Vade for M365
Overview
Vade for M365 offers AI-based protection against dynamic, email-borne cyberattacks targeting Microsoft 365. It improves user experience and catches 10x more advanced threats than Microsoft.
In this documenation we will explain how to collect and send Vade for M365 logs to SEKOIA.IO.
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
Anti-virus |
Vade performs behavioral-Based Anti-Malware |
Email gateway |
Vade for M365 blocks attacks from the first email thanks to machine learning models that perform real-time behavioral analysis of the entire email, including any URLs and attachments. |
In details, the following Table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | event |
| Category | email |
| Type | change, deletion, denied, info |
Event Samples
Find below few samples of events and how they are normalized by SEKOIA.IO.
{
"event": {
"outcome": "success",
"category": "email",
"kind": "event",
"type": "info"
},
"message": " {\"id\": \"zekfnzejnf576rge8768\", \"date\": \"2022-02-10T13:00:05.454Z\", \"sender_ip\": \"192.168.1.1\", \"from\": \"test@sekoia.io\", \"from_header\": \"<test@sekoia.io>\", \"to\": \"test@vadesecure.com\", \"to_header\": \"\\\"test@vadesecure.com\\\" <test@vadesecure.com>\", \"subject\": \"Lorem ipsum dolor\", \"message_id\": \"<01de2305-f75b-49db-8c61-f661bd498e63.protection.outlook.com>\", \"urls\": [{\"url\": \"https://sekoia.io\"}], \"attachments\": [], \"status\": \"LEGIT\", \"substatus\": \"\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 113475, \"current_events\": [], \"whitelisted\": false} ",
"sekoiaio": {
"intake": {
"parsing_status": "success"
}
},
"email": {
"from": {
"address": "test@sekoia.io"
},
"local_id": "zekfnzejnf576rge8768",
"message_id": "<01de2305-f75b-49db-8c61-f661bd498e63.protection.outlook.com>",
"subject": "Lorem ipsum dolor",
"to": {
"address": "test@vadesecure.com"
}
},
"source": {
"address": "192.168.1.1",
"ip": "192.168.1.1"
},
"vadesecure": {
"from_header": "<test@sekoia.io>",
"status": "LEGIT",
"to_header": "\"test@vadesecure.com\" <test@vadesecure.com>"
}
}
{
"event": {
"outcome": "success",
"category": "email",
"kind": "event",
"type": "info",
"reason": "The email contains a URL that is flagged as Phishing by Vade Secure Global Threat Intelligence"
},
"vadesecure": {
"status": "PHISHING",
"campaign": {
"actions": [
{
"action": "MOVE"
}
],
"id": "zekfnzejnf576rge8768",
"nb_messages_remediated": 1,
"nb_messages_remediated_read": 0,
"nb_messages_remediated_unread": 1
}
}
}
{
"event": {
"outcome": "success",
"category": "email",
"kind": "event",
"type": "info"
},
"vadesecure": {
"campaign": {
"actions": [
{
"action": "DELETE"
},
{
"action": "FAILED"
}
],
"id": "zekfnzejnf576rge8768",
"nb_messages_remediated": 76,
"nb_messages_remediated_read": 0,
"nb_messages_remediated_unread": 76
}
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
| Name | Type | Description |
|---|---|---|
email.from.address |
keyword |
email.from.address |
email.local_id |
keyword |
email.local_id |
email.message_id |
keyword |
email.message_id |
email.subject |
keyword |
email.subject |
email.to.address |
keyword |
email.to.address |
event.action |
keyword |
The action captured by the event. |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.kind |
keyword |
The kind of the event. The highest categorization field in the hierarchy. |
event.reason |
keyword |
Reason why this event happened, according to the source |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
source.ip |
ip |
IP address of the source. |
vadesecure.campaign.actions |
keyword |
None |
vadesecure.campaign.id |
keyword |
None |
vadesecure.campaign.nb_messages_remediated |
long |
None |
vadesecure.campaign.nb_messages_remediated_read |
long |
None |
vadesecure.campaign.nb_messages_remediated_unread |
long |
None |
vadesecure.folder |
keyword |
vadesecure.folder |
vadesecure.from_header |
keyword |
vadesecure.from_header |
vadesecure.status |
keyword |
vadesecure.status |
vadesecure.substatus |
keyword |
vadesecure.substatus |
vadesecure.to_header |
keyword |
vadesecure.to_header |
Configure
First you need to reach the Playbooks page in order to initiate your playbook using the dedicated button.
You can directly choose the Get M365 Email Events trigger if you are creating a playbook from scratch otherwise you will have to find it
within the Actions library panel under the Vade secure menu to drag and drop the trigger on the graph.
To start configuring the selected trigger, you'll need to bring Vade's documentation which can be found here.
This documentation will allow you to get the following information: your client_id and your client_secret. You can also get the api_host and oauth2_authorization_url, if necessary.
Then you just have to configure the trigger itself by filling its name, by setting its frequency in seconds and by adding your 365 tenant identifier (tenant_id)
Lastly, you must add the Sekoia's action Push Events to intake to the graph and configure it using :
- the
api_keygenerated within the user center - the
base_url - the
eventsto push on Intake (your logs) - the
intake_keyof the intake you have previously created (documentation can be found here)