Summary
- Planned changes to Advanced Security Information Model (ASIM) KQL functions in Microsoft Sentinel for Developers will enhance consistency and performance.
- Organizations using ASIM functions will need to transition to using the new parameter name, targetusername_has.
- Outdated parameters will be removed only after confirming they are no longer in use, enabling a smoother transition for users.
- Security teams should review and update their detections and analytic rules to incorporate the new parameter.
- No compliance considerations are identified; organizations should assess their situation appropriately.
Admin Impact: High
User Impact: Low
Release Start: 19 Apr 2024
Release End: 25 May 2024
Services: Defender XDR
Category: Plan for change
Tags: User Adoption, Admin Action
History
4/15/2026 Item Added to Message Center
Microsoft Message
Introduction
We’re making planned breaking changes to some Advanced Security Information Model (ASIM) KQL functions used in Microsoft Sentinel for Developers. These changes align parameters with documentation to improve consistency and performance.
When this will happen
Rollout timing has not been finalized.
We’ll update this Message center post with specific start and end dates once they’re confirmed.
How this affects your organization
Who is affected
- Organizations using ASIM or normalization KQL functions in Microsoft Sentinel for Developers
- Security teams and partners building or maintaining detections and analytic rules that rely on these functions
What will happen (April 19)
- We will update _Im_ProcessCreate with the correct parameter, so that it will take both targetusername and targetusername_has.
- This will give partners time to update their detections and KQL queries to switch to the parameter name targetusername_has, without breaking any existing experiences.
What will happen (May 25 or later)
Once we have given enough time and have also checked our usage telemetry to confirm that targetusername is not being used, we will remove targetusername as a parameter.
What you can do to prepare
- Review detections and analytic rules that use ASIM or normalization functions.
- Update queries to use targetusername_has.
- Test updated detections before rollout.
- Notify teams or partners who maintain Sentinel detections.
Learn more: The Advanced Security Information Model (ASIM) Process Event normalization schema reference (Microsoft Learn)
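One way to carry out the review and update steps above over exported rule queries, as an added example that is not Microsoft's code: it finds _Im_ProcessCreate calls that still pass targetusername as a named argument and renames it to targetusername_has, leaving string literals and column references outside the call untouched. The helper names and the sample rules are constructed for illustration.

```python
import re

FUNC = "_Im_ProcessCreate"                  # function named in the notice
OLD, NEW = "targetusername", "targetusername_has"
_STR = r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\''   # a KQL string literal
_PAREN = re.compile(_STR + r"|[()]")
# Old name only when used as a named argument (followed by '=' but not '==').
_NAMED = re.compile(_STR + r"|\b" + OLD + r"(?=\s*=(?!=))")

def _closing_paren(query, open_idx):
    """Index of the ')' closing query[open_idx]; parens inside strings are skipped."""
    depth = 0
    for t in _PAREN.finditer(query, open_idx):
        if t.group(0) == "(":
            depth += 1
        elif t.group(0) == ")":
            depth -= 1
            if depth == 0:
                return t.start()
    return -1                               # unbalanced call: leave it alone

def migrate(query):
    """Rename OLD to NEW inside FUNC(...) argument lists. Returns (query, renames)."""
    out, pos, renames = [], 0, 0
    for m in re.finditer(re.escape(FUNC) + r"\s*\(", query):
        open_idx = m.end() - 1
        close_idx = _closing_paren(query, open_idx)
        if open_idx < pos or close_idx < 0:
            continue
        args = query[open_idx:close_idx]
        renames += sum(t.group(0) == OLD for t in _NAMED.finditer(args))
        out += [query[pos:open_idx],
                _NAMED.sub(lambda t: NEW if t.group(0) == OLD else t.group(0), args)]
        pos = close_idx
    return "".join(out) + query[pos:], renames

# Constructed sample rules (not taken from any real workspace).
RULES = {
    "legacy": '_Im_ProcessCreate(starttime=ago(1d), targetusername="svc_backup")\n'
              '| where TargetUsername == "svc_backup"',
    "current": '_Im_ProcessCreate(targetusername_has="admin")',
    "literal": '_Im_ProcessCreate(targetusername_has="targetusername=x)")',
}
NEEDS_UPDATE = sorted(name for name, q in RULES.items() if migrate(q)[1])
```

Only the parameter name is changed; the argument value is passed through as written, so each rewritten rule should still be tested before rollout.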
Compliance considerations
No compliance considerations identified. Review as appropriate for your organization.