Microsoft Defender for Identity alerts transitioning to XDR-based detection platform

Microsoft Defender for Identity classic alerts will transition to the XDR detection platform on September 18, 2025, improving detection accuracy and performance. Users must update workflows with new Detector IDs and reconfigure alert exclusions using XDR Alert Tuning rules.

On September 18, 2025, the following Microsoft Defender for Identity classic alerts will be moved to the MDI XDR detection platform. This transition is part of our ongoing effort to enhance detection capabilities across the environment. The move to XDR enables:

  • Improved detection logic, helping to reduce false positives.
  • Enhanced performance.

MDI Classic Alerts moving to MDI XDR alerts

| Alert title | External ID |
|---|---|
| Active Directory attributes Reconnaissance using LDAP | 2210 |
| User and IP address reconnaissance | 2012 |
| Account enumeration reconnaissance | 2003 |
| Suspected brute-force attack (LDAP) | 2004 |
| Suspicious network connection over Encrypting File System Remote Protocol | 2416 |

New MDI XDR Alerts

| Alert title | Detector ID |
|---|---|
| Active Directory attributes Reconnaissance using LDAP | xdr_LdapSensitiveAttributeReconnaissanceSecurityAlert |
| User and IP address reconnaissance (SMB) | xdr_SmbSessionEnumeration |
| Account enumeration reconnaissance in AD FS | xdr_AccountEnumerationHintSecurityAlertAdfs |
| Account enumeration in reconnaissance in Kerberos | xdr_AccountEnumerationHintSecurityAlertKerberos |
| Account enumeration reconnaissance in NTLM | xdr_AccountEnumerationHintSecurityAlertNtlm |
| Suspected brute-force attack (LDAP) | xdr_LdapBindBruteforce |
| Suspicious network connection over Encrypting File System Remote Protocol | xdr_SuspiciousConnectionOverEFSRPC |

Action Required

  • If you are using any of the MDI classic Alert IDs in your workflows or automation, please update them to use the corresponding Detector IDs listed above.
  • If you have defined alert exclusions in the MDI settings, you will need to reconfigure those exclusions using XDR Alert Tuning rules.
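
One way to audit existing automation for the first action item, as an added example that is not part of the original message or Microsoft's own tooling. It pairs the classic External IDs with the Detector IDs by alert title from the tables above; the rule syntax and field names in the sample text are constructed for illustration.

```python
import re

# Classic External ID -> XDR Detector ID(s), paired by alert title from the
# two tables in this message. 2003 fans out to three protocol-specific IDs.
CLASSIC_TO_XDR = {
    "2210": ["xdr_LdapSensitiveAttributeReconnaissanceSecurityAlert"],
    "2012": ["xdr_SmbSessionEnumeration"],
    "2003": ["xdr_AccountEnumerationHintSecurityAlertAdfs",
             "xdr_AccountEnumerationHintSecurityAlertKerberos",
             "xdr_AccountEnumerationHintSecurityAlertNtlm"],
    "2004": ["xdr_LdapBindBruteforce"],
    "2416": ["xdr_SuspiciousConnectionOverEFSRPC"],
}
# Standalone tokens only, so dates (2004-01-01) and longer numbers (12003) are skipped.
TOKEN = re.compile(r"(?<![\w.-])(" + "|".join(CLASSIC_TO_XDR) + r")(?![\w.-])")
# Assumption: a line that mentions one of these words is really about an alert.
HINT = re.compile(r"alert|external\s*id|detector", re.IGNORECASE)

def find_classic_ids(text, source="<inline>"):
    """Return one finding per classic ID reference, with its replacement IDs."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN.finditer(line):
            findings.append({"source": source, "line": lineno,
                             "classic_id": match.group(1),
                             "replace_with": CLASSIC_TO_XDR[match.group(1)],
                             "alert_context": bool(HINT.search(line))})
    return findings

def incomplete_migrations(text):
    """Classic IDs whose replacement set is only partly referenced in the text."""
    gaps = {}
    for classic_id, detectors in CLASSIC_TO_XDR.items():
        present = [d for d in detectors if d in text]
        if present and len(present) < len(detectors):
            gaps[classic_id] = [d for d in detectors if d not in present]
    return gaps

# Constructed sample rules in a hypothetical syntax, not from a real tenant.
SAMPLE = """\
# constructed automation rules
rule ldap-recon: if alert.externalId == 2210 then notify soc
rule brute: when ExternalId in (2004, 2416) open ticket
note: policy reviewed 2004-01-01, see ticket 12003
rule enum: if detectorId == "xdr_AccountEnumerationHintSecurityAlertKerberos" then page
"""

if __name__ == "__main__":
    for f in find_classic_ids(SAMPLE, "sample-rules"):
        print(f["source"], f["line"], f["classic_id"], "->", ", ".join(f["replace_with"]))
    print("partly migrated:", incomplete_migrations(SAMPLE))
```

Findings with `alert_context` set to false are bare numbers that need manual review, and the second function catches a workflow that replaced 2003 with only one of its three protocol-specific Detector IDs.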

Message ID: MC1137610

