MC1281506: Planned breaking changes to ASIM KQL functions used by Microsoft Sentinel for Developers
Microsoft Sentinel for Developers will have planned breaking changes to ASIM KQL functions: _Im_ProcessCreate will be updated to use targetusername_has instead of targetusername. Organizations should review and update queries by May 25 or later to avoid disruptions. Rollout dates will be announced later.
[Introduction]
We’re making planned breaking changes to some Advanced Security Information Model (ASIM) KQL functions used in Microsoft Sentinel for Developers. These changes align parameters with documentation to improve consistency and performance.
[When this will happen]
Rollout timing has not been finalized.
We’ll update this Message center post with specific start and end dates once they’re confirmed.
[How this affects your organization]
Who is affected
- Organizations using ASIM or normalization KQL functions in Microsoft Sentinel for Developers
- Security teams and partners building or maintaining detections and analytic rules that rely on these functions
What will happen (April 19)
- We will update _Im_ProcessCreate with the correct parameter, so that it will take both targetusername and targetusername_has.
- This gives partners time to update their detections and KQL queries to switch to the parameter name targetusername_has without breaking any existing experiences.
What will happen (May 25 or later)
- Once we have given enough time and confirmed through our usage telemetry that targetusername is no longer being used, we will remove targetusername as a parameter.
[What you can do to prepare]
- Review detections and analytic rules that use ASIM or normalization functions.
- Update queries to use targetusername_has.
- Test updated detections before rollout.
- Notify teams or partners who maintain Sentinel detections.
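One way to carry out the review step above, as an added example that is not part of the original notice or Microsoft tooling: a Python scan over exported rule queries that reports those still passing targetusername as a named argument to _Im_ProcessCreate. The rule names, sample queries and the other arguments shown (starttime, commandline_has_any) are constructed for illustration.

```python
import re

FUNC, OLD = "_Im_ProcessCreate", "targetusername"   # names from the notice

def call_args(query, start):
    """Return the text inside the parentheses opening at query[start],
    honouring nested parentheses and quoted string literals."""
    depth, quote, i = 0, None, start
    while i < len(query):
        ch = query[i]
        if quote:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return query[start + 1:i]
        i += 1
    return query[start + 1:]                # unbalanced: rest of the query

def find_deprecated(rules):
    """rules maps rule name -> KQL text; returns the names of rules that
    pass the old parameter name to FUNC as a named argument."""
    call = re.compile(r"(?<!\w)" + re.escape(FUNC) + r"\s*\(")
    literal = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"")
    old_param = re.compile(r"(?<!\w)" + OLD + r"\s*=(?!=)")
    hits = []
    for name, query in rules.items():
        for m in call.finditer(query):
            # Blank out literals so a value containing the name is ignored.
            args = literal.sub("''", call_args(query, m.end() - 1))
            if old_param.search(args):
                hits.append(name)
                break
    return hits

SAMPLE_RULES = {  # constructed queries, not real detections
    "old-param": "_Im_ProcessCreate(starttime=ago(1d), targetusername='svc_backup')\n| summarize count() by DvcHostname",
    "new-param": "_Im_ProcessCreate(targetusername_has='svc_backup') | take 10",
    "value-only": "_Im_ProcessCreate(commandline_has_any=dynamic(['targetusername=x']))",
    "column-filter": "_Im_ProcessCreate() | where TargetUsername == 'x'",
}

if __name__ == "__main__":
    print(find_deprecated(SAMPLE_RULES))    # rules still to update
```

The scan does not parse KQL comments, so a commented-out call that uses the old parameter is reported as well.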
[Compliance considerations]
No compliance considerations identified. Review as appropriate for your organization.