Commit 6d6f2b5

Update defender-endpoint-false-positives-negatives.md
1 parent 00bd3cf commit 6d6f2b5

1 file changed

+1
-1
lines changed


defender-endpoint/defender-endpoint-false-positives-negatives.md

Lines changed: 1 addition & 1 deletion
@@ -47,7 +47,7 @@ When you have a false positive, a good first step is to try to determine its det
4747
| -------- | -------- |
4848
|Endpoint Detection and Response (EDR) | The alert is related to EDR in Defender for Endpoint <br/>- Solution: Submit the false positive to [https://aka.ms/wdsi](https://aka.ms/wdsi) <br/>- Work-around: Add an EDR exclusion or tune the alerts|
4949
|Antivirus|The alert relates to Microsoft Defender Antivirus in active mode (primary) where it blocks. <br/>- Solution: Submit the false positive to [https://aka.ms/wdsi](https://aka.ms/wdsi) <br/>- Work-around: Add [Indicators - File hash - allow ](/defender-endpoint/indicator-file) or an [Antivirus exclusion](/defender-endpoint/navigate-defender-endpoint-antivirus-exclusions)<br/><br/>If Microsoft Defender Antivirus is in passive mode, EDR in block mode might just detect.|
50-
| Custom TI| Custom indicators (Indicators <br/>- [file hash](/defender-endpoint/indicator-file)<br/>- [ip address or URL](/defender-endpoint/indicator-ip-domain)<br/>- [certificates](/defender-endpoint/indicator-certificates)) <br/><br/>Solution: [Manage indicators](/defender-endpoint/indicator-manage). <br/><br/> Or, if you see `CustomEnterpriseBlock`, your detection source could be one of the following capabilities in Defender for Endpoint: <br/><br/>1. [Automated investigation and remediation](automated-investigations.md)<br/>-- Solution: Submit the false positive to [https://aka.ms/wdsi](https://aka.ms/wdsi) <br/>-- Work-around: [Automation folder exclusions ](/defender-endpoint/manage-automation-folder-exclusions)<br/><br/>2. Custom detection rules deriving from [Advanced Hunting](/defender-xdr/advanced-hunting-overview) <br/>-- Solution: [Manage existing custom detection rules ](/defender-xdr/custom-detection-rules)<br/><br/>3. [EDR in block mode](/defender-endpoint/edr-in-block-mode) <br/>-- Solution: Submit the false positive to [https://aka.ms/wdsi](https://aka.ms/wdsi)<br/>-- Work-around: [Indicators – File hash – allow](/defender-endpoint/indicator-file) or [Antivirus exclusions](/defender-endpoint/navigate-defender-endpoint-antivirus-exclusions)<br/><br/>4. [Live response](live-response.md)<br/>-- Solution: Submit the false positive to [https://aka.ms/wdsi](https://aka.ms/wdsi)<br/>-- Work-around: [Indicators – File hash – allow](/defender-endpoint/indicator-file) or [Antivirus exclusions](/defender-endpoint/navigate-defender-endpoint-antivirus-exclusions)<br/><br/>5. [PUA protection](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)<br/>-- Solution: Submit the false positive to [https://aka.ms/wdsi](https://aka.ms/wdsi)<br/>-- Work-around: [Indicators – File hash – allow](/defender-endpoint/indicator-file) or [Antivirus exclusions](/defender-endpoint/navigate-defender-endpoint-antivirus-exclusions)|
50+
| Custom TI| Custom indicators:<br/>- [File hash](/defender-endpoint/indicator-file)<br/>- [IP address or URL](/defender-endpoint/indicator-ip-domain)<br/>- [Certificates](/defender-endpoint/indicator-certificates) <br/><br/>Solution: [Manage indicators](/defender-endpoint/indicator-manage). <br/><br/> Or, if you see `CustomEnterpriseBlock`, your detection source could be one of the following capabilities in Defender for Endpoint: <br/><br/>1. [Automated investigation and remediation](automated-investigations.md)<br/>-- Solution: Submit the false positive to [https://aka.ms/wdsi](https://aka.ms/wdsi) <br/>-- Work-around: [Automation folder exclusions ](/defender-endpoint/manage-automation-folder-exclusions)<br/><br/>2. Custom detection rules deriving from [Advanced Hunting](/defender-xdr/advanced-hunting-overview) <br/>-- Solution: [Manage existing custom detection rules ](/defender-xdr/custom-detection-rules)<br/><br/>3. [EDR in block mode](/defender-endpoint/edr-in-block-mode) <br/>-- Solution: Submit the false positive to [https://aka.ms/wdsi](https://aka.ms/wdsi)<br/>-- Work-around: [Indicators – File hash – allow](/defender-endpoint/indicator-file) or [Antivirus exclusions](/defender-endpoint/navigate-defender-endpoint-antivirus-exclusions)<br/><br/>4. [Live response](live-response.md)<br/>-- Solution: Submit the false positive to [https://aka.ms/wdsi](https://aka.ms/wdsi)<br/>-- Work-around: [Indicators – File hash – allow](/defender-endpoint/indicator-file) or [Antivirus exclusions](/defender-endpoint/navigate-defender-endpoint-antivirus-exclusions)<br/><br/>5. [PUA protection](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)<br/>-- Solution: Submit the false positive to [https://aka.ms/wdsi](https://aka.ms/wdsi)<br/>-- Work-around: [Indicators – File hash – allow](/defender-endpoint/indicator-file) or [Antivirus exclusions](/defender-endpoint/navigate-defender-endpoint-antivirus-exclusions)|
5151
| Smartscreen|[Smartscreen](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx): You can [Report an unsafe site](https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site) or [submit a network protection detection](https://www.microsoft.com/wdsi/support/report-exploit-guard)|
5252

5353
## False positives and how to address them
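Review bot: The rewritten Custom TI row at line 50 fixes the unbalanced "Custom indicators (Indicators" opening and capitalizes the bullet items, but leaves the same cell's other inconsistencies untouched: the link texts `[Automation folder exclusions ](...)` and `[Manage existing custom detection rules ](...)` still carry a trailing space inside the brackets, and the three work-around entries use en-dashes in `[Indicators – File hash – allow]` while the Antivirus row at line 49 writes the same link as `[Indicators - File hash - allow ]` with hyphens. Since this change already touches the whole line, trimming those spaces and settling on one dash style (and dropping the stray space in the Antivirus row's link text) would keep the table's link labels consistent across rows.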
