Initialize the Microsoft Graph API Beat
Prerequisites
The Open Collector is installed. If you have not already installed it, follow the instructions in the Open Collector Installation and User Guide, and then return to this topic.
A Client Secret ID and Client Secret Value are generated to provide the configuration keys.
Configure your firewall to allow all traffic from: login.microsoftonline.com
The following port is open:
| Direction | Port | Protocol | Source |
|---|---|---|---|
| Outbound | 443 | HTTPS | msgraphbeat |
In April 2026, Microsoft deprecated the reportingwebservice/reporting.svc/MessageTrace endpoint, which was used by LogRhythm System Monitor Agents to collect Office 365 Message Tracking logs using the API. Starting with Open Collector version 2026.05, released in April 2026, the Microsoft Graph API Beat can be used to collect these Microsoft Office 365 Message Tracking logs.
If you intend to use the Microsoft Graph API Beat to collect Exchange Message Trace logs, you must download this JSON policy file and place it in the following location on the System Monitor Agent performing the JSON parsing:
C:\Program Files\LogRhythm\LogRhythm System Monitor\policies
(If the file does not download automatically, and instead the .json file opens in your browser, right-click within the window and then click Save as… This will save the file to your machine as a .json file.)
Initialize the Beat
Enter this command, use the Up and Down arrow keys to select New msgraphbeat instance, then press Enter.
```bash
./lrctl msgraphbeat start
```
Enter a unique identifier for the beat instance and press Enter.
Enter one of the following Microsoft Graph API URLs, depending on the endpoint being configured, and then press Enter:
graph.microsoft.com/v1.0/auditLogs/directoryAudits
graph.microsoft.com/v1.0/auditLogs/signIns
graph.microsoft.com/v1.0/security/alerts
graph.microsoft.com/v1.0/security/alerts_v2
graph.microsoft.com/beta/admin/exchange/tracing/messageTraces

GCC High customers should use .us instead of .com in their URLs.
For example, graph.microsoft.us/v1.0/security/alerts.
Enter the Microsoft Graph API Client ID, which was obtained as the Application ID in Configure Microsoft Graph API, and then press Enter.

Enter the Microsoft Graph API Client Secret, which was obtained as the Secret Value when creating a Client Secret in Configure Microsoft Graph API, and then press Enter.

Enter the Microsoft Graph API Tenant ID, and then press Enter.

Enter the hostname or IP address of the System Monitor Agent that will be performing the JSON parsing, and then press Enter.
Enter the port of the System Monitor Agent JSON listener (default port is 5044), and then press Enter.

At this point, the Beat config should be saved, and a message saying msgraphbeat service started is displayed.
(Optional.) To check the status of the service, enter the following command:
```bash
./lrctl msgraphbeat status
```
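The values requested by the prompts above can be checked before they are entered, so that a mistyped endpoint host or ID is caught first. The following is an added example, not LogRhythm's code: the function names are hypothetical, the endpoint list is the one on this page, and the client secret is intentionally left out so it stays out of shell history.

```bash
# Added example: pre-flight checks for the values the msgraphbeat prompts ask for.
# Function names are hypothetical; the endpoint list is copied from this page.
# The client secret is deliberately not an argument, so it never reaches
# shell history or the process list.

# Accept only graph.microsoft.com (.us for GCC High) plus a listed endpoint path.
valid_graph_url() {
  case "$1" in
    graph.microsoft.com/*|graph.microsoft.us/*) ;;
    *) return 1 ;;
  esac
  case "${1#*/}" in
    v1.0/auditLogs/directoryAudits|v1.0/auditLogs/signIns|\
    v1.0/security/alerts|v1.0/security/alerts_v2|\
    beta/admin/exchange/tracing/messageTraces) return 0 ;;
  esac
  return 1
}

# Client ID (Application ID) and Tenant ID are GUIDs: 8-4-4-4-12 hex digits.
is_guid() {
  [ "${#1}" -eq 36 ] && printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
}

# JSON listener port: digits only, 1..65535 (the page's default is 5044).
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Firewall prerequisite: outbound HTTPS (443) to login.microsoftonline.com.
check_egress() {
  curl -sS -o /dev/null --connect-timeout 5 "https://login.microsoftonline.com/"
}

# Report every problem on stderr; return non-zero if any check failed.
preflight() {  # args: url client_id tenant_id agent_port
  rc=0
  valid_graph_url "$1" || { echo "not a listed Graph endpoint: $1" >&2; rc=1; }
  is_guid "$2" || { echo "Client ID is not a GUID" >&2; rc=1; }
  is_guid "$3" || { echo "Tenant ID is not a GUID" >&2; rc=1; }
  valid_port "$4" || { echo "agent port out of range: $4" >&2; rc=1; }
  return "$rc"
}
```

Call `preflight` with the endpoint URL, Client ID, Tenant ID and agent port, and run `check_egress` from the Open Collector host to confirm the outbound rule is in place.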
Default Config Values for the Microsoft Graph API Beat
| S. No. | Field Name | Default Value |
|---|---|---|
| 1. | client_id | User-provided |
| 2. | client_secret | User-provided |
| 3. | msgraphURL | User-provided |
| 4. | tenant_id | User-provided |
| 5. | top (number of records to fetch) | User-provided |
| 6. | heartbeatdisabled | false |
| 7. | heartbeatinterval | 60 |
| 8. | limit | 1000 |
| 9. | numbackdaysData | 7 |
| 10. | period | 2s |
| 11. | top | 100 |
| 12. | delayTimeSec | 600 |