diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 89da6e7ecf..43eebf368e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -33,8 +33,13 @@ ms.custom: FPFN In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution. +![Definition of false positive and negatives in Windows Defender for Endpoints](images/false-positives-overview.png) + If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives. These steps include: +![Steps to address false positives and negatives](images/false-positives-step-diagram.png) + + 1. [Reviewing and classifying alerts](#part-1-review-and-classify-alerts) 2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions) 3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions) 
@@ -184,10 +189,13 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, you can c - [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) You can create indicators for: + - [Files](#indicators-for-files) - [IP addresses, URLs, and domains](#indicators-for-ip-addresses-urls-or-domains) - [Application certificates](#indicators-for-application-certificates) +![Indicator types diagram](images/false-positives-indicators.png) + #### Indicators for files When you [create an "allow" indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file), it helps prevent files that your organization is using from being blocked. Files can include portable executable (PE) files, such as `.exe` and `.dll` files. diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png new file mode 100644 index 0000000000..733db3cb46 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-overview.png b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-overview.png new file mode 100644 index 0000000000..e86ad1454d Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-overview.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-step-diagram.png b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-step-diagram.png new file mode 100644 index 0000000000..85a91de789 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-step-diagram.png differ
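Review bot: In the first hunk (`@@ -33,8 +33,13`), the alt text `Definition of false positive and negatives in Windows Defender for Endpoints` uses a product name that does not match the `Microsoft Defender for Endpoint` link text in the very next paragraph, and it is also ungrammatical; suggest `Definition of false positives and false negatives in Microsoft Defender for Endpoint`. The same hunk adds two consecutive empty `+` lines after the `false-positives-step-diagram.png` image, which will render as a single blank line in Markdown anyway, so one of them can be dropped to keep the source consistent with the single blank lines used elsewhere in the file.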
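Review bot: In the second hunk (`@@ -184,10 +189,13`), the alt text `Indicator types diagram` does not tell a screen-reader user what the diagram shows, even though the three items are right there in the list above it; suggest something like `Diagram of the three indicator types: files; IP addresses, URLs, and domains; application certificates` so the image carries the same information as the surrounding text. Since the three PNGs in this patch are added as binaries, their contents cannot be checked here; the reviewer should confirm that the rendered diagrams match the list items and the product naming used in the page text.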