This is a simple script written to run on a Linux server as a cron job and pull events from the Windows Advanced Threat Protection API.
The events are parsed as JSON and can then be ingested or stored in the manner of your choice.
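A cron job that polls on a schedule usually sees overlapping results between runs, so the parsed events need a checkpoint before they are stored. The sketch below is an added example, not the script this page describes: it parses a response body and returns only events not yet stored, as newline-delimited JSON. The field names `AlertId` and `AlertTime`, the state layout and the sample body are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample response body; AlertId/AlertTime field names are assumptions.
SAMPLE_BODY = json.dumps([
    {"AlertId": "a-001", "AlertTime": "2024-05-01T10:00:00Z", "Severity": "Low"},
    {"AlertId": "a-004", "AlertTime": "2024-05-01T10:00:00Z", "Severity": "High"},
    {"AlertId": "a-002", "AlertTime": "2024-05-01T10:05:00Z", "Severity": "High"},
    {"AlertId": "a-003", "AlertTime": "2024-05-01T10:09:30Z", "Severity": "Medium"},
])

def parse_time(value):
    """Parse a UTC timestamp of the form 2024-05-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def new_events(body, state):
    """Return (ndjson_lines, new_state) for events not covered by state.

    state is None on the first run, otherwise {"time": newest stored
    AlertTime, "ids": AlertIds stored at that exact time}. Keeping the ids
    avoids dropping a late event that shares the checkpoint timestamp.
    A body that is not a JSON list raises ValueError so cron reports it.
    """
    events = json.loads(body)  # JSONDecodeError is a ValueError subclass
    if not isinstance(events, list):
        raise ValueError("expected a JSON list of events")
    floor = parse_time(state["time"]) if state else None
    seen = set(state["ids"]) if state else set()
    fresh = []
    for event in events:
        when = parse_time(event["AlertTime"])
        if floor is None or when > floor or (when == floor and event["AlertId"] not in seen):
            fresh.append((when, event))
    if not fresh:
        return [], state
    fresh.sort(key=lambda pair: pair[0])  # oldest first, stable for ties
    newest = fresh[-1][0]
    ids = {e["AlertId"] for w, e in fresh if w == newest}
    if floor is not None and newest == floor:
        ids |= seen  # same timestamp as before: keep the earlier ids too
    new_state = {"time": fresh[-1][1]["AlertTime"], "ids": sorted(ids)}
    return [json.dumps(e, sort_keys=True) for _, e in fresh], new_state

if __name__ == "__main__":
    lines, state = new_events(SAMPLE_BODY, {"time": "2024-05-01T10:00:00Z", "ids": ["a-001"]})
    print("\n".join(lines))
    print("next state:", json.dumps(state))
```

Persist the returned state only after the lines have been written to their destination, so a failed run is retried rather than skipped.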