beacon rules fields

Command Overview

beacon rules fields prints the endpoint event fields that threat-rule CEL expressions can match on.

Command syntax

beacon rules fields [flags]

Use this command while authoring rules to confirm field paths and value types.

Threat-rule expressions bind each Beacon event as e. Field paths mirror the event JSON shape, such as:

Field path	Example use
`e.event.action`	Match event type, such as `command.executed` or `file.read`
`e.command.command`	Match executed command text
`e.file.path`	Match a file path
`e.prompt.text`	Match prompt text when retained
`e.gen_ai.usage.input_tokens`	Match normalized token usage fields

Print the field list:

List rule fields

beacon rules fields

Render the field reference as markdown:

Render fields as markdown

beacon rules fields --markdown

Flag	Description
`--markdown`	Render as a markdown reference table

Validate CEL expressions and embedded fixtures.

Review normalized Beacon endpoint events.

⌘I