View and manage actions in the Action center
Applies to:
- Microsoft Defender XDR
Threat protection features in Microsoft Defender XDR can result in certain remediation actions. Here are some examples:
- Automated investigations can result in remediation actions that are taken automatically or await your approval.
- Antivirus, antimalware, and other threat protection features can result in remediation actions, such as blocking a file, URL, or process, or sending an artifact to quarantine.
- Your security operations team can take remediation actions manually, such as during advanced hunting or while investigating alerts or incidents.
Note
You must have appropriate permissions to approve or reject remediation actions. For more information, see the prerequisites.
To navigate to the Action center, take one of the following steps:
- Go to https://security.microsoft.com/action-center; or
- In the Microsoft Defender portal (https://security.microsoft.com), in the Automated investigation & response card, select Approve in Action Center.
Review pending actions in the Action center
It's important to approve (or reject) pending actions as soon as possible so that your automated investigations can proceed and complete in a timely manner.
Go to Microsoft Defender portal and sign in.
In the navigation pane under Actions and submissions, choose Action center.
In the Action center, on the Pending tab, select an item in the list. Its flyout pane opens. Here's an example.
Review the information in the flyout pane, and then take one of the following steps:
- Select Open investigation page to view more details about the investigation.
- Select Approve to initiate a pending action.
- Select Reject to prevent a pending action from being taken.
- Select Go hunt to go into Advanced hunting.
Tip
You now have more options to review and approve/reject a remediation action. In addition to using the Action center, you can also approve or reject a remediation action while reviewing an incident. For more information, see Approve or reject remediation actions.
Undo completed actions
If you've determined that a device or a file is not a threat, you can undo remediation actions that were taken, whether those actions were taken automatically or manually. In the Action center, on the History tab, you can undo any of the following actions:
Action source | Supported Actions |
---|---|
- Automated investigation - Microsoft Defender Antivirus - Manual response actions |
- Isolate device - Contain device - Contain user - Restrict code execution - Quarantine a file - Remove a registry key - Stop a service - Disable a driver - Remove a scheduled task |
Undo one remediation action
Go to the Action center (https://security.microsoft.com/action-center) and sign in.
On the History tab, select an action that you want to undo.
In the pane on the right side of the screen, select Undo.
Undo multiple remediation actions
Go to the Action center (https://security.microsoft.com/action-center) and sign in.
On the History tab, select the actions that you want to undo. Make sure to select items that have the same Action type. A flyout pane opens.
In the flyout pane, select Undo.
To remove a file from quarantine across multiple devices
Go to the Action center (https://security.microsoft.com/action-center) and sign in.
On the History tab, select a file that has a Quarantine file Action type.
In the pane on the right side of the screen, select Apply to X more instances of this file, and then select Undo.
Next steps
- View the details and results of an automated investigation
- Address false positives or false negatives
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.