Handle false positives/negatives in automated investigation and response capabilities

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Security teams can now manage all endpoint, email and cross-product investigations, configuration and remediation without the need to navigate to separate product portals. Learn more about what's changed.

Applies to:

  • Microsoft 365 Defender

Did automated investigation and response capabilities in Microsoft 365 Defender miss or wrongly detect something? There are steps you can take to fix it. You can:

  • Report a false positive/negative to Microsoft for analysis
  • Adjust an alert to prevent false positives from recurring
  • Undo a remediation action that was taken on a device

Use this article as a guide.

Report a false positive/negative to Microsoft for analysis

| Item missed or wrongly detected | Service | What to do |
| --- | --- | --- |
| Email message; email attachment; URL in an email message; URL in an Office file | Microsoft Defender for Office 365 | Submit suspected spam, phish, URLs, and files to Microsoft for scanning |
| File or app on a device | Microsoft Defender for Endpoint | Submit a file to Microsoft for malware analysis |

Adjust an alert to prevent false positives from recurring

| Scenario | Service | What to do |
| --- | --- | --- |
| An alert is triggered by legitimate use; an alert is inaccurate | Microsoft Cloud App Security or Azure Advanced Threat Detection | Manage alerts in the Cloud App Security portal |
| A file, IP address, URL, or domain is treated as malware on a device, even though it's safe | Microsoft Defender for Endpoint | Create a custom indicator with an "Allow" action |
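The last row of the table points to the portal workflow for creating an "Allow" indicator. As an added example that is not from this page or from Microsoft, the script below builds the same kind of indicator as a request body for the Defender for Endpoint Indicators API (`POST /api/indicators`), assuming the documented indicator type names (`FileSha1`, `FileSha256`, `FileMd5`, `IpAddress`, `DomainName`, `Url`, `CertificateThumbprint`) and the `Allowed` action value; the bearer token, its permission, and the sample values are placeholders. The point it adds is validation: an allow indicator whose value does not match its declared type (a 63-character hash, a URL without a scheme) is accepted nowhere useful and the false positive keeps firing, so the value is checked before anything is sent.

```python
"""Build and validate a Defender for Endpoint "Allow" indicator request body.

Added example, not Microsoft's code. Assumes the Indicators API
(POST /api/indicators) and the indicator type / action names below;
check them against the current API reference before relying on them.
"""
import ipaddress
import json
import re
import urllib.request
from typing import Dict, Optional

# Indicator types accepted by the Indicators API (assumed from the API reference).
INDICATOR_TYPES = {"FileSha1", "FileSha256", "FileMd5", "CertificateThumbprint",
                   "IpAddress", "DomainName", "Url"}
# Expected hex length for the hash-style types.
HEX_LENGTH = {"FileSha1": 40, "FileSha256": 64, "FileMd5": 32, "CertificateThumbprint": 40}
_DOMAIN_RE = re.compile(r"^(?!-)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)


def validate_indicator(value: str, indicator_type: str) -> str:
    """Return the normalised indicator value, or raise ValueError if it does not fit the type."""
    if indicator_type not in INDICATOR_TYPES:
        raise ValueError(f"unknown indicator type {indicator_type!r}")
    v = value.strip()
    if indicator_type in HEX_LENGTH:
        n = HEX_LENGTH[indicator_type]
        if len(v) != n or not re.fullmatch(r"[0-9a-fA-F]+", v):
            raise ValueError(f"{indicator_type} must be exactly {n} hex characters")
        return v.lower()
    if indicator_type == "IpAddress":
        return str(ipaddress.ip_address(v))  # raises ValueError on a malformed address
    if indicator_type == "DomainName":
        if not _DOMAIN_RE.match(v):
            raise ValueError("not a valid domain name")
        return v.lower()
    # Url: the service matches on the full URL, so a bare host is not enough.
    if not re.match(r"^https?://\S+$", v):
        raise ValueError("URL must include an http:// or https:// scheme")
    return v


def is_valid_indicator(value: str, indicator_type: str) -> bool:
    """Boolean wrapper around validate_indicator for callers that only need a yes/no."""
    try:
        validate_indicator(value, indicator_type)
        return True
    except ValueError:
        return False


def build_allow_indicator(value: str, indicator_type: str, title: str,
                          description: str, expiration_time: Optional[str] = None) -> Dict:
    """Assemble the request body for an indicator with the "Allowed" action.

    The description should record why the item is being allowed (ticket id, who
    reviewed it) so the exception can be audited and removed later.
    """
    body = {
        "indicatorValue": validate_indicator(value, indicator_type),
        "indicatorType": indicator_type,
        "action": "Allowed",  # the "Allow" action referred to in the table above
        "title": title,
        "description": description,
    }
    if expiration_time:
        # ISO 8601 UTC timestamp; scoping an allow in time limits the blast radius of a wrong call.
        body["expirationTime"] = expiration_time
    return body


def submit_indicator(body: Dict, token: str,
                     base_url: str = "https://api.securitycenter.microsoft.com") -> Dict:
    """POST the body to the Indicators API. Token acquisition (Azure AD app with the
    indicator write permission) is outside this example and is assumed. Not run offline."""
    req = urllib.request.Request(
        f"{base_url}/api/indicators",
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: a SHA-256 of an internal tool that was flagged as malware.
    sample = build_allow_indicator("A" * 64, "FileSha256", "Allow internal deployment tool",
                                   "False positive reviewed in ticket PLACEHOLDER-123",
                                   expiration_time="2030-01-01T00:00:00Z")
    print(json.dumps(sample, indent=2))
```

Run it as shown to see the body; call `submit_indicator(sample, token)` only once the validated body looks right and the token is in hand.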

Undo a remediation action that was taken on a device

If a remediation action was taken on a device (such as a Windows 10 device) and the item is actually not a threat, your security operations team can undo the remediation action in the Action center.

Important

Make sure you have the necessary permissions before attempting to perform the following task.

  1. Go to https://security.microsoft.com and sign in.

  2. In the navigation pane, choose Action center.

  3. On the History tab, select an action that you want to undo. This opens a flyout.

    Tip

    Use filters to narrow down the list of results.

  4. In the flyout for the selected item, select Open investigation page.

  5. In the investigation details view, select the Actions tab.

  6. Select an item that has a status of Completed, and look for a link, such as Approved, in the Decisions column. This opens a flyout with more details about the action.

  7. To undo the action, select Delete remediation.

See also