Possible breaking change for Sentinel
On February 25, 2026, there will be a change that could break some of your Sentinel automated processes. If you’re using advanced hunting data in scripts, playbooks, or other integrations, these will stop functioning. A schema change is being made where Boolean field values will move from numeric values (1 and 0) to textual values (True and False).
For more info, check out the Learn docs here.
What You Need to Know
Impacted Area: This change affects downstream consumers of exported results, such as custom scripts, SOAR integrations, and playbooks that check if a Boolean value equals 1 or 0.
What is NOT Affected: KQL queries and custom detection rules will automatically handle this change and do not require manual updates.
Action Required: Review and update your automated processes and scripts to look for “True/False” instead of “1/0” before February 25, 2026, to prevent breaking.
Background: This change is part of the ongoing refinement of the Advanced Hunting schema to improve data consistency.