The Action center

Applies to:

  • Microsoft Defender XDR

The Action center provides a "single pane of glass" experience for incident and alert tasks such as:

  • Approving pending remediation actions.
  • Viewing an audit log of already approved remediation actions.
  • Reviewing completed remediation actions.

Because the Action center provides a comprehensive view of Microsoft Defender XDR at work, your security operations team can operate more effectively and efficiently.

The unified Action center

The unified Action center (https://security.microsoft.com/action-center) lists pending and completed remediation actions for your devices, email & collaboration content, and identities in one location.

The unified Action center in the Microsoft Defender portal.

For example:

The unified Action center brings together remediation actions across Microsoft Defender for Endpoint and Microsoft Defender for Office 365. It defines a common language for all remediation actions and provides a unified investigation experience. Your security operations team has a "single pane of glass" experience to view and manage remediation actions.

You can use the unified Action center if you have appropriate permissions and one or more of the following subscriptions:

Tip

To learn more, see Requirements.

You can navigate to the list of actions pending approval in two different ways:

Using the Action center

  1. Go to Microsoft Defender portal and sign in.

  2. In the navigation pane under Actions and submissions, choose Action center. Or, in the Automated investigation & response card, select Approve in Action Center.

  3. Use the Pending actions and History tabs. The following table summarizes what you'll see on each tab:

    Tab Description
    Pending Displays a list of actions that require attention. You can approve or reject actions one at a time, or select multiple actions if they have the same type of action (such as Quarantine file).

    Make sure to review and approve (or reject) pending actions as soon as possible so that your automated investigations can complete in a timely manner.
    History Serves as an audit log for actions that were taken, such as:
    • >Remediation actions that were taken as a result of automated investigations
    • Remediation actions that were taken on suspicious or malicious email messages, files, or URLs
    • Remediation actions that were approved by your security operations team
    • Commands that were run and remediation actions that were applied during Live Response sessions
    • Remediation actions that were taken by your antivirus protection


    Provides a way to undo certain actions (see Undo completed actions).
  4. You can customize, sort, filter, and export data in the Action center.

    Screenshot that shows the sort, filter, and customize capabilities of the Action center.

    • Select a column heading to sort items in ascending or descending order.
    • Use the time period filter to view data for the past day, week, 30 days, or 6 months.
    • Choose the columns that you want to view.
    • Specify how many items to include on each page of data.
    • Use filters to view just the items you want to see.
    • Select Export to export results to a .csv file.

Actions tracked in the Action center

All actions, whether they're pending approval or were already taken, are tracked in the Action center. Available actions include the following:

  • Collect investigation package
  • Isolate device (this action can be undone)
  • Offboard machine
  • Release code execution
  • Release from quarantine
  • Request sample
  • Restrict code execution (this action can be undone)
  • Run antivirus scan
  • Stop and quarantine
  • Contain devices from the network

In addition to remediation actions that are taken automatically as a result of automated investigations, the Action center also tracks actions your security team has taken to address detected threats, and actions that were taken as a result of threat protection features in Microsoft Defender XDR. For more information about automatic and manual remediation actions, see Remediation actions.

Viewing action source details

The improved Action center includes an Action source column that tells you where each action came from. The following table describes possible Action source values:

Action source value Description
Manual device action A manual action taken on a device. Examples include device isolation or file quarantine.
Manual email action A manual action taken on email. An example includes soft-deleting email messages or remediating an email message.
Automated device action An automated action taken on an entity, such as a file or process. Examples of automated actions include sending a file to quarantine, stopping a process, and removing a registry key. (See Remediation actions in Microsoft Defender for Endpoint.)
Automated email action An automated action taken on email content, such as an email message, attachment, or URL. Examples of automated actions include soft-deleting email messages, blocking URLs, and turning off external mail forwarding. (See Remediation actions in Microsoft Defender for Office 365.)
Advanced hunting action Actions taken on devices or email with advanced hunting.
Explorer action Actions taken on email content with Explorer.
Manual live response action Actions taken on a device with live response. Examples include deleting a file, stopping a process, and removing a scheduled task.
Live response action Actions taken on a device with Microsoft Defender for Endpoint APIs. Examples of actions include isolating a device, running an antivirus scan, and getting information about a file.

Required permissions for Action center tasks

To perform tasks, such as approving or rejecting pending actions in the Action center, you need specific permissions. You have the following options:

  • Microsoft Entra permissions: Membership these roles gives users the required permissions and permissions for other features in Microsoft 365:

    • Microsoft Defender for Endpoint remediation (devices): Membership in the Security Administrator role.

    • Microsoft Defender for Office 365 remediation (Office content and email):

      • Membership in the Security Administrator role.

      and

  • Email & collaboration permissions in the Microsoft Defender portal:

    • Microsoft Defender for Office 365 remediation (Office content and email):

      • Membership in the Security Administrator role group

      and

  • Microsoft Defender XDR Unified role based access control (RBAC)

    • Microsoft Defender for Endpoint remediation: Security operations \ Security data \ Response (manage).
    • Microsoft Defender for Office 365 remediation (Office content and email, if Email & collaboration > Defender for Office 365 permissions is Active. Affects the Defender portal only, not PowerShell):
      • Read access for email and Teams message headers: Security operations/Raw data (email & collaboration)/Email & collaboration metadata (read).
      • Remediate malicious email: Security operations/Security data/Email & collaboration advanced actions (manage).

    Tip

    Membership in the Security Administrator role group Email & collaboration permissions doesn't grant access to the Action center or Microsoft Defender XDR capabilities. For those, you need to be a member of the Security Administrator role in Microsoft Entra permissions.

  • Defender for Endpoint permissions:

    • Microsoft Defender for Endpoint remediation (devices): Membership in the Active remediation actions role.

Tip

Members of the Global Administrator role in Microsoft Entra ID can approve or reject any pending action in the Action center. However, as a best practice, you should limit the members of the Global Administrator role. We recommend using the alternative roles and role groups as described in the previous list for Action center permissions.

Next step

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.