diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md new file mode 100644 index 0000000000..562c89d6e7 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md 
@@ -0,0 +1,35 @@ +--- +title: Use sensitivity labels to investigate incidents +description: Learn how to use sensitivity labels to prioritize and investigate incidents +keywords: information, protection, data, loss, prevention,labels, dlp, incident, investigate, investigation +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Use sensitivity labels to investigate incidents + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +A typical advanced persistent threat lifecycle involves data exfiltration. In a security incident, it's important to have the ability to prioritize investigations where sensitive files may be involved so that corporate data and information are protected. + +Microsoft Defender ATP helps to make the prioritization of security incidents where sensitive information are involved easier with the use of sensitivity labels. + +1. In Microsoft Defender Security Center, select **Incidents**. + +2. Scroll to the right to see the **Data sensitivity** column. This column reflects sensitivity labels that have been observed on machines related to the incidents providing an indication of whether sensitive files may be impacted by the incident. + +3. Open the incident page to further investigate. + +4. Select the **Machines** tab to identify machines storing files with sensitivity labels. \ No newline at end of file
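Review bot: The numbered procedure never states the prioritization step that the introduction promises. Step 2 explains what the **Data sensitivity** column shows, but step 3 says only "Open the incident page to further investigate" without telling the reader to sort or pick incidents by that column. Step 4 then stops at the **Machines** tab with no indication of what to do with the machines identified. Suggest rewording step 3 to something like "Open an incident whose Data sensitivity column shows a label you care about", and adding a closing sentence or link for the next action. Smaller points in the same hunk: "where sensitive information are involved" should be "is involved", the `keywords` front-matter line is missing a space in "prevention,labels", step 2 needs a comma before "providing an indication", and the file ends without a trailing newline.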