Skip to main content

Forwarding Command

Use beacon endpoint sentinel to generate Microsoft Sentinel forwarding content for Beacon endpoint events. The generated pack keeps Beacon as a local JSONL producer and helps Azure Monitor Agent tail runtime.jsonl into a Log Analytics custom table through a Data Collection Rule. Beacon does not store Azure tenant IDs, client secrets, workspace IDs, DCR identifiers, ingestion endpoints, or Azure Monitor Agent configuration. Keep those values in Azure, endpoint-management policy, or deployment tooling.
Command syntax

Commands

beacon endpoint sentinel print-config

Print the Sentinel DCR transform for Beacon endpoint events.

beacon endpoint sentinel install-pack

Write Microsoft Sentinel forwarding content to a directory.

beacon endpoint sentinel validate

Write and describe a Beacon Microsoft Sentinel validation event.

Runtime log paths

beacon endpoint sentinel print-config

beacon endpoint sentinel print-config prints the KQL transform used by the Microsoft Sentinel Data Collection Rule. The output starts with the Azure Monitor Agent file pattern selected from the active Beacon runtime log path.
Print the configuration
Use this command when you want to inspect or copy the transform into an existing DCR workflow.

Examples

Print the DCR transform for the default per-user Beacon install:
Print the DCR transform for the default per-user Beacon install
Print the DCR transform for a system-mode MDM deployment:
Print the DCR transform for a system-mode MDM deployment
Print the DCR transform for a custom runtime log:
Print the DCR transform for a custom runtime log

Flags

beacon endpoint sentinel install-pack

beacon endpoint sentinel install-pack writes Microsoft Sentinel forwarding content to a directory.
Generate the integration pack
The pack includes setup instructions, the BeaconRuntime_CL table schema, a DCR template, the DCR transform, starter hunting queries, example detection logic, and sample Beacon endpoint events.

Examples

Generate a content pack for the default per-user install:
Generate a content pack for the default per-user install
Generate a content pack for a system-mode deployment:
Generate a content pack for a system-mode deployment
Generate a content pack for a custom runtime log:
Generate a content pack for a custom runtime log

Flags

beacon endpoint sentinel validate

beacon endpoint sentinel validate writes a Beacon validation event to the runtime JSONL log and prints the expected Microsoft Sentinel table and validation query.
Run the validation check

Examples

Write a validation event for the default per-user install:
Write a validation event for the default per-user install
Write a validation event for a system-mode deployment:
Write a validation event for a system-mode deployment
Write a validation event to a custom runtime log:
Write a validation event to a custom runtime log
The validation command prints the expected Sentinel table and query:

Flags

Microsoft Sentinel forwarding

Configure Azure Monitor Agent and Data Collection Rules for Beacon events.

Log forwarding

Review forwarding patterns and validation steps.

Endpoint agent

Install and inspect the local endpoint agent.

Endpoint event schema

Review normalized Beacon JSONL fields and example events.