Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.


Office365 - Message Trace


We share a solution to every one you whant to push Message Trace (email headers) to FortiSIEM.

1. Create an Azure Account with a very strong password because will not use OUTH2 (no license need to be applied)
2. Open Exchange Online and go to Permissiona -> Administrator Base Funcions
3. Create a role named "FortiSIEM Message Trace"
4. add funcions:
        . Message Tracking
        . View-Only Audit Logs
        . View-Only Configuration
        . View-Only Recipents
5. add to the funcion
6. test from the collector using this command

curl -v --user <>:<Password> -H 'Accept: application/json' "\$filter=StartDate%20eq%20datetime'2020-08-05T01:23:00Z'%20and%20EndDate%20eq%20datetime'2020-08-21T01:23:01Z'"

7. Apply the Attachment Script to /opt/scripts
8. Edit the script and change phcustid from 1 (Super/Local) to the organization that you want to Map the Events (for MultiTenant)

        for message in messages:
        message["phCustId"] = 2001
        message=("[OFFICE365_TRACE_MESSAGE] = " + json.dumps(message))

9. run the command:
    chown admin:admin
    chmod +x
    su - admin

10. add a crontab to run from 10/10 minutes (the default from script):

          */10 * * * * /opt/scripts/ 

    Note: if you want to change the pulling time change the script:

              timedelta = datetime.timedelta(minutes=10)

11. add the attachment parser and apply
12. Wait 10 minutes or run the script, then open Analytics and search for OFFICE365_TRACE_MESSAGE

Then create the cases that you want to trigger.

If any issue pulling data comment this lines:

if 'odata.nextLink' in response_json:
next_trace_url = get_url(response_json['odata.nextLink'])
get_messages(next_trace_url, username, password, messages)


Hugo Pinto
Claranet CyberSecurity