Overview
Beacon is an Azure Functions app that polls Microsoft 365 APIs for security events, evaluates them against configurable rules, and writes alerts to Azure Log Analytics. Designed for MSPs managing multiple Microsoft 365 tenants.
This is a self-hosted solution that lives in your own tenant. Every tenant you wish to monitor must consent to the app registration that is created.
Tech Stack
- Azure Functions and Entra ID app with federated authentication
- Azure Log Analytics with Data Collection Rules
- Azure Table Storage for state management
- Microsoft Graph API
- Office 365 Management Activity API
Data Flow
- Timer Trigger - Azure Function runs every 5 minutes
- Multi-Tenant Polling - Fetches events from Microsoft APIs for all tenants added to the clients table
- Rule Evaluation - Each event is evaluated against rules in /rules/
- Alert Deduplication - 10-minute window prevents duplicate alerts for same user/rule/tenant
- Alert Ingestion - Matched events written to Azure Log Analytics custom table
Data Sources
| Source | API | Description |
|---|---|---|
| Sign-in Logs | Microsoft Graph | Authentication events, risk detections, conditional access results |
| Security Alerts | Microsoft Graph | Defender for Endpoint/Identity/O365, Entra ID Protection |
| Directory Audits | Microsoft Graph | Entra ID operations: role assignments, CA policy changes, app registrations |
| Audit Logs | O365 Management API | Admin activity, mailbox access, SharePoint/OneDrive events |
Rule Engine
Rules are JSON files stored in /rules/. Each rule specifies:
- Source - Which API to evaluate (`SignIn`, `SecurityAlert`, `AuditLog`)
- Conditions - Field/operator/value matching with `all` or `any` logic
- Exceptions - Conditions that suppress the rule
- Severity - `Critical`, `High`, `Medium`, `Low`
- MITRE ATT&CK - Optional tactic/technique mapping
See all rules here.
Alert Deduplication
Beacon uses Azure Table Storage to track alert state across invocations:
| Window | Purpose |
|---|---|
| 10 minutes | Suppress duplicate Log Analytics entries for same tenant + rule + user |
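The following is an added illustration of the rule engine and the deduplication window described above; it is not Beacon's own code. The rule schema (`conditions`/`items`/`logic`, the `equals`/`contains`/`in` operators, the event field names) and the use of epoch seconds for the dedup timestamp are assumptions made for the example.

```python
# Constructed rule in the shape the README describes. Field names, operators
# and the event schema are assumed for this example, not Beacon's real schema.
RULE = {
    "name": "Risky sign-in that succeeded",
    "source": "SignIn",
    "severity": "High",
    "mitre": {"tactic": "Initial Access", "technique": "T1078"},
    "conditions": {"logic": "all", "items": [
        {"field": "riskLevel", "operator": "in", "value": ["medium", "high"]},
        {"field": "status", "operator": "equals", "value": "success"},
    ]},
    # Exceptions suppress an otherwise matching event (e.g. a known account).
    "exceptions": {"logic": "any", "items": [
        {"field": "user", "operator": "equals", "value": "breakglass@example.com"},
    ]},
}

OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: actual is not None and expected in str(actual),
    "in": lambda actual, expected: actual in expected,
}

def _group_matches(group: dict, event: dict) -> bool:
    """Evaluate a condition group with 'all' (AND) or 'any' (OR) logic."""
    results = (OPERATORS[c["operator"]](event.get(c["field"]), c["value"])
               for c in group["items"])
    return all(results) if group["logic"] == "all" else any(results)

def evaluate(rule: dict, event: dict) -> bool:
    """True when the event is from the rule's source, matches its conditions and is not excepted."""
    if event.get("source") != rule["source"]:
        return False
    if not _group_matches(rule["conditions"], event):
        return False
    exceptions = rule.get("exceptions")
    return not (exceptions and _group_matches(exceptions, event))

DEDUP_WINDOW_SECONDS = 600  # the 10-minute window from the table above

def should_alert(state: dict, tenant: str, rule: str, user: str, now: float) -> bool:
    """Mimic the Table Storage dedup: one alert per tenant + rule + user per window."""
    key = (tenant, rule, user)
    last = state.get(key)
    if last is not None and now - last < DEDUP_WINDOW_SECONDS:
        return False  # still inside the window: suppress the duplicate
    state[key] = now
    return True
```

In the real function the `state` dict would be the Azure Table Storage entity keyed by tenant, rule and user, so the window survives across timer invocations.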
Multi-Tenant Support
Beacon uses a single multi-tenant Entra ID app registration in your home tenant. Client tenants grant admin consent to this app, allowing Beacon to poll their Microsoft APIs.
- Sequential Processing - Tenants processed one at a time to respect API rate limits
- Fault Isolation - Failures in one tenant don't affect others