Edit

Share via

Review remediation actions in the Action Center

  • Article

As threats are detected, remediation actions come into play. Depending on the particular threat and how your security settings are configured, remediation actions might be taken automatically or only upon approval. Examples of remediation actions include stopping a process from running or removing a scheduled task.

All remediation actions are tracked in the Action Center.

Screenshot of the ___location of the Action Center in the Microsoft Defender portal.

This article describes:

How to use the Action Center

  1. In the Defender portal at https://security.microsoft.com, go to Actions & submissions > Action Center. Or, to go directly to the Action Center page, use https://security.microsoft.com/action-center.

  2. On the Action Center page, use the available tabs:

    • Pending: View and approve (or reject) any pending actions. Actions on the Pending tab can arise from anti-virus protection, anti-malware protection, automated investigations, manual response activities, or live response sessions.
    • History: View completed actions.

Remediation actions

Defender for Business includes several remediation actions. These actions include manual response actions, actions following automated investigation, and live response actions.

The following table lists remediation actions that are available.

Source Actions
Automatic attack disruption
    Contain a device
  • Contain a user account on a device
  • Disable a user account
Automated investigations
    Quarantine a file
  • Remove a registry key
  • Kill a process
  • Stop a service
  • Disable a driver
  • Remove a scheduled task
Manual response actions
    Run antivirus scan
  • Isolate a device
  • Add an indicator to block or allow a file
Live response
    Collect forensic data
  • Analyze a file
  • Run a script
  • Send a suspicious entity to Microsoft for analysis
  • Remediate a file
  • Proactively hunt for threats

Next steps