Edit

The Action center

  • Article

Applies to:

  • Microsoft Defender XDR

The Action center provides a "single pane of glass" experience for incident and alert tasks such as:

  • Approving pending remediation actions.
  • Viewing an audit log of already approved remediation actions.
  • Reviewing completed remediation actions.

Because the Action center provides a comprehensive view of Microsoft Defender XDR at work, your security operations team can operate more effectively and efficiently.

The unified Action center

The unified Action center (https://security.microsoft.com/action-center) lists pending and completed remediation actions for your devices, email & collaboration content, and identities in one location.

The unified Action center in the Microsoft Defender portal.

For example:

The unified Action center brings together remediation actions across Defender for Endpoint and Defender for Office 365. It defines a common language for all remediation actions and provides a unified investigation experience. Your security operations team has a "single pane of glass" experience to view and manage remediation actions.

You can use the unified Action center if you have appropriate permissions and one or more of the following subscriptions:

Tip

To learn more, see Requirements.

You can navigate to the list of actions pending approval in two different ways:

Using the Action center

  1. Go to Microsoft Defender portal and sign in.

  2. In the navigation pane under Actions and submissions, choose Action center. Or, in the Automated investigation & response card, select Approve in Action Center.

  3. Use the Pending actions and History tabs. The following table summarizes what you'll see on each tab:

    Tab Description
    Pending Displays a list of actions that require attention. You can approve or reject actions one at a time, or select multiple actions if they have the same type of action (such as Quarantine file).

    Make sure to review and approve (or reject) pending actions as soon as possible so that your automated investigations can complete in a timely manner.
    History Serves as an audit log for actions that were taken, such as:
    - Remediation actions that were taken as a result of automated investigations
    - Remediation actions that were taken on suspicious or malicious email messages, files, or URLs
    - Remediation actions that were approved by your security operations team
    - Commands that were run and remediation actions that were applied during Live Response sessions
    - Remediation actions that were taken by your antivirus protection

    Provides a way to undo certain actions (see Undo completed actions).

  4. You can customize, sort, filter, and export data in the Action center.

    Screenshot that shows the sort, filter, and customize capabilities of the Action center.

    • Select a column heading to sort items in ascending or descending order.
    • Use the time period filter to view data for the past day, week, 30 days, or 6 months.
    • Choose the columns that you want to view.
    • Specify how many items to include on each page of data.
    • Use filters to view just the items you want to see.
    • Select Export to export results to a .csv file.

Actions tracked in the Action center

All actions, whether they're pending approval or were already taken, are tracked in the Action center. Available actions include the following:

  • Collect investigation package
  • Isolate device (this action can be undone)
  • Offboard machine
  • Release code execution
  • Release from quarantine
  • Request sample
  • Restrict code execution (this action can be undone)
  • Run antivirus scan
  • Stop and quarantine
  • Contain devices from the network

In addition to remediation actions that are taken automatically as a result of automated investigations, the Action center also tracks actions your security team has taken to address detected threats, and actions that were taken as a result of threat protection features in Microsoft Defender XDR. For more information about automatic and manual remediation actions, see Remediation actions.

Viewing action source details

(NEW!) The improved Action center now includes an Action source column that tells you where each action came from. The following table describes possible Action source values:

Action source value Description
Manual device action A manual action taken on a device. Examples include device isolation or file quarantine.
Manual email action A manual action taken on email. An example includes soft-deleting email messages or remediating an email message.
Automated device action An automated action taken on an entity, such as a file or process. Examples of automated actions include sending a file to quarantine, stopping a process, and removing a registry key. (See Remediation actions in Microsoft Defender for Endpoint.)
Automated email action An automated action taken on email content, such as an email message, attachment, or URL. Examples of automated actions include soft-deleting email messages, blocking URLs, and turning off external mail forwarding. (See Remediation actions in Microsoft Defender for Office 365.)
Advanced hunting action Actions taken on devices or email with advanced hunting.
Explorer action Actions taken on email content with Explorer.
Manual live response action Actions taken on a device with live response. Examples include deleting a file, stopping a process, and removing a scheduled task.
Live response action Actions taken on a device with Microsoft Defender for Endpoint APIs. Examples of actions include isolating a device, running an antivirus scan, and getting information about a file.

Required permissions for Action center tasks

To perform tasks, such as approving or rejecting pending actions in the Action center, you must have permissions assigned as listed in the following table:

Remediation action Required roles and permissions
Microsoft Defender for Endpoint remediation (devices) Security Administrator role assigned in either Microsoft Entra ID (https://portal.azure.com) or the Microsoft 365 admin center (https://admin.microsoft.com)
--- or ---
Active remediation actions role assigned in Microsoft Defender for Endpoint

To learn more, see the following resources:
- Microsoft Entra built-in roles
- Create and manage roles for role-based access control (Microsoft Defender for Endpoint)
Microsoft Defender for Office 365 remediation (Office content and email) Security Administrator role assigned in either Microsoft Entra ID (https://portal.azure.com) or the Microsoft 365 admin center (https://admin.microsoft.com)
--- and ---
Search and Purge role assigned in the Microsoft Defender XDR > Email & collaboration roles

IMPORTANT: If you have the Security Administrator role assigned only in the Microsoft Defender XDR > Email & collaboration roles, you will not be able to access the Action center or Microsoft Defender XDR capabilities. You must have the Security Administrator role assigned in Microsoft Entra ID or the Microsoft 365 admin center.

To learn more, see the following resources:
- Microsoft Entra built-in roles
- Permissions in the Security & Compliance Center

Tip

Users who have the Global Administrator role assigned in Microsoft Entra ID can approve or reject any pending action in the Action center. However, as a best practice, your organization should limit the number of people who have the Global Administrator role assigned. We recommend using the Security Administrator, Active remediation actions, and Search and Purge roles listed in the preceding table for Action center permissions.

Next step

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.