DeltaPulse now has a public MCP server. Add / integrate this tool with your Copilot Agent(s).

MCP Documentation

Retirement of “Suspected identity theft (pass-the-ticket)” classic alert

Message ID
MC1234542
View in Message Center
Service
Microsoft Defender XDR
Category
Plan for Change
Tags
Major Change User impactAdmin impactRetirement
Act By
March 16, 2026
Rollout
March 2026

Summary

The “Suspected identity theft (pass-the-ticket)” classic alert will retire between March 18-22, 2026, replaced by the “Pass-the-Ticket (PtT) attack” XDR alert. Existing alerts remain accessible. No admin action is required, but update workflows, alert tuning, and documentation accordingly. No compliance issues noted.

Details

[Introduction]

To streamline our alert catalog and focus investment on our unified Microsoft Defender XDR detection capabilities, we’re retiring the “Suspected identity theft (pass‑the‑ticket)” classic alert (External ID: 2018). This retirement aligns with our move toward consolidated XDR alerting and improved detection fidelity.

We recommend using the “Pass‑the‑Ticket (PtT) attack” alert (Detector ID: xdr_PassTheTicketAttack), where ongoing development and enhancements will continue.

[When this will happen]

We’ll retire the classic alert between March 18, 2026 and March 22, 2026.

[How this affects your organization]

Who is affected:

  • Organizations using Microsoft Defender for Identity within Microsoft Defender XDR services.
  • Security operations teams and administrators who rely on classic alerting.

What will happen:

  • The “Suspected identity theft (pass‑the‑ticket)” classic alert (External ID: 2018) will stop generating new alerts after retirement.
  • Existing historical alerts will remain accessible in your environment.
  • The “Pass‑the‑Ticket (PtT) attack” XDR detector (ID: xdr_PassTheTicketAttack) will continue to operate and should be used going forward.
  • No changes will be made to user experiences outside security operations.

[What you can do to prepare]

No admin action is required for this change, but we recommend the following to ensure continuity in your security workflows:

  • Update alert triage processes, workflows, and automation to reference the XDR detector IDs.
  • Reconfigure alert exclusions or tuning rules using XDR Alert Tuning.
  • Notify security and operations teams of the upcoming retirement.
  • Update internal documentation to reference the new alert name and detector ID.
  • Review Microsoft documentation for configuring XDR Alert Tuning.

[Compliance considerations]

No compliance considerations identified. Review as appropriate for your organization.

Change History

Show
Published: February 18, 2026
Last Updated: February 18, 2026
No change history available

Never Miss a Microsoft 365 Update

Join thousands of IT professionals who rely on DeltaPulse for real-time Microsoft 365 change intelligence, automated notifications, and community insights.

Explore Dashboard Sign Up Free