Hi,
We are sharing a solution for everyone who wants to push Message Trace (email headers) to FortiSIEM.
1. Create an Azure account with a very strong password, because this integration will not use OAuth2 (no license needs to be assigned)
2. Open Exchange Online and go to Permissions -> Admin Roles
3. Create a role named "FortiSIEM Message Trace"
4. add the roles:
. Message Tracking
. View-Only Audit Logs
. View-Only Configuration
. View-Only Recipients
5. add user@contoso.onmicrosoft.com to the role
6. test from the collector using this command:
curl -v --user <User@domain.com>:<Password> -H 'Accept: application/json' "https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?\$filter=StartDate%20eq%20datetime'2020-08-05T01:23:00Z'%20and%20EndDate%20eq%20datetime'2020-08-21T01:23:01Z'"
7. Copy the attached script Office365_Push_MailHeaders.py to /opt/scripts
8. Edit the script and change phCustId from 1 (Super/Local) to the organization you want to map the events to (for multi-tenant):
    for message in messages:
        message["phCustId"] = 2001
        message=("[OFFICE365_TRACE_MESSAGE] = " + json.dumps(message))
9. run the commands:
chown admin:admin Office365_Push_MailHeaders.py
chmod +x Office365_Push_MailHeaders.py
su - admin
10. add a crontab entry to run every 10 minutes (the script's default):
*/10 * * * * /opt/scripts/Office365_Push_MailHeaders.py
Note: if you want to change the polling interval, change this line in the script:
timedelta = datetime.timedelta(minutes=10)
11. add the attached parser and apply it
12. Wait 10 minutes or run the script, then open Analytics and search for OFFICE365_TRACE_MESSAGE
Then create the cases that you want to trigger.
If you have any issue pulling data, comment out these lines (they follow the odata.nextLink paging):
    if 'odata.nextLink' in response_json:
        next_trace_url = get_url(response_json['odata.nextLink'])
        get_messages(next_trace_url, username, password, messages)
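As an added example (not the attached script itself), here is the time-window, basic-auth paging and phCustId tagging logic in Python, run offline against a constructed two-page response. The names trace_url, basic_auth_fetch, get_messages, to_events, demo and SAMPLE_PAGES are mine; the loop is iterative and bounded where the script recurses, and odata.nextLink is assumed to be an absolute URL because the script's get_url() helper is not shown in the post.

```python
import base64
import datetime
import json
import urllib.request
from urllib.parse import quote

BASE = "https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace"

def trace_url(end, window=datetime.timedelta(minutes=10)):
    """Build the MessageTrace URL for [end - window, end], same $filter shape as the curl test."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    flt = "StartDate eq datetime'%s' and EndDate eq datetime'%s'" % (
        (end - window).strftime(fmt), end.strftime(fmt))
    return BASE + "?$filter=" + quote(flt, safe="':")

def basic_auth_fetch(url, username, password):
    """Fetch one page with HTTP Basic auth (what the curl --user test does) and decode the JSON body."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req = urllib.request.Request(url, headers={"Accept": "application/json",
                                               "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)

def get_messages(url, fetch, messages, max_pages=50):
    """Follow odata.nextLink; max_pages keeps a stale nextLink from spinning the collector forever."""
    for _ in range(max_pages):
        body = fetch(url)
        messages.extend(body.get("value", []))
        url = body.get("odata.nextLink")  # assumed absolute (script's get_url() not shown)
        if not url:
            return messages
    raise RuntimeError("MessageTrace paging did not finish within %d pages" % max_pages)

def to_events(messages, cust_id=2001):
    """Tag each trace with the FortiSIEM org id and render the line the parser keys on."""
    events = []
    for m in messages:
        tagged = dict(m, phCustId=cust_id)
        events.append("[OFFICE365_TRACE_MESSAGE] = " + json.dumps(tagged, sort_keys=True))
    return events

# Constructed two-page response standing in for the live service (offline demo).
SAMPLE_PAGES = {
    "p1": {"value": [{"MessageId": "<a1@contoso.com>", "Status": "Delivered"}], "odata.nextLink": "p2"},
    "p2": {"value": [{"MessageId": "<b2@contoso.com>", "Status": "Failed"}]},
}

def demo():
    return to_events(get_messages("p1", SAMPLE_PAGES.__getitem__, []))
```

For a live run, pass `lambda u: basic_auth_fetch(u, username, password)` as the fetch argument and `trace_url(datetime.datetime.utcnow())` as the first URL.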
Regards
------------------------------
Hugo Pinto
Claranet CyberSecurity
------------------------------