MC1281506 - Planned breaking changes to ASIM KQL functions used by Microsoft Sentinel for Developers

Introduction

We’re making planned breaking changes to some Advanced Security Information Model (ASIM) KQL functions used in Microsoft Sentinel for Developers. These changes align parameters with documentation to improve consistency and performance.

When this will happen

Rollout timing has not been finalized.

We’ll update this Message center post with specific start and end dates once they’re confirmed.

How this affects your organization

Who is affected

• Organizations using ASIM or normalization KQL functions in Microsoft Sentinel for Developers
• Security teams and partners building or maintaining detections and analytic rules that rely on these functions

What will happen (April 19)

• We will update _Im_ProcessCreate with the correct parameter, so that it will take both targetusername and targetusername_has.
• This will give time to partners to update their detections and KQL queries to switch to the parameter name targetusername_has, while not break any existing experiences.

What will happen (May 25 or later)

• Once we have given enough time and also checking with our usage telemetry that targetusername is not being used, we will remove targetusername as parameter. 

What you can do to prepare

• Review detections and analytic rules that use ASIM or normalization functions.
• Update queries to use targetusername_has.
• Test updated detections before rollout.
• Notify teams or partners who maintain Sentinel detections.

Learn more: The Advanced Security Information Model (ASIM) Process Event normalization schema reference | Microsoft Sentinel | Security | Azure | Microsoft Learn

Compliance considerations

No compliance considerations identified. Review as appropriate for your organization.