{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreihsfh46bddfaazhinzvg44t3rg462jju6u7ytdqcwzgxtcx6bn7qm",
    "uri": "at://did:plc:xxrzfynfiasdpbxteqxi4jgq/app.bsky.feed.post/3mjl45vdoh6l2"
  },
  "description": "Microsoft Sentinel for Developers will have planned breaking changes to ASIM KQL functions, updating _Im_ProcessCreate to use targetusername_has instead of targetusername. Organizations should review and update queries before targetusername is removed (May 25 or later) to avoid disruptions. Rollout dates will be announced later.",
  "path": "/m365-message-center/message/mc1281506/",
  "publishedAt": "2026-04-16T00:00:15.000Z",
  "site": "https://blog.tophhie.cloud",
  "tags": [
    "The Advanced Security Information Model (ASIM) Process Event normalization schema reference | Microsoft Sentinel | Security | Azure | Microsoft Learn"
  ],
  "textContent": "🚨\n\n**Major Update:** This post contains a significant change that may impact your organisation.\n\n**[Introduction]**\n\nWe’re making **planned breaking changes** to some **Advanced Security Information Model (ASIM) KQL functions** used in _Microsoft Sentinel for Developers_. These changes align parameters with documentation to improve consistency and performance.\n\n**[When this will happen]**\n\nRollout timing has not been finalized.\n\nWe’ll update this Message center post with specific start and end dates once they’re confirmed.\n\n**[How this affects your organization]**\n\n_Who is affected_\n\n  * Organizations using ASIM or normalization KQL functions in _Microsoft Sentinel for Developers_\n  * Security teams and partners building or maintaining detections and analytic rules that rely on these functions\n\n\n\n_What will happen (April 19)_\n\n  * We will update _Im_ProcessCreate with the correct parameter, so that it accepts both targetusername and targetusername_has.\n  * This gives partners time to update their detections and KQL queries to the parameter name targetusername_has without breaking any existing experiences.\n\n\n\n_What will happen (May 25 or later)_\n\n  * Once we have given enough time and confirmed through our usage telemetry that targetusername is no longer being used, we will remove targetusername as a parameter.\n\n\n\n**[What you can do to prepare]**\n\n  * Review detections and analytic rules that use ASIM or normalization functions.\n  * Update queries to use **targetusername_has**.\n  * Test updated detections before rollout.\n  * Notify teams or partners who maintain Sentinel detections.\n\n\n\nLearn more: The Advanced Security Information Model (ASIM) Process Event normalization schema reference | Microsoft Sentinel | Security | Azure | Microsoft Learn\n\n**[Compliance considerations]**\n\nNo compliance considerations identified. Review as appropriate for your organization.",
  "title": "MC1281506: Planned breaking changes to ASIM KQL functions used by Microsoft Sentinel for Developers",
  "updatedAt": "2026-04-16T00:00:15.363Z"
}