Forum Discussion
Kiril
Mar 24, 2023 | Iron Contributor
Tampering with Microsoft Defender for Endpoint sensor settings alert false positive?
I am currently investigating the following timeline. All of the involved binaries are part of Windows. How can I make sure whether this is a false positive or whether I need to dig deeper? ...
Kiril
Mar 24, 2023 | Iron Contributor
Thank you, yes, both are enabled: ASR rules in Block mode and automated incident response.
> they don't appear to be the point of origin.
How to investigate the point of origin here?
rahuljindal
Mar 24, 2023 | Bronze Contributor
The timeline ideally should give you details. Otherwise, advanced hunting queries will be the next best option for investigation.
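An added example of the advanced hunting approach suggested above (this query is not from the thread or from Microsoft; it is written here to illustrate the technique). It starts from the alert title quoted in the question, pulls the process evidence that Defender attached to that alert, and then joins each evidence process to its creation event so the initiating (parent) process, the grandparent and the launching account become visible. That parent chain is what answers "what is the point of origin": the binaries themselves are Windows-signed, so the question is what launched them and under which account. The seven-day lookback and the one-hour window around the alert time are assumed defaults, not values from the post.

```kql
// Added example, not part of the original thread.
// Assumed: standard Microsoft 365 Defender advanced hunting tables
// (AlertInfo, AlertEvidence, DeviceProcessEvents) and their documented columns.
let alertTitle = "Tampering with Microsoft Defender for Endpoint sensor settings";
let lookback = 7d;   // assumed window; widen it if the alert is older
// Step 1: evidence processes Defender attached to the alert in question.
let evidence =
    AlertInfo
    | where Timestamp > ago(lookback)
    | where Title has alertTitle
    | join kind=inner AlertEvidence on AlertId
    | where EntityType in ("Process", "File")
    | project AlertId, AlertTime = Timestamp, DeviceId, DeviceName,
              FileName, ProcessCommandLine;
// Step 2: for each evidence process, find its creation event on the same device
// and surface the parent, grandparent and account that launched it.
evidence
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | project DeviceId, ProcTime = Timestamp, FileName, ProcessCommandLine,
              AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessAccountName, InitiatingProcessParentFileName
  ) on DeviceId, FileName
// Keep only creation events close to the alert; tighten if common Windows
// binaries (svchost.exe, rundll32.exe, ...) make the join noisy.
| where ProcTime between ((AlertTime - 1h) .. (AlertTime + 1h))
| project AlertId, DeviceName, ProcTime, AccountName, FileName, ProcessCommandLine,
          Parent = InitiatingProcessFileName,
          ParentCmd = InitiatingProcessCommandLine,
          ParentAccount = InitiatingProcessAccountName,
          GrandParent = InitiatingProcessParentFileName
| sort by ProcTime asc
```

Reading the result: a chain that ends in an interactive admin session, a known management agent, or a scheduled maintenance task on a device where an administrator was working at that time supports the false-positive reading; a Windows binary launched by an unexpected parent (an Office application, a script host, a process started from a user-writable path) or under an account that should not be touching sensor settings is the case where digging deeper is warranted. The same ParentCmd and ParentAccount columns are what you would cite when documenting the decision either way.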