Update

Call to action: update queries and automation

November 2025

Call to action: update queries and automation by December 13, 2025 - standardized account entity naming in incidents and alerts
Microsoft Sentinel is updating how it identifies account entities in incidents and alerts. This change introduces a standardized naming logic to improve consistency and reliability across your analytics and automation workflows.

Sentinel will now select the most reliable account identifier using the following priority:

  1. UPN prefix – the part before “@” in a User Principal Name
    Example: john.doe@contoso.com → john.doe
  2. Name – used if UPN prefix is unavailable
  3. Display Name – fallback if both above are missing

Update your KQL queries and automation logic to follow the new precedence-aware pattern. Use the coalesce() function to ensure compatibility:

```kql
coalesce(Account.UPNprefix, Account.Name, Account.DisplayName)
```

Test all changes in a nonproduction workspace before rolling out to production.
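
The precedence above applied to constructed rows, as an added example that is not part of the original notice. The table, its column names and the NameSource column are assumptions for illustration; substitute the account fields your own query extracts.

```kql
// Constructed sample data standing in for account entities pulled from alerts.
// Column names (UPN, Name, DisplayName) are illustrative, not a Sentinel schema.
let SampleAccounts = datatable(AlertName:string, UPN:string, Name:string, DisplayName:string)
[
    "Constructed alert A", "john.doe@contoso.com", "jdoe",       "John Doe",
    "Constructed alert B", "",                     "svc-backup", "Backup Service",
    "Constructed alert C", "",                     "",           "Jane Roe",
    "Constructed alert D", "",                     "",           ""
];
SampleAccounts
// UPN prefix = the part before "@"; an empty UPN yields an empty prefix
| extend UPNPrefix = tostring(split(UPN, "@")[0])
// coalesce() skips empty strings, so the first populated field wins
| extend AccountName = coalesce(UPNPrefix, Name, DisplayName)
// Record which field supplied the name, to review before rollout
| extend NameSource = case(
    isnotempty(UPNPrefix),   "UPN prefix",
    isnotempty(Name),        "Name",
    isnotempty(DisplayName), "Display Name",
    "none")
| project AlertName, AccountName, NameSource
```

Rows whose NameSource is not "UPN prefix" show where a query or playbook that matches on one fixed field would see a different value than the resolved name.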
