From 5a95a0a2fcf9286ed70efb477fd1cfa21e7cae1d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 19:12:31 -0800 Subject: [PATCH] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index caeb8f45d2..780fb5a960 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -117,8 +117,10 @@ When you're done reviewing and undoing actions that were taken as a result of fa ### Review completed actions +![Action center](images/autoir-action-center-1.png) + 1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. -2. Select the **History** tab to view a list of actions that were taken.
![Action center](images/autoir-action-center-1.png) +2. Select the **History** tab to view a list of actions that were taken. 3. Select an item to view more details about the remediation action that was taken. ### Undo an action @@ -137,10 +139,11 @@ If you find that a remediation action was taken automatically on an entity that ### Remove a file from quarantine across multiple devices +![Quarantine file](images/autoir-quarantine-file-1.png) + 1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. 2. On the **History** tab, select a file that has the Action type **Quarantine file**. -3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**.
![Quarantine file](images/autoir-quarantine-file-1.png) - +3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**. ## Part 3: Review or define exclusions @@ -352,7 +355,6 @@ Depending on the [level of automation](https://docs.microsoft.com/windows/securi > [!TIP] > We recommend using *Full automation* for automated investigation and remediation. Don't turn these capabilities off because of a false positive. Instead, use ["allow" indicators to define exceptions](#indicators-for-microsoft-defender-for-endpoint), and keep automated investigation and remediation set to take appropriate actions automatically. Following [this guidance](automation-levels.md#levels-of-automation) helps reduce the number of alerts your security operations team must handle. - ## Still need help? If you have worked through all the steps in this article and still need help, your best bet is to contact technical support. @@ -365,4 +367,4 @@ If you have worked through all the steps in this article and still need help, yo [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md) -[Overview of Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use) \ No newline at end of file +[Overview of Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use)