Retirement of “Suspected identity theft (pass-the-ticket)” classic alert

Introduction

To streamline our alert catalog and focus investment on our unified Microsoft Defender XDR detection capabilities, we’re retiring the “Suspected identity theft (pass‑the‑ticket)” classic alert (External ID: 2018). This retirement aligns with our move toward consolidated XDR alerting and improved detection fidelity.

We recommend using the “Pass‑the‑Ticket (PtT) attack” alert (Detector ID: xdr_PassTheTicketAttack), where ongoing development and enhancements will continue.

When this will happen

We’ll retire the classic alert between March 18, 2026 and March 22, 2026.

How this affects your organization

Who is affected:

• Organizations using Microsoft Defender for Identity within Microsoft Defender XDR services.
• Security operations teams and administrators who rely on classic alerting.

What will happen:

• The “Suspected identity theft (pass‑the‑ticket)” classic alert (External ID: 2018) will stop generating new alerts after retirement.
• Existing historical alerts will remain accessible in your environment.
• The “Pass‑the‑Ticket (PtT) attack” XDR detector (ID: xdr_PassTheTicketAttack) will continue to operate and should be used going forward.
• No changes will be made to user experiences outside security operations.

What you can do to prepare

No admin action is required for this change, but we recommend the following to ensure continuity in your security workflows:

• Update alert triage processes, workflows, and automation to reference the XDR detector IDs.
• Reconfigure alert exclusions or tuning rules using XDR Alert Tuning.
• Notify security and operations teams of the upcoming retirement.
• Update internal documentation to reference the new alert name and detector ID.
• Review Microsoft documentation for configuring XDR Alert Tuning.

Compliance considerations

No compliance considerations identified. Review as appropriate for your organization.