Initialize the O365 Beat

Prerequisites

• System Monitor version 7.22 or higher is installed.

• JSON Parsing is enabled. For more information, refer to Configure Beats for JSON Parsing.

• The following port is open:

Initialize the Beat

1. To confirm the Open Collector is running, run the following command:

   CODE

   ./lrctl status

   You should see the metrics as shown in the following graphic:

   

2. In the Open Collector, run the following command:

   CODE

   ./lrctl 0365beat start                                                                              

3. Enter the Office 365 Login Token URL (for example, login.microsoftonline.com).

   

4. Enter the Office 365 API URL(for example, manage.office.com).

   

5. Enter the Office 365 Client ID obtained during the steps outlined in Configure the O365 Beat.

   

6. Enter the Office 365 Client Secret obtained during the steps outlined in Configure the O365 Beat.

   

7. Enter the Office 365 Tenant ID.

   

8. Enter the Office 365 contentType.
   The following content types are supported:

   1. Audit.AzureActiveDirectory

   2. Audit.Exchange

   3. Audit.SharePoint

   4. Audit.General

   5. DLP.All

      

Only one content type is supported per beat instance. To collect multiple content types, create multiple beat instances.

9. Enter the delay time in seconds.
   This is the amount of time that should elapse between each collection.

   

10. Enter the hostname or IP address of the machine where version Sysmon JSON Parser version 7.22 or greater is installed.

    

11. Enter the port for data transmission.
    The default is pre-populated as 5044.

12. Press Enter.
    The beat starts successfully.