In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious even though the entity isn't actually a threat. A false negative is an entity that wasn't detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including Defender for Endpoint. Fortunately, steps can be taken to address and reduce these kinds of issues.

If you're seeing false positives/negatives occurring with Defender for Endpoint, your security operations team can take steps to address them by using the following process:

- Review remediation actions that were taken.
- Review and adjust your threat protection settings.

You can get help if you still have issues with false positives/negatives after performing the tasks described in this article.

This article is intended as guidance for security operators and security administrators who are using Defender for Endpoint.

If you see an alert that arose because something was detected as malicious or suspicious and it shouldn't have been, you can suppress the alert for that entity. You can also suppress alerts that aren't necessarily false positives, but are unimportant. We recommend that you also classify alerts. Managing your alerts and classifying true/false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your queue so that your security team can focus on higher priority work items.

Determine whether an alert is accurate

Before you classify or suppress an alert, determine whether the alert is accurate, a false positive, or benign.

1. In the Microsoft 365 Defender portal, in the navigation pane, choose Incidents & alerts and then select Alerts.
2. Select an alert to view more details about it. (To get help with this task, see Review alerts in Defender for Endpoint.)
3. Depending on the alert status, take the steps described in the following table:

Alert status | Steps to take
The alert is accurate | Assign the alert, and then investigate it further.
The alert is a false positive | Classify the alert as a false positive, and create an indicator for Microsoft Defender for Endpoint.
The alert is accurate, but benign (unimportant) | Classify the alert as a true positive, and then suppress the alert.

Alerts can be classified as false positives or true positives in the Microsoft 365 Defender portal. Classifying alerts helps train Defender for Endpoint so that over time, you'll see more true alerts and fewer false alerts.

1. In the Microsoft 365 Defender portal, in the navigation pane, choose Incidents & alerts, select Alerts, and then select an alert.
2. For the selected alert, select Manage alert.
3. In the Manage alert section, in the Classification field, classify the alert (True positive, Informational, expected activity, or False positive).

Need help with suppression rules? See Suppress an alert and create a new suppression rule.

Remediation actions, such as sending a file to quarantine or stopping a process, are taken on entities (such as files) that are detected as threats. Several types of remediation actions occur automatically through automated investigation and Microsoft Defender Antivirus. Other actions, such as starting an antivirus scan or collecting an investigation package, occur manually or through Live Response. Actions taken through Live Response can't be undone.

After you've reviewed your alerts, your next step is to review remediation actions. If any actions were taken as a result of false positives, you can undo most kinds of remediation actions:

- Restore a quarantined file from the Action Center.
- Remove a file from quarantine across multiple devices.
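The alert classification procedure above is a portal click-path; the following Python is an added example (not code from the Microsoft article) that turns one of the three triage outcomes from the alert status table into an Update-alert request for the Defender for Endpoint alerts API, so that classification decisions made during review can be recorded in bulk. The endpoint, field names and classification values are assumptions drawn from the public Update alert API reference and should be checked against the current reference before use.

```python
import json
from urllib import request

# Update alert endpoint of the Defender for Endpoint API (assumed from the
# public reference; confirm the host and path for your tenant/cloud).
API_BASE = "https://api.securitycenter.microsoft.com/api/alerts"


def build_update(outcome, comment, assigned_to=None):
    """Map one of the article's three triage outcomes to an Update-alert body.

    outcome: "accurate", "false_positive" or "benign". Suppression rules and
    indicators are separate steps in the portal and are not part of this call.
    """
    if not comment:
        raise ValueError("record why the alert was classified (audit trail)")
    if outcome == "accurate":
        # Accurate alert: assign it and keep investigating; no classification yet.
        if not assigned_to:
            raise ValueError("an accurate alert must be assigned to an analyst")
        return {"status": "InProgress", "assignedTo": assigned_to, "comment": comment}
    if outcome == "false_positive":
        return {"status": "Resolved", "classification": "FalsePositive", "comment": comment}
    if outcome == "benign":
        # Accurate but unimportant: the article classifies it as a true positive
        # and then suppresses it (suppression is a separate rule, not done here).
        return {"status": "Resolved", "classification": "TruePositive", "comment": comment}
    raise ValueError(f"unknown triage outcome: {outcome!r}")


def send_update(alert_id, body, token, opener=request.urlopen):
    """PATCH the body to /api/alerts/{id}. The opener is injectable so the call
    can be exercised offline with a stub instead of the live API."""
    req = request.Request(
        f"{API_BASE}/{alert_id}",
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with opener(req) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


if __name__ == "__main__":
    # Constructed example: an alert raised on an authorised internal scanner.
    body = build_update("false_positive", "Authorised vulnerability scanner, ticket <PLACEHOLDER>")
    print(json.dumps(body, indent=2))
```

The bearer token is obtained through your tenant's normal application registration; the stubbed opener lets the request shape be checked without credentials.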