investigation.md)
 
 
 

windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md

@@ -14,7 +14,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 12/05/2018
 ---
 
 # Configure information protection in Windows 
@@ -23,18 +22,22 @@ ms.date: 12/05/2018
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Learn how you can use Microsoft Defender ATP to expand the coverage of Microsoft Information Protection (WIP) to protect files based on their label, regardless of their origin.
+Learn how you can use Microsoft Defender ATP to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin.
 
 >[!TIP]
 > Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/).
 
+If a file meets the criteria set in the policy settings and endpoint data loss prevention setting is also configured, WIP will be enabled for that file.
+
+
+
 ## Prerequisites
 - Endpoints need to be on Windows 10, version 1809 or later
 - You'll need the appropriate license to leverage the Microsoft Defender ATP and Azure Information Protection integration
 - Your tenant needs to be onboarded to Azure Information Protection analytics, for more information see, [Configure a Log Analytics workspace for the reports](https://docs.microsoft.com/azure/information-protection/reports-aip#configure-a-log-analytics-workspace-for-the-reports)
 
 
-## Configuration steps
+## Configure endpoint data loss prevention
 1. Define a WIP policy and assign it to the relevant devices. For more information, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip). If WIP is already configured on the relevant devices, skip this step. 
 2. Define which labels need to get WIP protection in Office 365 Security and Compliance. 
     
@@ -42,7 +45,7 @@ Learn how you can use Microsoft Defender ATP to expand the coverage of Microsoft
     2. Create a new label or edit an existing one. 
     3. In the configuration wizard, go to 'Data loss prevention' tab and enable WIP.
 
-    ![Image of Office 365 Security and Compliance sensitivity label](images/office-scc-label.png)
+    ![Image of Office 365 Security and Compliance sensitivity label](images/endpoint-data-loss-protection.png)
 
     4. Repeat for every label that you want to get WIP applied to in Windows. 
 
@@ -52,5 +55,36 @@ After completing these steps Microsoft Defender ATP will automatically identify
 >- The Microsoft Defender ATP configuration is pulled every 15 minutes. Allow up to 30 minutes for the new policy to take effect and ensure that the endpoint is online. Otherwise, it will not receive the policy.
 >- Data forwarded to Azure Information Protection is stored in the same location as your other Azure Information Protection data.
 
+
+## Configure auto labeling
+
+Windows automatically detects when an Office file, PDF, CSV or TXT files are being created on a device and inspects it based on context to identify sensitive information types.
+
+Those information types are evaluated against the auto-labeling policy. If a match is found, it is processed in the same way as if the file was labeled; the file is protected with Endpoint data loss prevention.
+
+>[!NOTE]
+> Auto-labeling requires Windows 10, version 1903.
+
+
+1. In Office 365 Security & Compliance, go to **Classifications > Labels**.
+
+2. Create a new label or edit an existing one. 
+
+
+3. Set a policy for Data classification:
+   
+   1. Go through the label creation wizard.
+   2. When you reach the Auto labeling page, turn on auto labeling toggle on.
+   3. Add a new auto-labeling rule with the conditions that you require. 
+    
+    ![Image of auto labeling in Office 365 Security and Compliance center](images/auto-labeling.png)    
+
+   4. Validate that "When content matches these conditions" setting is set to "Automatically apply the label".
+ 
+
+
+
+
+
 ## Related topic
 - [Information protection in Windows overview](information-protection-in-windows-overview.md)

windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md

@@ -31,36 +31,52 @@ Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection t
 > Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/).
 
 
-Microsoft Defender ATP applies two methods to discover and protect data:
+Microsoft Defender ATP applies the following methods to discover, classify, and protect data:
 - **Data discovery** - Identify sensitive data on Windows devices at risk
+- **Data classification** - Automatically classify data based on common Microsoft Information Protection (MIP) policies managed in Office 365 Security & Compliance Center. Auto-classification allows you to protect sensitive data even if the end user hasn’t manually classified it.
 - **Data protection** - Windows Information Protection (WIP) as outcome of Azure Information Protection label
 
 
-## Data discovery 
+## Data discovery and data classification
-Microsoft Defender ATP automatically discovers files with sensitivity labels on Windows devices when the feature is enabled. You can enable the Azure Information Protection integration feature from Microsoft Defender Security Center. For more information, see [Configure advanced features](advanced-features.md#azure-information-protection).
+Microsoft Defender ATP automatically discovers files with sensitivity labels and files that contain sensitive information types. 
 
+Sensitivity labels classify and help protect sensitive content. 
+
+
+Sensitive information types in the Office 365 data loss prevention (DLP) implementation fall under two categories:
+-	Default
+-	Custom
+
+Default sensitive information types include information such as bank account numbers, social security numbers, or national IDs. For more information, see [What the sensitive information type look for](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for). 
+
+Custom types are ones that you define and is designed to protect a different type of sensitive information (for example, employee IDs or project numbers). For more information see, [Create a custom sensitive information type](https://docs.microsoft.com/en-us/office365/securitycompliance/create-a-custom-sensitive-information-type).
+
+
+When a file is created or edited on a  Windows device, Windows Defender ATP scans the content to evaluate if it contains sensitive information. 
+
+Turn on the Azure Information Protection integration so that when a file that contains sensitive information is discovered by Microsoft Defender ATP though labels or information types, it is automatically forwarded to Azure Information Protection from the device.
 
 ![Image of settings page with Azure Information Protection](images/atp-settings-aip.png)
 
-After enabling the Azure Information Protection integration, data discovery signals are immediately forwarded to Azure Information Protection from the device. When a labeled file is created or modified on a Windows device, Microsoft Defender ATP automatically reports the signal to Azure Information Protection.
+The reported signals can be viewed on the Azure Information Protection – Data discovery dashboard. 
 
-The reported signals can be viewed on the Azure Information Protection - Data discovery dashboard.
+## Azure Information Protection - Data discovery dashboard 
-
+This dashboard presents a summarized discovery information of data discovered by bothMicrosoft Defender ATP and Azure Information Protection. Data from Microsoft Defender ATP is marked with Location Type - Endpoint. 
-### Azure Information Protection - Data discovery dashboard 
-This dashboard presents a summarized discovery information of data discovered by both Microsoft Defender ATP and Azure Information Protection. Data from Microsoft Defender ATP is marked with Location Type - Endpoint. 
 
 ![Image of Azure Information Protection - Data discovery](images/azure-data-discovery.png)
 
 
 Notice the Device Risk column on the right, this device risk is derived directly from Microsoft Defender ATP, indicating the risk level of the security device where the file was discovered, based on the active security threats detected by Microsoft Defender ATP.
 
-Clicking the device risk level will redirect you to the device page in Microsoft Defender ATP, where you can get a comprehensive view of the device security status and its active alerts. 
+Click on a device to view a list of files observed on this device, with their sensitivity labels and information types.
-
 
 >[!NOTE]
->Microsoft Defender ATP does not currently report the Information Types. 
+>Please allow approximately 15-20 minutes for the Azure Information Protection Dashboard Discovery to reflect discovered files.
 
-### Log Analytics 
+
+
+
+## Log Analytics 
 Data discovery based on Microsoft Defender ATP is also available in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-overview), where you can perform complex queries over the raw data.
 
 For more information on Azure Information Protection analytics, see [Central reporting for Azure Information Protection](https://docs.microsoft.com/azure/information-protection/reports-aip). 
@@ -82,10 +98,15 @@ InformationProtectionLogs_CL
 
 
 ## Data protection 
-For data to be protected, they must first be identified through labels. Sensitivity labels are created in Office Security and Compliance (SCC). Microsoft Defender ATP then uses the labels to identify endpoints that need Windows Information Protection (WIP) applied on them.
 
+### Endpoint data loss prevention
+For data to be protected, they must first be identified through labels. 
 
-When you create sensitivity labels, you can set the information protection functionalities that will be applied on the file. The setting that applies to Microsoft Defender ATP is the Data loss prevention. You'll need to turn on the Data loss prevention and select Enable Windows end point protection (DLP for devices). 
+Sensitivity labels are created in Office 365 Security & Compliance Center. Microsoft Defender ATP then uses the labels to identify endpoints that need Windows Information Protection (WIP) applied on them.
+
+When you create sensitivity labels, you can set the information protection functionalities that will be applied on the file. The setting that applies to Microsoft Defender ATP is the Endpoint data loss prevention. 
+
+For the endpoint data loss prevention, you'll need to turn on the Endpoint Data loss prevention and select Enable Windows end point protection (DLP for devices). 
 
 
 ![Image of Office 365 Security and Compliance sensitivity label](images/office-scc-label.png)
@@ -94,6 +115,17 @@ Once, the policy is set and published, Microsoft Defender ATP automatically enab
 
 This functionality expands the coverage of WIP to protect files based on their label, regardless of their origin. 
 
+For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md).
+
+## Auto labeling
+
+Auto labeling is another way to protect data and can also be configured in Office 365 Security & Compliance Center. When Microsoft Defender ATP scans the content of a file in a Windows device and finds that it contains sensitive information, it will automatically apply a label to it even if the user hasn't manually classified it.
+
+> [!NOTE]
+> Auto-labeling is supported in Office apps only when the Azure Information Protection unified labeling client is installed. When sensitive content is detected in email or documents matching the conditions you choose, a label can automatically be applied or a message can be shown to users recommending they apply it themselves.
+
+
+
 For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md).
 
 

windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md

@@ -0,0 +1,65 @@
+---
+title: Use sensitivity labels to prioritize incident response
+description: Learn how to use sensitivity labels to prioritize and investigate incidents
+keywords: information, protection, data, loss, prevention,labels, dlp, incident, investigate, investigation
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Use sensitivity labels to prioritize incident response  
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+A typical advanced persistent threat lifecycle involves data exfiltration. In a security incident, it's important to have the ability to prioritize investigations where sensitive files may be jeopardy so that corporate data and information are protected.
+
+Microsoft Defender ATP helps to make the prioritization of security incidents much simpler with the use of sensitivity labels. Sensitivity labels quickly identify incidents that may involve machines with sensitive information such as confidential information. 
+
+## Investigate incidents that involve sensitive data
+Learn how to use data sensitivity labels to prioritize incident investigation.
+
+>[!NOTE]
+>Labels are detected for Windows 10, version 1809 or later.
+
+1. In Microsoft Defender Security Center, select **Incidents**. 
+
+2. Scroll to the right to see the **Data sensitivity** column. This column reflects sensitivity labels that have been observed on machines related to the incidents providing an indication of whether sensitive files may be impacted by the incident.
+
+    ![Image of data sensitivity column](images/data-sensitivity-column.png)
+
+    You can also filter based on **Data sensitivity** 
+
+    ![Image of data sensitivity filter](images/data-sensitivity-filter.png)
+
+3. Open the incident page to further investigate.
+
+    ![Image of incident page details](images/incident-page.png)
+
+4. Select the **Machines** tab to identify machines storing files with sensitivity labels.
+
+    ![Image of machine tab](images/investigate-machines-tab.png)
+   
+
+5. Select the machines that store sensitive data and search through the timeline to identify which files may be impacted then take appropriate action to ensure that data is protected. 
+
+   You can narrow down the events shown on the machine timeline by searching for data sensitivity labels. Doing this will show only events associated with files that have said label name.
+
+    ![Image of machine timeline with narrowed down search results based on label](images/machine-timeline-labels.png)
+
+>[!NOTE] 
+> The event side pane now provides additional insight to the WIP and AIP protection status.  
+
+
+>[!TIP]
+>These data points are also exposed through the ‘FileCreationEvents’ in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status.