Report false positives or false negatives in automated investigation and response (AIR)
Tip
Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.
Automated investigation and response (AIR) in Microsoft Defender for Office 365 Plan 2 includes powerful capabilities to detect and investigate threats. For more information, see Automated investigation and response.
But what if AIR incorrectly identifies something as a threat (a false positive) or missed something that turned out to be a threat (a false negative)? This article explains the options that are available to security operations (SecOps) personnel to deal with false positives and false negatives from AIR.
Submit false positives or false negatives to Microsoft
To submit or resubmit false positive and false negative email messages, email attachments, and URLs to Microsoft, see Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft.
Adjust alerts to prevent false positives from recurring
For instructions, see the following articles, based on the available subscriptions in your organization:
- Defender XDR: Tune an alert
- Defender for Endpoint: Create Allow actions for files, IP addresses URLs or domains that are misidentified as malware on devices. For instructions, see Create indicators.
Undo remediation actions
Tip
For permission and licensing requirements, see Required permissions and licensing for AIR.
SecOps personnel can often use 
Take action to undo the remediation action. For example:
- From Explorer (Threat Explorer). For details, see Email remediation.
- From the Email entity page. For more information, see Actions on the Email entity page.
- From the details flyout of entries on the History tab of the Action center at https://security.microsoft.com/action-center/history.
For details about the available actions in
Take action, see the Take action wizard.
- To take action on messages that were moved to the Junk Email folder in the mailbox, use Take action > Move to mailbox folder and then select one of the following destinations:
- Inbox for false positives.
- Deleted Items, Soft deleted items, or Hard deleted items for false negatives.
- To take action on messages that were quarantined, do one of the following steps:
- To release the message, use Take action > Move to mailbox folder > Inbox and then select Release to one or more of the original recipients of the email or Release to all recipients. Or, you can release the message directly from quarantine.
- Delete the message directly from quarantine if the user has access to the quarantined message.
- If the user doesn't have access to the quarantined message, you don't need to do anything (the message will eventually expire from quarantine).
- To take action on files that were quarantined, do one of the following steps:
- Release the quarantined file from quarantine.
- Delete the quarantined file from quarantine if the user has access to the quarantined file.
- If the user doesn't have access to the quarantined file, you don't need to do anything (the file will eventually expire from quarantine).