Initialize the O365 Beat
Prerequisites
System Monitor version 7.22 or higher is installed.
JSON Parsing is enabled. For more information, refer to Configure Beats for JSON Parsing.
The following port is open:
Direction | Port | Protocol | Source |
---|---|---|---|
Outbound | 443 | HTTPS | O365 Beat |
Initialize the Beat
To confirm the Open Collector is running, run the following command:
./lrctl status
You should see the metrics as shown in the following graphic:
In the Open Collector, run the following command:
./lrctl o365beat start
Enter the Office 365 Login Token URL (for example, login.microsoftonline.com).
Enter the Office 365 API URL (for example, manage.office.com).
Enter the Office 365 Client ID obtained during the steps outlined in Configure the O365 Beat.
Enter the Office 365 Client Secret obtained during the steps outlined in Configure the O365 Beat.
Enter the Office 365 Tenant ID.
Enter the Office 365 contentType.
The following content types are supported:
Audit.AzureActiveDirectory
Audit.Exchange
Audit.SharePoint
Audit.General
DLP.All
Only one content type is supported per beat instance. To collect multiple content types, create multiple beat instances.
Enter the delay time in seconds.
This is the amount of time that should elapse between each collection.
Enter the hostname or IP address of the machine where Sysmon JSON Parser version 7.22 or greater is installed.
Enter the port for data transmission.
The default is pre-populated as 5044.
Press Enter.
The beat starts successfully.
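A pre-flight check for the answers the prompts above ask for, added here as an example; it is not LogRhythm's code and does not call lrctl. It assumes the tenant and client IDs are GUIDs and that `nc` is installed for the optional reachability test, and the sample values are constructed.

```shell
#!/bin/sh
# Pre-flight validation of the answers the o365beat prompts ask for.
# The client secret is left out on purpose so it never lands in shell history.
SUPPORTED="Audit.AzureActiveDirectory Audit.Exchange Audit.SharePoint Audit.General DLP.All"

is_guid() {  # assumption: tenant and client IDs are GUIDs
  printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

is_content_type() {  # exactly one supported, case-sensitive value
  for t in $SUPPORTED; do
    [ "$t" = "$1" ] && return 0
  done
  return 1
}

is_uint_in_range() {  # value min max
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -le 9 ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

can_reach() {  # host port; assumes nc (netcat) is installed
  nc -z -w 5 "$1" "$2" >/dev/null 2>&1
}

preflight() {  # tenant_id client_id content_type delay_seconds port
  rc=0
  is_guid "$1" || { echo "tenant ID is not a GUID" >&2; rc=1; }
  is_guid "$2" || { echo "client ID is not a GUID" >&2; rc=1; }
  is_content_type "$3" || { echo "unsupported contentType: $3" >&2; rc=1; }
  is_uint_in_range "$4" 1 999999999 || { echo "delay must be whole seconds" >&2; rc=1; }
  is_uint_in_range "$5" 1 65535 || { echo "port out of range: $5" >&2; rc=1; }
  return "$rc"
}

# Constructed sample answers, not real identifiers.
TENANT="11111111-2222-3333-4444-555555555555"
CLIENT="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
if preflight "$TENANT" "$CLIENT" "Audit.Exchange" 60 5044; then
  echo "answers are well-formed"
fi

# Outbound 443 check from the prerequisites; runs only when CHECK_NET=1.
if [ "${CHECK_NET:-0}" = 1 ]; then
  for h in login.microsoftonline.com manage.office.com; do
    can_reach "$h" 443 || echo "cannot reach $h:443" >&2
  done
fi
```

Run it once per planned beat instance, since each instance takes a single content type; a comma-separated list of types is rejected.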