Skip to content

Vade M365

Overview

Vade for M365 offers AI-based protection against dynamic, email-borne cyberattacks targeting Microsoft 365. It improves user experience and catches 10x more advanced threats than Microsoft.

In this documentation we will explain how to collect and send Vade for M365 logs to Sekoia.io.

  • Vendor: Vade
  • Supported environment: Cloud
  • Detection based on: Telemetry
  • Supported application or feature: Email gateway, Anti-virus

Configure

Info

Consuming logs from Vade now requires the Vade Threat Intel & Investigation (TII) module. MSSP partners can benefit from this module from their Partner's Portal. Final customers are invited to contact their Vade commercial contact to setup this module.

First you need to reach the Playbooks page in order to initiate your playbook using the dedicated button.

You can directly choose the Get M365 Email Events trigger if you are creating a playbook from scratch otherwise you will have to find it within the Actions library panel under the Vade secure menu to drag and drop the trigger on the graph.

To start configuring the selected trigger, you'll need to bring Vade's documentation which can be found here. This documentation will allow you to get the following information: your client_id and your client_secret. You can also get the api_host and oauth2_authorization_url, if necessary. In most common cases, the api_host is https://m365.eu.vadesecure.com and the oauth2_authorization_url is https://api.vadesecure.com/oauth2/v2/token

Then you just have to configure the trigger itself by filling its name, by setting its frequency in seconds and by adding your Office 365 tenant identifier (tenant_id)

Lastly, you must add the Sekoia's action Push Events to intake to the graph and configure it using :

  • the Sekoia.io api_key generated within the user center
  • the base_url (https://intake.sekoia.io)
  • the events_path to push on Intake (your logs, you will probably fill it with {{ node.0['emails_path'] }})
  • the intake_key of the intake you have previously created (documentation can be found here)

Raw Events Samples

In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.

{
    "id": "abcdefgh",
    "date": "2024-01-31T10:11:13.974Z",
    "sender_ip": "1.2.3.4",
    "from": "user@test.fr",
    "from_header": "user user@test.fr",
    "to": "destuser@test.fr",
    "to_header": "header stuff",
    "subject": "subject",
    "message_id": "ABCDEF",
    "urls": [
        {
            "url": "https://www.test.com/"
        },
        {
            "url": "http://www.test.fr"
        },
        {
            "url": "https://www.test.io"
        }
    ],
    "attachments": [
        {
            "id": "abcdef",
            "filename": "image006.png",
            "extension": "png",
            "size": 477,
            "hashes": {
                "md5": "abcdef",
                "sha1": "abcdef",
                "sha256": "abcdef",
                "sha512": "abcdef"
            }
        },
        {
            "id": "abcdef",
            "filename": "sample.pdf",
            "extension": "pdf",
            "size": 237284,
            "hashes": {
                "md5": "abcdef",
                "sha1": "abcdef",
                "sha256": "abcdef",
                "sha512": "abcdef"
            }
        }
    ],
    "status": "LOW_SPAM",
    "substatus": "",
    "last_report": "none",
    "last_report_date": "0001-01-01T00:00:00Z",
    "remediation_type": "none",
    "remediation_ids": [],
    "action": "NOTHING",
    "folder": "",
    "size": 460793,
    "current_events": [],
    "whitelisted": true,
    "direction": "incoming",
    "remediation_message_read": false,
    "geo": {
        "country_name": "Ireland",
        "country_iso_code": "IE",
        "city_name": "Dublin"
    },
    "malware_bypass": false,
    "reply_to_header": "",
    "overdict": "clean",
    "auth_results_details": ""
}
{
    "id": "zekfnzejnf576rge8768",
    "date": "2022-02-10T13:00:05.454Z",
    "sender_ip": "192.168.1.1",
    "from": "test@sekoia.io",
    "from_header": "<test@sekoia.io>",
    "to": "test@vadesecure.com",
    "to_header": "\"test@vadesecure.com\" <test@vadesecure.com>",
    "subject": "Lorem ipsum dolor",
    "message_id": "<01de2305-f75b-49db-8c61-f661bd498e63.protection.outlook.com>",
    "urls": [
        {
            "url": "https://sekoia.io"
        }
    ],
    "attachments": [
        {
            "id": "ca9ph2ostndl7735uht0",
            "filename": "image001.png",
            "extension": "png",
            "size": 12894
        },
        {
            "id": "ca9okt0kn1e8usdf633g",
            "filename": "archive.zip",
            "extension": "zip",
            "size": 10558
        }
    ],
    "status": "LEGIT",
    "substatus": "",
    "remediation_type": "none",
    "remediation_ids": [],
    "action": "NOTHING",
    "folder": "",
    "size": 113475,
    "current_events": [],
    "whitelisted": false
}
{
    "id": "cs72a9b6r0glddhdfh7g",
    "date": "2024-10-15T08:17:41.776Z",
    "sender_ip": "1.2.3.4",
    "from": "jd@doe.fr",
    "from_header": "John Doe<jd@doe.fr>",
    "to": "alan.smithee@doe.fr",
    "to_header": "Alan.smithee@doe.fr",
    "subject": "Informations",
    "message_id": "<d0a5da95-4028-439b-b9d5-a4f220c59022@protection.outlook.com>",
    "urls": [],
    "attachments": [],
    "status": "LEGIT",
    "substatus": "",
    "last_report": "none",
    "last_report_date": "0001-01-01T00:00:00Z",
    "remediation_type": "none",
    "remediation_ids": [],
    "action": "NOTHING",
    "folder": "",
    "size": 26875,
    "current_events": [],
    "whitelisted": false,
    "direction": "incoming",
    "remediation_message_read": false,
    "geo": {
        "country_name": "United States",
        "country_iso_code": "US",
        "city_name": ""
    },
    "malware_bypass": false,
    "reply_to_header": "user@company.com",
    "overdict": "clean",
    "auth_results_details": {
        "dkim": "none",
        "spf": "temperror",
        "dmarc": "fail"
    }
}
{
    "id": "ch34aoqub3glupige13g",
    "date": "2023-04-24T09:01:23.666Z",
    "sender_ip": "163.172.240.104",
    "from": "test@sekoia.io",
    "from_header": "Test SEKOIA.IO <test@sekoia.io>",
    "to": "test@vadesecure.com",
    "to_header": "\"test@vadesecure.com\" <test@vadesecure.com>",
    "subject": "OneDrive- Document No.: 1928578 - VadeSecure",
    "message_id": "<5b13d2f4-6078-4ae6-afa9-0d023b89e85a@MR2FRA01FT001.eop-fra01.prod.protection.outlook.com>",
    "urls": [
        {
            "url": "https://www.facebo\u1ecdk.com/login.php"
        },
        {
            "url": "https://www.facelbo?k.com/login.php"
        },
        {
            "url": "https://www.vadesecure.com/"
        },
        {
            "url": "https://sites.google.com/view/gine-office/home"
        }
    ],
    "attachments": [
        {
            "id": "ch34aoqub3glupige170",
            "filename": "",
            "extension": "",
            "size": 10558,
            "hashes": {
                "md5": "7bc2b146a309acbff2da55e6b4124a82",
                "sha1": "299d5bf95adb52e640f9723c5f58b5a8e880be9b",
                "sha256": "288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368",
                "sha512": "7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423"
            }
        },
        {
            "id": "ch34aoqub3glupige17g",
            "filename": "",
            "extension": "",
            "size": 12894,
            "hashes": {
                "md5": "0eb4a83f99c2cd38d9d4decf809d1701",
                "sha1": "4665fcc8f1433dda8cd62d1234ead5ee32d4dd5f",
                "sha256": "f1e1783333718e2c937d7c694dacd518ccca9f219b31fbfda40e72ee16235dae",
                "sha512": "c6c817094c207e2d7bd12803a875bda79274fbac1c745a81dbd886d25c4147f179209073425a2e8b2f800ec3415376ef38eab64680ecb16ba9820ecde4ea8156"
            }
        }
    ],
    "status": "PHISHING",
    "substatus": "",
    "last_report": "none",
    "last_report_date": "0001-01-01T00:00:00Z",
    "remediation_type": "none",
    "remediation_ids": [],
    "action": "MOVE",
    "folder": "JunkEmail",
    "size": 186849,
    "current_events": [],
    "whitelisted": false,
    "geo": {
        "country_name": "France",
        "country_iso_code": "FR",
        "city_name": ""
    },
    "malware_bypass": false
}
{
    "id": "cgrqlp83v5prkopmecf0",
    "date": "2023-04-13T07:10:29.191Z",
    "sender_ip": "163.172.240.104",
    "from": "test@sekoia.io",
    "from_header": "Test SEKOIA.IO <test@sekoia.io>",
    "to": "test@vadesecure.com",
    "to_header": "\"test@vadesecure.com\" <test@vadesecure.com>",
    "subject": "Lorem ipsum dolor",
    "message_id": "<d0a5da95-4028-439b-b9d5-a4f220c59022@protection.outlook.com>",
    "urls": [],
    "attachments": [
        {
            "id": "cgrqlp83v5prkopmecfg",
            "filename": "commande.docm",
            "extension": "docm",
            "size": 96009,
            "hashes": {
                "md5": "c1ea14accbb4f5ac66beac2d3f8de531",
                "sha1": "bfd1de0e780a3d7f047f6de00f44eaa1868e05e2",
                "sha256": "6ea92f15f697ef4c78ca02fd3d72b2531f047be00a588901b3d14578ccbd9424",
                "sha512": "77eec978ebbc455892fbce3dafe78140962c6c25a8050a9c9f0155b27ff1a08588cbf74bb41df49c1413431d307f099547354eabb7e5f23a798192a3c673749d"
            }
        }
    ],
    "status": "LEGIT",
    "substatus": "",
    "last_report": "none",
    "last_report_date": "0001-01-01T00:00:00Z",
    "remediation_type": "none",
    "remediation_ids": [],
    "action": "NOTHING",
    "folder": "",
    "size": 179355,
    "current_events": [],
    "whitelisted": true,
    "geo": {
        "country_name": "France",
        "country_iso_code": "FR",
        "city_name": ""
    },
    "malware_bypass": true
}
{
    "id": "csb6q1pgfisg9knp1l5g",
    "date": "2024-10-21T15:02:31.64Z",
    "sender_ip": "1.2.3.4",
    "from": "john.doe@mail.fr",
    "from_header": "John DOE <john.doe@mail.fr>",
    "to": "alan.smithee@company.fr",
    "to_header": "Alan Smithee <alan.smithee@company.fr>",
    "subject": "Re: Your mail",
    "message_id": "<D0a5da95-4028-439b-b9d5-a4f220c59022@protection.outlook.com>",
    "urls": [
        {
            "url": "http://www.company.fr/"
        }
    ],
    "attachments": [
        {
            "id": "12345678901234567890",
            "filename": "image001.jpg",
            "extension": "jpg",
            "size": 5130,
            "hashes": {
                "md5": "7bc2b146a309acbff2da55e6b4124a82",
                "sha1": "299d5bf95adb52e640f9723c5f58b5a8e880be9b",
                "sha256": "288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368",
                "sha512": "7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423"
            }
        }
    ],
    "status": "LEGIT",
    "substatus": "",
    "last_report": "none",
    "last_report_date": "0001-01-01T00:00:00Z",
    "remediation_type": "none",
    "remediation_ids": [],
    "action": "NOTHING",
    "folder": "",
    "size": 93072,
    "current_events": [],
    "whitelisted": false,
    "direction": "incoming",
    "remediation_message_read": false,
    "geo": {
        "country_name": "United States",
        "country_iso_code": "US",
        "city_name": ""
    },
    "malware_bypass": false,
    "reply_to_header": "",
    "overdict": "clean",
    "auth_results_details": {
        "dkim": "fail",
        "spf": "temperror",
        "dmarc": "none"
    }
}
{
    "id": "zekfnzejnf576rge8768",
    "date": "2022-02-01T23:30:33.982Z",
    "reason": "The email contains a URL that is flagged as Phishing by Vade Secure Global Threat Intelligence",
    "status": {
        "status": "PHISHING"
    },
    "actions": [
        {
            "action": "MOVE"
        }
    ],
    "nb_messages_remediated": 1,
    "nb_messages_remediated_read": 0,
    "nb_messages_remediated_unread": 1
}
{
    "id": "zekfnzejnf576rge8768",
    "date": "2021-11-18T15:59:39.368Z",
    "reason": "",
    "actions": [
        {
            "action": "DELETE"
        },
        {
            "action": "FAILED"
        }
    ],
    "nb_messages_remediated": 76,
    "nb_messages_remediated_read": 0,
    "nb_messages_remediated_unread": 76
}

Detection section

The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.

The following Sekoia.io built-in rules match the intake Vade for M365. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.

SEKOIA.IO x Vade for M365 on ATT&CK Navigator

Cryptomining

Detection of domain names potentially related to cryptomining activities.

  • Effort: master
Dynamic DNS Contacted

Detect communication with dynamic dns domain. This kind of domain is often used by attackers. This rule can trigger false positive in non-controlled environment because dynamic dns is not always malicious.

  • Effort: master
Exfiltration Domain

Detects traffic toward a domain flagged as a possible exfiltration vector.

  • Effort: master
Malware Detected By Vade For M365

Vade Secure product Vade for M365 has detected a malware contained in the message.

  • Effort: master
Malware Detected By Vade For M365 And Not Blocked

Vade Secure product Vade for M365 has detected a malware contained in the message and didn't delete it.

  • Effort: advanced
Phishing Detected By Vade For M365

Vade Secure product Vade for M365 has detected a phishing attempt.

  • Effort: master
Phishing Detected By Vade For M365 And Not Blocked

Vade Secure product Vade for M365 has detected a phishing attempt and didn't move it to junk folder.

  • Effort: advanced
Remote Access Tool Domain

Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).

  • Effort: master
SEKOIA.IO Intelligence Feed

Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.

  • Effort: elementary
Scam Detected By Vade For M365

Vade Secure product Vade for M365, has detected a scam e-mail.

  • Effort: master
Scam Detected By Vade For M365 And Not Blocked

Vade Secure product Vade for M365, has detected a scam e-mail and didn't block it.

  • Effort: advanced
Sekoia.io EICAR Detection

Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.

  • Effort: master
Spam Detected By Vade For M365

Vade Secure product Vade for M365, has detected a spam e-mail.

  • Effort: master
Spam Detected By Vade For M365 And Not Blocked

Vade Secure product Vade for M365, has detected a spam e-mail and didn't block it.

  • Effort: advanced
Spearphishing (CEO Fraud) Detected By Vade For M365

Vade Secure product Vade for M365 has detected a spearphishing attempt with CEO fraud thematic. Impersonation of CEO or senior management members requesting urgent money transfer, usually on an unknown RIB.

  • Effort: master
Spearphishing (Gift Cards Fraud) Detected By Vade For M365

Vade Secure product Vade for M365 has detected a spear-phishing attempt with gift-cards fraud thematic. Executive impersonation requesting a money transfer to set up gift-cards for employees. Confidentiality and discretion are usually implied.

  • Effort: master
Spearphishing (Initial Contact Fraud) Detected By Vade For M365

Vade Secure product Vade for M365 has detected a spearphishing attempt with initial contact fraud thematic. Do not contains any malicious content or specific actions other than a request to reply to the email. “Are you available?”. The main goal is to incite a reply that could register the sending address as a known and legitimate address.

  • Effort: master
Spearphishing (Lawyer Fraud) Detected By Vade For M365

Vade Secure product Vade for M365 has detected a spearphishing attempt with lawyer fraud thematic. Impersonation of lawyers and lawyers' firms. The main goal is to make sure the victims will not raise awareness around them. Confidentiality restrictions are implied.

  • Effort: master
Spearphishing (W2 Fraud) Detected By Vade For M365

Vade Secure product Vade for M365 has detected a spearphishing attempt with W2 fraud thematic. Executive or HR impersonation phishing for social security numbers or tax identification numbers. Collected data are generally used for identity theft schemes.

  • Effort: master
Suspicious Email Attachment Received

Detects email containing a suspicious file as an attachment, based on its extension.

  • Effort: advanced
TOR Usage Generic Rule

Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.

  • Effort: master

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Anti-virus Vade performs behavioral-Based Anti-Malware
Email gateway Vade for M365 blocks attacks from the first email thanks to machine learning models that perform real-time behavioral analysis of the entire email, including any URLs and attachments.

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind ``
Category email
Type change, deletion, denied, info

Transformed Events Samples after Ingestion

This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.

{
    "message": "{ \"id\": \"abcdefgh\", \"date\": \"2024-01-31T10:11:13.974Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"user@test.fr\", \"from_header\": \"user user@test.fr\", \"to\": \"destuser@test.fr\", \"to_header\": \"header stuff\", \"subject\": \"subject\", \"message_id\": \"ABCDEF\", \"urls\": [ { \"url\": \"https://www.test.com/\" }, { \"url\": \"http://www.test.fr\" }, { \"url\": \"https://www.test.io\" } ], \"attachments\": [ { \"id\": \"abcdef\", \"filename\": \"image006.png\", \"extension\": \"png\", \"size\": 477, \"hashes\": { \"md5\": \"abcdef\", \"sha1\": \"abcdef\", \"sha256\": \"abcdef\", \"sha512\": \"abcdef\" } }, { \"id\": \"abcdef\", \"filename\": \"sample.pdf\", \"extension\": \"pdf\", \"size\": 237284, \"hashes\": { \"md5\": \"abcdef\", \"sha1\": \"abcdef\", \"sha256\": \"abcdef\", \"sha512\": \"abcdef\" } } ], \"status\": \"LOW_SPAM\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 460793, \"current_events\": [], \"whitelisted\": true, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": { \"country_name\": \"Ireland\", \"country_iso_code\": \"IE\", \"city_name\": \"Dublin\" }, \"malware_bypass\": false, \"reply_to_header\": \"\", \"overdict\": \"clean\", \"auth_results_details\": \"\" }",
    "event": {
        "action": "nothing",
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "attachments": [
            {
                "file": {
                    "extension": "png",
                    "hash": {
                        "md5": "abcdef",
                        "sha1": "abcdef",
                        "sha256": "abcdef",
                        "sha512": "abcdef"
                    },
                    "name": "image006.png",
                    "size": 477
                }
            },
            {
                "file": {
                    "extension": "pdf",
                    "hash": {
                        "md5": "abcdef",
                        "sha1": "abcdef",
                        "sha256": "abcdef",
                        "sha512": "abcdef"
                    },
                    "name": "sample.pdf",
                    "size": 237284
                }
            }
        ],
        "from": {
            "address": "user@test.fr"
        },
        "local_id": "abcdefgh",
        "message_id": "ABCDEF",
        "subject": "subject",
        "to": {
            "address": "destuser@test.fr"
        }
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    },
    "vadesecure": {
        "attachments": [
            {
                "filename": "image006.png",
                "id": "abcdef"
            },
            {
                "filename": "sample.pdf",
                "id": "abcdef"
            }
        ],
        "from_header": "user user@test.fr",
        "last_report_date": "0001-01-01T00:00:00Z",
        "overdict": "clean",
        "status": "LOW_SPAM",
        "to_header": "header stuff",
        "whitelist": "true"
    }
}
{
    "message": "{\"id\": \"zekfnzejnf576rge8768\", \"date\": \"2022-02-10T13:00:05.454Z\", \"sender_ip\": \"192.168.1.1\", \"from\": \"test@sekoia.io\", \"from_header\": \"<test@sekoia.io>\", \"to\": \"test@vadesecure.com\", \"to_header\": \"\\\"test@vadesecure.com\\\" <test@vadesecure.com>\", \"subject\": \"Lorem ipsum dolor\", \"message_id\": \"<01de2305-f75b-49db-8c61-f661bd498e63.protection.outlook.com>\", \"urls\": [{\"url\": \"https://sekoia.io\"}], \"attachments\": [{\"id\": \"ca9ph2ostndl7735uht0\", \"filename\": \"image001.png\", \"extension\": \"png\", \"size\": 12894},{\"id\": \"ca9okt0kn1e8usdf633g\", \"filename\": \"archive.zip\", \"extension\": \"zip\", \"size\": 10558}], \"status\": \"LEGIT\", \"substatus\": \"\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 113475, \"current_events\": [], \"whitelisted\": false}",
    "event": {
        "action": "nothing",
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "attachments": [
            {
                "file": {
                    "extension": "png",
                    "name": "image001.png",
                    "size": 12894
                }
            },
            {
                "file": {
                    "extension": "zip",
                    "name": "archive.zip",
                    "size": 10558
                }
            }
        ],
        "from": {
            "address": "test@sekoia.io"
        },
        "local_id": "zekfnzejnf576rge8768",
        "message_id": "<01de2305-f75b-49db-8c61-f661bd498e63.protection.outlook.com>",
        "subject": "Lorem ipsum dolor",
        "to": {
            "address": "test@vadesecure.com"
        }
    },
    "related": {
        "ip": [
            "192.168.1.1"
        ]
    },
    "source": {
        "address": "192.168.1.1",
        "ip": "192.168.1.1"
    },
    "vadesecure": {
        "attachments": [
            {
                "filename": "image001.png",
                "id": "ca9ph2ostndl7735uht0"
            },
            {
                "filename": "archive.zip",
                "id": "ca9okt0kn1e8usdf633g"
            }
        ],
        "from_header": "<test@sekoia.io>",
        "status": "LEGIT",
        "to_header": "\"test@vadesecure.com\" <test@vadesecure.com>",
        "whitelist": "false"
    }
}
{
    "message": "{\"id\": \"cs72a9b6r0glddhdfh7g\", \"date\": \"2024-10-15T08:17:41.776Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"jd@doe.fr\", \"from_header\": \"John Doe<jd@doe.fr>\", \"to\": \"alan.smithee@doe.fr\", \"to_header\": \"Alan.smithee@doe.fr\", \"subject\": \"Informations\", \"message_id\": \"<d0a5da95-4028-439b-b9d5-a4f220c59022@protection.outlook.com>\", \"urls\": [], \"attachments\": [], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 26875, \"current_events\": [], \"whitelisted\": false, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": {\"country_name\": \"United States\", \"country_iso_code\": \"US\", \"city_name\": \"\"}, \"malware_bypass\": false, \"reply_to_header\": \"user@company.com\", \"overdict\": \"clean\", \"auth_results_details\": {\"dkim\": \"none\", \"spf\": \"temperror\", \"dmarc\": \"fail\"}}",
    "event": {
        "action": "nothing",
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "attachments": [],
        "from": {
            "address": "jd@doe.fr"
        },
        "local_id": "cs72a9b6r0glddhdfh7g",
        "message_id": "<d0a5da95-4028-439b-b9d5-a4f220c59022@protection.outlook.com>",
        "reply_to": {
            "address": "user@company.com"
        },
        "subject": "Informations",
        "to": {
            "address": "alan.smithee@doe.fr"
        }
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    },
    "vadesecure": {
        "attachments": [],
        "auth_results_details": {
            "dkim": "none",
            "dmarc": "fail",
            "spf": "temperror"
        },
        "from_header": "John Doe<jd@doe.fr>",
        "last_report_date": "0001-01-01T00:00:00Z",
        "overdict": "clean",
        "status": "LEGIT",
        "to_header": "Alan.smithee@doe.fr",
        "whitelist": "false"
    }
}
{
    "message": "{\"id\": \"ch34aoqub3glupige13g\", \"date\": \"2023-04-24T09:01:23.666Z\", \"sender_ip\": \"163.172.240.104\", \"from\": \"test@sekoia.io\", \"from_header\": \"Test SEKOIA.IO <test@sekoia.io>\", \"to\": \"test@vadesecure.com\", \"to_header\": \"\\\"test@vadesecure.com\\\" <test@vadesecure.com>\", \"subject\": \"OneDrive- Document No.: 1928578 - VadeSecure\", \"message_id\": \"<5b13d2f4-6078-4ae6-afa9-0d023b89e85a@MR2FRA01FT001.eop-fra01.prod.protection.outlook.com>\", \"urls\": [{\"url\": \"https://www.facebo\\u1ecdk.com/login.php\"}, {\"url\": \"https://www.facelbo?k.com/login.php\"}, {\"url\": \"https://www.vadesecure.com/\"}, {\"url\": \"https://sites.google.com/view/gine-office/home\"}], \"attachments\": [{\"id\": \"ch34aoqub3glupige170\", \"filename\": \"\", \"extension\": \"\", \"size\": 10558, \"hashes\": {\"md5\": \"7bc2b146a309acbff2da55e6b4124a82\", \"sha1\": \"299d5bf95adb52e640f9723c5f58b5a8e880be9b\", \"sha256\": \"288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368\", \"sha512\": \"7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423\"}}, {\"id\": \"ch34aoqub3glupige17g\", \"filename\": \"\", \"extension\": \"\", \"size\": 12894, \"hashes\": {\"md5\": \"0eb4a83f99c2cd38d9d4decf809d1701\", \"sha1\": \"4665fcc8f1433dda8cd62d1234ead5ee32d4dd5f\", \"sha256\": \"f1e1783333718e2c937d7c694dacd518ccca9f219b31fbfda40e72ee16235dae\", \"sha512\": \"c6c817094c207e2d7bd12803a875bda79274fbac1c745a81dbd886d25c4147f179209073425a2e8b2f800ec3415376ef38eab64680ecb16ba9820ecde4ea8156\"}}], \"status\": \"PHISHING\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"MOVE\", \"folder\": \"JunkEmail\", \"size\": 186849, \"current_events\": [], \"whitelisted\": false, \"geo\": {\"country_name\": \"France\", \"country_iso_code\": \"FR\", \"city_name\": \"\"}, \"malware_bypass\": false}",
    "event": {
        "action": "move",
        "category": [
            "email"
        ],
        "type": [
            "change"
        ]
    },
    "email": {
        "attachments": [
            {
                "file": {
                    "extension": "",
                    "hash": {
                        "md5": "7bc2b146a309acbff2da55e6b4124a82",
                        "sha1": "299d5bf95adb52e640f9723c5f58b5a8e880be9b",
                        "sha256": "288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368",
                        "sha512": "7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423"
                    },
                    "name": "",
                    "size": 10558
                }
            },
            {
                "file": {
                    "extension": "",
                    "hash": {
                        "md5": "0eb4a83f99c2cd38d9d4decf809d1701",
                        "sha1": "4665fcc8f1433dda8cd62d1234ead5ee32d4dd5f",
                        "sha256": "f1e1783333718e2c937d7c694dacd518ccca9f219b31fbfda40e72ee16235dae",
                        "sha512": "c6c817094c207e2d7bd12803a875bda79274fbac1c745a81dbd886d25c4147f179209073425a2e8b2f800ec3415376ef38eab64680ecb16ba9820ecde4ea8156"
                    },
                    "name": "",
                    "size": 12894
                }
            }
        ],
        "from": {
            "address": "test@sekoia.io"
        },
        "local_id": "ch34aoqub3glupige13g",
        "message_id": "<5b13d2f4-6078-4ae6-afa9-0d023b89e85a@MR2FRA01FT001.eop-fra01.prod.protection.outlook.com>",
        "subject": "OneDrive- Document No.: 1928578 - VadeSecure",
        "to": {
            "address": "test@vadesecure.com"
        }
    },
    "related": {
        "ip": [
            "163.172.240.104"
        ]
    },
    "source": {
        "address": "163.172.240.104",
        "ip": "163.172.240.104"
    },
    "vadesecure": {
        "attachments": [
            {
                "filename": "",
                "id": "ch34aoqub3glupige170"
            },
            {
                "filename": "",
                "id": "ch34aoqub3glupige17g"
            }
        ],
        "folder": "JunkEmail",
        "from_header": "Test SEKOIA.IO <test@sekoia.io>",
        "last_report_date": "0001-01-01T00:00:00Z",
        "status": "PHISHING",
        "to_header": "\"test@vadesecure.com\" <test@vadesecure.com>",
        "whitelist": "false"
    }
}
{
    "message": "{\"id\": \"cgrqlp83v5prkopmecf0\", \"date\": \"2023-04-13T07:10:29.191Z\", \"sender_ip\": \"163.172.240.104\", \"from\": \"test@sekoia.io\", \"from_header\": \"Test SEKOIA.IO <test@sekoia.io>\", \"to\": \"test@vadesecure.com\", \"to_header\": \"\\\"test@vadesecure.com\\\" <test@vadesecure.com>\", \"subject\": \"Lorem ipsum dolor\", \"message_id\": \"<d0a5da95-4028-439b-b9d5-a4f220c59022@protection.outlook.com>\", \"urls\": [], \"attachments\": [{\"id\": \"cgrqlp83v5prkopmecfg\", \"filename\": \"commande.docm\", \"extension\": \"docm\", \"size\": 96009, \"hashes\": {\"md5\": \"c1ea14accbb4f5ac66beac2d3f8de531\", \"sha1\": \"bfd1de0e780a3d7f047f6de00f44eaa1868e05e2\", \"sha256\": \"6ea92f15f697ef4c78ca02fd3d72b2531f047be00a588901b3d14578ccbd9424\", \"sha512\": \"77eec978ebbc455892fbce3dafe78140962c6c25a8050a9c9f0155b27ff1a08588cbf74bb41df49c1413431d307f099547354eabb7e5f23a798192a3c673749d\"}}], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 179355, \"current_events\": [], \"whitelisted\": true, \"geo\": {\"country_name\": \"France\", \"country_iso_code\": \"FR\", \"city_name\": \"\"}, \"malware_bypass\": true}",
    "event": {
        "action": "nothing",
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "attachments": [
            {
                "file": {
                    "extension": "docm",
                    "hash": {
                        "md5": "c1ea14accbb4f5ac66beac2d3f8de531",
                        "sha1": "bfd1de0e780a3d7f047f6de00f44eaa1868e05e2",
                        "sha256": "6ea92f15f697ef4c78ca02fd3d72b2531f047be00a588901b3d14578ccbd9424",
                        "sha512": "77eec978ebbc455892fbce3dafe78140962c6c25a8050a9c9f0155b27ff1a08588cbf74bb41df49c1413431d307f099547354eabb7e5f23a798192a3c673749d"
                    },
                    "name": "commande.docm",
                    "size": 96009
                }
            }
        ],
        "from": {
            "address": "test@sekoia.io"
        },
        "local_id": "cgrqlp83v5prkopmecf0",
        "message_id": "<d0a5da95-4028-439b-b9d5-a4f220c59022@protection.outlook.com>",
        "subject": "Lorem ipsum dolor",
        "to": {
            "address": "test@vadesecure.com"
        }
    },
    "related": {
        "ip": [
            "163.172.240.104"
        ]
    },
    "source": {
        "address": "163.172.240.104",
        "ip": "163.172.240.104"
    },
    "vadesecure": {
        "attachments": [
            {
                "filename": "commande.docm",
                "id": "cgrqlp83v5prkopmecfg"
            }
        ],
        "from_header": "Test SEKOIA.IO <test@sekoia.io>",
        "last_report_date": "0001-01-01T00:00:00Z",
        "status": "LEGIT",
        "to_header": "\"test@vadesecure.com\" <test@vadesecure.com>",
        "whitelist": "true"
    }
}
{
    "message": "{\"id\": \"csb6q1pgfisg9knp1l5g\", \"date\": \"2024-10-21T15:02:31.64Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"john.doe@mail.fr\", \"from_header\": \"John DOE <john.doe@mail.fr>\", \"to\": \"alan.smithee@company.fr\", \"to_header\": \"Alan Smithee <alan.smithee@company.fr>\", \"subject\": \"Re: Your mail\", \"message_id\": \"<D0a5da95-4028-439b-b9d5-a4f220c59022@protection.outlook.com>\", \"urls\": [{\"url\": \"http://www.company.fr/\"}], \"attachments\": [{\"id\": \"12345678901234567890\", \"filename\": \"image001.jpg\", \"extension\": \"jpg\", \"size\": 5130, \"hashes\": {\"md5\": \"7bc2b146a309acbff2da55e6b4124a82\", \"sha1\": \"299d5bf95adb52e640f9723c5f58b5a8e880be9b\", \"sha256\": \"288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368\", \"sha512\": \"7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423\"}}], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 93072, \"current_events\": [], \"whitelisted\": false, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": {\"country_name\": \"United States\", \"country_iso_code\": \"US\", \"city_name\": \"\"}, \"malware_bypass\": false, \"reply_to_header\": \"\", \"overdict\": \"clean\", \"auth_results_details\": {\"dkim\": \"fail\", \"spf\": \"temperror\", \"dmarc\": \"none\"}}",
    "event": {
        "action": "nothing",
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "attachments": [
            {
                "file": {
                    "extension": "jpg",
                    "hash": {
                        "md5": "7bc2b146a309acbff2da55e6b4124a82",
                        "sha1": "299d5bf95adb52e640f9723c5f58b5a8e880be9b",
                        "sha256": "288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368",
                        "sha512": "7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423"
                    },
                    "name": "image001.jpg",
                    "size": 5130
                }
            }
        ],
        "from": {
            "address": "john.doe@mail.fr"
        },
        "local_id": "csb6q1pgfisg9knp1l5g",
        "message_id": "<D0a5da95-4028-439b-b9d5-a4f220c59022@protection.outlook.com>",
        "subject": "Re: Your mail",
        "to": {
            "address": "alan.smithee@company.fr"
        }
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    },
    "vadesecure": {
        "attachments": [
            {
                "filename": "image001.jpg",
                "id": "12345678901234567890"
            }
        ],
        "auth_results_details": {
            "dkim": "fail",
            "dmarc": "none",
            "spf": "temperror"
        },
        "from_header": "John DOE <john.doe@mail.fr>",
        "last_report_date": "0001-01-01T00:00:00Z",
        "overdict": "clean",
        "status": "LEGIT",
        "to_header": "Alan Smithee <alan.smithee@company.fr>",
        "whitelist": "false"
    }
}
{
    "message": "{\"id\": \"zekfnzejnf576rge8768\", \"date\": \"2022-02-01T23:30:33.982Z\", \"reason\": \"The email contains a URL that is flagged as Phishing by Vade Secure Global Threat Intelligence\", \"status\": {\"status\": \"PHISHING\"}, \"actions\": [{\"action\": \"MOVE\"}], \"nb_messages_remediated\": 1, \"nb_messages_remediated_read\": 0, \"nb_messages_remediated_unread\": 1}",
    "event": {
        "action": "move",
        "category": [
            "email"
        ],
        "reason": "The email contains a URL that is flagged as Phishing by Vade Secure Global Threat Intelligence",
        "type": [
            "info"
        ]
    },
    "vadesecure": {
        "campaign": {
            "actions": [
                {
                    "action": "MOVE"
                }
            ],
            "actions_labels": [
                "MOVE"
            ],
            "id": "zekfnzejnf576rge8768",
            "nb_messages_remediated": 1,
            "nb_messages_remediated_read": 0,
            "nb_messages_remediated_unread": 1
        },
        "status": "PHISHING"
    }
}
{
    "message": "{\"id\": \"zekfnzejnf576rge8768\", \"date\": \"2021-11-18T15:59:39.368Z\", \"reason\": \"\", \"actions\": [{\"action\": \"DELETE\"}, {\"action\": \"FAILED\"}], \"nb_messages_remediated\": 76, \"nb_messages_remediated_read\": 0, \"nb_messages_remediated_unread\": 76}",
    "event": {
        "action": "delete",
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "vadesecure": {
        "campaign": {
            "actions": [
                {
                    "action": "DELETE"
                },
                {
                    "action": "FAILED"
                }
            ],
            "actions_labels": [
                "DELETE",
                "FAILED"
            ],
            "id": "zekfnzejnf576rge8768",
            "nb_messages_remediated": 76,
            "nb_messages_remediated_read": 0,
            "nb_messages_remediated_unread": 76
        }
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
email.attachments array email.attachments
email.from.address keyword email.from.address
email.local_id keyword email.local_id
email.message_id keyword email.message_id
email.reply_to.address keyword Address replies should be delivered to.
email.subject keyword email.subject
email.to.address keyword email.to.address
event.action keyword The action captured by the event.
event.category keyword Event category. The second categorization field in the hierarchy.
event.reason keyword Reason why this event happened, according to the source
event.type keyword Event type. The third categorization field in the hierarchy.
source.ip ip IP address of the source.
vadesecure.attachments array vadesecure.to_header
vadesecure.campaign.actions array The actions carried out for the remediation campaign.
vadesecure.campaign.actions_labels keyword
vadesecure.campaign.id keyword The ID of the campaign
vadesecure.campaign.nb_messages_remediated long The total number of messages involved in the remediation.
vadesecure.campaign.nb_messages_remediated_read long The number of total read messages involved in the remediation.
vadesecure.campaign.nb_messages_remediated_unread long The number of total unread messages involved in the remediation.
vadesecure.folder keyword vadesecure.folder
vadesecure.from_header keyword vadesecure.from_header
vadesecure.last_report keyword
vadesecure.last_report_date datetime
vadesecure.overdict keyword vadesecure.overdict
vadesecure.status keyword vadesecure.status
vadesecure.substatus keyword vadesecure.substatus
vadesecure.to_header keyword vadesecure.to_header
vadesecure.whitelist keyword vadesecure.whitelist

For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.