Address false positives or false negatives in Microsoft 365 Defender
Applies to: Microsoft 365 Defender
False positives or negatives can occasionally occur with any threat protection solution. If automated investigation and response capabilities in Microsoft 365 Defender missed or wrongly detected something, there are steps your security operations team can take:
- Report a false positive/negative to Microsoft
- Adjust your alerts (if needed)
- Undo remediation actions that were taken on devices
The following sections describe how to perform these tasks.
Report a false positive/negative to Microsoft for analysis
|Item missed or wrongly detected||Service||What to do|
|Email message; Email attachment; URL in an email message; URL in an Office file||Microsoft Defender for Office 365||Submit suspected spam, phish, URLs, and files to Microsoft for scanning|
|File or app on a device||Microsoft Defender for Endpoint||Submit a file to Microsoft for malware analysis|
Adjust an alert to prevent false positives from recurring
|Scenario||Service||What to do|
|An alert is triggered by legitimate use; An alert is inaccurate||Microsoft Defender for Cloud Apps; Azure threat protection||Manage alerts in the Defender for Cloud Apps portal|
|A file, IP address, URL, or domain is treated as malware on a device, even though it's safe||Microsoft Defender for Endpoint||Create a custom indicator with an "Allow" action|
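The last row above, as an added example that is not part of the original page or Microsoft's own code: it builds the request body for a custom indicator with the Allowed action, in the shape the Defender for Endpoint indicators API accepts, and refuses ranges, wildcards, and indicators without an expiry so the exception stays narrow. The helper names, the 90-day cap, and the sample hash are assumptions constructed for illustration; nothing is sent over the network.

```python
import hashlib
import ipaddress
import json
import re
from datetime import datetime, timedelta, timezone

MAX_LIFETIME_DAYS = 90  # assumed local policy for this example, not a product limit


def classify(value):
    """Map a value to a Defender for Endpoint indicatorType, or raise ValueError."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return "FileSha256"
    if re.fullmatch(r"[0-9a-fA-F]{40}", value):
        return "FileSha1"
    if re.fullmatch(r"https?://[^\s*]+", value):
        return "Url"
    try:
        ipaddress.ip_address(value)  # single address only; "203.0.113.0/24" fails
        return "IpAddress"
    except ValueError:
        pass
    if re.fullmatch(r"[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})+", value):
        return "DomainName"
    raise ValueError(f"not a hash, URL, single IP address or domain: {value!r}")


def build_allow_indicator(value, title, reason, days, now=None):
    """Return the request body for an indicator with the Allowed action."""
    if not 1 <= days <= MAX_LIFETIME_DAYS:
        raise ValueError("an allow indicator must expire within the policy window")
    if not reason.strip():
        raise ValueError("record why the detection was judged a false positive")
    now = now or datetime.now(timezone.utc)
    return {
        "indicatorValue": value,
        "indicatorType": classify(value),  # raises on ranges and wildcards
        "action": "Allowed",
        "title": title,
        "description": reason,
        "expirationTime": (now + timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


if __name__ == "__main__":
    sample = hashlib.sha256(b"constructed sample, not a real file").hexdigest()
    body = build_allow_indicator(sample, "Internal build tool", "Verified in-house binary", 30)
    print(json.dumps(body, indent=2))  # body for a POST to the /api/indicators endpoint
```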
Undo a remediation action that was taken on a device
If a remediation action was taken on an entity (such as a device or an email message) and the affected entity is not actually a threat, your security operations team can undo the remediation action in the Action center.
- Go to the Microsoft 365 Defender portal and sign in.
- In the navigation pane, choose Action center.
- On the History tab, select an action that you want to undo. Its flyout pane opens.
- In the flyout pane, select Undo.