Hello community, because of issues with the Microsoft O365 Connector not processing messages anymore, we are required to develop monitoring that informs us about this situation in the future.
The current solution is to open a remote PowerShell session to O365 on a Windows host and run a command. While this is technically possible and could be used in an agent plugin, it has some organizational and technical disadvantages, and we would prefer to connect directly to O365 via a Datasource Agent to get the status of the connectors.
Is there anyone out there who may have had the same issue and perhaps already has a solution, or who could share some knowledge on how to connect to O365 from Checkmk?
There is an API for O365 available, but we didn't find the information on how to gather the status of the connectors.
Checkmk does not have anything like that OOB. You can, however, write active checks in whatever language you want, as long as you have it installed on your Checkmk server. So you can write a PowerShell check for this.
If I read the documentation correctly, the easiest way is to use the login portion and also the request part from the normal Azure agent. Then you can switch the URLs from Azure to MS security center.
With this you get a special agent directly usable from your monitoring server.
The “Hello world” example is a good and easy start: Hello World for Microsoft Defender for Endpoint API | Microsoft Learn
What I meant, and perhaps I didn’t explain that, is that you can run PowerShell code on your Linux Checkmk server. Microsoft is working hard to port all their PowerShell libs to run on PowerShell Core (not sure if O365 is there).
I don't know what you want to achieve with such a post.
The goal is not to have any ‘extra box’, regardless of whether it is Windows or Linux. Our intention is to write a DataSource Agent (AKA Special Agent), and as check_mk is available only on Linux, it has to be Linux.
The reason is to avoid indirect monitoring. We want to avoid going through a Windows host which is not related to the intended monitoring and could be decommissioned, which would remove this monitoring silently.
I hope you feel better with that information. Any helpful posts are always welcome.