Microsoft Exchange Online has an API available to return Message Details of an email. There's currently an app in Splunkbase that indexes the Exchange Online emails (indexed data includes Sender, Recipient, Subject, MessageTraceId, etc.). I want to develop something that utilizes Microsoft's MessageTraceDetail API and returns the detail when used as an Event Action. The MessageTraceDetail API requires two inputs, Recipient and MessageTraceId, which each Message event contains. What I'm trying to create is an Event Action for each of those events, so when there's a suspicious message that we want to inspect in Splunk, we expand the event, click Event Action, and have an option to query the message against the MessageTraceDetail API (button could read something like "Get-MessageTraceDetail".
Here's what the MessageTraceDetail API looks like:
https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTraceDetail?$format=json&... eq '$_EMAIL_FIELD_FROM_SPLUNK_$' and MessageTraceId eq guid'$_ID_FIELD_FROM_SPLUNK_$'
What's the best way to develop something that would return the results from that API? Is there a way to display it as a popup window that parses it in json format?
