How to report false positives/negatives in automated investigation and response capabilities

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to

If automated investigation and response (AIR) capabilities in Office 365 missed or wrongly detected something, there are steps your security operations team can take to fix it. Such actions include:

Use this article as a guide.

Report a false positive/negative to Microsoft for analysis

If AIR in Microsoft Defender for Office 365 missed an email message, an email attachment, a URL in an email message, or a URL in an Office file, you can submit suspected spam, phish, URLs, and files to Microsoft for Office 365 scanning.

You can also Submit a file to Microsoft for malware analysis.

Adjust an alert to prevent false positives from recurring

If an alert is triggered by legitimate use, or the alert is inaccurate, you can Manage alerts in the Cloud App Security portal.

If your organization is using Microsoft Defender for Endpoint in addition to Office 365, and a file, IP address, URL, or domain is treated as malware on a device, even though it's safe, you can create a custom indicator with an "Allow" action for your device.

Undo a remediation action

In most cases, if a remediation action was taken on an email message, email attachment, or URL, and the item is actually not a threat, your security operations team can undo the remediation action and take steps to prevent the false positive from recurring. You can either use Threat Explorer or the Actions tab for an investigation to undo an action.

Important

Make sure you have the necessary permissions before attempting to perform the following tasks.

Undo an action using Threat Explorer

With Threat Explorer, your security operations team can find an email affected by an action and potentially undo the action.



Scenario Undo Options Learn more
An email message was routed to a user's Junk Email folder
  • Move the message to the user's Deleted Items folder
  • Move the message to the user's Inbox
  • Delete the message
Find and investigate malicious email that was delivered in Office 365
An email message or a file was quarantined
  • Release the email or file
  • Delete the email or file
Manage quarantined messages as an admin

Undo an action in the Action center

In the Action center, you can see remediation actions that were taken and potentially undo the action.

  1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com).
  2. In the navigation pane, select Action center.
  3. Select the History tab to view the list of completed actions.
  4. Select an item. Its flyout pane opens.
  5. In the flyout pane, select Undo. (Only actions that can be undone will have an Undo button.)

See also