M365 Defender ASIM Parser: TargetUserSessionId Field Restoration Fixes Data Fidelity Gap

What Changed

Microsoft 365 Defender ASIM ProcessEvent parsers (both ASimProcessEventMicrosoft365D v0.3.1 and vimProcessEventMicrosoft365D v0.4.1) now include the previously missing TargetUserSessionId field in their project statements.

Parser Impact

The TargetUserSessionId field was mapped in the parser logic (TargetUserSessionId = tostring(LogonId)) but omitted from the final project statement. Queries referencing TargetUserSessionId against these parsers previously returned null for all rows — this is a data fidelity fix, not a cosmetic update.

Session correlation queries using this field for process-to-logon event linking can now function correctly. No change to other normalised field names or filter logic — safe for existing detections using these parsers.

Affected Files

Parsers/ASimProcessEvent/ARM/ASimProcessEventMicrosoft365D/ASimProcessEventMicrosoft365D.json
Parsers/ASimProcessEvent/ARM/vimProcessEventMicrosoft365D/vimProcessEventMicrosoft365D.json
Parsers/ASimProcessEvent/CHANGELOG/ASimProcessEventMicrosoft365D.md
Parsers/ASimProcessEvent/CHANGELOG/vimProcessEventMicrosoft365D.md
Parsers/ASimProcessEvent/Parsers/ASimProcessEventMicrosoft365D.yaml
Parsers/ASimProcessEvent/Parsers/vimProcessEventMicrosoft365D.yaml

What Changed#

Parser Impact#

Affected Files#

What Changed

Parser Impact

Affected Files