Handle false positives/negatives in automated investigation and response capabilities

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender

False positives and false negatives occur occasionally with any threat protection solution. If the automated investigation and response capabilities in Microsoft 365 Defender missed something or flagged something that is not a threat, your security operations team can take these steps:

  • Report the false positive/negative to Microsoft for analysis.
  • Adjust the alert or add an indicator so the false positive does not recur.
  • Undo a remediation action that was taken on an entity that turned out to be safe.

The following sections describe how to perform these tasks.

Report a false positive/negative to Microsoft for analysis

Item missed or wrongly detected, the service that handles it, and what to do:

  • Email message, email attachment, URL in an email message, or URL in an Office file (Microsoft Defender for Office 365): submit the suspected spam, phish, URLs, and files to Microsoft for scanning.
  • File or app on a device (Microsoft Defender for Endpoint): submit the file to Microsoft for malware analysis.

Adjust an alert to prevent false positives from recurring

Scenario, the service that handles it, and what to do:

  • An alert is triggered by legitimate use, or an alert is inaccurate (Microsoft Cloud App Security or Azure Advanced Threat Protection): manage the alert in the Cloud App Security portal, for example by dismissing it or by adjusting the policy that raised it.
  • A file, IP address, URL, or domain is treated as malware on a device even though it's safe (Microsoft Defender for Endpoint): create a custom indicator with an "Allow" action. An "Allow" indicator suppresses detection for that entity wherever it applies, so scope it as narrowly as the case needs (for example, to a specific file hash and a specific device group), set an expiration date, and record the justification in the indicator description so the exception can be reviewed later.
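The following is an added example, not code from the original article, showing how a SecOps analyst might create the "Allow" indicator described above through the Microsoft Defender for Endpoint Indicators API rather than the portal, while enforcing the scoping that keeps a false-positive fix from becoming a permanent blind spot. The tenant ID, app registration, secret, file hash, device group name, ticket reference, and the helper names New-AllowIndicatorBody and Get-MdeToken are assumptions introduced for illustration; the API endpoint, request fields, and the Allowed action are those documented for Defender for Endpoint.

```powershell
# Added example (not from the original article). Creates a narrowly scoped "Allow"
# indicator in Microsoft Defender for Endpoint so a known-safe file stops being treated
# as malware, using the documented Indicators API:
#   POST https://api.securitycenter.microsoft.com/api/indicators
# Tenant ID, app ID, secret, hash, device group, and ticket reference are placeholders.

$TenantId  = '00000000-0000-0000-0000-000000000000'   # placeholder tenant
$AppId     = '11111111-1111-1111-1111-111111111111'   # placeholder app registration with Ti.ReadWrite
$AppSecret = $env:MDE_APP_SECRET                       # assumed to be set in the environment; never hard-code

function New-AllowIndicatorBody {
    param(
        [Parameter(Mandatory)][string]$Sha256,
        [Parameter(Mandatory)][string]$Title,
        [Parameter(Mandatory)][string]$Justification,
        [Parameter(Mandatory)][string[]]$DeviceGroups,
        [int]$ValidDays = 30
    )
    # A malformed or partial hash would create an indicator that never matches anything,
    # so refuse anything that is not 64 hex characters.
    if ($Sha256 -notmatch '^[0-9a-fA-F]{64}$') {
        throw "Sha256 must be 64 hexadecimal characters, got '$Sha256'"
    }
    # Cap the lifetime so the exception has to be re-validated instead of living forever.
    if ($ValidDays -lt 1 -or $ValidDays -gt 90) {
        throw "ValidDays must be between 1 and 90"
    }
    # Require a device-group scope; this helper deliberately does not allow tenant-wide allows.
    if ($DeviceGroups.Count -eq 0) {
        throw "Scope the allow to at least one device group"
    }
    return @{
        indicatorValue     = $Sha256.ToLower()
        indicatorType      = 'FileSha256'      # IpAddress, DomainName, or Url for the other cases in the table
        action             = 'Allowed'
        title              = $Title
        description        = $Justification
        expirationTime     = (Get-Date).ToUniversalTime().AddDays($ValidDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
        severity           = 'Informational'
        recommendedActions = 'Re-validate before expiry; remove immediately if the file is re-submitted as malicious.'
        rbacGroupNames     = $DeviceGroups
    }
}

function Get-MdeToken {
    # Client-credentials flow against the Defender for Endpoint resource.
    $tokenBody = @{
        resource      = 'https://api.securitycenter.microsoft.com'
        client_id     = $AppId
        client_secret = $AppSecret
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" -Body $tokenBody
    return $resp.access_token
}

# Placeholder hash (SHA-256 of an empty input, used here only as a well-formed sample value).
$KnownGoodSha256 = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'

$body = New-AllowIndicatorBody `
    -Sha256        $KnownGoodSha256 `
    -Title         'False positive: internal deployment tool' `
    -Justification 'Reviewed by SecOps under ticket INC-0000 (placeholder); signed internal build confirmed.' `
    -DeviceGroups  @('Engineering workstations') `
    -ValidDays     30

$headers = @{
    Authorization  = "Bearer $(Get-MdeToken)"
    'Content-Type' = 'application/json'
}
$result = Invoke-RestMethod -Method Post `
    -Uri 'https://api.securitycenter.microsoft.com/api/indicators' `
    -Headers $headers `
    -Body ($body | ConvertTo-Json)

# Show what was actually created so the scope and expiry can be checked against the ticket.
$result | Select-Object id, indicatorValue, action, expirationTime, rbacGroupNames
```

The helper refuses to build a tenant-wide or never-expiring allow; if an exception genuinely needs broader scope, widen the device group list deliberately rather than removing the check, and review the indicator before its expiration date rather than letting it lapse silently.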

Undo a remediation action that was taken on a device

If a remediation action was taken on an entity (such as a device or an email message) and the affected entity is not actually a threat, your security operations team can undo the remediation action in the Action center. Undoing reverses the action, for example restoring a quarantined file or releasing a device from isolation.

  1. Go to https://security.microsoft.com and sign in.
  2. In the navigation pane, choose Action center.
  3. On the History tab, select an action that you want to undo. Its flyout pane opens.
  4. In the flyout pane, select Undo.

See also