Prerequisites
- The Open Collector is installed. If you have not already installed it, follow the instructions in the Open Collector Installation and User Guide, and then return to this topic.
- A Client Secret ID and Client Secret Value have been generated to provide the configuration keys.
- Your firewall is configured to allow all traffic to and from login.microsoftonline.com.
- The following port is open:

| Direction | Port | Protocol | Source |
|---|---|---|---|
| Outbound | 443 | HTTPS | msgraphbeat |
In April 2026, Microsoft deprecated the reportingwebservice/reporting.svc/MessageTrace endpoint, which was used by LogRhythm System Monitor Agents to collect Office 365 Message Tracking logs using the API. Starting with Open Collector version 2026.05, released in April 2026, the Microsoft Graph API Beat can be used to collect these Microsoft Office 365 Message Tracking logs.
If you intend to use the Microsoft Graph API Beat to collect Exchange Message Trace logs, you must download this JSON policy file and place it in the following location on the System Monitor Agent performing the JSON parsing:
C:\Program Files\LogRhythm\LogRhythm System Monitor\policies
(If the file does not download automatically, and instead the .json file opens in your browser, right-click within the window and then click Save as… This will save the file to your machine as a .json file.)
Initialize the Beat via the Web Console (Recommended)
- Ensure that the Open Collector Connection to the SIEM (WebUI) setup has been completed.
- Ensure that the System Monitor Agent to which you intend to send these logs has been configured for JSON parsing. Use either the Enable JSON Parsing on System Monitor Agents or the Enable JSON Parsing for an Existing System Monitor Agent section at the above link to configure the System Monitor Agent for JSON parsing.
- Follow the steps outlined in Add a Beat in the Web Console to create the Beat via the Web UI.
Initialize the Beat via Command Line (Legacy)
- Enter the following command, use the Up and Down arrow keys to select New msgraphbeat instance, and then press Enter.

```bash
./lrctl msgraphbeat start
```

- Enter a unique identifier for the beat instance and press Enter.
- Enter one of the following Microsoft Graph API URLs, depending on the endpoint being configured, and then press Enter:
  - graph.microsoft.com/v1.0/auditLogs/directoryAudits
  - graph.microsoft.com/v1.0/auditLogs/signIns
  - graph.microsoft.com/v1.0/security/alerts
  - graph.microsoft.com/v1.0/security/alerts_v2
  - graph.microsoft.com/beta/admin/exchange/tracing/messageTraces

  GCC High customers should use .us instead of .com in their URLs. For example, graph.microsoft.us/v1.0/security/alerts.
- Enter the Microsoft Graph API Client ID, which was obtained as the Application ID in Configure Microsoft Graph API, and then press Enter.
- Enter the Microsoft Graph API Client Secret, which was obtained as the Secret Value when creating a Client Secret in Configure Microsoft Graph API, and then press Enter.
- Enter the Microsoft Graph API Tenant ID, and then press Enter.
- Enter the hostname or IP address of the System Monitor Agent that will be performing the JSON parsing, and then press Enter.
- Enter the port of the System Monitor Agent JSON listener (the default port is 5044), and then press Enter.

  The Beat config is saved and a message is displayed saying that the msgraphbeat service started.
- (Optional.) To check the status of the service, enter the following command:

```bash
./lrctl msgraphbeat status
```
Default Config Values for the Microsoft Graph API Beat

| S. No. | Field Name | Default Value |
|---|---|---|
| 1. | client_id | User-provided |
| 2. | client_secret | User-provided |
| 3. | msgraphURL | User-provided |
| 4. | tenant_id | User-provided |
| 5. | top (number of records to fetch) | User-provided |
| 6. | heartbeatdisabled | false |
| 7. | heartbeatinterval | 60 |
| 8. | limit | 1000 |
| 9. | numbackdaysData | 7 |
| 10. | period | 2s |
| 11. | top | 100 |
| 12. | delayTimeSec | 600 |
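The following Python script is an added example, not LogRhythm's or the beat's own code. It models the values the command-line prompts above ask for (Graph URL, Client ID, Client Secret, Tenant ID, agent host and port) together with the defaults from this table, and checks them offline before you commit them to a beat instance: it validates the Graph URL against the endpoints listed in the prompt, accepts the `.us` hosts for GCC High, derives the two HTTPS destinations the firewall must allow (the token authority and the Graph host), builds the OAuth2 client-credentials token request the beat must make, and composes the first collection request for the `numbackdaysData` backfill window. Names such as `BeatConfig`, `validate`, `required_egress` and `token_request`, the sample GUIDs, and the `createdDateTime` filter attribute are constructed for this example; the `login.microsoftonline.us` authority for GCC High is taken from Microsoft's national-cloud documentation rather than from this page, and treating `delayTimeSec` as a lag on the upper bound of the window is an assumption of this example.

```python
"""Offline sanity checks for a Microsoft Graph API Beat configuration.

Added example, not the beat's own code: models the lrctl prompt values and
the defaults table, and derives firewall destinations, the token request and
the first Graph request without contacting Microsoft.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Endpoint paths offered by the lrctl prompt (host omitted).
SUPPORTED_PATHS = {
    "v1.0/auditLogs/directoryAudits",
    "v1.0/auditLogs/signIns",
    "v1.0/security/alerts",
    "v1.0/security/alerts_v2",
    "beta/admin/exchange/tracing/messageTraces",
}

# Graph host -> token authority. The page lists login.microsoftonline.com; the
# GCC High (.us) authority is assumed from Microsoft's national-cloud docs.
CLOUDS = {
    "graph.microsoft.com": "login.microsoftonline.com",
    "graph.microsoft.us": "login.microsoftonline.us",
}


@dataclass
class BeatConfig:
    """Prompted values plus the defaults from the table (hypothetical model)."""
    msgraphURL: str
    client_id: str
    client_secret: str
    tenant_id: str
    agent_host: str
    agent_port: int = 5044
    top: int = 100
    limit: int = 1000
    numbackdaysData: int = 7
    period: str = "2s"
    delayTimeSec: int = 600
    heartbeatdisabled: bool = False
    heartbeatinterval: int = 60


def parse_graph_url(url: str):
    """Split 'graph.microsoft.com/v1.0/security/alerts' into (host, path)."""
    url = url.strip()
    if url.startswith("https://"):
        url = url[len("https://"):]
    host, _, path = url.partition("/")
    if host not in CLOUDS:
        raise ValueError(f"unsupported Graph host: {host!r}")
    if path not in SUPPORTED_PATHS:
        raise ValueError(f"unsupported Graph endpoint: {path!r}")
    return host, path


def validate(cfg: BeatConfig) -> list:
    """Return the problems found; an empty list means the config passes."""
    problems = []
    try:
        parse_graph_url(cfg.msgraphURL)
    except ValueError as exc:
        problems.append(str(exc))
    for name in ("client_id", "tenant_id"):
        if not GUID_RE.match(getattr(cfg, name)):
            problems.append(f"{name} is not a GUID")
    if not cfg.client_secret:
        problems.append("client_secret is empty")
    if not 1 <= cfg.agent_port <= 65535:
        problems.append("agent_port is out of range")
    if not 1 <= cfg.top <= cfg.limit:
        problems.append("top must be between 1 and limit")
    if cfg.numbackdaysData < 0 or cfg.delayTimeSec < 0:
        problems.append("numbackdaysData and delayTimeSec must not be negative")
    return problems


def required_egress(cfg: BeatConfig) -> set:
    """HTTPS destinations the collector needs: token authority and Graph host."""
    host, _ = parse_graph_url(cfg.msgraphURL)
    return {(CLOUDS[host], 443), (host, 443)}


def token_request(cfg: BeatConfig) -> dict:
    """OAuth2 client-credentials request the beat must send before calling Graph."""
    host, _ = parse_graph_url(cfg.msgraphURL)
    return {
        "url": f"https://{CLOUDS[host]}/{cfg.tenant_id}/oauth2/v2.0/token",
        "body": {
            "grant_type": "client_credentials",
            "client_id": cfg.client_id,
            "client_secret": cfg.client_secret,
            "scope": f"https://{host}/.default",
        },
    }


def collection_window(cfg: BeatConfig, now: datetime):
    """Backfill window: numbackdaysData days back, upper bound lagging by delayTimeSec (assumed)."""
    return now - timedelta(days=cfg.numbackdaysData), now - timedelta(seconds=cfg.delayTimeSec)


def first_request_url(cfg: BeatConfig, now: datetime, time_field: str = "createdDateTime") -> str:
    """First page of the backfill: $top from the config, $filter on an assumed time attribute."""
    host, path = parse_graph_url(cfg.msgraphURL)
    start, end = collection_window(cfg, now)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    expr = f"{time_field} ge {start.strftime(fmt)} and {time_field} le {end.strftime(fmt)}"
    return f"https://{host}/{path}?$top={cfg.top}&$filter={quote(expr)}"


# Constructed sample values (not real tenant or application identifiers).
SAMPLE_NOW = datetime(2026, 4, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_CONFIG = BeatConfig(
    msgraphURL="graph.microsoft.com/v1.0/auditLogs/signIns",
    client_id="11111111-2222-3333-4444-555555555555",
    client_secret="constructed-secret-value",
    tenant_id="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    agent_host="10.0.0.5",
)

if __name__ == "__main__":
    print(validate(SAMPLE_CONFIG) or "config OK")
    print(sorted(required_egress(SAMPLE_CONFIG)))
    print(first_request_url(SAMPLE_CONFIG, SAMPLE_NOW))
```

Run the script as-is to see the sample configuration pass, or swap in your own values to confirm the Graph URL is one the prompt accepts and that both `login.microsoftonline.*` and `graph.microsoft.*` are reachable over 443 before you start the beat; the client secret is held only in the request body and is never printed.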