Audit log search at 10k events per second: what we learned indexing Entra at scale.
Portal filters and one-off PowerShell exports break down when sign-in volume spikes. We built TenLens audit search for operators who need "who changed this policy in the last hour?" without downloading half a tenant to CSV first.
What 10k events per second means in Entra
Sustained per-second rates that high are rare in a single tenant, but busy enterprises routinely ingest millions of sign-in and directory audit events per day. The operator experience is not defined by the average. It is defined by the hour where everything happens at once: password spray, CA rollout, break-glass activation.
At that scale, latency compounds. Export to Excel. Wait. Filter again. Miss the window.
Desktop, local creds, no middleman cache
We could have shipped a SaaS log lake. That would make benchmarks easy and subpoenas easier. TenLens is a desktop console: events land in a local index, encrypted with keys your OS manages, queryable without a round trip to our infrastructure.
- Ingest: Audit events stream in from Entra as they happen.
- Store: Indexed on your machine and encrypted with credentials only your device can unlock.
- Query: Full-text search in under 50 ms on a 30-day window for typical policy investigations.
How we index your audit stream
The pipeline is deliberately boring. Boring pipelines are operable at 3 a.m.
Events sync in real time. We normalize actor, target, and correlation once, then keep a searchable local index tuned for time ranges and policy investigations.
When you search for a policy change, you are not waiting on a remote service. The index already lives beside the console.
A day's audit log, queried in 400 ms. That is the bar we hold ourselves to on a laptop, not in a slide deck.
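To make the normalize-once, time-bounded-query idea concrete, here is an added illustration (not TenLens code) of the shape such a local index takes: Microsoft Graph directoryAudit records are flattened to actor, target and correlation id, kept sorted by time, and a "who changed this policy in the last hour?" question becomes two bisects plus a target filter. The records are constructed samples; only the Graph field names are real.

```python
from bisect import bisect_left, bisect_right
from datetime import datetime, timedelta

# Constructed sample records in the shape Graph returns for directoryAudit objects;
# field names are the real Graph names, every value is made up for this example.
SAMPLE_EVENTS = [
    {"activityDateTime": "2024-05-01T09:10:00Z", "category": "Policy", "correlationId": "corr-0001",
     "activityDisplayName": "Update conditional access policy",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "Require MFA for admins", "type": "Policy"}]},
    {"activityDateTime": "2024-05-01T09:42:00Z", "category": "RoleManagement", "correlationId": "corr-0002",
     "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"displayName": "Global Administrator", "type": "Role"}]},
    {"activityDateTime": "2024-05-01T09:55:00Z", "category": "Policy", "correlationId": "corr-0003",
     "activityDisplayName": "Update conditional access policy",
     "initiatedBy": {"app": {"displayName": "Policy Sync Automation"}},
     "targetResources": [{"displayName": "Require MFA for admins", "type": "Policy"}]},
    {"activityDateTime": "2024-05-01T07:05:00Z", "category": "Policy", "correlationId": "corr-0004",
     "activityDisplayName": "Update conditional access policy",
     "initiatedBy": {"user": {"userPrincipalName": "carol@contoso.example"}},
     "targetResources": [{"displayName": "Require MFA for admins", "type": "Policy"}]},
]

def parse_ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def normalize(event):
    """Flatten one directoryAudit record into the fields worth indexing (done once, at ingest)."""
    who = event.get("initiatedBy") or {}
    actor = ((who.get("user") or {}).get("userPrincipalName")
             or (who.get("app") or {}).get("displayName") or "unknown")
    return {"ts": parse_ts(event["activityDateTime"]), "actor": actor,
            "activity": event.get("activityDisplayName", ""), "correlation_id": event.get("correlationId", ""),
            "targets": tuple(t.get("displayName", "") for t in event.get("targetResources", []))}

class AuditIndex:
    """Time-sorted local index: a range lookup is two bisects, not a scan of the whole store."""
    def __init__(self, events):
        self.rows = sorted((normalize(e) for e in events), key=lambda r: r["ts"])
        self.keys = [r["ts"] for r in self.rows]

    def window(self, start, end):
        return self.rows[bisect_left(self.keys, start):bisect_right(self.keys, end)]

    def who_changed(self, target, now_iso, hours=1):
        # "Who touched this target in the last N hours?" -> (actor, activity, correlationId)
        now = parse_ts(now_iso)
        return [(r["actor"], r["activity"], r["correlation_id"])
                for r in self.window(now - timedelta(hours=hours), now) if target in r["targets"]]
```

Calling `AuditIndex(SAMPLE_EVENTS).who_changed("Require MFA for admins", "2024-05-01T10:00:00Z")` returns the two in-window edits to that policy, including the one made by an app rather than a user, and leaves out the 07:05 edit and the unrelated role change; the correlation id is what you pivot on to pull the sign-in behind each change.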
Live tail, pinned queries, export to SIEM
The audit view supports three modes operators asked for repeatedly:
- Live tail for incidents, with anomaly markers on the timeline.
- Pinned queries for recurring compliance checks (privileged role changes, CA updates).
- Immutable export to your SIEM format when the investigation leaves the laptop.
Drill-down keeps context: from a spike on the 24-hour waveform to the single policy change that caused it.
What we still cannot promise
Local indexing means retention is bounded by disk and policy, not by an infinite cloud retention tier. Very long cold-archive search may still belong in your SIEM. We are honest about that trade-off.
We are benchmarking with a few design partners who run heavy hybrid sign-in volume. If that is you, reach out at support@tenlens.com.