Services
Summary
Threat actor attribution will be removed from Microsoft Defender for Endpoint alert pages on January 12, 2026, and moved to the Incident page and Threat Intelligence section. This change improves alert clarity without affecting detection or security. No admin action is needed, but update workflows accordingly.
Details
We’d like to inform you that threat actor attribution details will soon be removed from the alert page in Microsoft Defender for Endpoint. This change is designed to improve clarity and focus in alert content. Threat actor attribution is more meaningful and actionable when viewed in the context of the broader incident rather than at the individual alert level.
After this change, attribution details will be available on the Incident page and in the Threat Intelligence section within the Microsoft Defender portal.
When this will happen
January 12, 2026: Threat actor attribution information will be retired from alert pages.
How this affects your organization
Who is affected: Admins and security teams using Microsoft Defender for Endpoint.
What will happen:
- Threat actor attribution will no longer appear on individual alert pages.
- Attribution details will be available on the Incident page and in the Threat Intelligence experience.
- No impact to alert generation, detection logic, or security effectiveness.
What you can do to prepare
- No admin action is required; this change will occur automatically.
- If your workflows currently rely on alert-level actor attribution, review incident-based investigation processes to ensure continuity.
- Update internal workflows, playbooks, or automation rules to retrieve attribution from the Incident page or Threat Intelligence section.
- Inform SOC and threat intelligence teams about this change.
Compliance considerations
No compliance considerations identified, review as appropriate for your organization.