Sublime Security updates
sublimesecurity.com

Platform v0.27 (Private Rule Feeds)

New

You can now create custom rule feeds powered by private Git repositories, enabling you to:

  • Privately manage your custom detection rules in Git
  • Share custom rule feeds privately in sharing groups or with trusted individuals at other organizations
  • Privately manage exceptions to rules from the Sublime feed

Authentication to the private repository is handled via SSH keys. The Feed only needs to fetch, so provision a read-only deploy key scoped to that one repository rather than a personal key; if the key is ever exposed, it grants nothing beyond read access to the feed.


Here’s how Private Rule Feeds can be used to manage feed rule exceptions confidentially:

  • Fork the Sublime Rules repo to your private Git repository
  • Make your desired Rule modifications on your Fork
  • Create a new Feed in your Sublime deployment and point it at this repo
  • Manage updates from the upstream Sublime Rules Repo via Git; merged changes will appear in your Sublime deployment via the Feed
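The four steps above, as an added example that is not part of the original post or of the sublime-rules project: a POSIX shell script that runs the fork, exception and upstream-sync workflow end to end against a throwaway local "upstream" repo, so it works offline. The repo paths, the rule files and the exempt domain partner.example are constructed stand-ins; in real use UPSTREAM_URL is the public Sublime Rules repo and FORK_URL is your private repo's SSH URL. Step 3 (creating the Feed that points at the fork) happens in the Sublime UI and is only noted in a comment.

```shell
#!/bin/sh
# Added example (not from the Sublime release notes or the sublime-rules project):
# the fork-and-sync workflow, run against a throwaway local "upstream" repo.
# Rule files, the exempt domain and all repo paths are constructed stand-ins.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Keep git independent of this machine's config (identity, signing, hooks).
export GIT_CONFIG_NOSYSTEM=1 GIT_CONFIG_GLOBAL=/dev/null
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

UPSTREAM_URL="$WORK/upstream"       # stand-in for the public Sublime Rules repo
FORK_URL="$WORK/private-fork.git"   # stand-in for your private (bare) repo
FORK="$WORK/fork"                   # your working clone of the fork

# Step 0 (setup only): a stand-in upstream feed with one constructed rule.
git init -q "$UPSTREAM_URL"
git -C "$UPSTREAM_URL" symbolic-ref HEAD refs/heads/main
cat > "$UPSTREAM_URL/archive_with_exe.yml" <<'EOF'
name: "Attachment: Archive with embedded EXE files (constructed sample)"
severity: medium
source: |
  type.inbound
  and any(attachments, .file_extension in~ ('zip', 'rar'))
EOF
git -C "$UPSTREAM_URL" add -A
git -C "$UPSTREAM_URL" commit -qm "Add archive rule"

# Step 1: fork upstream into the private repo and clone the fork.
git init -q --bare "$FORK_URL"
git -C "$FORK_URL" symbolic-ref HEAD refs/heads/main
git clone -q "$UPSTREAM_URL" "$FORK"
git -C "$FORK" remote rename origin upstream   # keep upstream for later syncs
git -C "$FORK" remote add origin "$FORK_URL"
git -C "$FORK" push -q -u origin main

# Step 2: record the private exception on the fork. One MQL line is appended
# to the rule's source block; the exempt domain is a constructed example.
printf '  and sender.email.domain.root_domain != "partner.example"\n' \
  >> "$FORK/archive_with_exe.yml"
git -C "$FORK" commit -qam "Exception: partner.example sends zipped invoices"
git -C "$FORK" push -q origin main
# Step 3 happens in the Sublime UI: create a Feed pointing at FORK_URL.

# Meanwhile upstream raises the rule's severity and adds a second rule.
cat > "$UPSTREAM_URL/archive_with_exe.yml" <<'EOF'
name: "Attachment: Archive with embedded EXE files (constructed sample)"
severity: high
source: |
  type.inbound
  and any(attachments, .file_extension in~ ('zip', 'rar'))
EOF
cat > "$UPSTREAM_URL/html_attachment.yml" <<'EOF'
name: "Attachment: HTML file (constructed sample)"
severity: medium
source: |
  type.inbound
  and any(attachments, .file_extension in~ ('htm', 'html'))
EOF
git -C "$UPSTREAM_URL" add -A
git -C "$UPSTREAM_URL" commit -qm "Raise severity; add HTML attachment rule"

# Step 4: pull upstream into the fork. The three-way merge keeps the exception
# line and takes the severity bump plus the new file. A conflict here means
# upstream edited the same lines as your exception and needs a human look.
git -C "$FORK" fetch -q upstream
git -C "$FORK" merge -q --no-edit upstream/main
git -C "$FORK" push -q origin main   # the Feed pointed at FORK_URL now picks this up

# Helpers for checking the merged state of the fork.
merged_rule_count() { ls "$FORK"/*.yml | wc -l | tr -d ' '; }
exception_kept()    { grep -q 'partner.example' "$FORK/archive_with_exe.yml"; }
upstream_taken()    { grep -q '^severity: high$' "$FORK/archive_with_exe.yml"; }
fork_pushed()       { [ "$(git -C "$FORK_URL" rev-parse main)" = "$(git -C "$FORK" rev-parse HEAD)" ]; }
```

Run it with sh. The merge succeeds because the exception touches different lines from the upstream change; keep exceptions as small, separate commits for exactly that reason, since the smaller the local diff, the less often an upstream rewrite of a rule conflicts with it. `git log upstream/main..main` in the fork lists precisely what your private feed carries beyond the public one, which is the set of changes to re-review whenever upstream ships a rule update.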

How do I get started?

If you have an AWS deployment or Cloud account, you received this update automatically.

If you have a local Docker deployment, follow these instructions to update.

If you don't have early access to Sublime, you can request it here.

What's next?

Here are some of the other releases our team is actively working on:

  • Automatically triage reported messages using Triage Rules
  • Dynamic VIP impersonation detection
  • Write detection rules that reference Active Directory or Google Groups
  • Detect HTML smuggling by analyzing files linked in the body of a message
  • Ingest threat intel directly into your Sublime environment and reference that intel in detection rules

Grab us on Slack or via email with any support questions or feedback! You can also grab a feedback or catch-up session with us at any time here.

Platform v0.26 (Advanced Filters)

New

It’s now significantly easier to triage flagged or reported messages using Advanced Filters.

You can now quick-filter to see only messages flagged by a specific rule. These quick-filters are sorted by how many messages the rule has flagged, and they can be combined with other filters like message subject, sender email, attachment hash, and more. Matching messages can be remediated in bulk.

[image: advanced_filters.gif]

When filtering, the other filters available will update to reflect the messages returned by your active filter(s).

Filters with many values are searchable, so you can quickly narrow to the one you're looking for.

[image: search_filters.gif]

This release includes a number of smaller updates as well:

  • It’s now much easier to see new or updated Feed Rules.
  • external.spam is now being set in the MDM and can be referenced in MQL. This boolean property indicates if the message was originally sent to the Spam (Google Workspace) or Junk Email (Microsoft 365) folder by the email provider.
  • You can now run Backtests on timeframes shorter than the last 24 hours. This is helpful when testing a particularly complex rule you want to iterate on rapidly.
  • Email alerts now include which Actions were triggered by flagging Rules.
  • You can now filter your Rules by Active/Inactive status and by associated Actions.

How do I get started?

If you have an AWS deployment or Cloud account, you received this update automatically.

If you have a local Docker deployment, follow these instructions to update.

If you don't have early access to Sublime, you can request it here.

What's next?

Here are some of the other releases our team is actively working on:

  • Dynamic VIP impersonation detection
  • Write detection rules that reference Active Directory or Google Groups
  • Detect HTML smuggling by analyzing files linked in the body of a message
  • Automatically triage reported messages using Triage Rules
  • Ingest threat intel directly into your Sublime environment and reference that intel in detection rules

Grab us on Slack or via email with any support questions or feedback! You can also grab a feedback or catch-up session with us at any time here.

Platform v0.25 (Custom Rule Feeds and more)

New

You can now create and manage custom rule feeds via public Git repositories. This works with any public repo, including those hosted on GitHub, GitLab, or BitBucket, and enables teams to manage their email detections in the same way they manage their other detections: in Git.

[image: custom_rule_feeds.gif]

Soon you’ll be able to create and manage custom rule feeds via private Git repos as well.

This release also includes a great many small improvements, touching nearly every aspect of Sublime.

When investigating a message with an attachment it’s now much easier to see file metadata and perform one-click lookups of the attachment hash in services like VirusTotal, JoeSandbox, and Polyswarm.

[image: attachments.gif]

You can now edit rule metadata without having to first pass through the MQL editor.

[image: metadata.gif]

There’s now an API for Lists, so you can programmatically create, read, update, or delete Lists.

We’ve also added a new MDM property: body.html.inner_text. Historically it’s been difficult to look for specific strings with body.html.raw, because that property contains the markup as well as the text: a keyword wrapped in formatting tags (for example, split across a <b> element) or padded with HTML entities won’t match a plain substring check. With inner_text, you can target rule logic at the text contained within the HTML section directly.

Read more on how to efficiently Hunt or detect keywords in message bodies here.

Lastly, you can now quickly and easily Hunt with rules.

[image: hunt_with_this_rule.gif]

How do I get started?

If you have an AWS deployment or Cloud account, you received this update automatically.

If you have a local Docker deployment, follow these instructions to update.

If you don't have early access to Sublime, you can request it here.

What's next?

Here are some of the other releases our team is actively working on:

  • A redesigned Messages list that enables significantly faster triage and advanced filtering
  • Write detection rules that reference Active Directory or Google Groups
  • Dynamic VIP impersonation detection
  • Detect HTML smuggling by analyzing files linked in the body of a message
  • Automatically triage flagged and reported messages using Triage Rules

Grab us on Slack or via email with any support questions or feedback! You can also grab a feedback or catch-up session with us at any time here.

Platform v0.24 (Feed rule insights, MQL sandbox, attachment hashes, and more)

New

The Message investigation page now surfaces potentially helpful community rules by showing which inactive or uninstalled Feed Rules would have flagged the message.

[image: silent_rules_mc.png]

This release includes a number of other major updates.

You can now analyze EMLs and write MQL from a free, no-auth editor: The Sublime Sandbox. Message summaries will now appear in the editor when an EML is loaded. You can quickly get to this sandbox by visiting mql.new, and you can share your editor session with others, including the MQL you’ve written and (optionally) the message you’ve uploaded.

Here’s a Sandbox link for a new detection rule, Attachment: Archive with embedded EXE files, that we shared yesterday for a suspected Russian TTP:

https://sandbox.sublimesecurity.com/?id=d9fe7e22-64bf-4e52-a628-00d96498f03b

You can now Search, Hunt, and flag or block messages using MD5, SHA-1, and SHA-256 attachment hashes. This can be used to determine whether you were hit by a reported campaign, and to block future attachments with that hash. These hashes are now stored on new MDM properties in the Attachment object: .md5, .sha1, and .sha256. Note that a hash is an exact-match indicator: any change to the file, including re-zipping an archive or editing a single byte of a document, yields a new hash, so treat hash blocks as a fast response to a known sample rather than a substitute for behavioral rules.

[image: hash_search.gif]

Reviewers can now leave comments when reviewing a message to provide context to their teammates.

[image: review_comments_.gif]

It’s now possible to resize function output when using eval in the rule editor.

[image: eval_expand_.gif]

You can now add or remove Actions from multiple rules at once.

[image: mass_actions_.gif]

Lastly, trashing or restoring a message manually via the dashboard is now audit logged.

How do I get started?

If you have an AWS deployment or Cloud account, you received this update automatically.

If you have a local Docker deployment, follow these instructions to update.

If you don't have early access to Sublime, you can request it here.

What's next?

Here are some of the other releases our team is actively working on:

  • Write detection rules that reference Active Directory or Google Groups
  • Role-Based Access Controls (RBAC)
  • A redesigned Messages list that enables significantly faster triage
  • Detect HTML smuggling by analyzing files linked in the body of a message
  • Automatically triage flagged and reported messages using Triage Rules

Grab us on Slack or via email with any support questions or feedback! You can also grab a feedback or catch-up session with us at any time here.

Platform v0.23 (Rule Feeds)

New

You can now receive rule updates and new Sublime Rules directly in your dashboard with Git-backed Rule Feeds.

[image: rdv_final.png]

For now, a single Feed is available: “Sublime Rules Feed”, managed by the Sublime team. This replaces the “Sample Rules” page. By default, no rules from this new Feed are installed in your environment.

When a new rule or rule update is available in the Feed, you’ll see an indicator in the left nav. Before activating a new rule you can see how many messages the rule would have flagged in the last 24 hours, and quickly review those messages.

[image: backtest_results.gif]

When reviewing a rule update, you’ll see a diff of the installed and updated rule so any changes are clear. After reviewing, you can apply the update.

[image: rdv_diff_update.gif]

The Sublime Rules Feed is powered by a public Git repo managed by the Sublime team with community contributions. Soon, you’ll be able to create and manage your own custom feeds using both public and private Git repos. Those Feeds can then be kept internal, shared peer-to-peer or within private groups, or shared publicly.

How do I get started?

If you have an AWS deployment or Cloud account, you received this update automatically.

If you have a local Docker deployment, follow these instructions to update.

If you don't have early access to Sublime, you can request it here.

What's next?

Here are some of the other releases our team is actively working on:

  • Target detection rules to specific Active Directory or Google Groups
  • Role-Based Access Control (RBAC)
  • A redesigned Messages list that enables significantly faster triage
  • Detect HTML smuggling by analyzing files linked in the body of a message
  • Automatically triage flagged and reported messages using Triage Rules

Grab us on Slack or via email with any support questions or feedback! You can also grab a feedback or catch-up session with us at any time here.

Platform v0.22 (Message insights via automated Queries)

New

You can now quickly investigate flagged or user-reported messages with message insights and previews.

[image: message_insights.png]

We’ve completely redesigned the message detail view to include:

  • Message insights: On the right, you’ll now see the result of automated analysis performed by 50+ MQL Queries.
  • Message previews: On the left, you’ll see a preview of the message as the user saw it. You can still toggle this view to see the Message Data Model (MDM), text view, or HTML view. Soon you’ll be able to preview or download attachments as well.

You can view the default Queries on GitHub. Soon you’ll be able to write and configure custom queries, giving you complete control over the automated analysis conducted in this view.

How do I get started?

If you have an AWS deployment or Cloud account, you’ll need to perform a brief stack update by following these instructions.

If you have a Docker deployment:

  1. First, you’ll need to add two new keys to your sublime.env file.
  2. Then, complete the usual Docker update instructions.

If you don't have early access to Sublime, you can request it here.

What's next?

Here are some of the other releases our team is actively working on:

  • Subscribe to rules written by others using Rule Feeds
  • Sublime Cloud: a fully hosted and managed Platform deployment
  • Detect HTML smuggling by analyzing files linked in the body of a message
  • Ingest threat intel from any publicly accessible .csv or .txt file
  • Credential phishing link detection using computer vision

Grab us on Slack or via email with any support questions or feedback! You can also grab a feedback or catch-up session with us at any time here.

Platform v0.21 (Hunt)

New

You can now retro-hunt over historical email messages using arbitrary MQL queries.

[image: hunt.gif]

Here are just a few examples of how to leverage Hunt in your environment today:

  • Answer the question "Were we hit with this?" when reviewing threat intel and alerts, e.g. hunt for links containing a domain mentioned in this CISA alert (shown above), or hunt for instances of this Google Translate technique with: type.inbound and any(body.links, .href_url.domain.root_domain == 'translate[.]goog'). From the results, you can trash any instances of these campaigns your users received.
  • Quickly and easily perform sophisticated retro-hunts as part of incident response.
  • Use Hunt to better understand your environment and close attack surface where possible. E.g. after seeing this alert you might Hunt for any instances of this Adobe redirect using type.inbound and any(body.links, .href_url.domain.domain == 't-info[.]mail[.]adobe[.]com'). Finding none from the past month, you might decide to activate a rule that quarantines future messages containing this redirect. Similarly, you might answer the question "who in my organization receives HTML attachments" by Hunting with: type.inbound and any(attachments, .file_extension in~ ('htm', 'html'))

The domains above are defanged with [.] for display only. The query you run must use the real domain (e.g. 'translate.goog'): MQL compares the literal string, so a bracketed domain will never match a parsed link.

By default, the system will retain 1 day of full email data for Hunt purposes. You can configure this up to 30 days via a new setting in Admin → Account:

[image: message_retention.png]

Soon, you'll be able to auto-hunt newly received threat intel from STIX/TAXII feeds and other sources, as well as Hunt over a full year of historical data.

How do I get started?

Click "Hunt" in the left nav to get started. Increase message retention for Hunt in Admin → Account if desired.

If you have a local Docker deployment, follow these instructions to update.

If you have an AWS deployment or Cloud account, you received this update automatically.

If you don't have early access to Sublime, you can request it here.

What's next?

Here are some of the other releases our team is actively working on:

  • Detect HTML smuggling by analyzing files linked in the body of a message
  • Subscribe to rules written by others using Rule Feeds
  • Sublime Cloud: a fully hosted and managed Platform deployment
  • Ingest threat intel from any publicly accessible .csv or .txt file
  • Credential phishing link detection using computer vision

Grab us on Slack or via email with any support questions or feedback! You can also grab a feedback or catch-up session with us at any time here.

Platform v0.20 (User Reports)

New

You can now receive and manually remediate user-reported phish using Sublime. Users forward suspicious messages to a configured alias (commonly "phishing@") and Sublime retrieves the original message as well as which other users received it. After investigating, you can trash all messages in the campaign with a single click and all future instances of the campaign will be auto-trashed.

[image: abuse_mailbox.gif]

Soon you'll be able to configure a separate set of MQL rules to auto-triage these user reports via Actions, including auto-trashing the campaign, adding warning banners, neutering links or attachments, and notifying the user that their reported message was ultimately safe or a phish.

How do I get started?

Go to Admin → Account and enter the alias where users forward suspected phish.

If you have a local Docker deployment, follow these instructions to update.

If you have an AWS deployment or Cloud account, you received this update automatically.

If you don't have early access to Sublime, you can request it here.

What's next?

Here are some of the other releases our team is actively working on:

  • Hunt for historical messages using MQL
  • Sublime Cloud: a fully hosted and managed Platform deployment
  • Credential phishing link detection using computer vision
  • Ingest threat intel from any publicly accessible .csv or .txt file
  • Subscribe to rules written by others using Rule Feeds

Grab us on Slack or via email with any support questions or feedback! You can also grab a feedback or catch-up session with us at any time here.

Platform v0.19 (Recursive attachment explosion and static file analysis)

New

You can now perform static analysis of attachments in Sublime detection rules using a new function: beta.binexplode (docs). This function uses a first-class Strelka integration to recursively extract binaries, images, text, URLs, and other embedded content.

Supported scanners include bzip2, docx, encrypted_doc, encrypted_zip, entropy, exiftool, gif, gzip, hash, html, javascript, jpeg, ocr, ole, pdf, qr, rar, strings, tar, url, vba, xml, zip, and zlib.

As part of this release the Sublime team is sharing 11 new detection rules that leverage this capability, including this rule which uses beta.binexplode and OCR to flag attachments soliciting the user to enable macros:

[image: ocr_rule.png]

This function runs these supported YARA signatures as part of its analysis, and soon you'll be able to add and run custom YARA sigs as well.

This release also includes the ability to evaluate function output when testing a rule in the editor, making it significantly easier to write and debug rules that use enrichment functions like beta.binexplode.

[image: eval.gif]

How do I get started?

If you have a local Docker deployment, follow these instructions to update.

If you have an AWS deployment, you'll receive a separate message on how to update for this release.

If you don't have early access to Sublime, you can request it here.

What's next?

Here are some of the other releases our team is actively working on:

  • Hunt for historical messages using MQL
  • Sublime Cloud: a fully hosted and managed Platform deployment
  • Credential phishing link detection using computer vision
  • Ingest threat intel from any publicly accessible .csv or .txt file
  • Subscribe to rules written by others using Rule Feeds

Grab us on Slack or via email with any support questions or feedback! You can also grab a feedback or catch-up session with us at any time here.

Platform v0.18 (Custom Lists and new nav)

New

You can now create custom lists and reference them in your detection rules.

[image: lists_v2.gif]

Custom lists can contain any number of items and are immediately available for use in detection rules. Soon, you'll be able to import and sync lists with external files and manage lists using the Sublime Platform API.

This release includes a brand new collapsible nav, so there's now more screen real estate for rules and messages.

Lastly, as part of this release, you'll also see a new dynamic system list: $org_display_names. This list includes the display names of all mailboxes associated with your Microsoft 365 and Google Workspace message sources and is auto-synced daily. We're also sharing a new rule to demonstrate how this list might be used: Attachment with VBA macros from employee impersonation

// Inbound message whose sender display name matches one of the org's own
// mailboxes ($org_display_names is the daily-synced dynamic system list)...
type.inbound
and sender.display_name in $org_display_names
// ...carrying an Office attachment that actually contains VBA macros...
and any(attachments,
  .file_extension in~ ("doc", "docm", "docx", "dot", "dotm", "pptm", "ppsm", "xlm", "xls", "xlsb", "xlsm", "xlt", "xltm")
  and beta.oletools(.).indicators.vba_macros.exists
)
// ...sent from a free-mail provider or a domain outside the Tranco top 1M...
and (
  sender.email.domain.root_domain in $free_email_providers
  or sender.email.domain.root_domain not in $tranco_1m
)
// ...and not from an address already present in $recipient_emails
and sender.email.email not in $recipient_emails

How do I get started?

If you have a local Docker deployment, follow these instructions to update. If you have an AWS deployment, you received this update automatically.

You can view and create Lists via the left nav.

If you don't have early access to Sublime, you can request it here.

What's next?

Here are some of the other releases our team is actively working on:

  • Hunt for historical messages using MQL
  • Sublime Cloud: a fully hosted and managed Platform deployment
  • Binary explosion for attachment analysis, including YARA support
  • Credential phishing link detection
  • Ingest threat intel from any publicly accessible .csv or .txt file

Grab us on Slack or via email with any support questions or feedback! You can also grab a feedback or catch-up session with us at any time here.