Visit the Action center to see remediation actions

During and after an automated investigation, remediation actions for threat detections are identified. Depending on the particular threat and how Microsoft Defender for Endpoint is configured for your organization, some remediation actions are taken automatically, and others require approval. If you're part of your organization's security operations team, you can view pending and completed remediation actions in the Action center.

Applies to:

(NEW!) A unified Action center

We are pleased to announce a new, unified Action center (https://security.microsoft.com/action-center)!

Action center in Microsoft 365 security center

The following table compares the new, unified Action center to the previous Action center.

The new, unified Action center The previous Action center
Lists pending and completed actions for devices and email in one location
(Microsoft Defender for Endpoint plus Microsoft Defender for Office 365)
Lists pending and completed actions for devices
(Microsoft Defender for Endpoint only)
Is located at:
https://security.microsoft.com/action-center
Is located at:
https://securitycenter.windows.com/action-center
In the Microsoft 365 security center, choose Action center.

Navigating to the Action Center in the Microsoft 365 security center

In the Microsoft Defender Security Center, choose Automated investigations > Action center.

Navigating to the Action center from the Microsoft Defender Security Center

The unified Action center brings together remediation actions across Defender for Endpoint and Defender for Office 365. It defines a common language for all remediation actions, and provides a unified investigation experience.

You can use the unified Action center if you have appropriate permissions and one or more of the following subscriptions:

Tip

To learn more, see Requirements.

Using the Action center

To get to the unified Action center in the improved Microsoft 365 security center:

  1. Go to the Microsoft 365 security center (https://security.microsoft.com) and sign in.
  2. In the navigation pane, select Action center.

When you visit the Action center, you see two tabs: Pending actions and History. The following table summarizes what you'll see on each tab:

Tab Description
Pending Displays a list of actions that require attention. You can approve or reject actions one at a time, or select multiple actions if they have the same type of action (such as Quarantine file).
TIP: Make sure to review and approve (or reject) pending actions as soon as possible so that your automated investigations can complete in a timely manner.
History Serves as an audit log for actions that were taken, such as:
- Remediation actions that were taken as a result of automated investigations
- Remediation actions that were approved by your security operations team
- Commands that were run and remediation actions that were applied during Live Response sessions
- Remediation actions that were taken by threat protection features in Microsoft Defender Antivirus

Provides a way to undo certain actions (see Undo completed actions).

You can customize, sort, filter, and export data in the Action center.

Columns and filters in the Action center

  • Select a column heading to sort items in ascending or descending order.
  • Use the time period filter to view data for the past day, week, 30 days, or 6 months.
  • Choose the columns that you want to view.
  • Specify how many items to include on each page of data.
  • Use filters to view just the items you want to see.
  • Select Export to export results to a .csv file.

Next steps

See also