Ingest HYPR Audit Events into Microsoft Sentinel via Azure Logic Apps
Purpose
This playbook describes how to forward HYPR audit events into Microsoft Sentinel for SIEM analysis. The pattern is:
- HYPR emits an audit event and POSTs it to a registered HYPR Event Hook.
- The Event Hook's invocation endpoint is an Azure Logic App that receives the payload, transforms it, and writes it to a Microsoft Sentinel workspace.
- Sentinel ingests the event for downstream detection, hunting, and alerting.
The integration relies on OAuth client credentials: HYPR obtains an access token from Entra ID with the client_credentials grant and presents it as a bearer token on every POST, and the Logic App's authorization policy rejects requests whose token does not carry the expected issuer and audience claims.
Architecture
HYPR Control Center
│
│ POST <event payload>
│ Authorization: Bearer <token from Entra>
▼
Azure Logic App (HTTP trigger → Compose → Send Data action)
│
▼
Microsoft Sentinel workspace
Prerequisites
- An Azure subscription with permission to create:
- An Entra ID App Registration (for the Logic App's OAuth client credentials)
- A Logic App
- A Microsoft Sentinel workspace (or access to an existing one)
- HYPR Control Center with Event Hooks enabled on the tenant.
- Familiarity with Azure Logic Apps and Microsoft Sentinel administration.
Procedure
Step 1 — Create the App Registration for OAuth
Create an Entra ID App Registration that HYPR will use as its OAuth client. The Logic App does not hold these credentials; it validates the tokens Entra issues to this client.
- In the Azure Portal, go to Microsoft Entra ID → App registrations → New registration.
- Name: HYPR-Sentinel-Bridge (or your preferred name).
- Supported account types: Accounts in this organizational directory only.
- Click Register.
- From the app's Overview, copy:
- Application (client) ID — used by HYPR Event Hook as clientId.
- Directory (tenant) ID — used in the authorizationEndpoint URL (the Entra token endpoint).
- Open Certificates & secrets → Client secrets → New client secret.
- Choose an expiration per policy.
- Copy the secret's Value immediately (it is not retrievable later) — used by HYPR Event Hook as clientSecret. Record the expiry date: when the secret lapses, HYPR's token requests start failing and the Logic App returns 401 until the Event Hook is updated.
Step 2 — Create the Logic App
- Create a new Logic App (Consumption) in the same region as your Sentinel workspace.
- Open the workflow designer and add the trigger When an HTTP request is received.
- Restrict who may call the trigger. In the Logic App's Settings → Authorization, add an authorization policy whose claims (at least iss and aud) match the token Entra ID issues to the Step 1 client; a request without a matching bearer token is rejected before the workflow runs. The trigger URL also carries a shared access signature (sig=) in its query string that authorizes invocation on its own, so treat the URL as a secret and store it only in the HYPR Event Hook configuration; where your Logic App exposes the option, disable SAS authentication for triggers so the bearer token is the only accepted credential.
- Configure the trigger to accept the schema below.
Request body JSON schema
Paste this schema into the Request Body JSON Schema field of the trigger so the workflow parses HYPR payload fields as typed objects:
```json
{
  "type": "object",
  "properties": {
    "version": { "type": "string" },
    "id": { "type": "string" },
    "detail-type": { "type": "string" },
    "source": { "type": "string" },
    "account": { "type": "string" },
    "time": { "type": "string", "format": "date-time" },
    "region": { "type": "string" },
    "resources": { "type": "array" },
    "detail": {
      "type": "object",
      "properties": {
        "data": {
          "type": "object",
          "properties": {
            "id": { "type": "string" },
            "version": { "type": "number" },
            "type": { "type": "string" },
            "eventName": { "type": "string" },
            "message": { "type": "string" },
            "subName": { "type": "string" },
            "eventLoggedBy": { "type": "string" },
            "eventTimeInUTC": { "type": "number" },
            "loggedTimeInUTC": { "type": "number" },
            "tenantId": { "type": "string" },
            "remoteIP": { "type": "string" },
            "userAgent": { "type": "string" },
            "traceId": { "type": "string" },
            "additionalDetails": { "type": "object" },
            "deviceType": { "type": "string" },
            "rpAppId": { "type": "string" },
            "machineId": { "type": "string" },
            "sessionId": { "type": "string" },
            "machineUserName": { "type": "string" },
            "deviceOS": { "type": "string" },
            "serverRelVersion": { "type": "string" },
            "origin": { "type": "string" },
            "eventTags": { "type": "string" },
            "isSuccessful": { "type": "boolean" }
          },
          "required": ["eventName", "isSuccessful", "machineUserName"]
        },
        "dataSource": { "type": "string" },
        "date": { "type": "string" },
        "hour": { "type": "string" },
        "customerUuid": { "type": "string" },
        "tenantUuid": { "type": "string" },
        "eventTags": {
          "type": "array",
          "items": { "type": "string" }
        }
      }
    }
  },
  "required": ["version", "id", "detail-type", "source", "time", "detail"]
}
```
After saving, copy the trigger's generated HTTP POST URL. This is the value you will give HYPR as the invocationEndpoint.
Step 3 — Add a Compose action to project the payload
Add a Compose action after the trigger to project the HYPR event into the shape your Sentinel custom log table expects. The reference projection extracts the most-queried fields:

```json
{
  "eventId": "@{triggerBody()?['detail']?['data']?['id']}",
  "eventType": "@{triggerBody()?['detail']?['data']?['eventName']}",
  "user": "@{triggerBody()?['detail']?['data']?['machineUserName']}",
  "timestamp": "@triggerBody()?['detail']?['data']?['eventTimeInUTC']",
  "device": "@{triggerBody()?['detail']?['data']?['deviceType']}",
  "success": "@triggerBody()?['detail']?['data']?['isSuccessful']",
  "message": "@{triggerBody()?['detail']?['data']?['message']}",
  "ipAddress": "@{triggerBody()?['detail']?['data']?['remoteIP']}",
  "tenantId": "@{triggerBody()?['detail']?['data']?['tenantId']}"
}
```

Note the two expression forms. "@{...}" is string interpolation and always produces a string, which is what you want for the text fields. A value that consists only of "@expression" keeps the expression's native JSON type, so timestamp and success use that form: eventTimeInUTC stays a number and isSuccessful stays a boolean. If you interpolate them instead, the Data Collector connector creates success_s (text "true"/"false") rather than success_b, and every detection query has to compare against strings.
Adapt the projection to include any additional fields from the schema your detection logic needs (for example, traceId, rpAppId, sessionId, additionalDetails).
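The following Python script is an added example, not HYPR's or Microsoft's code. It reproduces offline what the trigger and the Compose action do to a payload: it checks a constructed HYPR-shaped event against the required fields and types of the schema above, applies the same projection while keeping native JSON types, and then runs a failed-authentication count over projected records to show why success must arrive as a real boolean. The sample event, its field values and the event name are invented for the example.

```python
import json

# Required keys from the trigger schema above (top level and detail.data).
TOP_REQUIRED = ["version", "id", "detail-type", "source", "time", "detail"]
DATA_REQUIRED = ["eventName", "isSuccessful", "machineUserName"]

# Types for the detail.data fields the Compose projection reads.
DATA_TYPES = {
    "id": str, "eventName": str, "message": str, "machineUserName": str,
    "remoteIP": str, "tenantId": str, "deviceType": str,
    "eventTimeInUTC": (int, float), "isSuccessful": bool,
}


def sample_event(user="alice", ok=False, event_id="evt-0001"):
    """Constructed HYPR-shaped audit event (not a captured payload): field
    names follow the trigger schema, every value is invented."""
    return {
        "version": "0",
        "id": event_id,
        "detail-type": "HYPR Audit Event",
        "source": "hypr.control-center",
        "account": "000000000000",
        "time": "2024-05-01T12:00:00Z",
        "region": "us-east-1",
        "resources": [],
        "detail": {
            "data": {
                "id": event_id,
                "eventName": "AUTHENTICATION_COMPLETED",
                "isSuccessful": ok,
                "machineUserName": user,
                "remoteIP": "203.0.113.10",
                "tenantId": "tenant-1",
                "deviceType": "iOS",
                "eventTimeInUTC": 1714564800000,
                "message": "push approved" if ok else "push rejected",
            },
            "eventTags": ["auth"],
        },
    }


def validate(event):
    """Check the parts of the schema the workflow depends on.
    Returns a list of problems; an empty list means the payload is acceptable."""
    problems = [f"missing top-level field {k}" for k in TOP_REQUIRED if k not in event]
    detail = event.get("detail")
    data = detail.get("data") if isinstance(detail, dict) else None
    if not isinstance(data, dict):
        return problems + ["detail.data missing or not an object"]
    problems += [f"missing detail.data.{k}" for k in DATA_REQUIRED if k not in data]
    for key, expected in DATA_TYPES.items():
        if key not in data:
            continue
        value = data[key]
        # bool is a subclass of int in Python, so reject True/False for number fields explicitly
        wrong = (isinstance(value, bool) and expected is not bool) or not isinstance(value, expected)
        if wrong:
            name = getattr(expected, "__name__", "number")
            problems.append(f"detail.data.{key}: expected {name}, got {type(value).__name__}")
    return problems


def project(event):
    """Same projection as the Compose action, keeping native JSON types.
    In the Logic App only the text fields should use "@{...}" interpolation;
    timestamp and success need a bare "@..." expression, otherwise they reach
    Log Analytics as strings and success_b becomes success_s."""
    d = event["detail"]["data"]
    return {
        "eventId": d.get("id"),
        "eventType": d["eventName"],
        "user": d["machineUserName"],
        "timestamp": d.get("eventTimeInUTC"),
        "device": d.get("deviceType"),
        "success": d["isSuccessful"],
        "message": d.get("message"),
        "ipAddress": d.get("remoteIP"),
        "tenantId": d.get("tenantId"),
    }


def failures_by_user(records):
    """Equivalent of `where success == false | summarize count() by user` over
    projected records. Relies on success being a real boolean: had the Compose
    action stringified it, the text "false" would never match here either."""
    counts = {}
    for r in records:
        if r["success"] is False:
            counts[r["user"]] = counts.get(r["user"], 0) + 1
    return counts


if __name__ == "__main__":
    ev = sample_event()
    print("problems:", validate(ev))
    print(json.dumps(project(ev), indent=2))
    print(failures_by_user([project(sample_event("alice", False, "1")),
                            project(sample_event("alice", False, "2")),
                            project(sample_event("bob", True, "3"))]))
```

Run it against a payload copied from the Logic App's Run history (the raw triggerBody()) before adjusting the schema or the Compose paths: validate() tells you which required field or type the real event disagrees with.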
Step 4 — Send the data to Sentinel
Add the final action to write the composed event to your Sentinel workspace. Microsoft provides multiple supported patterns — choose the one that fits your workspace configuration:
- Azure Log Analytics Data Collector connector, "Send Data" action (the Logic Apps managed connector used from Sentinel playbooks), for direct ingestion into a custom log table. Set Custom Log Name to the table name without the suffix (for example HYPR_Events; Log Analytics creates HYPR_Events_CL and adds a type suffix to each column) and pass the Compose output as the JSON Request body. The API connection authenticates with the workspace ID and a workspace shared key; keep that key in the API connection, never in the workflow definition. Microsoft has deprecated the underlying HTTP Data Collector API in favour of the Logs Ingestion API, so prefer the second option for new deployments. See the Microsoft Sentinel Logic Apps connector reference.
- Azure Monitor Logs Ingestion API via the HTTP action when your workspace uses a Data Collection Rule / Data Collection Endpoint configured for custom logs. Authenticate the HTTP action with the Logic App's managed identity, which needs the Monitoring Metrics Publisher role on the DCR, and keep the Compose field names aligned with the DCR's stream declaration, because the table columns come from the DCR rather than from the first record.
Pass the Compose action's output as the body of the Sentinel write action.
Step 5 — Register the HYPR Event Hook
Register an Event Hook in HYPR Control Center that POSTs events to the Logic App's invocation endpoint with OAuth client credentials authentication. The configuration body:
```json
{
  "eventType": "ALL",
  "invocationEndpoint": "<logic-app-invocation-url>",
  "httpMethod": "POST",
  "authType": "OAUTH_CLIENT_CREDENTIALS",
  "authParams": {
    "oauthParameters": {
      "clientParameters": {
        "clientId": "<app-registration-client-id>",
        "clientSecret": "<app-registration-client-secret>"
      },
      "authorizationEndpoint": "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token",
      "httpMethod": "POST",
      "oauthHttpParameters": {
        "bodyParameters": [
          { "key": "scope", "value": "https://logic.azure.com/.default", "isValueSecret": false },
          { "key": "grant_type", "value": "client_credentials", "isValueSecret": false }
        ]
      }
    },
    "invocationHttpParameters": {
      "headerParameters": [
        { "key": "Content-Type", "value": "application/json", "isValueSecret": false }
      ]
    }
  }
}
```
Substitutions:
| Placeholder | Value |
|---|---|
| <logic-app-invocation-url> | The HTTP POST URL from Step 2 |
| <app-registration-client-id> | Application (client) ID from Step 1 |
| <app-registration-client-secret> | Client secret value from Step 1 |
| <tenant-id> | Directory (tenant) ID from Step 1 |
Set eventType to "ALL" to forward every audit event, or scope to a subset by listing specific event names per the Audit Trail Event Descriptions.
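The script below is an added example, not HYPR's Event Hook client, for exercising the Logic App before (or instead of) waiting for a real audit event. It builds the same two HTTP requests the configuration above makes HYPR send: the client_credentials token request to the authorizationEndpoint with the scope and grant_type body parameters, and the POST to the invocationEndpoint with the bearer token. The build_* functions are pure so the requests can be inspected without network access; send_event() performs them. The environment variable names, the synthetic event and the SYNTHETIC_TEST event name are this example's own assumptions.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

SCOPE = "https://logic.azure.com/.default"  # scope from the Event Hook body


def build_token_request(tenant_id, client_id, client_secret, scope=SCOPE):
    """Client-credentials request to the Event Hook's authorizationEndpoint:
    returns (url, form-encoded body, headers). Mirrors clientParameters plus
    oauthHttpParameters.bodyParameters from the configuration."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
        "grant_type": "client_credentials",
    }).encode()
    return url, body, {"Content-Type": "application/x-www-form-urlencoded"}


def build_invocation(invocation_endpoint, access_token, event):
    """POST to the Logic App trigger carrying the bearer token that the
    Logic App's authorization policy checks."""
    body = json.dumps(event).encode()
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"Bearer {access_token}",
    }
    return invocation_endpoint, body, headers


def redact_url(url):
    """Trigger URL minus its query string. A Consumption trigger URL carries a
    shared access signature (sig=) that authorizes invocation by itself, so it
    must never appear in logs or tickets."""
    parts = urllib.parse.urlsplit(url)
    return urllib.parse.urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def post(url, body, headers, timeout=15):
    """Send the request; return (status, raw body) even for 4xx/5xx so a 401
    from the Logic App is reported instead of raised."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def send_event(event, env=os.environ):
    """Fetch a token, then invoke the Logic App. The four environment variable
    names are this example's own (hypothetical), not HYPR or Azure settings."""
    url, body, headers = build_token_request(
        env["ENTRA_TENANT_ID"], env["ENTRA_CLIENT_ID"], env["ENTRA_CLIENT_SECRET"])
    status, raw = post(url, body, headers)
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}")
    token = json.loads(raw)["access_token"]
    url, body, headers = build_invocation(env["LOGIC_APP_INVOCATION_URL"], token, event)
    status, _ = post(url, body, headers)
    print(f"POST {redact_url(url)} -> HTTP {status}")
    return status


if __name__ == "__main__":
    # Constructed event carrying only the fields the trigger schema marks required.
    synthetic_event = {
        "version": "0", "id": "synthetic-0001", "detail-type": "HYPR Audit Event",
        "source": "synthetic-smoke-test", "time": "2024-05-01T12:00:00Z",
        "detail": {"data": {"eventName": "SYNTHETIC_TEST", "isSuccessful": True,
                            "machineUserName": "sentinel-smoke-test"}},
    }
    send_event(synthetic_event)
```

A 200 or 202 from the Logic App followed by a record in the destination table confirms the authorization policy, the schema and the write action together; a 401 with a valid secret points at the policy's issuer/audience claims rather than at HYPR. Use a recognisable eventName for the synthetic event so the smoke-test records can be excluded from detections.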
Validate end-to-end
- Trigger an event in HYPR Control Center (for example, sign in, register a device, or initiate a verification).
- In the Logic App's Run history, confirm the trigger fired and the Compose / Send Data actions completed successfully.
- In your Sentinel workspace, query the destination table for the new record. With the Data Collector connector, custom log table names end in _CL and each column carries a type suffix (_s string, _b boolean, _d number). For example:

```kusto
HYPR_Events_CL
| where TimeGenerated > ago(15m)
| project TimeGenerated, eventType_s, user_s, success_b, message_s
```

- Confirm the projected fields match the HYPR payload (eventName, machineUserName, isSuccessful, etc.). If the table shows success_s instead of success_b, the Compose action interpolated the boolean with "@{...}" and sent it as text; use a bare "@triggerBody()?[...]" expression for that field instead. With the Logs Ingestion API the column names are those declared in the DCR and carry no suffix.
Troubleshooting
- HYPR Event Hook never invokes the Logic App — confirm the Event Hook is enabled and its invocationEndpoint matches the Logic App trigger URL exactly, including the query string. Use HYPR Audit Trail to verify the hook fires; the hook lifecycle events appear there alongside the verification events.
- Logic App returns 401 / 403 to HYPR — the OAuth client credentials in the Event Hook configuration are wrong or expired (check the secret's expiry under Certificates & secrets), or the token Entra issues does not satisfy the Logic App's authorization policy (issuer and audience claims under the Logic App's Settings → Authorization). Confirm Step 1 IDs and Step 5 substitutions, and compare the aud claim of a token obtained with those credentials against the policy.
- Trigger fires but Compose fails — the payload shape differs from the schema. Inspect the raw triggerBody() in the Run history and adjust the schema or the triggerBody()?['detail']?['data']?[...] paths in the Compose action.
- Data reaches Sentinel but custom-log fields are typed unexpectedly — with the Data Collector connector, custom-log columns are typed from the first ingested record. Drop and recreate the custom table if the schema needs to change after initial population. With the Logs Ingestion API, column names and types come from the table schema and the DCR, so correct those instead.
Related
- Playbooks overview
- Audit Trail Event Descriptions — full event reference for scoping eventType in the Event Hook
- Microsoft Sentinel — Logic Apps playbook triggers and actions (external)
- Azure Monitor Logs Ingestion API (external)
- Microsoft Entra ID App Registrations — client credentials flow (external)