Visit the Action center to see remediation actions
During and after an automated investigation, remediation actions for threat detections are identified. Depending on the particular threat and how Microsoft Defender for Endpoint is configured for your organization, some remediation actions are taken automatically, and others require approval. If you're part of your organization's security operations team, you can view pending and completed remediation actions in the Action center.
(NEW!) A unified Action center
We are pleased to announce a new, unified Action center (https://security.microsoft.com/action-center)!
The following table compares the new, unified Action center to the previous Action center.
|The new, unified Action center||The previous Action center|
|Lists pending and completed actions for devices and email in one location
(Microsoft Defender for Endpoint plus Microsoft Defender for Office 365)
|Lists pending and completed actions for devices
(Microsoft Defender for Endpoint only)
|Is located at:
|Is located at:
|In the Microsoft 365 security center, choose Action center.
|In the Microsoft Defender Security Center, choose Automated investigations > Action center.
The unified Action center brings together remediation actions across Defender for Endpoint and Defender for Office 365. It defines a common language for all remediation actions, and provides a unified investigation experience.
You can use the unified Action center if you have appropriate permissions and one or more of the following subscriptions:
To learn more, see Requirements.
Using the Action center
To get to the unified Action center in the improved Microsoft 365 security center:
- Go to the Microsoft 365 security center (https://security.microsoft.com) and sign in.
- In the navigation pane, select Action center.
When you visit the Action center, you see two tabs: Pending actions and History. The following table summarizes what you'll see on each tab:
|Pending||Displays a list of actions that require attention. You can approve or reject actions one at a time, or select multiple actions if they have the same type of action (such as Quarantine file).
TIP: Make sure to review and approve (or reject) pending actions as soon as possible so that your automated investigations can complete in a timely manner.
|History||Serves as an audit log for actions that were taken, such as:
- Remediation actions that were taken as a result of automated investigations
- Remediation actions that were approved by your security operations team
- Commands that were run and remediation actions that were applied during Live Response sessions
- Remediation actions that were taken by threat protection features in Microsoft Defender Antivirus
Provides a way to undo certain actions (see Undo completed actions).
You can customize, sort, filter, and export data in the Action center.
- Select a column heading to sort items in ascending or descending order.
- Use the time period filter to view data for the past day, week, 30 days, or 6 months.
- Choose the columns that you want to view.
- Specify how many items to include on each page of data.
- Use filters to view just the items you want to see.
- Select Export to export results to a .csv file.
- View and approve remediation actions
- See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint