| title | Report false positives or false negatives following automated investigation and response | ||
|---|---|---|---|
| description | Was something missed or wrongly detected by AIR in Microsoft Defender for Office 365 Plan 2? Learn how to submit false positives or false negatives to Microsoft for analysis. | ||
| search.appverid | met150 | ||
| f1.keywords |
|
||
| author | chrisda | ||
| ms.author | chrisda | ||
| manager | bagol | ||
| ms.service | defender-office-365 | ||
| ms.date | 07/10/2024 | ||
| ms.localizationpriority | medium | ||
| audience | ITPro | ||
| ms.collection |
|
||
| ms.topic | how-to | ||
| ms.custom |
|
||
| appliesto |
|
[!INCLUDE MDO Trial banner]
Automated investigation and response (AIR) in Microsoft Defender for Office 365 Plan 2 includes powerful capabilities to detect and investigate threats. For more information, see Automated investigation and response.
But what if AIR incorrectly identifies something as a threat (a false positive) or missed something that turned out to be a threat (a false negative)? This article explains the options that are available to security operations (SecOps) personnel to deal with false positives and false negatives from AIR.
To submit or resubmit false positive and false negative email messages, email attachments, and URLs to Microsoft, see Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft.
For instructions, see the following articles, based on the available subscriptions in your organization:
- Defender XDR: Tune an alert
- Defender for Endpoint: Create Allow actions for files, IP addresses URLs or domains that are misidentified as malware on devices. For instructions, see Create indicators.
Tip
For permission and licensing requirements, see Required permissions and licensing for AIR.
SecOps personnel can often use :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: Take action to undo the remediation action. For example:
- From Explorer (Threat Explorer). For details, see Email remediation.
- From the Email entity page. For more information, see Actions on the Email entity page.
- From the details flyout of entries on the History tab of the Action center at https://security.microsoft.com/action-center/history.
For details about the available actions in :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: Take action, see the Take action wizard.
- To take action on messages that were moved to the Junk Email folder in the mailbox, use Take action > Move to mailbox folder and then select one of the following destinations:
- Inbox for false positives.
- Deleted Items, Soft deleted items, or Hard deleted items for false negatives.
- To take action on messages that were quarantined, do one of the following steps:
- To release the message, use Take action > Move to mailbox folder > Inbox and then select Release to one or more of the original recipients of the email or Release to all recipients. Or, you can release the message directly from quarantine.
- Delete the message directly from quarantine if the user has access to the quarantined message.
- If the user doesn't have access to the quarantined message, you don't need to do anything (the message will eventually expire from quarantine).
- To take action on files that were quarantined, do one of the following steps:
- Release the quarantined file from quarantine.
- Delete the quarantined file from quarantine if the user has access to the quarantined file.
- If the user doesn't have access to the quarantined file, you don't need to do anything (the file will eventually expire from quarantine).