From 131da8346ac47dac17b151b7ed07ff7c81cfd056 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 15 Dec 2020 15:56:57 -0800 Subject: [PATCH] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 23 ++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 72ede58c51..7a8b28a303 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -35,4 +35,25 @@ Did Microsoft Defender for Endpoint identify an artifact as malicious, even thou | Step | Description | |:---|:---| -| 1. Identify a false positive/negative | | \ No newline at end of file +| 1. Identify a false positive/negative | | +| 2. Review/define exclusions for Defender for Endpoint | | +| 3. Review/define indicators for Defender for Endpoint | | +| 4. Classify a false positive/negative in Defender for Endpoint | | +| 5. Submit a file for analysis | | +| 6. Confirm your software uses EV code signing | | + +## Identify a false positive/negative + +*How do we know something is a false positive or negative? What do we want customers to look for?* + +## Review or define exclusions + +*Exclusions are defined for AutoIR and for MDAV, yes?* + +## Review or define indicators + +## Classify a false positive or false negative + +## Submit a file for analysis + +## Confirm your software uses EV code signing \ No newline at end of file
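Review bot: The two italic lines added under "## Identify a false positive/negative" and "## Review or define exclusions" are open drafting questions (for example "*Exclusions are defined for AutoIR and for MDAV, yes?*") and will render as body text to readers if this is published as is; answer them in the text, or move them into an HTML comment or the review discussion before merging. The Description column is empty for all six steps and the last four headings have no body, so the page carries no guidance yet; the subject line could say that this is a work-in-progress outline. The step labels in the table also differ from the headings they correspond to ("2. Review/define exclusions for Defender for Endpoint" versus "## Review or define exclusions"), so pick one wording and consider linking each table cell to its section. The file still ends without a trailing newline.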