MC1234542: Retirement of “Suspected identity theft (pass-the-ticket)” classic alert

Summary

  • Microsoft is retiring the “Suspected identity theft (pass-the-ticket)” classic alert to focus on unified Microsoft Defender XDR capabilities.
  • The new “Pass-the-Ticket (PtT) attack” alert will continue to receive updates and should be used moving forward.
  • Existing historical alerts will remain accessible, but no new alerts will be generated for the retired classic alert.
  • Organizations that use Microsoft Defender for Identity, and their security teams, should update processes and notify teams about this change.
  • No compliance considerations have been identified for this change.

Admin Impact: Medium
User Impact: Low
Release Start: 18 Mar 2026
Release End: 22 Mar 2026
Services: Defender XDR
Category: Plan for change
Tags: User Adoption, Admin Action, Retirement

History

2/18/2026 Item Added to Message Center

Microsoft Message

Introduction

To streamline our alert catalog and focus investment on our unified Microsoft Defender XDR detection capabilities, we’re retiring the “Suspected identity theft (pass‑the‑ticket)” classic alert (External ID: 2018). This retirement aligns with our move toward consolidated XDR alerting and improved detection fidelity.

We recommend using the “Pass‑the‑Ticket (PtT) attack” alert (Detector ID: xdr_PassTheTicketAttack), where ongoing development and enhancements will continue.

When this will happen

We’ll retire the classic alert between March 18, 2026 and March 22, 2026.

How this affects your organization

Who is affected:

  • Organizations using Microsoft Defender for Identity within Microsoft Defender XDR services.
  • Security operations teams and administrators who rely on classic alerting.

What will happen:

  • The “Suspected identity theft (pass‑the‑ticket)” classic alert (External ID: 2018) will stop generating new alerts after retirement.
  • Existing historical alerts will remain accessible in your environment.
  • The “Pass‑the‑Ticket (PtT) attack” XDR detector (ID: xdr_PassTheTicketAttack) will continue to operate and should be used going forward.
  • No changes will be made to user experiences outside security operations.

What you can do to prepare

No admin action is required for this change, but we recommend the following to ensure continuity in your security workflows:

  • Update alert triage processes, workflows, and automation to reference the XDR detector IDs.
  • Reconfigure alert exclusions or tuning rules using XDR Alert Tuning.
  • Notify security and operations teams of the upcoming retirement.
  • Update internal documentation to reference the new alert name and detector ID.
  • Review Microsoft documentation for configuring XDR Alert Tuning.
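
One way to inventory automation that still keys on the classic alert, as an added example (not Microsoft's code): a scanner that flags lines referencing the classic alert title or External ID 2018 so they can be moved to xdr_PassTheTicketAttack. The sample files and their field names are constructed and hypothetical; the scan folds the non-breaking hyphens that appear in the alert name when it is copied from a portal or document.

```python
import re
import unicodedata

# Identifiers taken from the notice above.
CLASSIC_TITLE = "suspected identity theft (pass-the-ticket)"
CLASSIC_EXTERNAL_ID = "2018"
XDR_DETECTOR_ID = "xdr_PassTheTicketAttack"

# Hyphen look-alikes (U+2010..U+2015, U+2212) that get substituted for "-".
_DASHES = dict.fromkeys(map(ord, "\u2010\u2011\u2012\u2013\u2014\u2015\u2212"), "-")
# "2018" counts only next to an external-ID style key, so years and dates are ignored.
_ID_RE = re.compile(r"external[\s_]*id\W{0,4}" + CLASSIC_EXTERNAL_ID + r"\b")

def normalize(text):
    """Fold compatibility forms, dash variants, whitespace runs and case."""
    text = unicodedata.normalize("NFKC", text).translate(_DASHES)
    return re.sub(r"\s+", " ", text).casefold()

def find_classic_references(name, text):
    """Return (name, line_no, reason) for each line still tied to the classic alert."""
    hits = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = normalize(raw)
        if CLASSIC_TITLE in line:
            hits.append((name, no, "classic alert title"))
        elif _ID_RE.search(line):
            hits.append((name, no, "classic External ID"))
    return hits

def scan(files):
    """Scan a mapping of file name -> file text and collect every hit."""
    return [h for name, text in files.items() for h in find_classic_references(name, text)]

# Constructed sample automation files; field names are hypothetical.
SAMPLES = {
    "triage-playbook.json": """{
  "alertTitle": "Suspected identity theft (pass\u2011the\u2011ticket)",
  "created": "2018-05-01"
}""",
    "siem-filter.txt": "where ExternalId == 2018  // suppress lab DC\nwhere year == 2018",
    "migrated-rule.yaml": "detectorId: xdr_PassTheTicketAttack\ntitle: Pass-the-Ticket (PtT) attack",
}

if __name__ == "__main__":
    for name, no, reason in scan(SAMPLES):
        print(f"{name}:{no}: {reason}; switch to detector ID {XDR_DETECTOR_ID}")
```
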

Compliance considerations

No compliance considerations identified. Review as appropriate for your organization.