{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreicjo56gotzkakoaabio6eawtydws7n4inzyw6egecg3x5adi64mey",
"uri": "at://did:plc:xxrzfynfiasdpbxteqxi4jgq/app.bsky.feed.post/3mf6fevhrk5o2"
},
"description": "The “Suspected identity theft (pass-the-ticket)” classic alert will retire between March 18-22, 2026, replaced by the “Pass-the-Ticket (PtT) attack” XDR alert. Existing alerts remain accessible. No admin action is required, but update workflows, alert tuning, and documentation accordingly. No com...",
"path": "/m365-message-center/message/mc1234542/",
"publishedAt": "2026-02-19T01:00:06.000Z",
"site": "https://blog.tophhie.cloud",
"textContent": "🚨\n\n**Major Update:** This post contains a significant change that may impact your organisation.\n\n**[Introduction]**\n\nTo streamline our alert catalog and focus investment on our unified Microsoft Defender XDR detection capabilities, we’re retiring the “Suspected identity theft (pass‑the‑ticket)” classic alert (External ID: 2018). This retirement aligns with our move toward consolidated XDR alerting and improved detection fidelity.\n\nWe recommend using the “Pass‑the‑Ticket (PtT) attack” alert (Detector ID: xdr_PassTheTicketAttack), where ongoing development and enhancements will continue.\n\n**[When this will happen]**\n\nWe’ll retire the classic alert between **March 18, 2026** and **March 22, 2026**.\n\n**[How this affects your organization]**\n\nWho is affected:\n\n * Organizations using Microsoft Defender for Identity within Microsoft Defender XDR services.\n * Security operations teams and administrators who rely on classic alerting.\n\n\n\nWhat will happen:\n\n * The “Suspected identity theft (pass‑the‑ticket)” classic alert (External ID: 2018) will stop generating new alerts after retirement.\n * Existing historical alerts will remain accessible in your environment.\n * The “Pass‑the‑Ticket (PtT) attack” XDR detector (ID: xdr_PassTheTicketAttack) will continue to operate and should be used going forward.\n * No changes will be made to user experiences outside security operations.\n\n\n\n**[What you can do to prepare]**\n\nNo admin action is required for this change, but we recommend the following to ensure continuity in your security workflows:\n\n * Update alert triage processes, workflows, and automation to reference the XDR detector IDs.\n * Reconfigure alert exclusions or tuning rules using **XDR Alert Tuning**.\n * Notify security and operations teams of the upcoming retirement.\n * Update internal documentation to reference the new alert name and detector ID.\n * Review Microsoft documentation for configuring XDR Alert Tuning.\n\n\n\n**[Compliance considerations]**\n\nNo compliance considerations identified. Review as appropriate for your organization.",
"title": "MC1234542: Retirement of “Suspected identity theft (pass-the-ticket)” classic alert",
"updatedAt": "2026-02-19T01:00:06.000Z"
}