Merge pull request #307154 from guywi-ms/Update-Microsoft-Sentinel-Account-Entity-Naming

prmerger-automator[bot] · web-flow · commit d0f2216f59c5 · 2025-11-09T07:49:51.000Z
Standardized account entity naming in Microsoft Sentinel incidents an…
diff --git a/articles/sentinel/whats-new.md b/articles/sentinel/whats-new.md
@@ -1,8 +1,8 @@
 ---
 title: What's new in Microsoft Sentinel
 description: Learn about the latest new features and announcement in Microsoft Sentinel from the past few months.
-author: batamig
-ms.author: bagol
+author: guywi-ms
+ms.author: guywild
 ms.topic: concept-article
 ms.date: 09/28/2025
 #Customer intent: As a security team member, I want to stay updated on the latest features and enhancements in Microsoft Sentinel so that I can effectively manage and optimize my organization's security posture.
@@ -18,9 +18,37 @@ The listed features were released in the last six months. For information about
 
 [!INCLUDE [reference-to-feature-availability](includes/reference-to-feature-availability.md)]
 
-## October 2025
+## November 2025
+
+- [Call to action: update queries and automation by December 13, 2025 - standardized account entity naming in incidents and alerts](#call-to-action-update-queries-and-automation-by-december-13-2025---standardized-account-entity-naming-in-incidents-and-alerts)
+
+### Call to action: update queries and automation by December 13, 2025 - standardized account entity naming in incidents and alerts
+
+Microsoft Sentinel is updating how it identifies account entities in incidents and alerts. This change introduces a standardized naming logic to improve consistency and reliability across your analytics and automation workflows.
+
+> [!IMPORTANT]
+> This change might affect your analytic rules, automation rules, playbooks, workbooks, hunting queries, and custom integrations.
+
+Sentinel will now select the most reliable account identifier using the following priority:
 
+1. **UPN prefix** – the part before “@” in a User Principal Name
+   - Example: `john.doe@contoso.com` → `john.doe`
+
+1. **Name** – used if UPN prefix is unavailable
+1. **Display Name** – fallback if both above are missing
+
+Update your KQL queries and automation logic to follow the new precedence-aware pattern. Use the [`coalesce()`(/kusto/query/coalesce-function)](/kusto/query/coalesce-function) function to ensure compatibility:
+
+```kql
+coalesce(Account.UPNprefix, Account.Name, Account.DisplayName)
+```
+Test all changes in a nonproduction workspace before rolling out to production.
+
+
+## October 2025
 
+- [Export STIX threat intelligence objects (Preview)](#export-stix-threat-intelligence-objects-preview)
+- [Call to action: update queries and automation by December 13, 2025 - standardized account entity naming in incidents and alerts](#call-to-action-update-queries-and-automation-by-december-13-2025---standardized-account-entity-naming-in-incidents-and-alerts)
 
 ### Export STIX threat intelligence objects (Preview)
 
