Microsoft Defender for Identity alerts transitioning to XDR-based detection platform

Microsoft Defender for Identity classic alerts will transition to the XDR detection platform on September 18, 2025, improving detection accuracy and performance. Users must update workflows with new Detector IDs and reconfigure alert exclusions using XDR Alert Tuning rules.

On September 18, 2025, the following Microsoft Defender for Identity classic alerts will be moved to the MDI XDR detection platform. This transition is part of our ongoing effort to enhance detection capabilities across the environment. The move to XDR enables:

• Improved detection logic helping to reduce false positives.
• Enhanced performance 

MDI Classic Alerts moving to MDI XDR alerts

Alert title	External ID
Active Directory attributes Reconnaissance using LDAP	2210
User and IP address reconnaissance	2012
Account enumeration reconnaissance	2003
Suspected brute-force attack (LDAP)	2004
Suspicious network connection over Encrypting File System Remote Protocol	2416

New MDI XDR Alerts

Alert Title	Detector ID
Active Directory attributes Reconnaissance using LDAP	xdr_LdapSensitiveAttributeReconnaissanceSecurityAlert
User and IP address reconnaissance (SMB)	xdr_SmbSessionEnumeration
Account enumeration reconnaissance in AD FS	xdr_AccountEnumerationHintSecurityAlertAdfs
Account enumeration in reconnaissance in Kerberos	xdr_AccountEnumerationHintSecurityAlertKerberos
Account enumeration reconnaissance in NTLM	xdr_AccountEnumerationHintSecurityAlertNtlm
Suspected brute-force attack (LDAP)	xdr_LdapBindBruteforce
Suspicious network connection over Encrypting File System Remote Protocol	xdr_SuspiciousConnectionOverEFSRPC

Action Required

• If you are using any of the MDI classic Alert IDs in your workflows or automation, please update them to use the corresponding Detector IDs listed above.
• If you have defined alert exclusions in the MDI settings, you will need to reconfigure those exclusions using XDR Alert Tuning rules.