There is no need for this to be an accusatory conversation. This can also be a situation where a formal email template or survey form can be helpful. If you are talking about MDE there are automated and remote remediation tools at your disposal.
A user conversation might sound like 'Our security monitoring detected unusual activity on your system recently (maybe share the time). This may be an inaccurate reading. We have remotely scheduled a full antivirus scan as a precaution. If you have any feedback or additional comments please contact your IT Security rep or complete the survey form provided in the following link.'
The goal is not to accuse the user. Rather, the user might have useful information to help explain the situation (if they are open to sharing). Maybe they let someone else use the PC or were on a risky website. The few times that I have popped for security violations, I had a good idea of what happened. They may not be willing to share or tech savvy enough to recognize what happened. Can't hurt to ask.