check before: 2026-03-16
Product:
Defender, Defender for Identity, Defender XDR
Platform:
Online, World tenant
Status:
Change type:
User impact, Admin impact, Retirement
Links:
Details:
Summary:
The “Suspected identity theft (pass-the-ticket)” classic alert will retire between March 18 and March 22, 2026, and is replaced by the “Pass-the-Ticket (PtT) attack” XDR alert. Existing alerts remain accessible. No admin action is required, but workflows, alert tuning, and documentation should be updated accordingly. No compliance issues noted.
Details:
[Introduction]
To streamline our alert catalog and focus investment on our unified Microsoft Defender XDR detection capabilities, we're retiring the "Suspected identity theft (pass‑the‑ticket)" classic alert (External ID: 2018). This retirement aligns with our move toward consolidated XDR alerting and improved detection fidelity.
We recommend using the "Pass‑the‑Ticket (PtT) attack" alert (Detector ID: xdr_PassTheTicketAttack), where ongoing development and enhancements will continue.
[When this will happen]
We'll retire the classic alert between March 18, 2026 and March 22, 2026.
Created:
2026-02-19
updated:
2026-02-19
summary for non-techies**
The "Suspected identity theft (pass-the-ticket)" alert will be retired between March 18 and March 22, 2026, and replaced by the more advanced "Pass-the-Ticket (PtT) attack" alert, which provides clearer and more detailed threat detection. IT teams need to update their processes and training materials accordingly.
Direct effects for Operations**
Alert Generation Disruption
Once retired, the classic alert will stop generating new alerts, potentially leading to missed detections if teams do not transition to the new alert in time.
- roles: Security Operations Team, IT Administrators
- references: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/announcing-the-retirement-of-suspected-identity-theft-pass-the/ba-p/3741230
Workflow and Process Updates
Existing workflows and alert tuning processes may become outdated, leading to inefficiencies and potential security gaps if not updated to reference the new XDR alert.
- roles: Security Operations Team, IT Administrators
- references: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/announcing-the-retirement-of-suspected-identity-theft-pass-the/ba-p/3741230
Increased Alert Triage Time
Without preparation, security teams may face increased time in triaging alerts due to lack of familiarity with the new XDR alert, impacting response times.
- roles: Security Operations Team, Incident Response Team
- references: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/announcing-the-retirement-of-suspected-identity-theft-pass-the/ba-p/3741230
Documentation Gaps
Failure to update internal documentation regarding the new alert may lead to confusion and miscommunication among team members, affecting incident response.
- roles: IT Administrators, Security Operations Team
- references: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/announcing-the-retirement-of-suspected-identity-theft-pass-the/ba-p/3741230
Potential Security Oversight
If teams do not transition to the new alert system, there is a risk of overlooking critical security incidents that the new alert is designed to detect.
- roles: Security Operations Team, Compliance Officers
- references: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/announcing-the-retirement-of-suspected-identity-theft-pass-the/ba-p/3741230
** AI generated content. This information must be reviewed before use.
Last updated 3 weeks ago