Services
Summary
Microsoft Sentinel for Developers will have planned breaking changes to ASIM KQL functions, updating _Im_ProcessCreate to use targetusername_has instead of targetusername. Organizations should review and update queries by May 25 or later to avoid disruptions. Rollout dates will be announced later.
Details
Introduction
We’re making planned breaking changes to some Advanced Security Information Model (ASIM) KQL functions used in Microsoft Sentinel for Developers. These changes align parameters with documentation to improve consistency and performance.
When this will happen
Rollout timing has not been finalized.
We’ll update this Message center post with specific start and end dates once they’re confirmed.
How this affects your organization
Who is affected
- Organizations using ASIM or normalization KQL functions in Microsoft Sentinel for Developers
- Security teams and partners building or maintaining detections and analytic rules that rely on these functions
What will happen (April 19)
- We will update _Im_ProcessCreate with the correct parameter, so that it will take both targetusername and targetusername_has.
- This will give time to partners to update their detections and KQL queries to switch to the parameter name targetusername_has, while not break any existing experiences.
What will happen (May 25 or later)
- Once we have given enough time and also checking with our usage telemetry that targetusername is not being used, we will remove targetusername as parameter.
What you can do to prepare
- Review detections and analytic rules that use ASIM or normalization functions.
- Update queries to use targetusername_has.
- Test updated detections before rollout.
- Notify teams or partners who maintain Sentinel detections.
Compliance considerations
No compliance considerations identified. Review as appropriate for your organization.