check before: 2026-04-24
Product:
Defender, Defender XDR
Platform:
Developer, Online, World tenant
Status:
Change type:
User impact, Admin impact
Links:
Details:
Summary:
Microsoft Sentinel for Developers will have planned breaking changes to ASIM KQL functions, updating _Im_ProcessCreate to use targetusername_has instead of targetusername. Organizations should review and update queries by May 25 or later to avoid disruptions. Rollout dates will be announced later.
Details:
[Introduction]
We're making planned breaking changes to some Advanced Security Information Model (ASIM) KQL functions used in Microsoft Sentinel for Developers. These changes align parameters with documentation to improve consistency and performance.
[When this will happen]
Rollout timing has not been finalized.
We'll update this Message center post with specific start and end dates once they're confirmed.
Release Phase:
Created:
2026-04-16
Updated:
2026-04-16
Direct effects for Operations**
Breaking Changes to KQL Functions
If organizations do not prepare for the change in KQL functions, they may experience disruptions in their detection and analytic rules, leading to potential security gaps.
- roles: Security Teams, Developers
- references: https://learn.microsoft.com/azure/sentinel/normalization-schema-process-event
Inconsistent Query Performance
Failure to update queries may result in inconsistent performance of security detections, affecting the reliability of security monitoring.
- roles: Security Analysts, IT Operations
- references: https://learn.microsoft.com/azure/sentinel/normalization-schema-process-event
Increased Incident Response Time
Without timely updates to KQL queries, incident response teams may face delays in identifying and responding to security incidents, increasing risk exposure.
- roles: Incident Response Teams, Security Analysts
- references: https://learn.microsoft.com/azure/sentinel/normalization-schema-process-event
User Experience Degradation
Users relying on automated security alerts may experience a degradation in service if alerts are not generated due to outdated queries.
- roles: End Users, Security Teams
- references: https://learn.microsoft.com/azure/sentinel/normalization-schema-process-event
Lack of Compliance with Security Standards
Organizations may inadvertently fall out of compliance with internal or external security standards if detection rules are not updated, leading to potential audits or penalties.
- roles: Compliance Officers, Security Managers
- references: https://learn.microsoft.com/azure/sentinel/normalization-schema-process-event
** AI generated content. This information must be reviewed before use.