The Action center
Applies to:
- Microsoft Defender XDR
The Action center provides a "single pane of glass" experience for incident and alert tasks such as:
- Approving pending remediation actions.
- Viewing an audit log of already approved remediation actions.
- Reviewing completed remediation actions.
Because the Action center provides a comprehensive view of Microsoft Defender XDR at work, your security operations team can operate more effectively and efficiently.
The unified Action center (https://security.microsoft.com/action-center) lists pending and completed remediation actions for your devices, email & collaboration content, and identities in one location.
For example:
- If you were using the Action center in the Microsoft Defender Security Center (https://securitycenter.windows.com/action-center), try the unified Action center in the Microsoft Defender portal.
- If you were already using the Microsoft Defender portal, you'll see several improvements in the Action center (https://security.microsoft.com/action-center).
The unified Action center brings together remediation actions across Microsoft Defender for Endpoint and Microsoft Defender for Office 365. It defines a common language for all remediation actions and provides a unified investigation experience. Your security operations team has a "single pane of glass" experience to view and manage remediation actions.
You can use the unified Action center if you have appropriate permissions and one or more of the following subscriptions:
Tip
To learn more, see Requirements.
You can navigate to the list of actions pending approval in two different ways:
- Go to https://security.microsoft.com/action-center; or
- In the Microsoft Defender portal (https://security.microsoft.com), in the Automated investigation & response card, select Approve in Action Center.
Go to Microsoft Defender portal and sign in.
In the navigation pane under Actions and submissions, choose Action center. Or, in the Automated investigation & response card, select Approve in Action Center.
Use the Pending actions and History tabs. The following table summarizes what you'll see on each tab:
Tab Description Pending Displays a list of actions that require attention. You can approve or reject actions one at a time, or select multiple actions if they have the same type of action (such as Quarantine file).
Make sure to review and approve (or reject) pending actions as soon as possible so that your automated investigations can complete in a timely manner.History Serves as an audit log for actions that were taken, such as: - >Remediation actions that were taken as a result of automated investigations
- Remediation actions that were taken on suspicious or malicious email messages, files, or URLs
- Remediation actions that were approved by your security operations team
- Commands that were run and remediation actions that were applied during Live Response sessions
- Remediation actions that were taken by your antivirus protection
Provides a way to undo certain actions (see Undo completed actions).You can customize, sort, filter, and export data in the Action center.
- Select a column heading to sort items in ascending or descending order.
- Use the time period filter to view data for the past day, week, 30 days, or 6 months.
- Choose the columns that you want to view.
- Specify how many items to include on each page of data.
- Use filters to view just the items you want to see.
- Select Export to export results to a .csv file.
All actions, whether they're pending approval or were already taken, are tracked in the Action center. Available actions include the following:
- Collect investigation package
- Isolate device (this action can be undone)
- Offboard machine
- Release code execution
- Release from quarantine
- Request sample
- Restrict code execution (this action can be undone)
- Run antivirus scan
- Stop and quarantine
- Contain devices from the network
In addition to remediation actions that are taken automatically as a result of automated investigations, the Action center also tracks actions your security team has taken to address detected threats, and actions that were taken as a result of threat protection features in Microsoft Defender XDR. For more information about automatic and manual remediation actions, see Remediation actions.
The improved Action center includes an Action source column that tells you where each action came from. The following table describes possible Action source values:
Action source value | Description |
---|---|
Manual device action | A manual action taken on a device. Examples include device isolation or file quarantine. |
Manual email action | A manual action taken on email. An example includes soft-deleting email messages or remediating an email message. |
Automated device action | An automated action taken on an entity, such as a file or process. Examples of automated actions include sending a file to quarantine, stopping a process, and removing a registry key. (See Remediation actions in Microsoft Defender for Endpoint.) |
Automated email action | An automated action taken on email content, such as an email message, attachment, or URL. Examples of automated actions include soft-deleting email messages, blocking URLs, and turning off external mail forwarding. (See Remediation actions in Microsoft Defender for Office 365.) |
Advanced hunting action | Actions taken on devices or email with advanced hunting. |
Explorer action | Actions taken on email content with Explorer. |
Manual live response action | Actions taken on a device with live response. Examples include deleting a file, stopping a process, and removing a scheduled task. |
Live response action | Actions taken on a device with Microsoft Defender for Endpoint APIs. Examples of actions include isolating a device, running an antivirus scan, and getting information about a file. |
To perform tasks, such as approving or rejecting pending actions in the Action center, you need specific permissions. You have the following options:
Microsoft Entra permissions: Membership these roles gives users the required permissions and permissions for other features in Microsoft 365:
Microsoft Defender for Endpoint remediation (devices): Membership in the Security Administrator role.
Microsoft Defender for Office 365 remediation (Office content and email):
- Membership in the Security Administrator role.
and
- Membership in a role group in Email & collaboration permissions with the Search and Purge role assigned. By default, this role is assigned only to the Data Investigator and Organization Management role groups in Email & collaboration permissions. You can add users to those role groups, or you can create a new role group in Email & collaboration permissions with the Search and Purge role assigned, and add the users to the custom role group.
Email & collaboration permissions in the Microsoft Defender portal:
Microsoft Defender for Office 365 remediation (Office content and email):
- Membership in the Security Administrator role group
and
- Membership in a role group in Email & collaboration permissions with the Search and Purge role assigned. By default, this role is assigned only to the Data Investigator and Organization Management role groups in Email & collaboration permissions. You can add users to those role groups, or you can create a new role group in Email & collaboration permissions with the Search and Purge role assigned, and add the users to the custom role group.
Microsoft Defender XDR Unified role based access control (RBAC)
- Microsoft Defender for Endpoint remediation: Security operations \ Security data \ Response (manage).
- Microsoft Defender for Office 365 remediation (Office content and email, if Email & collaboration > Defender for Office 365 permissions is
Active. Affects the Defender portal only, not PowerShell):
- Read access for email and Teams message headers: Security operations/Raw data (email & collaboration)/Email & collaboration metadata (read).
- Remediate malicious email: Security operations/Security data/Email & collaboration advanced actions (manage).
Tip
Membership in the Security Administrator role group Email & collaboration permissions doesn't grant access to the Action center or Microsoft Defender XDR capabilities. For those, you need to be a member of the Security Administrator role in Microsoft Entra permissions.
Defender for Endpoint permissions:
- Microsoft Defender for Endpoint remediation (devices): Membership in the Active remediation actions role.
Tip
Members of the Global Administrator role in Microsoft Entra ID can approve or reject any pending action in the Action center. However, as a best practice, you should limit the members of the Global Administrator role. We recommend using the alternative roles and role groups as described in the previous list for Action center permissions.
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.