Commit 057ce74

Merge pull request #5088 from DebLanger/US490274_Purview
Add Purview eDLP tagging for Critical Assets - three new device class…
2 parents d468b3c + b9e3c90 commit 057ce74

2 files changed

+21
-1
lines changed

exposure-management/predefined-classification-rules-and-levels.md

Lines changed: 4 additions & 1 deletion
@@ -6,7 +6,7 @@ author: dlanger
66
manager: ornat-spodek
77
ms.topic: reference
88
ms.service: exposure-management
9-
ms.date: 06/16/2025
9+
ms.date: 09/30/2025
1010
---
1111

1212
# Predefined classifications - Microsoft Security Research
@@ -50,6 +50,9 @@ Current asset types are:
5050
| VMware vCenter | Device | High | The VMware vCenter Server is crucial for managing virtual environments. It provides centralized management of virtual machines and ESXi hosts. If it fails, it could disrupt the administration and control of your virtual infrastructure, including provisioning, migration, load balancing of virtual machines, and data center automation. However, as there are often redundant vCenter Servers and High Availability configurations, the immediate halt of all operations might not occur. Its failure could still cause significant inconvenience and potential performance issues. |
5151
| Hyper-V Server | Device | High | The Hyper-V hypervisor is essential for running and managing virtual machines within your infrastructure, serving as the core platform for their creation and management. If the Hyper-V host fails, it can lead to the unavailability of hosted virtual machines, potentially causing downtime and disrupting business operations. Moreover, it can result in significant performance degradation and operational challenges. Ensuring the reliability and stability of Hyper-V hosts is therefore critical for maintaining seamless operations in a virtual environment. |
5252
| SharePoint Server | Device | Medium | The SharePoint server is responsible for secure content management, collaboration, and document sharing across teams. It hosts intranet portals and enterprise search within an organization. Compromise could lead to unauthorized access to sensitive information and disruption of content services. |
53+
| Devices with Sensitive Information (Azure Document DB Auth Key) | Device | High | Devices that have accessed documents containing Azure Document DB Auth Keys, which are identified as sensitive data. These devices are automatically classified as High criticality when interacting with sensitive content and revert to their baseline classification after 5 consecutive days without accessing the sensitive file. Learn more [here](/purview/sit-sensitive-information-type-learn-about) |
54+
| Devices with Sensitive Information (Azure Redis Cache Connection String) | Device | High | Devices that have accessed documents containing Azure Redis Cache Connection Strings, which are identified as sensitive data. These devices are automatically classified as High criticality when interacting with sensitive content and revert to their baseline classification after 5 consecutive days without accessing the sensitive file. Learm more [here](/purview/sit-defn-azure-redis-cache-connection-string).|
55+
| Devices with Sensitive Information (Azure Storage Account Key) | Device | High | Devices that have accessed documents containing Azure Storage Account Keys, which are identified as sensitive data. These devices are automatically classified as High criticality when interacting with sensitive content and revert to their baseline classification after 5 consecutive days without accessing the sensitive file. Learn more [here](/purview/sit-defn-azure-storage-account-key).|
5356

5457
##### Identity
5558

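Review bot: In the added Azure Redis Cache Connection String row, "Learm more" is a typo for "Learn more". The three new rows are also inconsistent with each other: the Azure Document DB Auth Key row links to the general /purview/sit-sensitive-information-type-learn-about page and ends without a period, while the other two rows link to their own sit-defn pages and end with one. Suggest using the same link pattern and closing punctuation in all three rows (a type-specific definition page for Document DB, if one exists), and replacing the bare "here" link text with the name of the sensitive information type so the link target is clear to the reader.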
exposure-management/whats-new.md

Lines changed: 17 additions & 0 deletions
@@ -26,6 +26,23 @@ Learn more about MSEM by reading the blogs, [here](https://techcommunity.microso
2626
2727
## September 2025
2828

29+
### Critical assets classified based on interaction with sensitive documents (Purview eDLP)
30+
31+
Microsoft Security Exposure Management now integrates with Microsoft Purview Endpoint Data Loss Prevention (eDLP) to automatically identify and classify critical assets based on their interaction with sensitive documents. This new capability introduces dynamic criticality reclassification where endpoints accessing high-sensitivity documents are automatically tagged as high criticality.
32+
33+
Key features include:
34+
35+
- **Dynamic reclassification**: Endpoints are automatically elevated to high criticality when accessing sensitive content
36+
- **Automatic reversion**: Asset classification reverts to baseline after 5 consecutive days of inactivity with sensitive content
37+
- **Out-of-the-box detection**: Built-in detection rules for three Purview Classifier Sensitive Information Types:
38+
- Azure Document DB Auth Key
39+
- Azure Redis Cache Connection String
40+
- Azure Storage Account Key
41+
- **Enhanced visibility**: Critical assets are surfaced across Microsoft Defender XDR experiences for improved security posture management
42+
43+
This integration provides the first offering to combine the experience between Purview and Microsoft Defender Portal for classifying critical assets and gathering important pre-breach insights.
44+
45+
For more information, see [Predefined classifications](predefined-classification-rules-and-levels.md).
2946
### Blast radius analysis
3047

3148
Blast radius analysis is an advanced graph visualization integrated into incident investigation experience. Built on the Microsoft Sentinel data lake and graph infrastructure, it generates an interactive graph showing possible propagation paths from the selected node to predefined critical targets scoped to the user’s permissions.
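Review bot: The added "For more information, see [Predefined classifications]..." line runs straight into the existing "### Blast radius analysis" heading with no blank line between them; add an empty line after it so the heading is separated from the preceding paragraph. The reversion wording here ("after 5 consecutive days of inactivity with sensitive content") also differs from the new table rows in predefined-classification-rules-and-levels.md ("after 5 consecutive days without accessing the sensitive file"); use one phrasing so readers do not infer two different conditions. The intro sentence says endpoints accessing "high-sensitivity documents" are tagged as high criticality, while the list below limits built-in detection to three sensitive information types; stating that scope in the intro would keep the claim in line with what is listed.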
