Commit 8a31a61

Update defender-endpoint-false-positives-negatives.md
1 parent f166b77 commit 8a31a61

1 file changed

+5
-6
lines changed

defender-endpoint/defender-endpoint-false-positives-negatives.md

Lines changed: 5 additions & 6 deletions
@@ -37,11 +37,11 @@ search.appverid: met150
3737

3838
In endpoint protection solutions, a false positive is an entity, such as a file or a process that was detected and identified as malicious even though the entity isn't actually a threat. A false negative is an entity that wasn't detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including [Defender for Endpoint](microsoft-defender-endpoint.md).
3939

40-
If you have Microsoft Defender XDR, review the "Alerts sources" as described in [Investigate alerts in Microsoft Defender XDR](/defender-xdr/investigate-alerts?tabs=settings).
40+
If you have Microsoft Defender XDR, review the "Alerts sources" as described in [Investigate alerts in Microsoft Defender XDR](/defender-xdr/investigate-alerts?tabs=settings). If the alert source is Defender for Endpoint, continue to read this article.
4141

42-
Continue here if the "Alert source" is "Microsoft Defender for Endpoint".
42+
## Identify the detection source
4343

44-
The next step is to review the "detection source":
44+
When you have a false positive, try to determine its detection source. The following table lists detection sources and potential solutions.
4545

4646
|Detection source| Information|
4747
| -------- | -------- |
@@ -50,6 +50,8 @@ The next step is to review the "detection source":
5050
| Custom TI| Custom indicators (Indicators <br/>- [file hash](/defender-endpoint/indicator-file)<br/>- [ip address or URL](/defender-endpoint/indicator-ip-domain)<br/>- [certificates](/defender-endpoint/indicator-certificates)) <br/><br/>Solution: [Manage indicators](/defender-endpoint/indicator-manage). <br/><br/> Or, if you see `CustomEnterpriseBlock`, your detection source could be one of the following: <br/><br/>1. Automated Investigation and Response (Auto-IR)<br/>-- Solution: Submit the False Positive to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives) <br/>-- Work-around: [Automation folder exclusions ](/defender-endpoint/manage-automation-folder-exclusions)<br/><br/>2. Custom detection rules deriving from Advanced Hunting (AH) <br/>-- Solution: [Manage existing custom detection rules ](/defender-xdr/custom-detection-rules)<br/><br/>3. EDR in block mode <br/>-- Solution: Submit the False Positive to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/>-- Work-around: [Indicators – File hash – allow](/defender-endpoint/defender-endpoint-false-positives-negatives) or [Antivirus exclusions](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/><br/>4. Live Response<br/>-- Solution: Submit the False Positive to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/>-- Work-around: [Indicators – File hash – allow](/defender-endpoint/defender-endpoint-false-positives-negatives) or [Antivirus exclusions](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/><br/>5. PUA protection<br/>-- Solution: Submit the False Positive to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/>-- Work-around: [Indicators – File hash – allow](/defender-endpoint/defender-endpoint-false-positives-negatives) or [Antivirus exclusions](/defender-endpoint/defender-endpoint-false-positives-negatives)|
5151
| Smartscreen|[Smartscreen](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx)<br/>- [Report unsafe site](https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site); <br/>or<br/>- It could be related to [Network Protection detection](https://www.microsoft.com/wdsi/support/report-exploit-guard)|
5252

53+
## False positives and how to address them
54+
5355
:::image type="content" source="media/false-positives-overview.png" alt-text="The definition of false positive and negatives in the Microsoft Defender portal" lightbox="media/false-positives-overview.png":::
5456

5557
Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives occurring with Defender for Endpoint, your security operations can take steps to address them by using the following process:
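Review bot: the new "## False positives and how to address them" heading at line 53 separates "Fortunately, steps can be taken to address and reduce these kinds of issues" from the sentence that defines false positives and negatives at line 38, so "these kinds of issues" now opens a section with no antecedent; suggest "Fortunately, steps can be taken to address and reduce false positives and false negatives." The detection-source table introduced under the new "## Identify the detection source" heading is also worth a second look while you are in it: in the Custom TI row the link text reads `https://aka.ms/wdsi` but the target is `/defender-endpoint/defender-endpoint-false-positives-negatives`, i.e. this same article, and the "Indicators – File hash – allow" and "Antivirus exclusions" work-arounds point there as well rather than to `/defender-endpoint/indicator-file`, which is linked in the same row; readers following "Submit the False Positive to https://aka.ms/wdsi" will land back on the page they are reading.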
@@ -68,9 +70,6 @@ You can get help if you still have issues with false positives/negatives after p
6870

6971
:::image type="content" source="media/false-positives-step-diagram.png" alt-text="The steps to address false positives and negatives" lightbox="media/false-positives-step-diagram.png":::
7072

71-
> [!NOTE]
72-
> This article is intended as guidance for security operators and security administrators who are using [Defender for Endpoint](microsoft-defender-endpoint.md).
73-
7473
## Part 1: Review and classify alerts
7574

7675
If you see an [alert](api/alerts.md) that arose because something's detected as malicious or suspicious and it shouldn't be, you can suppress the alert for that entity. You can also suppress alerts that aren't necessarily false positives, but are unimportant. We recommend that you also classify alerts.
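Review bot: deleting the `> [!NOTE]` at lines 71-73 removes the only statement of the article's intended audience (security operators and security administrators using Defender for Endpoint). If the goal is just to stop the note from interrupting the flow between the step diagram and "## Part 1", consider moving that sentence into the introduction near line 38 instead of dropping it.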