Command Overview
beacon scan runs active threat-detection rules over the local Beacon runtime log and reports findings. The scan is read-only and never touches the network.
Command syntax
How scanning works
Beacon loads rules from the local rule store when one is installed; otherwise it falls back to the built-in baseline rules. You can also point a scan at an explicit rule directory with --rules.
Rules are YAML documents with CEL expressions over the Beacon Endpoint Event Schema. Rules can match one event or correlate multiple ordered events within one session window.
Workflows
Run local scans
Choose runtime logs, rule directories, sessions, and output formats.
Use scan gates
Filter findings and fail automation on severity thresholds.
Examples
Run the active rules over the default per-user endpoint log:
Run a local scan
Print JSON findings
Filter by severity
Fail on high-severity findings
Scan an explicit log and rules directory
Scan one session
Flags
| Flag | Description |
|---|---|
| --user | Use per-user endpoint paths. Enabled by default |
| --system | Use system endpoint paths |
| --log-path <path> | Runtime JSONL log path. Defaults to the path resolved from endpoint config |
| --rules <dir> | Rule directory to scan with. Defaults to the local store, then the built-in baseline |
| --json | Output findings as JSON |
| --min-severity <level> | Only report findings at or above the given level: info, low, medium, high, or critical |
| --session <id> | Only scan events whose session id contains this value |
| --fail-on <level> | Exit non-zero if any finding is at or above the given level: info, low, medium, high, or critical |
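As an added illustration of the session-window correlation described under "How scanning works" and of the --session, --min-severity and --fail-on semantics in the flags table (example code, not Beacon's own; the JSONL field names ts/session/event, the rule shape and the finding format are assumptions, and the log is constructed), this Python evaluates one ordered two-event rule per session within a time window and then applies the filter and gate:

```python
import json
from collections import defaultdict

SEVERITIES = ["info", "low", "medium", "high", "critical"]  # ordered low to high, as in the flags table

# Constructed JSONL runtime log; ts/session/event are assumed names, not the real Beacon Endpoint Event Schema.
SAMPLE_LOG = """\
{"ts": 100, "session": "sess-a1", "event": "credential_read"}
{"ts": 130, "session": "sess-a1", "event": "outbound_connect"}
{"ts": 100, "session": "sess-b2", "event": "credential_read"}
{"ts": 900, "session": "sess-b2", "event": "outbound_connect"}
{"ts": 200, "session": "sess-c3", "event": "outbound_connect"}
{"ts": 210, "session": "sess-c3", "event": "credential_read"}
"""

def matches_in_order(events, sequence, window):
    """True if `sequence` occurs in order, all within `window` time units of its first event."""
    events = sorted(events, key=lambda e: e["ts"])
    for i, first in enumerate(events):
        if first["event"] != sequence[0]:
            continue
        deadline, pos = first["ts"] + window, 1
        for ev in events[i + 1:]:
            if ev["ts"] > deadline:
                break  # window closed before the rest of the sequence appeared
            if ev["event"] == sequence[pos]:
                pos += 1
                if pos == len(sequence):
                    return True
    return False

def scan(jsonl, sequence, window, severity, session=None):
    """Group events per session (only sessions whose id contains `session`, like --session)
    and emit one finding per session in which the ordered rule matches."""
    by_session = defaultdict(list)
    for line in jsonl.splitlines():
        if line.strip():
            ev = json.loads(line)
            if session is None or session in ev["session"]:
                by_session[ev["session"]].append(ev)
    return [{"session": sid, "rule": " -> ".join(sequence), "severity": severity}
            for sid, evs in by_session.items() if matches_in_order(evs, sequence, window)]

def gate(findings, min_severity="info", fail_on=None):
    """--min-severity keeps findings at or above it; --fail-on yields exit status 1 if any
    finding is at or above it (assumed to be checked against all findings, not only reported ones)."""
    rank = SEVERITIES.index
    reported = [f for f in findings if rank(f["severity"]) >= rank(min_severity)]
    failed = fail_on is not None and any(rank(f["severity"]) >= rank(fail_on) for f in findings)
    return reported, (1 if failed else 0)
```

With a 60-unit window only sess-a1 matches: sess-b2 exceeds the window and sess-c3 has the events in the wrong order.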
Related
beacon rules
Manage, pull, and author threat-detection rules.
Detections
Learn how detection rules, fixtures, and findings work.
Endpoint dashboard
Inspect the same runtime logs locally before or after scanning.