Schema Overview
Beacon endpoint events are JSONL records with a stable schema contract. The schema is designed for local inspection, Wazuh localfile ingestion, Elastic/Filebeat, Datadog Agent custom log collection, Sumo Logic HTTP Source forwarding, Rapid7 InsightIDR Custom Logs forwarding, Splunk HEC forwarding, Falcon LogScale HEC forwarding, and customer-managed forwarding pipelines.

Required fields

| Field | Meaning |
|---|---|
| timestamp | UTC event time |
| vendor | Always beacon |
| product | Always endpoint-agent |
| schema_version | Current public schema version, 1.0 |
| event.kind | Event family, currently agent_runtime |
| event.action | Normalized action such as command.executed or tool.invoked |
| event.category | Event category, provided by the runtime or inferred from event.action when possible |
| severity | info, low, medium, high, or critical |
| endpoint | Host and operating system context |
| harness | Runtime that produced the signal |
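
A forwarding pipeline can check each JSONL line against the required-field contract above before it reaches the SIEM, so that detections keyed on vendor, severity, or event.action do not silently miss malformed records. The following is an added example, not Beacon's own code. It assumes RFC 3339 timestamps, accepts event.* either as a nested event object or as flat dotted keys, and uses constructed sample records whose endpoint and harness contents are hypothetical.

```python
import json
from datetime import datetime, timedelta

REQUIRED = ("timestamp", "vendor", "product", "schema_version", "event.kind",
            "event.action", "event.category", "severity", "endpoint", "harness")
FIXED = {"vendor": "beacon", "product": "endpoint-agent", "schema_version": "1.0"}
SEVERITIES = ("info", "low", "medium", "high", "critical")

def lookup(record, dotted):
    """Resolve 'event.kind' as a nested path, falling back to a flat dotted key."""
    node = record
    for part in dotted.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node if node is not None else record.get(dotted)

def validate_line(line):
    """Return the contract violations for one JSONL line (empty list = valid)."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    if not isinstance(record, dict):
        return ["record is not a JSON object"]
    problems = [f"missing {f}" for f in REQUIRED if lookup(record, f) in (None, "", {})]
    for field, expected in FIXED.items():
        value = record.get(field)
        if value is not None and str(value) != expected:
            problems.append(f"{field} is {value!r}, expected {expected!r}")
    severity = record.get("severity")
    if severity is not None and severity not in SEVERITIES:
        problems.append(f"severity {severity!r} is not an allowed value")
    ts = record.get("timestamp")
    if isinstance(ts, str) and ts:
        try:  # Assumption: RFC 3339 text; the page only says "UTC event time".
            if datetime.fromisoformat(ts.replace("Z", "+00:00")).utcoffset() != timedelta(0):
                problems.append("timestamp is not explicitly UTC")
        except ValueError:
            problems.append("timestamp is not parseable")
    return problems

# Constructed sample records (not real Beacon output); nested shapes are assumed.
GOOD = json.dumps({"timestamp": "2025-01-15T10:30:00Z", "vendor": "beacon", "severity": "medium",
    "product": "endpoint-agent", "schema_version": "1.0", "endpoint": {"os": "linux"},
    "event": {"kind": "agent_runtime", "action": "command.executed", "category": "command"}, "harness": {"name": "demo"}})
BAD = json.dumps({"timestamp": "2025-01-15T10:30:00+02:00", "vendor": "beacon",
    "product": "endpoint-agent", "schema_version": "1.0", "severity": "urgent",
    "event": {"kind": "agent_runtime", "action": "tool.invoked"}, "endpoint": {}})

if __name__ == "__main__":
    print(validate_line(GOOD), validate_line(BAD))
```

Records that fail can be routed to a quarantine file rather than dropped, which preserves them for later review.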
Entity model
Beacon models each endpoint event as an action plus a set of typed entities. The event object and surrounding entities describe what happened and who or what participated in that action.
Every event has required context such as event, endpoint, and harness. Optional entities add user, origin, run, session, tool, command, MCP-like tool, approval, policy, content, file, destination, health, and OpenTelemetry gen_ai context when a runtime provides it.

