Initialize the O365 Beat

Prerequisites

• System Monitor version 7.22 or higher is installed.

• JSON Parsing is enabled. For more information, refer to Configure Beats for JSON Parsing.

• The following port is open:

Initialize the Beat via the Web Console (Recommended)

1. Ensure that the Open Collector Connection to the SIEM (WebUI) setup has been completed.

2. Ensure that the System Monitor Agent to which you intend to send these logs has been Configured for JSON Parsing.

3. Follow the steps outlined in Add a Beat in the Web Console to create the Beat via the Web UI.

Initialize the Beat via Command Line (Legacy)

1. To confirm the Open Collector is running, run the following command:

   ./lrctl status
   

   You should see the Open Collector and metrics versions.

2. In the Open Collector, run the following command:

   ./lrctl 0365beat start                                                                              
   

3. Enter the Office 365 Login Token URL (for example, login.microsoftonline.com).

4. Enter the Office 365 API URL(for example, manage.office.com).

5. Enter the Office 365 Client ID obtained during the steps outlined in Configure the O365 Beat.

6. Enter the Office 365 Client Secret obtained during the steps outlined in Configure the O365 Beat.

7. Enter the Office 365 Tenant ID.

8. Enter the Office 365 contentType.
   The following content types are supported:

   1. Audit.AzureActiveDirectory

   2. Audit.Exchange

   3. Audit.SharePoint

   4. Audit.General

   5. DLP.All

9. Enter the delay time in seconds.
   This is the amount of time that should elapse between each collection.

10. Enter the hostname or IP address of the machine where version Sysmon JSON Parser version 7.22 or greater is installed.

11. Enter the port for data transmission.
    The default is pre-populated as 5044.

12. Press Enter.
    The beat starts successfully.