SMTP configuration (QUX)
Vectra Brain appliances that serve the Quadrant UX can be configured to support SMTP for sending email alert notifications. This article describes how to configure the required SMTP settings.
Introduction
Email-based alert notifications from your Vectra Brain let admins be alerted by email for several categories of events, including Host, Account, Detection, System, etc. Before any alerts can be sent by email, you must configure the required SMTP settings. For more information about alert notification emails, please see the Vectra Platform Getting Started Guide. This article discusses setting the SMTP configuration to allow your Brain appliance to send emails.
This article only applies to deployments that use the Quadrant UX where the UI is served from a Vectra Brain appliance. For customers using the Respond UX, their UI is served from the Vectra cloud and SMTP settings do not need to be configured because Vectra uses common settings for the sending of email. If you are unsure of which UX you are using, please see Vectra Analyst User Experiences (Respond vs Quadrant).
Supported Providers
Vectra supports both "Custom SMTP" and "Exchange Online / O365" email providers. To configure either, please navigate in your UI to Settings > Notifications > SMTP.
Microsoft has deprecated the use of Basic authentication for Exchange Online and now requires OAuth 2.0 token-based authorization.
As of version 7.9, Vectra supports OAuth 2.0 for use with Microsoft.
Custom SMTP allows for Basic authentication while still allowing for ESMTPS or STARTTLS.
To configure either provider, simply choose your email provider and then fill in the appropriate details:

Please Note!!
Regardless of selection, your Brain will stop trying and delete any mail that can't be delivered within 24 hours.
Custom SMTP Configuration

In the corresponding data fields enter the following information:
Server - IP Address or DNS hostname of your mail server with TCP port.
Protocol - SMTP, STARTTLS, or ESMTPS
Username and Password of an account that is authorized to relay mail through the chosen server.
Send as - Desired address to send the mail as. Please keep in mind that the Vectra Brain will not receive email or deal with bounces.
Click "Save". Once the information is saved, click "Test" to test connectivity to the mail server.
Please Note!!
You must ensure that your Brain appliance can reach the server using the protocol and port selected. This may mean working with your IT/Security team to update firewall rules to allow for this communication.

Exchange Online / O365 Configuration

Sending email via Exchange Online requires two components to be created in your Microsoft tenant: 1) an O365 user with a mailbox, and 2) an app registration in Azure AD with required permissions.
Note the URL of your Vectra appliance's UI, e.g. https://vectra-detect.example.com.
Note your Microsoft tenant ID (UUID).
Create an O365 user with a mailbox. We recommend a dedicated username, e.g. vectra-alerts@example.com, so that it is easy to identify and apply rules to your inbox when you receive notifications.
The mailbox user must have its "Authenticated SMTP" setting enabled: from the M365 admin center, in the user’s profile, under the “Mail” tab, click “Manage email apps” and make sure “Authenticated SMTP” is checked.
Note the mailbox user's username (email address) and password.
To simplify the initial setup flow, you may wish to check that this user is excluded from MFA or similar Conditional Access policies.
In the same tenant as your mailbox user, create an app registration in Azure AD.
Note the application ID (UUID).
On the "API Permissions" view of your app registration, assign it the delegated permissions SMTP.Send and offline_access.
Click "Grant admin consent for < your company name >".
(optional) For additional security, you may set the app registration to require user assignment, and then assign your mailbox user to it.
To the app registration, add a "Web" redirect URI (not "SPA") of {your-appliance-url}/oauth/callback using the appliance UI URL that you noted earlier.
Under "client credentials", create a new "client secret". Save the value of the secret for later use in the Vectra UI. If you lose the client secret value, you can simply create a new one.
Add the new credentials to your Vectra appliance:
In the Vectra UI, sign in as a user that has permissions to edit settings.
In the left-hand nav menu, click "Settings" to go to the settings page, then click "Notifications" in the top nav bar. Find the section labeled "SMTP" and click the pencil icon to edit.
For "Provider", choose "Exchange Online / O365". Into the appropriate fields, put the Microsoft Tenant ID, Application ID, and Application Secret that you noted earlier. Put your mailbox user's username into the Sender Address field. Click Save.
Once saved, the new settings should appear in the same view. The status should show "Pending Authorization". To complete the OAuth flow, click on "Sign In". This will redirect you to Microsoft's login page.
Use the mailbox user's username and password to sign in. You should be redirected back to the Vectra UI settings page and see an SMTP status of "Connected".
You can use the "Test" button and specify a recipient to test deliverability.
Additionally, Microsoft has some instructions for using OAuth here: https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth
Please Note!!
Any client secret that you create will expire at some point. It is up to the customer to keep track of when this client secret will expire and create a new one for use with Vectra.
After creating a new client secret on the app registration, you can edit the settings in the Vectra UI and re-save the configuration with the new secret. This should not require another sign-in by the mailbox user as long as the new client secret is saved before the old one has expired.
It is recommended to set a calendar reminder when creating secrets to update the mail configuration for Vectra a few days before the secret expires.
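A scripted check that can back up the calendar reminder, as an added example (not Vectra's or Microsoft's code): it reads the passwordCredentials array of the app registration as Microsoft Graph returns it and flags secrets that are expired or close to expiry. The sample data, the 14-day window and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of the passwordCredentials array on a Microsoft Graph
# application object; the keyId and displayName values are made up.
SAMPLE_CREDENTIALS = [
    {"keyId": "00000000-0000-0000-0000-000000000001",
     "displayName": "vectra-smtp-old",
     "endDateTime": "2025-03-01T00:00:00Z"},
    {"keyId": "00000000-0000-0000-0000-000000000002",
     "displayName": "vectra-smtp-new",
     "endDateTime": "2026-03-01T00:00:00.1234567Z"},
]


def parse_graph_time(value):
    """Parse a UTC Graph timestamp ("...Z"), ignoring fractional seconds."""
    base = value.rstrip("Z").partition(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def review_secrets(credentials, now, warn_days=14):
    """Return (report, needs_new_secret) for an app registration's secrets."""
    horizon = now + timedelta(days=warn_days)
    report = []
    for cred in credentials:
        end = parse_graph_time(cred["endDateTime"])
        state = "expired" if end <= now else "expiring" if end <= horizon else "ok"
        report.append({"keyId": cred["keyId"], "name": cred.get("displayName"),
                       "expires": end, "state": state})
    # Graph cannot show which secret the appliance holds. A new secret is
    # needed when none stays valid past the warning window; once created it
    # still has to be re-saved in the Vectra UI before the old one expires.
    needs_new_secret = not any(row["state"] == "ok" for row in report)
    return report, needs_new_secret


if __name__ == "__main__":
    report, needs_new = review_secrets(SAMPLE_CREDENTIALS, datetime.now(timezone.utc))
    for row in report:
        print(row["state"], row["name"], row["expires"].date())
    print("create a new client secret:", needs_new)
```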
You must ensure that your Brain appliance can reach the required Microsoft endpoint(s) used for your organization. This may mean working with your IT/Security team to update firewall rules to allow for this communication. Please see the following chart for the specific endpoints and ports required by Vectra when using Exchange Online / O365:
| Cloud Type | Destination | Protocol/Port |
| --- | --- | --- |
| Public (office365.com) | login.microsoftonline.com, smtp.office365.com | TCP/443, TCP/587 |
| US Government (office365.us) | login.microsoftonline.us, smtp.office365.us | TCP/443, TCP/587 |
| German (office365.de) | login.microsoftonline.de, smtp.office365.de | TCP/443, TCP/587 |
| China (office365.cn) | login.microsoftonline.cn, smtp.office365.cn | TCP/443, TCP/587 |
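For the firewall notes in both the Custom SMTP and Exchange Online sections, the following added example (not part of the Vectra product) can be run from a host on the same network segment as the Brain to tell a blocked port apart from a protocol mismatch. It covers the SMTP endpoints only, sends no credentials or mail, and the function name and the mail.example.com host are assumptions.

```python
import smtplib
import ssl

PROTOCOLS = ("SMTP", "STARTTLS", "ESMTPS")  # the choices in the Protocol field


def probe_smtp(host, port, protocol, timeout=10):
    """Check that host:port is reachable and speaks the selected protocol."""
    if protocol not in PROTOCOLS:
        raise ValueError(f"protocol must be one of {PROTOCOLS}")
    result = {"reachable": False, "starttls_offered": None,
              "tls_version": None, "error": None}
    ctx = ssl.create_default_context()  # verifies certificate and hostname
    try:
        if protocol == "ESMTPS":
            # Implicit TLS: the handshake happens before any SMTP traffic.
            conn = smtplib.SMTP_SSL(host, port, local_hostname="probe.invalid",
                                    timeout=timeout, context=ctx)
        else:
            conn = smtplib.SMTP(host, port, local_hostname="probe.invalid",
                                timeout=timeout)
        with conn:  # sends QUIT and closes the socket on exit
            result["reachable"] = True
            conn.ehlo()
            if protocol == "ESMTPS":
                result["tls_version"] = conn.sock.version()
            else:
                result["starttls_offered"] = conn.has_extn("starttls")
                if protocol == "STARTTLS":
                    # Raises if the server does not offer STARTTLS or the
                    # certificate fails validation; recorded in "error".
                    conn.starttls(context=ctx)
                    result["tls_version"] = conn.sock.version()
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    # Hypothetical relay; replace with the Server value entered in the UI.
    print(probe_smtp("mail.example.com", 587, "STARTTLS"))
```

A result with `reachable` false points at routing or firewall rules, while `reachable` true with an `error` points at the protocol selection or the server's certificate.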