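#!/usr/bin/python3
# Script de recuperation des traces exchange online vers FortiSIEM
# (Pulls Exchange Online MessageTrace records for the last 10 minutes and
# forwards each one to a FortiSIEM collector as a UDP syslog-style datagram.)
# Developed By Claranet CyberSecurity
#
# Equivalent manual query, kept for reference. The backslash before "$" is
# shell quoting for the curl command line only; in Python the query key must
# be a plain "$filter" (see microsoft_trace_url below).
#curl -v --user user@email.com:password -H 'Accept: application/json' "https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?\$filter=StartDate%20eq%20datetime'2020-08-05T01:23:00Z'%20and%20EndDate%20eq%20datetime'2020-08-21T01:23:01Z'"

import datetime
import json
import os
import socket
import sys

import requests

# Credentials and collector settings are read from the environment so the
# secret no longer has to live in this file (the variable names below are
# introduced by this script, not part of any Microsoft or Fortinet API).
# The literals are the original placeholders and are only used when the
# corresponding variable is unset.
microsoft_username = os.environ.get("O365_REPORTING_USERNAME", "user@contoso.onmicrosoft.com")
microsoft_password = os.environ.get("O365_REPORTING_PASSWORD", "Password")

FSM_Collector_ip = os.environ.get("FSM_COLLECTOR_IP", '')
FSM_Collector_port = int(os.environ.get("FSM_COLLECTOR_PORT", "514"))

# requests.get() has no timeout by default and would block a cron run forever
# if the reporting service stops answering.
REQUEST_TIMEOUT = 60  # seconds

# Size of the trace window fetched on each run.
timedelta = datetime.timedelta(minutes=10)
# Naive UTC timestamps on purpose: isoformat() then yields
# 'YYYY-MM-DDTHH:MM:SS.ffffff' with no offset, and the 'Z' suffix is added in
# the filter below (same wire format as the original utcnow() version).
now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
start = now - timedelta

# NOTE: the original string used "\$filter"; "\$" is not a Python escape, so
# the backslash was sent literally and the query key was not "$filter".
microsoft_trace_url = (
    "https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace"
    "?$filter=StartDate eq datetime'%sZ' and EndDate eq datetime'%sZ'"
    % (start.isoformat(), now.isoformat())
)


def get_url(path):
    """Turn a relative ``odata.nextLink`` value into an absolute reporting URL.

    Any ``../../`` segments in *path* are stripped and the remainder is
    appended to the ECP base URL.

    Args:
        path: Continuation link as returned by the reporting service.

    Returns:
        Absolute URL under ``https://reports.office365.com/ecp``.
    """
    url_base = 'https://reports.office365.com/ecp'
    return url_base + '/' + path.replace('../../', '')


def get_messages(url, username, password, messages=None):
    """Fetch every MessageTrace record reachable from *url*, following pagination.

    Pagination is followed iteratively (the original recursed once per page,
    which bounds the number of pages by the interpreter's recursion limit).

    Args:
        url: Initial MessageTrace query URL, including the ``$filter`` window.
        username: Basic-auth user for the reporting service.
        password: Basic-auth password; it is sent with every request.
        messages: Optional list that is extended in place and returned. Defaults
            to a fresh list per call; the original ``messages=[]`` default was a
            single shared list, so a second call in the same process would have
            re-emitted the first call's records.

    Returns:
        The list of trace records (the ``value`` entries of every page).

    Exits the process with a message on an HTTP error, a non-JSON body or a
    body without ``value``, as the original script did.
    """
    if messages is None:
        messages = []
    auth = requests.auth.HTTPBasicAuth(username, password)
    headers = {'Accept': 'application/json'}
    next_url = url
    while next_url:
        try:
            r = requests.get(next_url, auth=auth, headers=headers, timeout=REQUEST_TIMEOUT)
            r.raise_for_status()
            response_json = r.json()
            messages += response_json['value']
        except (requests.RequestException, ValueError, KeyError) as e:
            sys.exit("HTTP Request error: %s" % str(e))
        next_link = response_json.get('odata.nextLink')
        next_url = get_url(next_link) if next_link else None
    return messages


def getNodeText(node):
    """Concatenate the text of the direct child text nodes of a minidom *node*.

    Only referenced by the disabled MessageTraceDetail block at the end of
    this file; kept so that block can be re-enabled unchanged.
    """
    return ''.join(
        child.data for child in node.childNodes if child.nodeType == child.TEXT_NODE
    )


def send_to_collector(messages, host, port):
    """Forward each trace record to the FortiSIEM collector as one UDP datagram.

    Every record is stamped with ``phCustId`` 2001 before serialisation (as in
    the original script). One socket is reused for the whole batch instead of
    opening and closing one per record, and an unconnected ``sendto`` is used so
    an ICMP unreachable from one datagram does not fail the next send.

    Args:
        messages: Trace records (dicts) as returned by ``get_messages``.
        host: Collector IP or hostname.
        port: Collector UDP port.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for message in messages:
            message["phCustId"] = 2001
            payload = "[OFFICE365_TRACE_MESSAGE] = " + json.dumps(message)
            try:
                sock.sendto(payload.encode("utf-8"), (host, port))
            except OSError as e:
                # One record that cannot be sent (e.g. a datagram above the UDP
                # size limit) must not abort the rest of the batch; report it
                # and carry on so the loss is visible in the cron output.
                print("send error for record %s: %s" % (message.get("MessageTraceId"), e),
                      file=sys.stderr)
                continue
            # Debug
            print(payload)


def main():
    """Fetch the current trace window and forward it to FortiSIEM."""
    # The original default of '' made sendto() target the local host, so a
    # forgotten setting silently sent the traces to the wrong place.
    if not FSM_Collector_ip:
        sys.exit("FSM_Collector_ip is not set (FSM_COLLECTOR_IP); refusing to send traces")
    messages = get_messages(microsoft_trace_url, microsoft_username, microsoft_password)
    # Debug
    #print(json.dumps(messages, indent=2))
    send_to_collector(messages, FSM_Collector_ip, FSM_Collector_port)


if __name__ == "__main__":
    main()


# Disabled MessageTraceDetail prototype, kept verbatim (it relies on
# xml.dom.minidom, which is not imported above).
"""
# MessageTraceDetail API
for i in range(len(messages)):
    print('#######################')
    for (k, v) in messages[i].items():
        print("Key: " + k + "| Value: " + str(v))
    microsoft_trace_detail_url = "https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTraceDetail?$filter=MessageTraceId eq guid'%s' and RecipientAddress eq '%s' and SenderAddress eq '%s' and StartDate eq datetime'%s' and EndDate eq datetime'%s'&$format=Atom" % (messages[i]['MessageTraceId'], messages[i]['RecipientAddress'], messages[i]['SenderAddress'], messages[i]['StartDate'], messages[i]['EndDate'])
    print(microsoft_trace_detail_url)
    r = requests.get(microsoft_trace_detail_url, auth=requests.auth.HTTPBasicAuth(microsoft_username, microsoft_password), headers={'Accept':'application/json'})
    xmldoc = minidom.parseString(r.text)
    pretty_xml_as_string = xmldoc.toprettyxml()
    print(pretty_xml_as_string)
"""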