Update defender-endpoint-false-positives-negatives.md

Author: denisebmsft

defender-endpoint/defender-endpoint-false-positives-negatives.md

@@ -45,9 +45,9 @@ When you have a false positive, a good first step is to try to determine its det
 
 |Detection source| Information|
 | -------- | -------- |
-|EDR|The alert is related to Microsoft Defender for Endpoint – Endpoint Detection and Response <br/>- Solution: Submit the False Positive to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives) <br/>- Work-around: Tune the alerts|
-|Antivirus|The alert relates to Microsoft Defender Antivirus in Active mode (Primary) where it blocks. If Microsoft Defender Antivirus is in passive mode, EDR in block mode might just detect.<br/>- Solution: Submit the False Positive to [https://aka.ms/wdsi](https://aka.ms/wdsi) <br/>- Work-around: Add [Indicators - File hash - allow ](/defender-endpoint/defender-endpoint-false-positives-negatives)or an [Antivirus exclusion](/defender-endpoint/defender-endpoint-false-positives-negatives)|
-| Custom TI| Custom indicators (Indicators <br/>- [file hash](/defender-endpoint/indicator-file)<br/>- [ip address or URL](/defender-endpoint/indicator-ip-domain)<br/>- [certificates](/defender-endpoint/indicator-certificates)) <br/><br/>Solution: [Manage indicators](/defender-endpoint/indicator-manage). <br/><br/> Or, if you see `CustomEnterpriseBlock`, your detection source could be one of the following capabilities in Defender for Endpoint: <br/><br/>1. Automated Investigation and Response (Auto-IR)<br/>-- Solution: Submit the False Positive to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives) <br/>-- Work-around: [Automation folder exclusions  ](/defender-endpoint/manage-automation-folder-exclusions)<br/><br/>2. Custom detection rules deriving from Advanced Hunting (AH) <br/>-- Solution: [Manage existing custom detection rules  ](/defender-xdr/custom-detection-rules)<br/><br/>3. EDR in block mode <br/>-- Solution: Submit the False Positive to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/>-- Work-around: [Indicators – File hash – allow](/defender-endpoint/defender-endpoint-false-positives-negatives) or [Antivirus exclusions](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/><br/>4. Live Response<br/>-- Solution: Submit the False Positive to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/>-- Work-around: [Indicators – File hash – allow](/defender-endpoint/defender-endpoint-false-positives-negatives) or [Antivirus exclusions](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/><br/>5. PUA protection<br/>-- Solution: Submit the False Positive to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/>-- Work-around: [Indicators – File hash – allow](/defender-endpoint/defender-endpoint-false-positives-negatives) or [Antivirus exclusions](/defender-endpoint/defender-endpoint-false-positives-negatives)|
+|Endpoint Detection and Response (EDR) | The alert is related to EDR in Defender for Endpoint <br/>- Solution: Submit the False Positive to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives) <br/>- Work-around: Tune the alerts|
+|Antivirus|The alert relates to Microsoft Defender Antivirus in active mode (primary) where it blocks. If Microsoft Defender Antivirus is in passive mode, EDR in block mode might just detect.<br/>- Solution: Submit the False Positive to [https://aka.ms/wdsi](https://aka.ms/wdsi) <br/>- Work-around: Add [Indicators - File hash - allow ](/defender-endpoint/defender-endpoint-false-positives-negatives)or an [Antivirus exclusion](/defender-endpoint/defender-endpoint-false-positives-negatives)|
+| Custom TI| Custom indicators (Indicators <br/>- [file hash](/defender-endpoint/indicator-file)<br/>- [ip address or URL](/defender-endpoint/indicator-ip-domain)<br/>- [certificates](/defender-endpoint/indicator-certificates)) <br/><br/>Solution: [Manage indicators](/defender-endpoint/indicator-manage). <br/><br/> Or, if you see `CustomEnterpriseBlock`, your detection source could be one of the following capabilities in Defender for Endpoint: <br/><br/>1. Automated investigation and remediation<br/>-- Solution: Submit the False Positive to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives) <br/>-- Work-around: [Automation folder exclusions  ](/defender-endpoint/manage-automation-folder-exclusions)<br/><br/>2. Custom detection rules deriving from Advanced Hunting (AH) <br/>-- Solution: [Manage existing custom detection rules  ](/defender-xdr/custom-detection-rules)<br/><br/>3. EDR in block mode <br/>-- Solution: Submit the False Positive to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/>-- Work-around: [Indicators – File hash – allow](/defender-endpoint/defender-endpoint-false-positives-negatives) or [Antivirus exclusions](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/><br/>4. Live response<br/>-- Solution: Submit the False Positive to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/>-- Work-around: [Indicators – File hash – allow](/defender-endpoint/defender-endpoint-false-positives-negatives) or [Antivirus exclusions](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/><br/>5. PUA protection<br/>-- Solution: Submit the False Positive to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/>-- Work-around: [Indicators – File hash – allow](/defender-endpoint/defender-endpoint-false-positives-negatives) or [Antivirus exclusions](/defender-endpoint/defender-endpoint-false-positives-negatives)|
 | Smartscreen|[Smartscreen](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx)<br/>- [Report unsafe site](https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site); <br/>or<br/>- It could be related to [Network Protection detection](https://www.microsoft.com/wdsi/support/report-exploit-guard)|
 
 ## False positives and how to address them