Address false positives or false negatives in Microsoft Defender XDR
Want to experience Microsoft Defender XDR? Learn more about how you can evaluate and pilot Microsoft Defender XDR.
- Microsoft Defender XDR
False positives or negatives can occasionally occur with any threat protection solution. If automated investigation and response capabilities in Microsoft Defender XDR missed or wrongly detected something, there are steps your security operations team can take:
- Report a false positive/negative to Microsoft
- Adjust your alerts (if needed)
- Undo remediation actions that were taken on devices
The following sections describe how to perform these tasks.
Report a false positive/negative to Microsoft for analysis
|Item missed or wrongly detected||Service||What to do|
|- Email message
- Email attachment
- URL in an email message
- URL in an Office file
|Microsoft Defender for Office 365||Submit suspected spam, phish, URLs, and files to Microsoft for scanning|
|File or app on a device||Microsoft Defender for Endpoint||Submit a file to Microsoft for malware analysis|
Adjust an alert to prevent false positives from recurring
|Scenario||Service||What to do|
|- An alert is triggered by legitimate use
- An alert is inaccurate
|Microsoft Defender for Cloud Apps
Azure threat protection
|Manage alerts in the Defender for Cloud Apps portal|
|A file, IP address, URL, or domain is treated as malware on a device, even though it's safe||Microsoft Defender for Endpoint||Create a custom indicator with an "Allow" action|
Undo a remediation action that was taken on a device
If a remediation action was taken on an entity (such as a device or an email message) and the affected entity is not actually a threat, your security operations team can undo the remediation action in the Action center.
- Go to Microsoft Defender portal and sign in.
- In the navigation pane, choose Action center.
- On the History tab, select an action that you want to undo. Its flyout pane opens.
- In the flyout pane, select Undo.
- View the details and results of an automated investigation
- Proactively hunt for threats with advanced hunting in Microsoft Defender XDR
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.