eternalpaster.blogg.se

Avg false positive a.gfx.ms





In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including Microsoft Defender for Endpoint.

Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives in Microsoft 365 Defender, your security operations can take steps to address them by using the following process:

- Review remediation actions that were taken.
- Review and adjust your threat protection settings.

You can get help if you still have issues with false positives/negatives after performing the tasks described in this article. This article is intended as guidance for security operators and security administrators who are using Microsoft Defender for Endpoint.

If you see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well.

Managing your alerts and classifying true/false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items.

Determine whether an alert is accurate

Before you classify or suppress an alert, determine whether the alert is accurate, a false positive, or benign.

Go to the Microsoft 365 Defender portal and sign in. In the navigation pane, choose Alerts queue. Select an alert to see more details about the alert. (See Review alerts in Microsoft Defender for Endpoint.) Depending on the alert status, take the steps described in the following table:

Assign the alert, and then investigate it further.
1. Classify the alert as a false positive.
3. Create an indicator for Microsoft Defender for Endpoint.
The alert is accurate, but benign (unimportant): Classify the alert as a true positive, and then suppress the alert.

Alerts can be classified as false positives or true positives in Microsoft 365 Defender. Classifying alerts helps train Microsoft Defender for Endpoint so that, over time, you'll see more true alerts and fewer false alerts.

Select Alerts queue, and then select an alert. For the selected alert, select Actions > Manage alert. In the Manage alert section, select either True alert or False alert. (Use False alert to classify a false positive.)

Need help with suppression rules? See Suppress an alert and create a new suppression rule.

Remediation actions, such as sending a file to quarantine or stopping a process, are taken on entities (such as files) that are detected as threats.






