Data Source

Vaikora for O365 is a Data443 Risk Mitigation product that deploys a black-box Azure VM in the customer tenant. The VM scans Microsoft 365 mailboxes via the Microsoft Graph API, classifies messages using the CTASD inference engine, and writes quarantine events to the VaikoraO365_Quarantine_CL custom Log Analytics table.

Log types / event categories available:

  • Per-message quarantine decisions (ActionId 4 = Suspected, 5 = Phishing) with confidence score, risk score, sub-category, and reasoning
  • Per-tenant heartbeat rows (absence = engine offline)

Ingestion Mechanism

Custom Log Analytics table (VaikoraO365_Quarantine_CL) written by the customer-deployed Vaikora Azure VM – not a native Sentinel connector or a CCF (Codeless Connector Framework) connector. There is no bundled data connector definition; the VM writes directly to the workspace, so ingestion health can only be inferred from the rows themselves (see the engine-offline rule below).

Detection Surface Unlocked

Analytic Rules (3 added)

Vaikora - High score quarantine (Severity: High, Frequency: 15m). Queries VaikoraO365_Quarantine_CL for ActionId_d in (4, 5) and Confidence_d >= 0.8. Maps MailMessage (Recipient, NetworkMessageId), Account (SenderAddress, RecipientAddress), and DNS (SenderDomain) entities. Covers T1566, T1566.001, T1566.002 (Phishing, Spearphishing Attachment, Spearphishing Link).

Vaikora - Quarantine rate spike (Severity: Medium, Frequency: 1h). Computes a per-tenant 7-day rolling baseline (average hourly quarantine count) and fires when the current hour's count exceeds 3x that baseline and totals at least 10 events. The minimum-event floor keeps low-volume tenants from alerting on a handful of messages. Designed to catch targeted campaigns or classifier surge events.
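One way to express the rate-spike logic described above in KQL, as an added illustration rather than the solution's own rule body. It assumes the custom table carries a TenantId_s string column (the page names only ActionId_d and Confidence_d) and that heartbeat rows are excluded by filtering on ActionId_d in (4, 5); hours with zero quarantines are filled in via make-series so the baseline is not inflated by quiet periods.

```kql
// Added example, not the shipped "Vaikora - Quarantine rate spike" query.
// Assumptions: TenantId_s identifies the tenant; ActionId_d 4/5 marks quarantine rows.
let lookback = 7d;            // baseline window
let current_window = 1h;      // window being evaluated (matches the rule frequency)
let spike_factor = 3.0;       // fire when current > spike_factor * baseline
let min_events = 10;          // ignore spikes below this absolute count
let now_ = now();
// Baseline: average hourly count per tenant over the prior 7 days, excluding the current hour.
// make-series emits a 0 for hours with no rows so quiet hours count toward the average.
let baseline = VaikoraO365_Quarantine_CL
    | where TimeGenerated between ((now_ - lookback) .. (now_ - current_window))
    | where ActionId_d in (4, 5)
    | make-series HourlyCount = count()
        on TimeGenerated from (now_ - lookback) to (now_ - current_window) step 1h
        by TenantId_s
    | mv-expand HourlyCount to typeof(long)
    | summarize BaselineAvg = avg(HourlyCount) by TenantId_s;
// Current hour: quarantine rows per tenant.
let current = VaikoraO365_Quarantine_CL
    | where TimeGenerated > now_ - current_window
    | where ActionId_d in (4, 5)
    | summarize CurrentCount = count() by TenantId_s;
current
| join kind=inner baseline on TenantId_s
| where CurrentCount >= min_events
| where CurrentCount > spike_factor * BaselineAvg
// Guard against a zero baseline (new tenant) so Ratio is null rather than infinite.
| extend Ratio = iff(BaselineAvg > 0, round(todouble(CurrentCount) / BaselineAvg, 2), real(null))
| project TenantId_s, CurrentCount, BaselineAvg, Ratio
```

A tenant with no history in the baseline window will not appear in the inner join and therefore never fires; switch to a leftouter join if brand-new tenants should alert on the absolute floor alone.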

Vaikora - Engine offline (Severity: Medium, Frequency: 30m). Detects absence of quarantine telemetry: tenants active in the last 24h that have sent no rows in the last 2h. Maps CloudApplication entity (TenantId). Covers T1562 (Impair Defenses) – an attacker disabling the Vaikora VM would trigger this rule.

Playbook (1 added)

VaikoraO365ToQuarantine: Sentinel-incident-triggered Logic App (system-assigned managed identity) that extracts quarantine row metadata from incident custom details, posts a structured notification to a SOC Microsoft Teams channel via Incoming Webhook, and adds a comment to the Sentinel incident. Requires Sentinel Responder role on the workspace.

Workbook (1 added)

VaikoraO365QuarantineDashboard: tenant overview, action breakdown, confidence distribution, top sender domains, top targeted recipients, and recent high-risk quarantines.

MITRE Coverage

  • T1566 / T1566.001 / T1566.002 – Phishing (Initial Access)
  • T1562 – Impair Defenses (Defense Evasion; engine-offline rule)

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/VaikoraO365_Quarantine_CL.json
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Solutions/Vaikora-O365/Analytic Rules/Vaikora - Engine offline.yaml
Solutions/Vaikora-O365/Analytic Rules/Vaikora - High score quarantine.yaml
Solutions/Vaikora-O365/Analytic Rules/Vaikora - Quarantine rate spike.yaml
Solutions/Vaikora-O365/Package/testParameters.json
Solutions/Vaikora-O365/Playbooks/VaikoraO365ToQuarantine/azuredeploy.json
Solutions/Vaikora-O365/Workbooks/Images/Preview/VaikoraO365QuarantineDashboardBlack.png
Solutions/Vaikora-O365/Workbooks/Images/Preview/VaikoraO365QuarantineDashboardWhite.png
Solutions/Vaikora-O365/Workbooks/VaikoraO365QuarantineDashboard.json
Workbooks/Images/Preview/VaikoraO365QuarantineDashboardBlack.png
Workbooks/Images/Preview/VaikoraO365QuarantineDashboardWhite.png
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_VaikoraO365.json, createUiDefinition.json, mainTemplate.json)