I’m seeing something strange in Microsoft Defender XDR.
In the incidents/alerts view, I see the Data sensitivity column. I also noticed that several devices in Device Inventory show different sensitivity values, for example:
Data sensitivity: Highly Confidential or Data sensitivity: Internal Only
The weird part is that these labels are not actually used on the related devices or files.
For example, our “Highly Confidential” label is only available for emails, and from what I can confirm, the users never applied or used that label.
Also, on my own device, Defender XDR shows Data sensitivity: Internal Only, but that label is only used for SharePoint/Teams container labeling, not for files or emails.
I can’t find any emails, files, or device-related content with those labels applied.
Has anyone seen this before?
Could Defender XDR be displaying a sensitivity value based on label availability/publishing scope or some kind of tenant/user association, instead of actual labeled content observed on the device?
Thanks!