diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index f61361d92e..caeb8f45d2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -33,6 +33,8 @@ ms.custom: FPFN In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection). +![Definition of false positive and negatives in Windows Defender for Endpoints](images/false-positives-overview.png) + Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address them by using the following process: 1. [Review and classify alerts](#part-1-review-and-classify-alerts) 
@@ -43,6 +45,8 @@ Fortunately, steps can be taken to address and reduce these kinds of issues. If And, you can [get help if you still have issues with false positives/negatives](#still-need-help) after performing the tasks described in this article. +![Steps to address false positives and negatives](images/false-positives-step-diagram.png) + > [!NOTE] > This article is intended as guidance for security operators and security administrators who are using [Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md). @@ -189,10 +193,13 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, you can c - [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) You can create indicators for: + - [Files](#indicators-for-files) - [IP addresses, URLs, and domains](#indicators-for-ip-addresses-urls-or-domains) - [Application certificates](#indicators-for-application-certificates) +![Indicator types diagram](images/false-positives-indicators.png) + #### Indicators for files When you [create an "allow" indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file), it helps prevent files that your organization is using from being blocked. Files can include portable executable (PE) files, such as `.exe` and `.dll` files. diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png new file mode 100644 index 0000000000..e30347f04c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-overview.png b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-overview.png new file mode 100644 index 0000000000..c2092639af Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-overview.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-step-diagram.png b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-step-diagram.png new file mode 100644 index 0000000000..85a91de789 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-step-diagram.png differ
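Review bot: In the first hunk (`@@ -33,6 +33,8 @@`), the alt text "Definition of false positive and negatives in Windows Defender for Endpoints" uses a product name that doesn't match the article, which calls the product "Microsoft Defender for Endpoint" two lines earlier, and the phrase "false positive and negatives" is ungrammatical. Suggest `![Definition of false positives and negatives in Microsoft Defender for Endpoint](images/false-positives-overview.png)` so the alt text stays consistent with the surrounding prose and the rest of the page.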
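Review bot: In the second hunk (`@@ -43,6 +45,8 @@`), the alt text "Steps to address false positives and negatives" doesn't say what the diagram shows beyond what the adjacent numbered list already states; if the image only restates that list, say so in the alt text (for example "Diagram of the numbered process listed above"), and if it carries any labels or ordering the list does not, name them so screen-reader users get equivalent information.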
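Review bot: In the third hunk (`@@ -189,10 +193,13 @@`), the alt text "Indicator types diagram" is not descriptive; since the three bullets directly above name the types, suggest `![Diagram of the three indicator types: files; IP addresses, URLs, and domains; application certificates](images/false-positives-indicators.png)`. The blank line added after "You can create indicators for:" is a good fix, as some markdown renderers require it for the list to render as a list.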