Update defender-endpoint-false-positives-negatives.md

Denise Vangel-MSFT 2021-01-26 19:12:31 -08:00 committed by GitHub
parent 3f47103c00
commit 5a95a0a2fc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -117,8 +117,10 @@ When you're done reviewing and undoing actions that were taken as a result of fa
### Review completed actions ### Review completed actions
![Action center](images/autoir-action-center-1.png)
1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. 1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
2. Select the **History** tab to view a list of actions that were taken. <br/>![Action center](images/autoir-action-center-1.png) 2. Select the **History** tab to view a list of actions that were taken.
3. Select an item to view more details about the remediation action that was taken. 3. Select an item to view more details about the remediation action that was taken.
### Undo an action ### Undo an action
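Review bot: moving the Action center screenshot above step 1 separates it from the step it illustrates; the image shows the **History** tab that step 2 tells the reader to select, so it now appears before the reader has been told what they are looking at. If the intent is to show the screen before the procedure, give the image more descriptive alt text than "Action center" (for example, naming the History tab) and keep a blank line between the image and the numbered list so the two render as separate blocks.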
@ -137,10 +139,11 @@ If you find that a remediation action was taken automatically on an entity that
### Remove a file from quarantine across multiple devices ### Remove a file from quarantine across multiple devices
![Quarantine file](images/autoir-quarantine-file-1.png)
1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. 1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
2. On the **History** tab, select a file that has the Action type **Quarantine file**. 2. On the **History** tab, select a file that has the Action type **Quarantine file**.
3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**. <br/>![Quarantine file](images/autoir-quarantine-file-1.png) 3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**.
## Part 3: Review or define exclusions ## Part 3: Review or define exclusions
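Review bot: same concern as in the previous hunk: the quarantine screenshot has been pulled out of step 3, which is the step that describes the right-hand pane with **Apply to X more instances of this file** and **Undo**, and now sits above step 1 with the generic alt text "Quarantine file". Either keep the image next to step 3 or make the alt text describe the pane and the Undo control so the screenshot still matches the instruction it supports.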
@ -352,7 +355,6 @@ Depending on the [level of automation](https://docs.microsoft.com/windows/securi
> [!TIP] > [!TIP]
> We recommend using *Full automation* for automated investigation and remediation. Don't turn these capabilities off because of a false positive. Instead, use ["allow" indicators to define exceptions](#indicators-for-microsoft-defender-for-endpoint), and keep automated investigation and remediation set to take appropriate actions automatically. Following [this guidance](automation-levels.md#levels-of-automation) helps reduce the number of alerts your security operations team must handle. > We recommend using *Full automation* for automated investigation and remediation. Don't turn these capabilities off because of a false positive. Instead, use ["allow" indicators to define exceptions](#indicators-for-microsoft-defender-for-endpoint), and keep automated investigation and remediation set to take appropriate actions automatically. Following [this guidance](automation-levels.md#levels-of-automation) helps reduce the number of alerts your security operations team must handle.
## Still need help? ## Still need help?
If you have worked through all the steps in this article and still need help, your best bet is to contact technical support. If you have worked through all the steps in this article and still need help, your best bet is to contact technical support.
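Review bot: the hunk header reports one line removed (7 lines to 6), but none of the rendered rows is marked as deleted, so the removed line cannot be reviewed from this view; please confirm it was only a blank line and that a blank line still separates the `> [!TIP]` block quote from the `## Still need help?` heading, so the tip does not run into the next section.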
@ -365,4 +367,4 @@ If you have worked through all the steps in this article and still need help, yo
[Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md) [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)
[Overview of Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use) [Overview of Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use)
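Review bot: this hunk has equal line counts and the two rendered link lines are identical on both sides, so the change is invisible here and is most likely whitespace or the end-of-file newline; worth confirming so the diff does not carry an unintended whitespace-only edit. Separately, the two links mix a relative path (`manage-atp-post-migration.md`) with an absolute docs.microsoft.com URL; if both targets live in the same docs set, a relative link for the second one would be consistent.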