Services
Microsoft Defender XDR
Summary
Microsoft Defender for Identity classic alerts will transition to the XDR detection platform on September 18, 2025, improving detection accuracy and performance. Users must update workflows with new Detector IDs and reconfigure alert exclusions using XDR Alert Tuning rules.
Details
On September 18, 2025, the following Microsoft Defender for Identity classic alerts will be moved to the MDI XDR detection platform. This transition is part of our ongoing effort to enhance detection capabilities across the environment. The move to XDR enables:
- Improved detection logic helping to reduce false positives.
- Enhanced performance
MDI Classic Alerts moving to MDI XDR alerts
| Alert title | External ID |
| Active Directory attributes Reconnaissance using LDAP | 2210 |
| User and IP address reconnaissance | 2012 |
| Account enumeration reconnaissance | 2003 |
| Suspected brute-force attack (LDAP) | 2004 |
| Suspicious network connection over Encrypting File System Remote Protocol | 2416 |
New MDI XDR Alerts
| Alert Title | Detector ID |
| Active Directory attributes Reconnaissance using LDAP | xdr_LdapSensitiveAttributeReconnaissanceSecurityAlert |
| User and IP address reconnaissance (SMB) | xdr_SmbSessionEnumeration |
| Account enumeration reconnaissance in AD FS | xdr_AccountEnumerationHintSecurityAlertAdfs |
| Account enumeration in reconnaissance in Kerberos | xdr_AccountEnumerationHintSecurityAlertKerberos |
| Account enumeration reconnaissance in NTLM | xdr_AccountEnumerationHintSecurityAlertNtlm |
| Suspected brute-force attack (LDAP) | xdr_LdapBindBruteforce |
| Suspicious network connection over Encrypting File System Remote Protocol | xdr_SuspiciousConnectionOverEFSRPC |
Action Required
- If you are using any of the MDI classic Alert IDs in your workflows or automation, please update them to use the corresponding Detector IDs listed above.
- If you have defined alert exclusions in the MDI settings, you will need to reconfigure those exclusions using XDR Alert Tuning rules.