Vade for M365
Overview
Vade for M365 offers AI-based protection against dynamic, email-borne cyberattacks targeting Microsoft 365. It improves user experience and catches 10x more advanced threats than Microsoft.
In this documentation we explain how to collect Vade for M365 logs and send them to Sekoia.io.
Related Built-in Rules
The following Sekoia.io built-in rules match the Vade for M365 intake. This documentation is updated automatically and is based solely on the fields used by the intake, which are checked against our rules. This means that some rules will be listed but might not be relevant to the intake.
SEKOIA.IO x Vade for M365 on ATT&CK Navigator
Malware Detected By Vade For M365
Vade Secure product Vade for M365 has detected malware contained in the message.
- Effort: master
Malware Detected By Vade For M365 And Not Blocked
Vade Secure product Vade for M365 has detected malware contained in the message and did not delete it.
- Effort: advanced
Phishing Detected By Vade For M365
Vade Secure product Vade for M365 has detected a phishing attempt.
- Effort: master
Phishing Detected By Vade For M365 And Not Blocked
Vade Secure product Vade for M365 has detected a phishing attempt and did not move it to the junk folder.
- Effort: advanced
SEKOIA.IO Intelligence Feed
Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
- Effort: elementary
Scam Detected By Vade For M365
Vade Secure product Vade for M365 has detected a scam e-mail.
- Effort: master
Scam Detected By Vade For M365 And Not Blocked
Vade Secure product Vade for M365 has detected a scam e-mail and did not block it.
- Effort: advanced
Spam Detected By Vade For M365
Vade Secure product Vade for M365 has detected a spam e-mail.
- Effort: master
Spam Detected By Vade For M365 And Not Blocked
Vade Secure product Vade for M365 has detected a spam e-mail and did not block it.
- Effort: advanced
Spearphishing (CEO Fraud) Detected By Vade For M365
Vade Secure product Vade for M365 has detected a spearphishing attempt with a CEO fraud theme: impersonation of the CEO or senior management members requesting an urgent money transfer, usually to an unknown bank account (RIB).
- Effort: master
Spearphishing (Gift Cards Fraud) Detected By Vade For M365
Vade Secure product Vade for M365 has detected a spearphishing attempt with a gift card fraud theme: executive impersonation requesting a money transfer to purchase gift cards for employees. Confidentiality and discretion are usually implied.
- Effort: master
Spearphishing (Initial Contact Fraud) Detected By Vade For M365
Vade Secure product Vade for M365 has detected a spearphishing attempt with an initial contact fraud theme. The message does not contain any malicious content or specific action other than a request to reply to the email ("Are you available?"). The main goal is to elicit a reply that registers the sending address as a known and legitimate address.
- Effort: master
Spearphishing (Lawyer Fraud) Detected By Vade For M365
Vade Secure product Vade for M365 has detected a spearphishing attempt with a lawyer fraud theme: impersonation of lawyers and law firms. The main goal is to make sure the victims do not alert those around them; confidentiality restrictions are implied.
- Effort: master
Spearphishing (W2 Fraud) Detected By Vade For M365
Vade Secure product Vade for M365 has detected a spearphishing attempt with a W2 fraud theme: executive or HR impersonation phishing for social security numbers or tax identification numbers. The collected data are generally used in identity theft schemes.
- Effort: master
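The "Detected" / "Detected And Not Blocked" rule pairs above share one pattern: the verdict Vade assigns to a message (`vadesecure.status`) is checked against the remediation that was actually applied (`event.action`). The Python below is an added example, not Sekoia.io's rule engine, that runs this logic over constructed normalized events in the shape of this page's samples. The `MALWARE`, `SCAM` and `SPAM` status strings and the reading of "blocked" as any remediation other than `nothing` are assumptions; the page's samples only show `LEGIT` and `PHISHING`.

```python
from dataclasses import dataclass

# vadesecure.status -> event.action values that count as "blocked" for that
# verdict. Per the rule text: malware must be deleted, phishing must be moved
# to the junk folder. For scam and spam, "blocked" is read as any remediation
# other than "nothing" (ASSUMPTION). The MALWARE/SCAM/SPAM status strings are
# also assumptions; this page's samples only show LEGIT and PHISHING.
BLOCKING_ACTIONS = {
    "MALWARE": {"delete"},
    "PHISHING": {"move"},
    "SCAM": {"move", "delete"},
    "SPAM": {"move", "delete"},
}
# Effort levels as listed for each rule on this page.
EFFORT = {"detected": "master", "not_blocked": "advanced"}


@dataclass(frozen=True)
class Alert:
    rule: str
    effort: str
    local_id: str


def evaluate(event: dict) -> list:
    """Alerts the "Detected" / "Detected And Not Blocked" pair raise for one event."""
    status = str(event.get("vadesecure", {}).get("status", "")).upper()
    if status not in BLOCKING_ACTIONS:  # LEGIT and unknown verdicts: no alert
        return []
    action = str(event.get("event", {}).get("action", "nothing")).lower()
    local_id = event.get("email", {}).get("local_id", "")
    name = f"{status.title()} Detected By Vade For M365"
    alerts = [Alert(name, EFFORT["detected"], local_id)]
    # The verdict was raised but the expected remediation did not happen:
    # the message is still reachable by the user.
    if action not in BLOCKING_ACTIONS[status]:
        alerts.append(Alert(name + " And Not Blocked", EFFORT["not_blocked"], local_id))
    return alerts


def run_rules(events) -> list:
    """Evaluate every event and flatten the resulting alerts."""
    return [alert for event in events for alert in evaluate(event)]


# Constructed normalized events (the shape shown in this page's samples).
SAMPLE_EVENTS = [
    {"event": {"action": "move"}, "vadesecure": {"status": "PHISHING"}, "email": {"local_id": "ev-1"}},
    {"event": {"action": "nothing"}, "vadesecure": {"status": "PHISHING"}, "email": {"local_id": "ev-2"}},
    {"event": {"action": "move"}, "vadesecure": {"status": "MALWARE"}, "email": {"local_id": "ev-3"}},
    {"event": {"action": "nothing"}, "vadesecure": {"status": "LEGIT"}, "email": {"local_id": "ev-4"}},
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(f"[{alert.effort}] {alert.rule} <- {alert.local_id}")
```

Event `ev-3` shows why the malware pair keys on `delete` specifically: a malware message that was only moved to the junk folder still sits in a user-reachable mailbox folder, so it raises both the "Detected" and the "Not Blocked" alert, whereas the phishing message `ev-1` that was moved raises only the first.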
Event Categories
The following table lists the data sources offered by this integration.
Data Source | Description |
---|---|
Anti-virus | Vade performs behavior-based anti-malware detection. |
Email gateway | Vade for M365 blocks attacks from the first email thanks to machine learning models that perform real-time behavioral analysis of the entire email, including any URLs and attachments. |
In detail, the following table denotes the type of events produced by this integration.
Name | Values |
---|---|
Kind | event |
Category | email |
Type | change, deletion, denied, info |
Event Samples
Find below a few samples of events and how they are normalized by Sekoia.io.
{
"message": "{\"id\": \"zekfnzejnf576rge8768\", \"date\": \"2022-02-10T13:00:05.454Z\", \"sender_ip\": \"192.168.1.1\", \"from\": \"test@sekoia.io\", \"from_header\": \"<test@sekoia.io>\", \"to\": \"test@vadesecure.com\", \"to_header\": \"\\\"test@vadesecure.com\\\" <test@vadesecure.com>\", \"subject\": \"Lorem ipsum dolor\", \"message_id\": \"<01de2305-f75b-49db-8c61-f661bd498e63.protection.outlook.com>\", \"urls\": [{\"url\": \"https://sekoia.io\"}], \"attachments\": [{\"id\": \"ca9ph2ostndl7735uht0\", \"filename\": \"image001.png\", \"extension\": \"png\", \"size\": 12894},{\"id\": \"ca9okt0kn1e8usdf633g\", \"filename\": \"archive.zip\", \"extension\": \"zip\", \"size\": 10558}], \"status\": \"LEGIT\", \"substatus\": \"\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 113475, \"current_events\": [], \"whitelisted\": false}",
"event": {
"action": "nothing",
"category": [
"email"
],
"kind": "event",
"type": [
"info"
]
},
"email": {
"attachments": [
{
"file": {
"extension": "png",
"name": "image001.png",
"size": 12894
}
},
{
"file": {
"extension": "zip",
"name": "archive.zip",
"size": 10558
}
}
],
"from": {
"address": "test@sekoia.io"
},
"local_id": "zekfnzejnf576rge8768",
"message_id": "<01de2305-f75b-49db-8c61-f661bd498e63.protection.outlook.com>",
"subject": "Lorem ipsum dolor",
"to": {
"address": "test@vadesecure.com"
}
},
"related": {
"ip": [
"192.168.1.1"
]
},
"source": {
"address": "192.168.1.1",
"ip": "192.168.1.1"
},
"vadesecure": {
"attachments": [
{
"filename": "image001.png",
"id": "ca9ph2ostndl7735uht0"
},
{
"filename": "archive.zip",
"id": "ca9okt0kn1e8usdf633g"
}
],
"from_header": "<test@sekoia.io>",
"status": "LEGIT",
"to_header": "\"test@vadesecure.com\" <test@vadesecure.com>",
"whitelist": "false"
}
}
{
"message": "{\"id\": \"ch34aoqub3glupige13g\", \"date\": \"2023-04-24T09:01:23.666Z\", \"sender_ip\": \"163.172.240.104\", \"from\": \"test@sekoia.io\", \"from_header\": \"Test SEKOIA.IO <test@sekoia.io>\", \"to\": \"test@vadesecure.com\", \"to_header\": \"\\\"test@vadesecure.com\\\" <test@vadesecure.com>\", \"subject\": \"OneDrive- Document No.: 1928578 - VadeSecure\", \"message_id\": \"<5b13d2f4-6078-4ae6-afa9-0d023b89e85a@MR2FRA01FT001.eop-fra01.prod.protection.outlook.com>\", \"urls\": [{\"url\": \"https://www.facebo\\u1ecdk.com/login.php\"}, {\"url\": \"https://www.facelbo?k.com/login.php\"}, {\"url\": \"https://www.vadesecure.com/\"}, {\"url\": \"https://sites.google.com/view/gine-office/home\"}], \"attachments\": [{\"id\": \"ch34aoqub3glupige170\", \"filename\": \"\", \"extension\": \"\", \"size\": 10558, \"hashes\": {\"md5\": \"7bc2b146a309acbff2da55e6b4124a82\", \"sha1\": \"299d5bf95adb52e640f9723c5f58b5a8e880be9b\", \"sha256\": \"288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368\", \"sha512\": \"7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423\"}}, {\"id\": \"ch34aoqub3glupige17g\", \"filename\": \"\", \"extension\": \"\", \"size\": 12894, \"hashes\": {\"md5\": \"0eb4a83f99c2cd38d9d4decf809d1701\", \"sha1\": \"4665fcc8f1433dda8cd62d1234ead5ee32d4dd5f\", \"sha256\": \"f1e1783333718e2c937d7c694dacd518ccca9f219b31fbfda40e72ee16235dae\", \"sha512\": \"c6c817094c207e2d7bd12803a875bda79274fbac1c745a81dbd886d25c4147f179209073425a2e8b2f800ec3415376ef38eab64680ecb16ba9820ecde4ea8156\"}}], \"status\": \"PHISHING\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"MOVE\", \"folder\": \"JunkEmail\", \"size\": 186849, \"current_events\": [], \"whitelisted\": false, \"geo\": {\"country_name\": \"France\", \"country_iso_code\": \"FR\", \"city_name\": \"\"}, \"malware_bypass\": false}",
"event": {
"action": "move",
"category": [
"email"
],
"kind": "event",
"type": [
"change"
]
},
"email": {
"attachments": [
{
"file": {
"extension": "",
"hash": {
"md5": "7bc2b146a309acbff2da55e6b4124a82",
"sha1": "299d5bf95adb52e640f9723c5f58b5a8e880be9b",
"sha256": "288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368",
"sha512": "7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423"
},
"name": "",
"size": 10558
}
},
{
"file": {
"extension": "",
"hash": {
"md5": "0eb4a83f99c2cd38d9d4decf809d1701",
"sha1": "4665fcc8f1433dda8cd62d1234ead5ee32d4dd5f",
"sha256": "f1e1783333718e2c937d7c694dacd518ccca9f219b31fbfda40e72ee16235dae",
"sha512": "c6c817094c207e2d7bd12803a875bda79274fbac1c745a81dbd886d25c4147f179209073425a2e8b2f800ec3415376ef38eab64680ecb16ba9820ecde4ea8156"
},
"name": "",
"size": 12894
}
}
],
"from": {
"address": "test@sekoia.io"
},
"local_id": "ch34aoqub3glupige13g",
"message_id": "<5b13d2f4-6078-4ae6-afa9-0d023b89e85a@MR2FRA01FT001.eop-fra01.prod.protection.outlook.com>",
"subject": "OneDrive- Document No.: 1928578 - VadeSecure",
"to": {
"address": "test@vadesecure.com"
}
},
"related": {
"ip": [
"163.172.240.104"
]
},
"source": {
"address": "163.172.240.104",
"ip": "163.172.240.104"
},
"vadesecure": {
"attachments": [
{
"filename": "",
"id": "ch34aoqub3glupige170"
},
{
"filename": "",
"id": "ch34aoqub3glupige17g"
}
],
"folder": "JunkEmail",
"from_header": "Test SEKOIA.IO <test@sekoia.io>",
"status": "PHISHING",
"to_header": "\"test@vadesecure.com\" <test@vadesecure.com>",
"whitelist": "false"
}
}
{
"message": "{\"id\": \"cgrqlp83v5prkopmecf0\", \"date\": \"2023-04-13T07:10:29.191Z\", \"sender_ip\": \"163.172.240.104\", \"from\": \"test@sekoia.io\", \"from_header\": \"Test SEKOIA.IO <test@sekoia.io>\", \"to\": \"test@vadesecure.com\", \"to_header\": \"\\\"test@vadesecure.com\\\" <test@vadesecure.com>\", \"subject\": \"Lorem ipsum dolor\", \"message_id\": \"<d0a5da95-4028-439b-b9d5-a4f220c59022@protection.outlook.com>\", \"urls\": [], \"attachments\": [{\"id\": \"cgrqlp83v5prkopmecfg\", \"filename\": \"commande.docm\", \"extension\": \"docm\", \"size\": 96009, \"hashes\": {\"md5\": \"c1ea14accbb4f5ac66beac2d3f8de531\", \"sha1\": \"bfd1de0e780a3d7f047f6de00f44eaa1868e05e2\", \"sha256\": \"6ea92f15f697ef4c78ca02fd3d72b2531f047be00a588901b3d14578ccbd9424\", \"sha512\": \"77eec978ebbc455892fbce3dafe78140962c6c25a8050a9c9f0155b27ff1a08588cbf74bb41df49c1413431d307f099547354eabb7e5f23a798192a3c673749d\"}}], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 179355, \"current_events\": [], \"whitelisted\": true, \"geo\": {\"country_name\": \"France\", \"country_iso_code\": \"FR\", \"city_name\": \"\"}, \"malware_bypass\": true}",
"event": {
"action": "nothing",
"category": [
"email"
],
"kind": "event",
"type": [
"info"
]
},
"email": {
"attachments": [
{
"file": {
"extension": "docm",
"hash": {
"md5": "c1ea14accbb4f5ac66beac2d3f8de531",
"sha1": "bfd1de0e780a3d7f047f6de00f44eaa1868e05e2",
"sha256": "6ea92f15f697ef4c78ca02fd3d72b2531f047be00a588901b3d14578ccbd9424",
"sha512": "77eec978ebbc455892fbce3dafe78140962c6c25a8050a9c9f0155b27ff1a08588cbf74bb41df49c1413431d307f099547354eabb7e5f23a798192a3c673749d"
},
"name": "commande.docm",
"size": 96009
}
}
],
"from": {
"address": "test@sekoia.io"
},
"local_id": "cgrqlp83v5prkopmecf0",
"message_id": "<d0a5da95-4028-439b-b9d5-a4f220c59022@protection.outlook.com>",
"subject": "Lorem ipsum dolor",
"to": {
"address": "test@vadesecure.com"
}
},
"related": {
"ip": [
"163.172.240.104"
]
},
"source": {
"address": "163.172.240.104",
"ip": "163.172.240.104"
},
"vadesecure": {
"attachments": [
{
"filename": "commande.docm",
"id": "cgrqlp83v5prkopmecfg"
}
],
"from_header": "Test SEKOIA.IO <test@sekoia.io>",
"status": "LEGIT",
"to_header": "\"test@vadesecure.com\" <test@vadesecure.com>",
"whitelist": "true"
}
}
{
"message": "{\"id\": \"zekfnzejnf576rge8768\", \"date\": \"2022-02-01T23:30:33.982Z\", \"reason\": \"The email contains a URL that is flagged as Phishing by Vade Secure Global Threat Intelligence\", \"status\": {\"status\": \"PHISHING\"}, \"actions\": [{\"action\": \"MOVE\"}], \"nb_messages_remediated\": 1, \"nb_messages_remediated_read\": 0, \"nb_messages_remediated_unread\": 1}",
"event": {
"action": "move",
"category": [
"email"
],
"kind": "event",
"reason": "The email contains a URL that is flagged as Phishing by Vade Secure Global Threat Intelligence",
"type": [
"info"
]
},
"vadesecure": {
"campaign": {
"actions": [
{
"action": "MOVE"
}
],
"id": "zekfnzejnf576rge8768",
"nb_messages_remediated": 1,
"nb_messages_remediated_read": 0,
"nb_messages_remediated_unread": 1
},
"status": "PHISHING"
}
}
{
"message": "{\"id\": \"zekfnzejnf576rge8768\", \"date\": \"2021-11-18T15:59:39.368Z\", \"reason\": \"\", \"actions\": [{\"action\": \"DELETE\"}, {\"action\": \"FAILED\"}], \"nb_messages_remediated\": 76, \"nb_messages_remediated_read\": 0, \"nb_messages_remediated_unread\": 76}",
"event": {
"action": "delete",
"category": [
"email"
],
"kind": "event",
"type": [
"info"
]
},
"vadesecure": {
"campaign": {
"actions": [
{
"action": "DELETE"
},
{
"action": "FAILED"
}
],
"id": "zekfnzejnf576rge8768",
"nb_messages_remediated": 76,
"nb_messages_remediated_read": 0,
"nb_messages_remediated_unread": 76
}
}
}
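The samples above show two raw payload shapes inside `message`: per-message verdict events (samples 1 to 3) and remediation campaign events (samples 4 and 5), each normalized into the `event`, `email`, `source`, `related` and `vadesecure` fields. The Python below is an added example that reproduces that normalization as it can be read from the samples; it is not Sekoia.io's parser. The mapping `NOTHING -> info` and `MOVE -> change` is taken from the samples; `DELETE -> deletion` is an assumption drawn from the "Type" table, and the two raw messages are constructed, not real traffic.

```python
import json

# Vade "action" -> ECS event.type, as observed in the samples above
# (NOTHING -> info, MOVE -> change). DELETE -> deletion is an ASSUMPTION taken
# from the "Type" table on this page; unknown actions fall back to "info".
EMAIL_EVENT_TYPE = {"NOTHING": "info", "MOVE": "change", "DELETE": "deletion"}


def _ecs_attachment(att: dict) -> dict:
    """email.attachments entry: extension, name, size and hashes when present."""
    file = {"extension": att.get("extension", ""), "name": att.get("filename", ""), "size": att.get("size")}
    if att.get("hashes"):
        file["hash"] = dict(att["hashes"])
    return {"file": file}


def _normalize_email(src: dict) -> dict:
    """Per-message verdict event (samples 1-3): status plus applied remediation."""
    action = str(src.get("action", "NOTHING")).upper()
    out = {
        "event": {"action": action.lower(), "category": ["email"], "kind": "event",
                  "type": [EMAIL_EVENT_TYPE.get(action, "info")]},
        "email": {
            "attachments": [_ecs_attachment(a) for a in src.get("attachments", [])],
            "from": {"address": src.get("from")},
            "local_id": src.get("id"),
            "message_id": src.get("message_id"),
            "subject": src.get("subject"),
            "to": {"address": src.get("to")},
        },
        "vadesecure": {
            "attachments": [{"filename": a.get("filename", ""), "id": a.get("id")}
                            for a in src.get("attachments", [])],
            "from_header": src.get("from_header"),
            "status": src.get("status"),
            "to_header": src.get("to_header"),
            # The samples carry the boolean as the string "true"/"false".
            "whitelist": str(bool(src.get("whitelisted", False))).lower(),
        },
    }
    sender_ip = src.get("sender_ip")
    if sender_ip:
        out["source"] = {"address": sender_ip, "ip": sender_ip}
        out["related"] = {"ip": [sender_ip]}
    if src.get("folder"):  # only present when a remediation moved the message
        out["vadesecure"]["folder"] = src["folder"]
    return out


def _normalize_campaign(src: dict) -> dict:
    """Remediation campaign event (samples 4-5): counts of messages remediated."""
    actions = src.get("actions", [])
    first = str(actions[0].get("action", "nothing")).lower() if actions else "nothing"
    out = {
        "event": {"action": first, "category": ["email"], "kind": "event", "type": ["info"]},
        "vadesecure": {"campaign": {
            "actions": actions,
            "id": src.get("id"),
            "nb_messages_remediated": src.get("nb_messages_remediated"),
            "nb_messages_remediated_read": src.get("nb_messages_remediated_read"),
            "nb_messages_remediated_unread": src.get("nb_messages_remediated_unread"),
        }},
    }
    if src.get("reason"):  # sample 5 has an empty reason and no event.reason
        out["event"]["reason"] = src["reason"]
    status = src.get("status")
    if isinstance(status, dict) and status.get("status"):
        out["vadesecure"]["status"] = status["status"]
    return out


def normalize(raw_message: str) -> dict:
    """Dispatch on the raw payload: campaign events carry an 'actions' list."""
    src = json.loads(raw_message)
    return _normalize_campaign(src) if "actions" in src else _normalize_email(src)


# Constructed raw messages (not real traffic), shaped like the samples above.
CONSTRUCTED_EMAIL_EVENT = json.dumps({
    "id": "example0000000000001", "date": "2024-01-01T00:00:00.000Z", "sender_ip": "203.0.113.10",
    "from": "sender@example.net", "from_header": "Sender <sender@example.net>",
    "to": "user@example.com", "to_header": "\"user@example.com\" <user@example.com>",
    "subject": "Invoice", "message_id": "<example-1@example.net>", "urls": [],
    "attachments": [{"id": "att-1", "filename": "invoice.zip", "extension": "zip", "size": 10558,
                     "hashes": {"md5": "0" * 32}}],
    "status": "PHISHING", "substatus": "", "remediation_type": "none", "remediation_ids": [],
    "action": "MOVE", "folder": "JunkEmail", "size": 1000, "current_events": [], "whitelisted": False,
})
CONSTRUCTED_CAMPAIGN_EVENT = json.dumps({
    "id": "example0000000000002", "date": "2024-01-01T00:00:00.000Z",
    "reason": "Constructed remediation campaign", "status": {"status": "PHISHING"},
    "actions": [{"action": "MOVE"}], "nb_messages_remediated": 3,
    "nb_messages_remediated_read": 1, "nb_messages_remediated_unread": 2,
})

if __name__ == "__main__":
    for raw in (CONSTRUCTED_EMAIL_EVENT, CONSTRUCTED_CAMPAIGN_EVENT):
        print(json.dumps(normalize(raw), indent=2))
```

Two details worth keeping in mind when writing rules against this intake: `vadesecure.whitelist` is a keyword holding the strings `"true"`/`"false"`, not a boolean, and `vadesecure.folder` is only present on events where a remediation actually moved the message, so its absence is itself a signal for the "Not Blocked" rules.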
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that inferred fields are not listed.
Name | Type | Description |
---|---|---|
email.attachments | array | email.attachments |
email.from.address | keyword | email.from.address |
email.local_id | keyword | email.local_id |
email.message_id | keyword | email.message_id |
email.subject | keyword | email.subject |
email.to.address | keyword | email.to.address |
event.action | keyword | The action captured by the event. |
event.category | keyword | Event category. The second categorization field in the hierarchy. |
event.kind | keyword | The kind of the event. The highest categorization field in the hierarchy. |
event.reason | keyword | Reason why this event happened, according to the source. |
event.type | keyword | Event type. The third categorization field in the hierarchy. |
source.ip | ip | IP address of the source. |
vadesecure.attachments | array | vadesecure.attachments |
vadesecure.campaign.actions | array | The actions carried out for the remediation campaign. |
vadesecure.campaign.id | keyword | The ID of the campaign. |
vadesecure.campaign.nb_messages_remediated | long | The total number of messages involved in the remediation. |
vadesecure.campaign.nb_messages_remediated_read | long | The number of read messages involved in the remediation. |
vadesecure.campaign.nb_messages_remediated_unread | long | The number of unread messages involved in the remediation. |
vadesecure.folder | keyword | vadesecure.folder |
vadesecure.from_header | keyword | vadesecure.from_header |
vadesecure.status | keyword | vadesecure.status |
vadesecure.substatus | keyword | vadesecure.substatus |
vadesecure.to_header | keyword | vadesecure.to_header |
vadesecure.whitelist | keyword | vadesecure.whitelist |
Configure
Info
Consuming logs from Vade now requires the Vade Threat Intel & Investigation (TII) module. MSSP partners can benefit from this module from their Partner's Portal. Final customers are invited to contact their Vade commercial contact to set up this module.
First you need to reach the Playbooks page in order to initiate your playbook using the dedicated button.
You can directly choose the Get M365 Email Events trigger if you are creating a playbook from scratch; otherwise you will have to find it within the Actions library panel under the Vade secure menu and drag and drop the trigger onto the graph.
To start configuring the selected trigger, you'll need Vade's documentation, which can be found here. This documentation will allow you to get the following information: your client_id and your client_secret. You can also get the api_host and oauth2_authorization_url, if necessary.
In most common cases, the api_host is https://m365.eu.vadesecure.com and the oauth2_authorization_url is https://api.vadesecure.com/oauth2/v2/token.
Then you just have to configure the trigger itself by filling in its name, by setting its frequency in seconds and by adding your Office 365 tenant identifier (tenant_id).
Lastly, you must add the Sekoia.io action Push Events to intake to the graph and configure it using:
- the Sekoia.io api_key generated within the user center
- the base_url (https://intake.sekoia.io)
- the events_path to push on Intake (your logs; you will probably fill it with {{ node.0['emails_path'] }})
- the intake_key of the intake you have previously created (documentation can be found here)