Cybersecurity Forum


HugoPinto
Contributor

Office365 - Message Trace

Hi,

We share a solution for everyone who wants to push Message Trace (email headers) to FortiSIEM.

1. Create an Azure account with a very strong password, because we will not use OAuth2 (no license needs to be applied)
2. Open Exchange Online and go to Permissions -> Administrator Base Functions
3. Create a role named "FortiSIEM Message Trace"
4. add functions:
        . Message Tracking
        . View-Only Audit Logs
        . View-Only Configuration
        . View-Only Recipients
5. add user@contoso.onmicrosoft.com to the function
6. test from the collector using this command

curl -v --user <User@domain.com>:<Password> -H 'Accept: application/json' "https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?\$filter=StartDate%20eq%20datetime'2020-08-05T01:23:00Z'%20and%20EndDate%20eq%20datetime'2020-08-21T01:23:01Z'"

7. Copy the attached script Office365_Push_MailHeaders.py to /opt/scripts
8. Edit the script and change phCustId from 1 (Super/Local) to the organization you want to map the events to (for multi-tenant):

        # Tag every trace with the target organization and format it for the parser
        for message in messages:
            message["phCustId"] = 2001
            message = "[OFFICE365_TRACE_MESSAGE] = " + json.dumps(message)

9. run the commands:
    chown admin:admin Office365_Push_MailHeaders.py
    chmod +x Office365_Push_MailHeaders.py
    su - admin

10. add a crontab entry to run every 10 minutes (the default from the script):

          */10 * * * * /opt/scripts/Office365_Push_MailHeaders.py

    Note: if you want to change the polling time, change this line in the script:

              timedelta = datetime.timedelta(minutes=10)

11. add the attachment parser and apply
12. Wait 10 minutes or run the script, then open Analytics and search for OFFICE365_TRACE_MESSAGE

Then create the cases that you want to trigger.

If there is any issue pulling data, comment out these lines:

# Follow the next page of results when the service returns one
if 'odata.nextLink' in response_json:
    next_trace_url = get_url(response_json['odata.nextLink'])
    get_messages(next_trace_url, username, password, messages)


Regards

------------------------------
Hugo Pinto
Claranet CyberSecurity
------------------------------
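As an added illustration of steps 6, 8 and the nextLink paging above (not the attached script and not Fortinet's code), the following Python builds the same MessageTrace $filter URL, follows odata.nextLink iteratively with a loop guard and page cap instead of recursing, and emits the [OFFICE365_TRACE_MESSAGE] lines tagged with phCustId. The HTTP call is replaced by a constructed two-page sample so it runs offline; the phCustId value 2001 is taken from the post.

```python
import datetime
import json
from urllib.parse import quote

# Constructed sample pages standing in for the reporting service's JSON
# responses (not real Office 365 data): two pages chained by odata.nextLink.
SAMPLE_PAGES = {
    "page1": {"value": [{"MessageId": "<m1@contoso.com>", "SenderAddress": "a@contoso.com"}],
              "odata.nextLink": "page2"},
    "page2": {"value": [{"MessageId": "<m2@contoso.com>", "SenderAddress": "b@contoso.com"}]},
}
BASE = "https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace"

def build_trace_url(start, end):
    """Build the MessageTrace $filter URL from step 6 for one time window."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    flt = "StartDate eq datetime'%s' and EndDate eq datetime'%s'" % (
        start.strftime(fmt), end.strftime(fmt))
    return BASE + "?$filter=" + quote(flt, safe="':")

def fetch_pages(fetch, first_url, max_pages=50):
    """Follow odata.nextLink iteratively rather than recursively, refusing a
    repeated link and capping the page count so a bad nextLink cannot loop."""
    messages, seen, url = [], set(), first_url
    while url:
        if url in seen:
            raise RuntimeError("odata.nextLink loop at %s" % url)
        if len(seen) >= max_pages:
            raise RuntimeError("more than %d pages, giving up" % max_pages)
        seen.add(url)
        # Real use: fetch = lambda u: requests.get(u, auth=(user, pw),
        #     headers={"Accept": "application/json"}).json()
        body = fetch(url)
        messages.extend(body.get("value", []))
        url = body.get("odata.nextLink")
    return messages

def to_siem_lines(messages, ph_cust_id=2001):
    """Tag each trace with the tenant id (step 8) and emit the parser's line format."""
    return ["[OFFICE365_TRACE_MESSAGE] = " + json.dumps(dict(m, phCustId=ph_cust_id), sort_keys=True)
            for m in messages]

def run_sample():
    """Ten-minute window ending at the post's example timestamp, read from the sample pages."""
    end = datetime.datetime(2020, 8, 21, 1, 23, 1)
    start = end - datetime.timedelta(minutes=10)
    return build_trace_url(start, end), to_siem_lines(fetch_pages(SAMPLE_PAGES.__getitem__, "page1"))
```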