check before: 2026-01-11
Product:
Defender, Defender for Endpoint, Defender XDR
Platform:
Online, World tenant
Status:
Change type:
Retirement
Links:
Details:
Summary:
Threat actor attribution will be removed from Microsoft Defender for Endpoint alert pages on January 12, 2026, and moved to the Incident page and Threat Intelligence section. This change improves alert clarity without affecting detection or security. No admin action is needed, but update workflows accordingly.
Details:
We'd like to inform you that threat actor attribution details will soon be removed from the alert page in Microsoft Defender for Endpoint. This change is designed to improve clarity and focus in alert content. Threat actor attribution is more meaningful and actionable when viewed in the context of the broader incident rather than at the individual alert level.
After this change, attribution details will be available on the Incident page and in the Threat Intelligence section within the Microsoft Defender portal.
When this will happen
January 12, 2026: Threat actor attribution information will be retired from alert pages.
Release Phase:
Created:
2025-11-18
Updated:
2025-11-18
Direct effects for Operations**
Loss of Immediate Context in Alerts
Removal of threat actor attribution from alert pages may lead to confusion during incident response, as security teams will need to adjust to a new workflow for accessing this information.
- roles: Security Analysts, Incident Responders
- references: https://techcommunity.microsoft.com/t5/security-compliance-identity/microsoft-defender-for-endpoint-threat-actor-attribution/ba-p/3851230
Increased Response Time
Security teams may experience delays in incident response due to the need to navigate to the Incident page for attribution details, potentially impacting the speed of threat mitigation.
- roles: Security Analysts, SOC Managers
- references: https://techcommunity.microsoft.com/t5/security-compliance-identity/microsoft-defender-for-endpoint-threat-actor-attribution/ba-p/3851230
Workflow Disruption
Existing workflows that depend on alert-level actor attribution will be disrupted, requiring updates to incident investigation processes and automation rules.
- roles: Security Engineers, IT Operations Managers
- references: https://techcommunity.microsoft.com/t5/security-compliance-identity/microsoft-defender-for-endpoint-threat-actor-attribution/ba-p/3851230
Training and Knowledge Gaps
Security teams may require additional training to adapt to the new system of accessing threat actor attribution, leading to potential knowledge gaps during the transition period.
- roles: Security Trainers, Team Leads
- references: https://techcommunity.microsoft.com/t5/security-compliance-identity/microsoft-defender-for-endpoint-threat-actor-attribution/ba-p/3851230
Potential for Increased Security Risks
If teams fail to adapt quickly to the new attribution access method, there may be a temporary increase in security risks due to slower response times to threats.
- roles: CISO, Security Analysts
- references: https://techcommunity.microsoft.com/t5/security-compliance-identity/microsoft-defender-for-endpoint-threat-actor-attribution/ba-p/3851230
** AI generated content. This information must be reviewed before use.