Tampering with Microsoft Defender for Endpoint sensor settings alert false positive?


I am currently investigating the following timeline. All of the involved binaries are part of Windows. How can I make sure, whether this is a false positive, or whether I need to dig deeper?




3 Replies
They may be Windows processes, but they don't appear to be the point of origin. They don't appear to be false positives to me. Do you have other MDE components enabled, like ASR? Also, do you have automated incident response enabled in the Defender portal?


Thank you, yes both are enabled. ASR rules in Block mode and automated incident response.


> they don't appear to be the point of origin.


How do I investigate the point of origin here?


The timeline ideally should give you details. Otherwise, advanced hunting queries will be the next best option for investigation.
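One way to do the advanced hunting the reply suggests, as an added example that is not from the thread or from Microsoft: a KQL query that takes the alert title from this thread's subject, pulls the process evidence attached to matching alerts, and joins it to DeviceProcessEvents so the parent process chain around the alert is visible and the first ancestor outside the Windows directory stands out as a candidate origin. The 7-day lookback, the 10-minute window before the alert and the `C:\Windows\` path test are assumptions, not values from the thread.

```kql
// Added example, not from the thread. Lookback and windows are constructed assumptions.
let lookback = 7d;
// Step 1: alerts with the title from this thread, plus the process entities attached to them.
let tamperAlerts =
    AlertInfo
    | where Timestamp > ago(lookback)
    | where Title has "Tampering with Microsoft Defender for Endpoint sensor settings"
    | join kind=inner (
        AlertEvidence
        | where EntityType == "Process"
        | project AlertId, DeviceId, DeviceName, FileName,
                  EvidenceCommandLine = ProcessCommandLine, EvidenceRole
      ) on AlertId
    | project AlertTime = Timestamp, AlertId, Severity, DeviceId, DeviceName,
              FileName, EvidenceCommandLine, EvidenceRole;
// Step 2: process creations of the same image on the same device shortly before the alert,
// with the initiating (parent) process and its parent, so the chain can be walked upward.
tamperAlerts
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | project ProcTime = Timestamp, DeviceId, FileName, FolderPath,
              ProcCommandLine = ProcessCommandLine,
              InitiatingProcessFileName, InitiatingProcessFolderPath,
              InitiatingProcessCommandLine, InitiatingProcessParentFileName,
              InitiatingProcessAccountName
  ) on DeviceId, FileName
| where ProcTime between ((AlertTime - 10m) .. (AlertTime + 1m))
// A Windows binary launched from outside C:\Windows\ is a lead, not proof; check the account too.
| extend ParentOutsideWindows = not(InitiatingProcessFolderPath startswith @"C:\Windows\")
| project AlertTime, ProcTime, DeviceName, AlertId, Severity, FileName, FolderPath, ProcCommandLine,
          InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, InitiatingProcessAccountName, ParentOutsideWindows
| order by DeviceName asc, ProcTime asc
```

If every row's parent chain ends in a system-path process running as SYSTEM with no interactive or remote account involved, that supports the false-positive reading; a parent from a user-writable path or an unexpected account is where to dig deeper.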