Initialize the O365 Beat

Prerequisites

  • System Monitor version 7.22 or higher is installed.

  • JSON Parsing is enabled. For more information, refer to Configure Beats for JSON Parsing.

  • The following port is open:

    Direction   Port   Protocol   Source
    Outbound    443    HTTPS      O365 Beat

Initialize the Beat via the Web Console (Recommended)

  1. Ensure that the Open Collector Connection to the SIEM (WebUI) setup has been completed.

  2. Ensure that the System Monitor Agent to which you intend to send these logs has been Configured for JSON Parsing.

Use either the Enable JSON Parsing on System Monitor Agents or the Enable JSON Parsing for an Existing System Monitor Agent sections at the above link to configure the System Monitor Agent for JSON Parsing.

  3. Follow the steps outlined in Add a Beat in the Web Console to create the Beat via the Web UI.

Initialize the Beat via Command Line (Legacy)

  1. In the Open Collector, run the following command:

    ./lrctl o365beat start                                                                              
    
  2. Use the Up and Down Arrow keys to select New o365beat instance from the list, and then press Enter.

  3. Enter the unique identifier for this o365beat instance, and then press Enter.

  4. Enter the Office 365 Login Token URL (for example, login.microsoftonline.com), and then press Enter.

  5. Enter the Office 365 API URL (for example, manage.office.com), and then press Enter.

  6. Enter the Office 365 Client ID, and then press Enter.

  7. Enter the Office 365 Client Secret, and then press Enter.

  8. Enter the Office 365 Tenant ID, and then press Enter.

  9. Enter the Office 365 contentType, and then press Enter.
    The following content types are supported:

    1. Audit.AzureActiveDirectory

    2. Audit.Exchange

    3. Audit.SharePoint

    4. Audit.General

    5. DLP.All

Only one content type is supported per beat instance. To collect multiple content types, create multiple beat instances.

  10. Enter the delay time (in seconds), and then press Enter.
    This is the amount of time that should elapse between each collection.

  11. Enter the hostname or IP address of the System Monitor Agent that is on version 7.22 or higher and has been Configured for JSON Parsing, and then press Enter.

Use either the Enable JSON Parsing on System Monitor Agents or the Enable JSON Parsing for an Existing System Monitor Agent sections at the above link to configure the System Monitor Agent for JSON Parsing.

  12. Enter the port on which the System Monitor Agent is configured to listen for JSON data (the default is 5044), and then press Enter.
    The o365beat service started message appears.

  13. Check the status of the service to confirm that it is running:

    ./lrctl o365beat status
    
  14. (Optional) Edit the o365beat configuration to update the values set above if needed. Ensure that you have all the needed information for each step available, as you will need to re-enter it:

    ./lrctl o365beat config edit
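The wizard above does not validate what you type, and a mistyped content type, tenant ID or client secret only shows up later as an empty feed. The following pre-flight script is an added example, not part of Open Collector or o365beat. It checks the interactive answers offline (content type against the five supported values, delay, agent port), and builds the two Microsoft endpoints the beat relies on: the OAuth2 client-credentials token URL on the Login Token host and the Management Activity API "start subscription" URL on the API host. When the environment variables O365_CLIENT_ID, O365_CLIENT_SECRET and O365_TENANT_ID are set (names chosen for this example) it also performs the live check; the sample answers in the main block are constructed.

```python
"""Pre-flight check for the values the o365beat wizard asks for.

Added example, not Open Collector or o365beat code. Offline checks need no
network; live_check() does (token request plus subscription start).
"""
import json
import os
import urllib.parse
import urllib.request

# Content types the wizard accepts (one per beat instance).
SUPPORTED_CONTENT_TYPES = (
    "Audit.AzureActiveDirectory",
    "Audit.Exchange",
    "Audit.SharePoint",
    "Audit.General",
    "DLP.All",
)


def _host(value):
    """Accept 'manage.office.com' or 'https://manage.office.com/' alike."""
    return value.replace("https://", "").replace("http://", "").strip("/")


def validate_answers(content_type, delay, port):
    """Return a list of problems with the wizard answers; empty means OK."""
    problems = []
    if content_type not in SUPPORTED_CONTENT_TYPES:
        problems.append(f"unsupported contentType {content_type!r}")
    try:
        if int(delay) <= 0:
            problems.append("delay must be a positive number of seconds")
    except (TypeError, ValueError):
        problems.append(f"delay {delay!r} is not an integer")
    try:
        if not 1 <= int(port) <= 65535:
            problems.append(f"port {port} out of range 1-65535")
    except (TypeError, ValueError):
        problems.append(f"port {port!r} is not an integer")
    return problems


def token_url(login_host, tenant_id):
    """OAuth2 (v1) client-credentials token endpoint for the tenant."""
    return f"https://{_host(login_host)}/{tenant_id}/oauth2/token"


def subscription_url(api_host, tenant_id, content_type):
    """Management Activity API endpoint that starts one content-type subscription."""
    query = urllib.parse.urlencode({"contentType": content_type})
    return (f"https://{_host(api_host)}/api/v1.0/{tenant_id}"
            f"/activity/feed/subscriptions/start?{query}")


def token_request_body(client_id, client_secret, api_host="manage.office.com"):
    """Form body for the client-credentials grant; the resource is the API host."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": f"https://{_host(api_host)}",
    }).encode()


def live_check(login_host, api_host, tenant_id, client_id, client_secret, content_type):
    """Obtain a token, then POST to start the subscription; return the API's JSON reply."""
    req = urllib.request.Request(
        token_url(login_host, tenant_id),
        data=token_request_body(client_id, client_secret, api_host))
    with urllib.request.urlopen(req, timeout=30) as resp:
        token = json.load(resp)["access_token"]
    req = urllib.request.Request(
        subscription_url(api_host, tenant_id, content_type),
        data=b"",  # empty body still makes this a POST
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample answers, matching the wizard prompts above.
    answers = {"content_type": "Audit.Exchange", "delay": "300", "port": "5044"}
    problems = validate_answers(**answers)
    print("offline checks:", problems or "ok")
    creds = {k: os.environ.get(f"O365_{k.upper()}")
             for k in ("client_id", "client_secret", "tenant_id")}
    if all(creds.values()) and not problems:
        print(live_check("login.microsoftonline.com", "manage.office.com",
                         creds["tenant_id"], creds["client_id"],
                         creds["client_secret"], answers["content_type"]))
```

A successful live check proves the app registration, secret and tenant ID are usable and that the tenant can serve that content type; if the subscription was already started earlier, the API answers with an error rather than a second start, which is harmless here. Run it from the Open Collector host so the outbound 443 path listed under Prerequisites is exercised as well.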