What Changed

Fixed a critical bug in the BeyondTrust PM Cloud Data Connector’s LogAnalyticsService.cs that was causing improper batching of events sent to Microsoft Sentinel via the Logs Ingestion API.

Security Impact (Visibility & Fidelity)

Critical data ingestion failure: The previous implementation wrapped entire event arrays in a single BinaryData payload, bypassing the SDK’s automatic batching mechanism. When BeyondTrust endpoint security events or activity audits exceeded the 1MB Log Analytics ingestion limit, the connector generated 413 (ContentLengthLimitExceeded) errors and failed to ingest those batches entirely.

Detection blind spot: Deployments running the affected connector version had gaps in visibility when BeyondTrust activity exceeded per-batch size limits. This created unpredictable blind spots in endpoint security monitoring and privileged access auditing — exactly when visibility was most critical during high-activity periods.

Data fidelity restored: The fix serializes each record individually, allowing the SDK to automatically split large payloads into multiple sub-1MB requests. All BeyondTrust events now ingest consistently regardless of batch size.
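The two upload paths described above, side by side, as an added illustration that is not the connector's own code. It assumes the Azure.Monitor.Ingestion SDK (LogsIngestionClient, LogsUploadOptions and its UploadFailed callback) and Azure.Identity; the DCE endpoint, DCR immutable id and stream name are placeholders.

```csharp
// Added example, not from the connector. Shows why wrapping the whole array in one
// BinaryData defeats SDK batching, and what the per-record form looks like.
using System;
using System.Collections.Generic;
using System.Text.Json;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Monitor.Ingestion;

public static class BeyondTrustIngestion
{
    // Placeholders (assumed values): substitute the deployment's own DCE, DCR and stream.
    private const string Endpoint = "https://<dce-name>.<region>.ingest.monitor.azure.com";
    private const string RuleId = "dcr-<immutable-id>";
    private const string StreamName = "Custom-<stream-name>";

    private static readonly LogsIngestionClient Client =
        new LogsIngestionClient(new Uri(Endpoint), new DefaultAzureCredential());

    // BEFORE (the failure mode): the entire event array is serialized once and handed to the
    // raw RequestContent overload. The SDK cannot see individual records, so the payload goes
    // out as a single request; when a busy period pushes it past the per-request size limit the
    // service rejects it with 413 and every event in that batch is lost.
    public static async Task UploadUnbatchedAsync(IReadOnlyList<JsonElement> events)
    {
        BinaryData payload = BinaryData.FromObjectAsJson(events);
        await Client.UploadAsync(RuleId, StreamName, RequestContent.Create(payload));
    }

    // AFTER (the fix): pass the records themselves. The generic overload serializes each record
    // individually and splits the sequence into as many sub-limit requests as needed, so a large
    // batch of Events/FromStartDate or ActivityAudits/Details records ingests completely.
    // UploadFailed surfaces any records the service still rejects instead of silently dropping them.
    public static async Task UploadBatchedAsync(IReadOnlyList<JsonElement> events)
    {
        var options = new LogsUploadOptions();
        options.UploadFailed += args =>
        {
            Console.Error.WriteLine(
                $"{args.FailedLogs.Count} BeyondTrust records failed to ingest: {args.Exception.Message}");
            return Task.CompletedTask;
        };
        await Client.UploadAsync(RuleId, StreamName, events, options);
    }
}
```

Logging the UploadFailed callback output to the function's own telemetry is what turns a silent visibility gap into an alertable ingestion error.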

The connector retrieves endpoint security events from /v3/Events/FromStartDate (ECS format) and administrative activities from /v3/ActivityAudits/Details — both critical for detecting privileged access abuse and endpoint compromise.

Affected Files

Solutions/BeyondTrustPMCloud/Data Connectors/AzureFunctionBeyondTrustPMCloud/Services/LogAnalyticsService.cs
(packaging artefacts: BeyondTrustPMCloudFunctions.zip)