Update

Account Name is now consistently the UPN prefix for analytics rule alerts

April 2026

[Updated] Call to action: update automation by July 1, 2026 - Account Name is now consistently the UPN prefix for analytics rule alerts

Microsoft Sentinel is updating how the account entity's Account Name value is populated for analytics rule alerts when the full UPN is mapped into Account Name. This change improves consistency for downstream automation rules and Logic Apps playbooks.

This change might affect automation logic that filters on or compares the AccountName property (Logic Apps: AccountName), especially if it expects the full UPN.

What's changing

  • When a full UPN (for example, user@domain.com) is mapped to Account Name in an analytics rule, Account Name will always be the UPN prefix only (user). Previously, it could sometimes be user and sometimes user@domain.com.
  • Additional UPN-related fields will be added to the account entity in the SecurityAlert table: UserPrincipalName (full UPN, for example user@domain.com), UPNSuffix, and the UPN prefix.

For example:

  • Before: Analytics: user@domain.com -> Automation rule Account Name: user or user@domain.com
  • After: Analytics: user@domain.com -> Automation rule Account Name: user + UPNSuffix: domain.com

What you need to do
Update any automation rules or Logic Apps playbooks that compare against the full UPN. Replace direct equality checks with separate comparisons for the UPN prefix and UPN suffix. We strongly recommend using Contains and Starts with operations instead of strict equality to maintain compatibility both before and after the change.

For example, replace conditions such as AccountName Equals user@domain.com with logic like:

  • AccountName Contains user or Starts with user
  • UPNSuffix Equals domain.com / Starts with domain.com / Contains domain.com
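
Where the comparison runs in custom code rather than in a rule condition (for example, a function called from a playbook), both formats can be normalized and then compared exactly, which avoids Contains or Starts with also matching other accounts such as user2. The following is an added example, not Microsoft's code: the dictionary shape, the function names, and the require_suffix option are assumptions, and only the AccountName and UPNSuffix property names come from the text above.

```python
# Added example, not Microsoft's code. The dict shape is an assumption; only
# the AccountName and UPNSuffix property names come from the text above.

def split_upn(value):
    """Lower-case and split 'user@domain.com' into ('user', 'domain.com')."""
    prefix, _, suffix = (value or "").strip().lower().partition("@")
    return prefix, suffix


def entity_upn(entity):
    """Return (prefix, suffix) for an account entity in either format.

    Before the change AccountName may carry the full UPN; after it, the
    prefix is in AccountName and the domain is in UPNSuffix.
    """
    prefix, embedded = split_upn(entity.get("AccountName"))
    suffix = (entity.get("UPNSuffix") or "").strip().lower() or embedded
    return prefix, suffix


def matches_account(entity, expected_upn, require_suffix=True):
    """Exact, case-insensitive match of an entity against one expected UPN.

    With require_suffix=True an entity whose domain is unknown does not
    match, so a suppression or auto-close rule fails closed.
    """
    want_prefix, want_suffix = split_upn(expected_upn)
    got_prefix, got_suffix = entity_upn(entity)
    if not got_prefix or got_prefix != want_prefix:
        return False
    if not got_suffix:
        return not require_suffix
    return got_suffix == want_suffix


# Constructed sample entities (not real alert data).
SAMPLES = [
    {"AccountName": "user@domain.com"},                          # old: full UPN
    {"AccountName": "user", "UPNSuffix": "domain.com"},          # new: split
    {"AccountName": "user"},                                     # old: prefix only
    {"AccountName": "user2", "UPNSuffix": "domain.com"},         # different account
    {"AccountName": "user", "UPNSuffix": "domain.com.example"},  # different domain
]


def evaluate(expected_upn="user@domain.com"):
    """Match every constructed sample against one expected UPN."""
    return [matches_account(entity, expected_upn) for entity in SAMPLES]
```

The last two samples satisfy "AccountName Contains user" and "UPNSuffix Starts with domain.com" respectively, but are rejected by the exact comparison.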

Microsoft Sentinel data federation (Preview)
Powered by Microsoft Fabric, Microsoft Sentinel data federation lets you analyze security data where it already lives, without copying or duplicating it. You can federate data from Microsoft Fabric, Azure Data Lake Storage, and Azure Databricks into Microsoft Sentinel data lake, then use familiar Microsoft Sentinel experiences like KQL, notebooks, and custom graphs across both federated and native data.

Transform data with filter and split features (Preview)
Native filtering and splitting in the Microsoft Defender portal helps you reduce noise before ingestion, control costs, and intelligently route data between analytics and data lake tiers so you can optimize what gets analyzed versus retained. For more information, see Transform data using filter and split in Microsoft Sentinel.

Accelerate Microsoft Sentinel connector development with Visual Studio Code connector builder agent (Preview)
An AI-powered, low-code agent in Visual Studio Code helps you build Microsoft Sentinel connectors in minutes, bringing in new data sources faster and unlocking security outcomes sooner. For more information, see Get started with custom connectors using AI agent in Microsoft Sentinel.

Build custom graphs (Preview)
Build tailored security graphs across the Sentinel data lake and third-party data to uncover attack paths, blast radius, and hidden relationships. These graphs also serve as a foundation for advanced investigations and AI agents. For more information, see Custom Graph overview.

Graphs experience in the Microsoft Defender portal (Preview)
After creating your custom graphs, you can access them in the graphs section of the Defender portal under Microsoft Sentinel. From there, you can run Graph Query Language (GQL) queries, view the graph schema, visualize the graph, view graph results in tabular format, and interactively traverse the graph to the next hop with a simple click.

Entity analyzer is now generally available
Entity analyzer in the Microsoft Sentinel Model Context Protocol (MCP) data exploration tool collection lets you get out-of-the-box, explainable entity risk assessments for URLs and identities using threat intelligence, prevalence, and organizational context.

Important

Starting April 1, 2026, you're charged for the Security Compute Units (SCUs) required when using the entity analyzer. For more information, see Understand Microsoft Sentinel MCP server pricing, limits, and availability.

AI-powered SIEM migration tool is now generally available
Accelerate migrations to Microsoft Sentinel from Splunk and QRadar using an AI-assisted SIEM migration experience designed to reduce manual effort and speed time-to-value. For more information, see Migrate to Microsoft Sentinel with the SIEM migration experience.

Cost estimation tool for customers and partners (Preview)
A guided, meter-level Microsoft Sentinel cost estimator with three-year projections helps organizations model data growth, predict spend, and plan Microsoft Sentinel adoption with confidence. For more information, see Microsoft Sentinel pricing.

Configure row-level access using Microsoft Sentinel scoping (Preview)
Microsoft Sentinel now supports scoping (row-level RBAC) to control access to specific subsets of Sentinel data without requiring workspace separation. Administrators can define logical scopes, tag data at ingestion time, and assign users or groups to scopes using Unified RBAC, enabling multiple teams to work securely within a shared Sentinel environment. Scoping is configured in the Microsoft Defender portal. For more information, see Configure Microsoft Sentinel scoping (row-level RBAC).
