Address false positives or false negatives in Microsoft Defender XDR

Applies to:

  • Microsoft Defender XDR

False positives and false negatives can occur with any threat protection solution. If the automated investigation and response capabilities in Microsoft Defender XDR missed something or wrongly flagged something, your security operations team can:

  • Report the false positive or false negative to Microsoft for analysis
  • Adjust an alert so that the false positive does not recur
  • Undo a remediation action that was taken on a device

The following sections describe how to perform each of these tasks.

Report a false positive/negative to Microsoft for analysis

Item missed or wrongly detected: an email message, an email attachment, a URL in an email message, or a URL in an Office file
Service: Microsoft Defender for Office 365
What to do: Submit suspected spam, phish, URLs, and files to Microsoft for scanning

Item missed or wrongly detected: a file or app on a device
Service: Microsoft Defender for Endpoint
What to do: Submit a file to Microsoft for malware analysis

Adjust an alert to prevent false positives from recurring

Scenario: an alert is triggered by legitimate use, or an alert is inaccurate
Service: Microsoft Defender for Cloud Apps or Azure threat protection
What to do: Manage alerts in the Defender for Cloud Apps portal

Scenario: a file, IP address, URL, or domain is treated as malware on a device, even though it's safe
Service: Microsoft Defender for Endpoint
What to do: Create a custom indicator with an "Allow" action
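The "Allow" indicator for Defender for Endpoint can also be created outside the portal. The following is an added example, not Microsoft's code and not from this page: it classifies an observable into the indicator type the Defender for Endpoint indicators API expects, builds a scoped, time-limited "Allowed" indicator body, and (only when called with a token) posts it. The endpoint URL, the field names and the action value "Allowed" are those of the public indicators API; the classification helper, the 30-day default, the 1 to 365 day bound and the device-group names are this example's own choices, and `access_token` is assumed to be an Entra ID token that carries the Ti.ReadWrite permission.

```python
import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone

# Public Defender for Endpoint indicators endpoint (documented API).
INDICATORS_URL = "https://api.securitycenter.microsoft.com/api/indicators"

# Hex length -> indicatorType accepted by the API.
HASH_TYPES = {32: "FileMd5", 40: "FileSha1", 64: "FileSha256"}
IPV4_RE = re.compile(
    r"^(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}$"
)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def classify_indicator(value):
    """Map a raw observable to the indicatorType string the API expects.

    Raises ValueError for anything that is not a hash, IPv4 address, URL or
    domain, so a typo never silently becomes a tenant-wide allow entry.
    (Classification rules are this example's own, not part of the API.)
    """
    v = value.strip()
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HASH_TYPES:
        return HASH_TYPES[len(v)]
    if IPV4_RE.match(v):
        return "IpAddress"
    if v.lower().startswith(("http://", "https://")):
        return "Url"
    if DOMAIN_RE.match(v):
        return "DomainName"
    raise ValueError(f"unsupported indicator value: {value!r}")


def build_allow_indicator(value, title, description, days_valid=30,
                          rbac_group_names=None):
    """Build the request body for an indicator with the 'Allowed' action.

    The allow entry is time-boxed and optionally scoped to device groups on
    purpose: an indefinite, tenant-wide allow for a hash is itself a finding
    if that file is later found to be malicious. The 1..365 day bound is a
    local policy choice for this example, not an API limit.
    """
    if not 1 <= days_valid <= 365:
        raise ValueError("days_valid must be between 1 and 365")
    expires = datetime.now(timezone.utc) + timedelta(days=days_valid)
    body = {
        "indicatorValue": value.strip(),
        "indicatorType": classify_indicator(value),
        "action": "Allowed",
        "title": title,
        "description": description,
        "expirationTime": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "severity": "Informational",
        "generateAlert": False,
    }
    if rbac_group_names:
        # Restrict the allow to named device groups instead of the whole tenant.
        body["rbacGroupNames"] = list(rbac_group_names)
    return body


def submit_indicator(body, access_token):
    """POST the indicator and return the parsed JSON response.

    Only this function touches the network; the caller supplies a bearer
    token (assumed to carry Ti.ReadWrite).
    """
    req = urllib.request.Request(
        INDICATORS_URL,
        data=json.dumps(body).encode("utf-8"),
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: SHA-256 of an empty file, used only to show the shape.
    sample = build_allow_indicator(
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        title="FP: internal build tool",
        description="Ticket SOC-0000 (constructed example); confirmed benign",
        days_valid=14,
        rbac_group_names=["Build servers"],
    )
    print(json.dumps(sample, indent=2))
```

Before posting, confirm the value is the exact hash or host reported in the alert rather than a looser parent domain or a wildcard, and record the ticket that justifies the exception in the description field so the entry can be reviewed when it expires.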

Undo a remediation action that was taken on a device

If a remediation action was taken on an entity (such as a device or an email message) and the affected entity is not actually a threat, your security operations team can undo the remediation action in the Action center.

  1. Go to the Microsoft Defender portal and sign in.
  2. In the navigation pane, choose Action center.
  3. On the History tab, select an action that you want to undo. Its flyout pane opens.
  4. In the flyout pane, select Undo.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.