
MC1234542 | Retirement of “Suspected identity theft (pass-the-ticket)” classic alert




Classification: planForChange
Last Updated: 02/18/2026 18:21:24
Start Time: 02/18/2026 18:20:53
End Time: 04/22/2026 07:00:00
Action Required By Date: 2026-03-16T07:00:00Z
Message Content

[Introduction]

To streamline our alert catalog and focus investment on our unified Microsoft Defender XDR detection capabilities, we’re retiring the “Suspected identity theft (pass‑the‑ticket)” classic alert (External ID: 2018). This retirement aligns with our move toward consolidated XDR alerting and improved detection fidelity.

We recommend using the “Pass‑the‑Ticket (PtT) attack” alert (Detector ID: xdr_PassTheTicketAttack), where ongoing development and enhancements will continue.

[When this will happen]

We’ll retire the classic alert between March 18, 2026 and March 22, 2026.

[How this affects your organization]

Who is affected:

  • Organizations using Microsoft Defender for Identity within Microsoft Defender XDR services.
  • Security operations teams and administrators who rely on classic alerting.

What will happen:

  • The “Suspected identity theft (pass‑the‑ticket)” classic alert (External ID: 2018) will stop generating new alerts after retirement.
  • Existing historical alerts will remain accessible in your environment.
  • The “Pass‑the‑Ticket (PtT) attack” XDR detector (ID: xdr_PassTheTicketAttack) will continue to operate and should be used going forward.
  • No changes will be made to user experiences outside security operations.

[What you can do to prepare]

No admin action is required for this change, but we recommend the following to ensure continuity in your security workflows:

  • Update alert triage processes, workflows, and automation to reference the XDR detector IDs.
  • Reconfigure alert exclusions or tuning rules using XDR Alert Tuning.
  • Notify security and operations teams of the upcoming retirement.
  • Update internal documentation to reference the new alert name and detector ID.
  • Review Microsoft documentation for configuring XDR Alert Tuning.
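
One way to find triage rules and automation that still key on the classic alert, as an added example (not Microsoft's code). The alert title, External ID 2018 and detector ID come from this notice; the rule names and rule text in `SAMPLE_RULES` are constructed, and the key names matched next to the ID are assumptions about how local tooling stores it.

```python
import re
import unicodedata

# Values taken from the notice.
CLASSIC_TITLE = "Suspected identity theft (pass-the-ticket)"
CLASSIC_EXTERNAL_ID = "2018"
XDR_DETECTOR_ID = "xdr_PassTheTicketAttack"

# Dash look-alikes; the notice itself renders the title with U+2011, so a
# title pasted from it will not equal the ASCII-hyphen form byte for byte.
DASHES = dict.fromkeys(map(ord, "\u2010\u2011\u2012\u2013\u2014\u2212"), "-")

def normalize(text):
    """Fold compatibility forms, dash variants, whitespace runs and case."""
    text = unicodedata.normalize("NFKC", text).translate(DASHES)
    return re.sub(r"\s+", " ", text).casefold()

# "2018" only counts directly after an ID-like key (assumed key names), so
# years inside dates such as 2018-05-01 are not reported.
ID_RE = re.compile(
    r"\b(?:external[ _]?id|alert[ _]?id|id)\b\W{0,4}"
    + CLASSIC_EXTERNAL_ID + r"\b(?!-)"
)

def find_classic_references(rules):
    """Map rule name -> reasons, for rules that still reference the classic alert."""
    title = normalize(CLASSIC_TITLE)
    findings = {}
    for name, body in rules.items():
        text = normalize(body)
        reasons = []
        if title in text:
            reasons.append("classic alert title")
        if ID_RE.search(text):
            reasons.append("external id " + CLASSIC_EXTERNAL_ID)
        if reasons:
            findings[name] = reasons
    return findings

# Constructed sample rule definitions (hypothetical names and syntax).
SAMPLE_RULES = {
    "soar-playbook-17": 'if alert.title == "Suspected identity theft (pass\u2011the\u2011ticket)": page_oncall()',
    "siem-filter-03": '{"source": "MDI", "external_id": 2018, "action": "ticket"}',
    "report-archive": "export alerts where created >= 2018-05-01",
    "xdr-route-01": 'detectorId == "xdr_PassTheTicketAttack" -> tier2',
}

if __name__ == "__main__":
    for name, reasons in find_classic_references(SAMPLE_RULES).items():
        print(f"{name}: {', '.join(reasons)} -> switch to {XDR_DETECTOR_ID}")
```

Rules reported here stop matching new alerts once the classic alert is retired, so each one should be pointed at the XDR detector ID before the retirement window.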

[Compliance considerations]

No compliance considerations identified. Review as appropriate for your organization.