beacon endpoint sentinel
Use beacon endpoint sentinel to generate Microsoft Sentinel forwarding content for Beacon endpoint events. The generated pack keeps Beacon as a local JSONL producer and lets Azure Monitor Agent tail runtime.jsonl into a Log Analytics custom table through a Data Collection Rule.
Beacon does not store Azure tenant IDs, client secrets, workspace IDs, DCR identifiers, ingestion endpoints, or Azure Monitor Agent configuration. Keep those values in Azure, endpoint-management policy, or deployment tooling.
Commands
beacon endpoint sentinel print-config
Print the Sentinel DCR transform for Beacon endpoint events.
beacon endpoint sentinel install-pack
Write Microsoft Sentinel forwarding content to a directory.
beacon endpoint sentinel validate
Write and describe a Beacon Microsoft Sentinel validation event.
Runtime log paths
| Mode | Path |
|---|---|
| User mode | ~/.beacon/endpoint/logs/runtime.jsonl |
| System mode | /var/log/beacon-agent/runtime.jsonl |
beacon endpoint sentinel print-config
beacon endpoint sentinel print-config prints the KQL transform used by the Microsoft Sentinel Data Collection Rule. The output starts with the Azure Monitor Agent file pattern selected from the active Beacon runtime log path.
Examples
Print the DCR transform for the default per-user Beacon install:
beacon endpoint sentinel print-config
Flags
| Flag | Description |
|---|---|
| --user | Use per-user endpoint paths. Enabled by default |
| --system | Use system endpoint paths and launch daemon |
| --log-path <path> | Runtime JSONL log path |
beacon endpoint sentinel install-pack
beacon endpoint sentinel install-pack writes Microsoft Sentinel forwarding content to a directory.
The pack includes the BeaconRuntime_CL table schema, a DCR template, the DCR transform, starter hunting queries, example detection logic, and sample Beacon endpoint events.
Examples
Generate a content pack for the default per-user install:
beacon endpoint sentinel install-pack
Flags
| Flag | Description |
|---|---|
| --output <dir> | Output directory for the Microsoft Sentinel content pack. Defaults to beacon-sentinel-pack |
| --user | Use per-user endpoint paths. Enabled by default |
| --system | Use system endpoint paths and launch daemon |
| --log-path <path> | Runtime JSONL log path |
beacon endpoint sentinel validate
beacon endpoint sentinel validate writes a Beacon validation event to the runtime JSONL log and prints the expected Microsoft Sentinel table and validation query.
Examples
Write a validation event for the default per-user install:
beacon endpoint sentinel validate
Flags
| Flag | Description |
|---|---|
| --user | Use per-user endpoint paths. Enabled by default |
| --system | Use system endpoint paths and launch daemon |
| --log-path <path> | Runtime JSONL log path |
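The following Python script is an added example, not code from Beacon or from the pack that install-pack writes. It models the three pieces this page describes so they can be checked offline before anything touches Azure: the runtime log path selection behind --user, --system and --log-path, the print-config output (file pattern first, then the DCR transform), a minimal custom-text-log DCR in the standard Azure Monitor shape, and the validate step that appends one JSON line to runtime.jsonl and reports the query to run in the BeaconRuntime_CL table. The event field names (event_type, host, severity, details), the KQL body and the DCR column list are assumptions; the real pack's schema is the one the Endpoint event schema page defines. The workspace resource ID stays a placeholder because, as the page says, Beacon does not store Azure identifiers.

```python
"""Added example (not Beacon's own code): offline model of print-config,
install-pack's DCR template, and validate. Field names, KQL and the DCR
column list are assumptions, not the generated pack's contents."""
import json
import os
import socket
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Runtime log paths from the page's table.
USER_LOG = os.path.expanduser("~/.beacon/endpoint/logs/runtime.jsonl")
SYSTEM_LOG = "/var/log/beacon-agent/runtime.jsonl"
TABLE = "BeaconRuntime_CL"
INPUT_STREAM = f"Custom-Text-{TABLE}"   # raw text-log stream AMA produces
OUTPUT_STREAM = f"Custom-{TABLE}"       # the Log Analytics custom table

# Assumed transform: each JSONL line arrives in RawData; parse it into typed columns.
TRANSFORM_KQL = (
    "source | extend d = parse_json(RawData) "
    "| project TimeGenerated, EventType = tostring(d.event_type), "
    "Host = tostring(d.host), Severity = tostring(d.severity), Details = d.details"
)


def runtime_log_path(system: bool = False, log_path: Optional[str] = None) -> str:
    """Mirror the flag precedence: an explicit --log-path wins, else mode decides."""
    if log_path:
        return log_path
    return SYSTEM_LOG if system else USER_LOG


def print_config(path: str) -> str:
    """print-config shape from the page: the AMA file pattern, then the KQL."""
    return f"# file pattern: {path}\n{TRANSFORM_KQL}\n"


def build_dcr(path: str, workspace_resource_id: str = "<WORKSPACE_RESOURCE_ID>") -> Dict:
    """Minimal custom-text-log DCR; the input stream carries TimeGenerated,
    RawData and FilePath, the transform projects it into the table columns."""
    return {"properties": {
        "streamDeclarations": {INPUT_STREAM: {"columns": [
            {"name": "TimeGenerated", "type": "datetime"},
            {"name": "RawData", "type": "string"},
            {"name": "FilePath", "type": "string"},
        ]}},
        "dataSources": {"logFiles": [{
            "name": "beaconRuntime", "streams": [INPUT_STREAM],
            "filePatterns": [path], "format": "text",
            "settings": {"text": {"recordStartTimestampFormat": "ISO 8601"}},
        }]},
        "destinations": {"logAnalytics": [{
            "workspaceResourceId": workspace_resource_id, "name": "sentinelWorkspace"}]},
        "dataFlows": [{"streams": [INPUT_STREAM], "destinations": ["sentinelWorkspace"],
                       "transformKql": TRANSFORM_KQL, "outputStream": OUTPUT_STREAM}],
    }}


def write_validation_event(path: str) -> Dict:
    """validate step: append exactly one newline-terminated JSON object, which is
    the JSONL contract a line-oriented tailer such as AMA depends on."""
    event = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "event_type": "sentinel_validation",        # hypothetical value
        "host": socket.gethostname(),
        "severity": "info",
        "details": {"source": "beacon endpoint sentinel validate"},
    }
    os.makedirs(os.path.dirname(path) or ".", exist_ok=True)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(event, separators=(",", ":")) + "\n")
    return event


def validation_query(table: str = TABLE) -> str:
    """Query to confirm the event reached Sentinel (column names are assumptions)."""
    return f'{table} | where EventType == "sentinel_validation" | top 1 by TimeGenerated desc'


def read_events(path: str) -> List[Dict]:
    """Re-read the log the way a tailer sees it: every non-empty line is one object."""
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


if __name__ == "__main__":
    # Demo in a temp dir so the real per-user log is left alone.
    demo_path = os.path.join(tempfile.mkdtemp(), "runtime.jsonl")
    print(print_config(runtime_log_path(log_path=demo_path)))
    write_validation_event(demo_path)
    print(json.dumps(build_dcr(demo_path), indent=2))
    print(validation_query(), read_events(demo_path)[-1]["event_type"])
```

Running the script writes the event into a temporary directory rather than the live log; point runtime_log_path at the user or system path from the table above to exercise the real location. The `# file pattern:` line is a stand-in for however the generated pack labels the AMA file pattern; the substantive check is that the pattern handed to the DCR matches the path Beacon actually writes to, since a mismatch there is the usual reason a validation event never appears in the table.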
Related
Microsoft Sentinel forwarding
Configure Azure Monitor Agent and Data Collection Rules for Beacon events.
SIEM forwarding
Review forwarding patterns and validation steps.
Endpoint agent
Install and inspect the local endpoint agent.
Endpoint event schema
Review normalized Beacon JSONL fields and example events.