MC1137610 – Microsoft Defender for Identity alerts transitioning to XDR-based detection platform (archived)

check before: 2025-09-17

Product:

Defender, Defender for Identity, Defender XDR

Platform:

Online, World tenant

Status:

Change type:

Feature update, Admin impact

Links:

Summary:
On September 18, 2025, five Microsoft Defender for Identity (MDI) classic alerts move to the Defender XDR detection platform, with improved detection logic and performance. Any workflow or automation keyed on the classic alert External IDs must be updated to the new Detector IDs, and alert exclusions defined in MDI settings must be recreated as XDR Alert Tuning rules.

Details:
On September 18, 2025, the following Microsoft Defender for Identity classic alerts will be moved to the MDI XDR detection platform. This transition is part of our ongoing effort to enhance detection capabilities across the environment. The move to XDR enables:
   - Improved detection logic, helping to reduce false positives
   - Enhanced performance
MDI Classic Alerts moving to MDI XDR alerts

Alert title                                                                External ID
Active Directory attributes Reconnaissance using LDAP                      2210
User and IP address reconnaissance                                         2012
Account enumeration reconnaissance                                         2003
Suspected brute-force attack (LDAP)                                        2004
Suspicious network connection over Encrypting File System Remote Protocol  2416

New MDI XDR Alerts

Alert title                                                                Detector ID
Active Directory attributes Reconnaissance using LDAP                      xdr_LdapSensitiveAttributeReconnaissanceSecurityAlert
User and IP address reconnaissance (SMB)                                   xdr_SmbSessionEnumeration
Account enumeration reconnaissance in AD FS                                xdr_AccountEnumerationHintSecurityAlertAdfs
Account enumeration reconnaissance in Kerberos                             xdr_AccountEnumerationHintSecurityAlertKerberos
Account enumeration reconnaissance in NTLM                                 xdr_AccountEnumerationHintSecurityAlertNtlm
Suspected brute-force attack (LDAP)                                        xdr_LdapBindBruteforce
Suspicious network connection over Encrypting File System Remote Protocol  xdr_SuspiciousConnectionOverEFSRPC

Note that the mapping is not one-to-one: classic External ID 2003 (Account enumeration reconnaissance) is replaced by three protocol-specific detectors (AD FS, Kerberos, NTLM), and 2012 is replaced by an SMB-specific detector.

Action Required
If you are using any of the MDI classic alert External IDs (2210, 2012, 2003, 2004, 2416) in your workflows or automation, update them to use the corresponding Detector IDs listed above. A rule keyed on 2003 must be expanded to cover all three account enumeration detectors, or the protocol variants you leave out will go unhandled.
If you have defined alert exclusions in the MDI settings, they will need to be recreated as XDR Alert Tuning rules; otherwise the previously excluded activity will start raising alerts again once the new detectors are live.
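The following script is an added example of the ID migration described above; it is not Microsoft's code and not part of the original message. It takes the classic-to-XDR mapping from this page and rewrites a routing rule set, handling the one-to-many case (2003 becomes three rules) and reporting classic IDs with no mapping. The rule-file layout and the field names "externalId" and "detectorId" are assumptions about a generic SOAR/SIEM config, and the sample rules are constructed for the demonstration.

```python
"""Rewrite automation keyed on MDI classic External IDs to XDR Detector IDs.

Added example for MC1137610; not Microsoft's code. The rule-file shape and the
field names "externalId" / "detectorId" are assumptions about a generic
SOAR/SIEM routing config, and the sample rules below are constructed.
"""
import json

# Classic External ID -> XDR Detector ID(s), as listed in MC1137610.
# 2003 fans out: the single classic alert becomes three protocol-specific detectors.
CLASSIC_TO_XDR = {
    "2210": ["xdr_LdapSensitiveAttributeReconnaissanceSecurityAlert"],
    "2012": ["xdr_SmbSessionEnumeration"],
    "2003": [
        "xdr_AccountEnumerationHintSecurityAlertAdfs",
        "xdr_AccountEnumerationHintSecurityAlertKerberos",
        "xdr_AccountEnumerationHintSecurityAlertNtlm",
    ],
    "2004": ["xdr_LdapBindBruteforce"],
    "2416": ["xdr_SuspiciousConnectionOverEFSRPC"],
}

# Constructed sample rule set. "2999" is a placeholder for an ID this wave does not cover.
SAMPLE_RULES = [
    {"name": "ldap-recon-notify", "match": {"externalId": "2210"}, "action": "notify"},
    {"name": "account-enum-isolate", "match": {"externalId": "2003"}, "action": "isolate"},
    {"name": "ldap-bruteforce-notify", "match": {"externalId": "2004"}, "action": "notify"},
    {"name": "other-classic-rule", "match": {"externalId": "2999"}, "action": "notify"},
    {"name": "already-xdr", "match": {"detectorId": "xdr_LdapBindBruteforce"}, "action": "notify"},
]


def migrate_rules(rules):
    """Return (migrated_rules, report).

    Rules matching a classic External ID are rewritten to match the XDR Detector
    ID; a classic ID that maps to several detectors yields one rule per detector
    so no protocol variant is left unhandled. Rules that already use a
    detectorId pass through unchanged; classic IDs with no mapping are kept as
    they are and reported, because they may belong to a later migration wave.
    The input list is not mutated.
    """
    migrated = []
    report = {"rewritten": [], "expanded": {}, "unmapped": [], "unchanged": 0}
    for rule in rules:
        ext = rule["match"].get("externalId")
        if ext is None:
            migrated.append(rule)
            report["unchanged"] += 1
            continue
        targets = CLASSIC_TO_XDR.get(ext)
        if targets is None:
            migrated.append(rule)
            report["unmapped"].append(rule["name"])
            continue
        if len(targets) > 1:
            report["expanded"][rule["name"]] = len(targets)
        for detector in targets:
            new_rule = dict(rule)  # shallow copy; "match" is replaced below, not edited
            new_rule["match"] = {"detectorId": detector}
            new_rule["migratedFrom"] = ext  # keep the classic ID for the audit trail
            if len(targets) > 1:
                new_rule["name"] = f"{rule['name']}-{detector}"  # unique names when fanning out
            migrated.append(new_rule)
            report["rewritten"].append(new_rule["name"])
    return migrated, report


if __name__ == "__main__":
    rules, report = migrate_rules(SAMPLE_RULES)
    print(json.dumps({"rules": rules, "report": report}, indent=2))
```

Run it once against a copy of the real rule set and read the report before committing the output: anything under "unmapped" is a classic ID this message does not cover and should stay on the old ID, and every entry under "expanded" is a place where one rule silently became several and the response action should be re-checked per protocol.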

Release Phase:

Created:
2025-08-19

updated:
2025-08-19

Direct effects for Operations**

Workflow Disruption
Playbooks, SIEM rules and ticket routing keyed on the classic External IDs (2210, 2012, 2003, 2004, 2416) will stop matching once these alerts are raised by the XDR detectors. The alerts themselves still fire, but any enrichment, notification or response tied to the old IDs will silently not run until the automation is updated to the new Detector IDs.
   - roles: Security Analyst, IT Administrator
   - references: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-defender-for-identity-alerts-transitioning-to-xdr/ba-p/3851230

Lost Exclusions and Alert Noise
Exclusions configured in the MDI settings do not apply to the XDR detectors. Benign activity that was deliberately suppressed (for example, a vulnerability scanner or a monitoring account that enumerates accounts over LDAP) will surface again as alerts until equivalent XDR Alert Tuning rules exist. The extra triage load raises the chance that a genuine alert is dismissed along with the noise.
   - roles: Security Analyst, Compliance Officer
   - references: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-defender-for-identity-alerts-transitioning-to-xdr/ba-p/3851230

Slower Incident Response
Until automation and tuning rules are rebuilt, alerts from the new detectors may land in the queue without their usual enrichment or routing, lengthening triage and time-to-respond and prolonging exposure to the reconnaissance and brute-force activity these alerts cover.
   - roles: Security Analyst, Incident Responder
   - references: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-defender-for-identity-alerts-transitioning-to-xdr/ba-p/3851230

Opportunities**

Automated Workflow Updates
Keep the classic-to-XDR ID mapping in one place (a lookup table in version control) and script the rewrite of playbooks, SIEM rules and ticket routing, so the change is applied consistently and can be re-run if a rule is missed. Remember that External ID 2003 maps to three protocol-specific detectors, so a single rule becomes three.
   - next-steps: Script the Detector ID rewrite, run it against a copy of the rule set in a staging environment, and confirm after September 18, 2025 that the new Detector IDs actually appear in incoming alerts before retiring the old rules.
   - roles: IT Administrators, Security Analysts, DevOps Engineers
   - references: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-defender-for-identity-classic-alerts-transitioning-to/ba-p/3946438

Enhanced Alert Tuning
Recreating the MDI exclusions as XDR Alert Tuning rules is a chance to revisit them. Scope each rule as narrowly as the original exclusion (a specific account, device or IP) rather than suppressing a whole detector; a broad tuning rule recreates exactly the blind spot an attacker can hide in. Exclusions nobody can justify any more should be dropped rather than migrated.
   - next-steps: Inventory the existing MDI exclusions, document why each one exists, and recreate only the justified ones as narrowly scoped XDR Alert Tuning rules. Review alert volume for these detectors in the weeks after the cutover to catch exclusions that were missed.
   - roles: Security Operations Center (SOC) Analysts, IT Security Managers, Compliance Officers
   - references: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-defender-for-identity-classic-alerts-transitioning-to/ba-p/3946438

Training and Documentation
Alert titles, IDs and the place where exclusions are managed all change with this transition. Updating runbooks and briefing the analysts who triage these alerts ensures that the new detectors are recognised and handled correctly from the first day.
   - next-steps: Update runbooks and SOC documentation with the new alert titles and Detector IDs, and walk the on-call analysts through the change before the September 18, 2025 cutover.
   - roles: IT Support Staff, Security Team Members, Compliance Officers
   - references: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-defender-for-identity-classic-alerts-transitioning-to/ba-p/3946438

** AI generated content. This information must be reviewed before use.
