What Changed
Modified the BeyondTrust PM Cloud Function App data connector to implement per-page transmission to Microsoft Sentinel instead of accumulating all pages in memory before sending. The fix affects both Activity Audits and Client Events functions.
Security Impact (Visibility & Fidelity)
Customer-reported production issue: Timer functions were hanging when processing large event backlogs, causing complete data ingestion failure for affected deployments. Customers experienced:
- No Activity Audit data ingestion during high-volume periods
- No Client Events data ingestion when processing event backlogs
- Function App timeouts preventing any security monitoring data from reaching Sentinel
The fix implements proper checkpointing after each page transmission, ensuring progress survives host timeouts and large datasets are processed incrementally rather than failing entirely.
Technical Details
- Memory optimization: Eliminates accumulation of entire result sets in memory before transmission
- Improved batching: Serializes log records individually so the Logs Ingestion SDK can batch sub-1MB requests correctly
- Progress persistence: Checkpoints state after each successful page transmission to survive Azure Function timeouts
- Live cursor tracking: Prevents duplicate record transmission across pages within the same invocation
This addresses both the ActivityAuditsFunction.cs and ClientEventsFunction.cs components, which ingest administrative audit trails and endpoint security events respectively.
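The pattern the Technical Details describe (send each page as soon as it is fetched, serialize records one by one, advance a live cursor, persist a checkpoint only after the page has been uploaded) is sketched below as an added, self-contained illustration. It is not code from this PR or from the BeyondTrust connector: `IAuditSource`, `ILogSink`, `ICheckpointStore`, `PagedIngestor` and the in-memory stand-ins are hypothetical names, the sample events are constructed, and a per-invocation page limit stands in for the Function host timeout.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

// Hypothetical stand-ins for the connector's API client, the Logs Ingestion client
// and its state storage. None of these types exist in the real connector.
public sealed record AuditEvent(string Id, DateTimeOffset Timestamp, string Action);

public sealed record Page(IReadOnlyList<AuditEvent> Records, bool HasMore);

public interface IAuditSource
{
    // Returns events with Timestamp strictly after 'since', oldest first, at most one page.
    Page Fetch(DateTimeOffset since, int pageSize);
}

public interface ILogSink
{
    // Takes one serialized JSON document per record, so the sink can batch by byte size.
    void Upload(IReadOnlyList<string> serializedRecords);
}

public interface ICheckpointStore
{
    DateTimeOffset Load();
    void Save(DateTimeOffset watermark);
}

public sealed class PagedIngestor
{
    private readonly IAuditSource _source;
    private readonly ILogSink _sink;
    private readonly ICheckpointStore _checkpoint;
    private readonly int _pageSize;

    public PagedIngestor(IAuditSource source, ILogSink sink, ICheckpointStore checkpoint, int pageSize)
    {
        _source = source; _sink = sink; _checkpoint = checkpoint; _pageSize = pageSize;
    }

    // Sends at most maxPages pages (stand-in for the host timeout) and returns how many records went out.
    public int Run(int maxPages)
    {
        DateTimeOffset cursor = _checkpoint.Load();   // resume from the last persisted watermark
        int sent = 0;
        for (int i = 0; i < maxPages; i++)
        {
            Page page = _source.Fetch(cursor, _pageSize);
            if (page.Records.Count == 0) break;

            // One JSON document per record, never one array holding the whole backlog.
            var docs = page.Records.Select(r => JsonSerializer.Serialize(r)).ToList();
            _sink.Upload(docs);
            sent += docs.Count;

            // Advance the live cursor so the next page starts after what was just sent,
            // then persist it: a timeout after this point loses nothing already uploaded.
            cursor = page.Records[^1].Timestamp;
            _checkpoint.Save(cursor);

            if (!page.HasMore) break;
        }
        return sent;
    }
}

// In-memory implementations with constructed data, enough to exercise the flow offline.
public sealed class InMemorySource : IAuditSource
{
    private readonly List<AuditEvent> _events;
    public InMemorySource(IEnumerable<AuditEvent> events) => _events = events.OrderBy(e => e.Timestamp).ToList();
    public Page Fetch(DateTimeOffset since, int pageSize)
    {
        var remaining = _events.Where(e => e.Timestamp > since).ToList();
        return new Page(remaining.Take(pageSize).ToList(), remaining.Count > pageSize);
    }
}

public sealed class InMemorySink : ILogSink
{
    public List<string> Uploaded { get; } = new();
    public void Upload(IReadOnlyList<string> serializedRecords) => Uploaded.AddRange(serializedRecords);
}

public sealed class InMemoryCheckpoint : ICheckpointStore
{
    private DateTimeOffset _watermark = DateTimeOffset.MinValue;
    public DateTimeOffset Load() => _watermark;
    public void Save(DateTimeOffset watermark) => _watermark = watermark;
}

public static class Program
{
    public static void Main()
    {
        var start = new DateTimeOffset(2024, 1, 1, 0, 0, 0, TimeSpan.Zero);
        // Constructed backlog of seven audit events, one minute apart.
        var backlog = Enumerable.Range(1, 7)
            .Select(i => new AuditEvent($"evt-{i}", start.AddMinutes(i), "PolicyChanged"));
        var source = new InMemorySource(backlog);
        var sink = new InMemorySink();
        var checkpoint = new InMemoryCheckpoint();

        // First invocation "times out" after two pages of three; six records are already in the sink.
        int first = new PagedIngestor(source, sink, checkpoint, pageSize: 3).Run(maxPages: 2);
        // Second invocation resumes from the persisted watermark and sends only the remaining one.
        int second = new PagedIngestor(source, sink, checkpoint, pageSize: 3).Run(maxPages: 10);

        int distinct = sink.Uploaded.Distinct().Count();
        Console.WriteLine($"first run sent {first}, second run sent {second}, distinct uploaded {distinct}");
    }
}
```

Two things to check when applying this shape to a real connector: the checkpoint must be written only after the upload call has returned successfully (a save before the send would silently skip a page on failure), and a timestamp watermark with a strict greater-than query only avoids gaps when timestamps are unique per record; if the upstream API can return several records with the same timestamp, carry its opaque page token or record id as the cursor instead.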
Affected Files
Solutions/BeyondTrustPMCloud/Data Connectors/AzureFunctionBeyondTrustPMCloud/Functions/ActivityAuditsFunction.cs
Solutions/BeyondTrustPMCloud/Data Connectors/AzureFunctionBeyondTrustPMCloud/Functions/ClientEventsFunction.cs
(packaging artefacts: BeyondTrustPMCloudFunctions.zip)