Sublime Security updates
sublimesecurity.com

Platform v0.37.9 (Mailbox opens for Microsoft 365 and Google Workspace)

You can now view which mailbox users opened a message as well as when they opened it for messages ingested from Microsoft 365 or Google Workspace. You’ll see an open envelope icon in both the triage and investigation experiences, and you can hover over this icon for more details.

[Image: mailbox_opens.gif]

Soon, we’ll support opens on IMAP message sources and add API support. We’re also working on surfacing message replies and forwards!

Grab us on Slack or via email to support@sublimesecurity.com with any questions or feedback.

Platform v0.37.5 (Auto-update feed rules, new user reports API parameter, new default Lists)

Recently we released a number of features designed to improve your Sublime experience:

  • For users with the role admin or engineer, there’s now an option to automatically apply updates to installed feed rules. You can head to your Sublime Rules Feed page in the Dashboard to turn on the toggle!
  • We’ve added 2 new default Lists to make rule writing easier: $file_extensions_common_archives and $file_extensions_macros. Rules in the Sublime Rules Feed have been updated to use these new Lists.
  • We’ve improved the zip binexplode scanner, which now includes the file names within encrypted zips.

[Image: zip binexplode.png]

  • LinkAnalysis now has improved detection of credential phishing pages via OCR, as well as better logic for identifying captchas and login input boxes.

[Image: link_analysis_update.png]

Grab us on Slack or via email with any support questions or feedback!

Platform v0.37 (Rule severities)

Today we’re introducing Rule severities - critical, high, medium, and low - to help you prioritize alerts during the triage and investigation process.

  • critical is used to identify rules related to CVEs, malware families, and threat actors. critical alerts that were not auto-remediated should be reviewed immediately. critical can also be used for high-confidence, high-impact alerts that you want prioritized over all other high alerts.
  • high alerts that were not auto-remediated should be reviewed quickly.
  • medium alerts that were not auto-remediated should be reviewed frequently.
  • low alerts that were not auto-remediated should be reviewed regularly.

[Image: severities_list.png]

You can think of severity as confidence-weighted impact, where confidence is how likely an alert is a true positive, and impact is the damage the attack the rule is designed to detect could cause.

Severities will now be visible in the dashboard anywhere you see a rule listed. As part of this release, we’ve set severities on all rules in the Sublime Rules Feed. For now, you can only add or modify severities on non-Feed rules. In the future, you’ll be able to set your own severities on Feed rules.

[Image: severities_messages.gif]

More information on Rule Severities is also available in our documentation.

How do I get started?

If you have an AWS deployment or Cloud account, you received this update automatically.

If you have a local Docker deployment, follow these instructions to update.

If you’re on the waitlist and want to get started with Sublime, please reply to this email and let us know. We’re currently onboarding folks as quickly as we can.

What's next?

Here are some of the other releases our team is actively working on:

  • Detect HTML smuggling by analyzing files linked in the body of a message
  • URL classifier for identifying suspicious links
  • Easily manage exclusions to feed rules
  • Flag messages that communicate “urgency”, “financial requests”, and more using Natural Language Understanding (NLU)
  • Ingest and process historical messages in new Sublime deployments or newly added Message Sources

Grab us on Slack or via email with any support questions or feedback! You can also grab a feedback or catch-up session with us at any time here.

Platform v0.36 (MQL function modules and new string functions)

This release improves the way MQL functions are organized by grouping them into modules. Now, when you’re searching for MQL functions, you’ll find that your favorite string functions are grouped under strings. or regex.. In the future, we plan to add function modules for NLU, base64 parsing, HTTP requests, and more!

As part of this release, your custom rules are automatically migrated to the new function names, and the MQL editor will help you use the new names going forward. The old names will continue to work, but with a deprecation warning and a Quick Fix suggestion in the editor, so you can easily use the new names.

Rules in the Sublime Rules Feed have also been updated to use the new function names!

This release also includes a few new functions:

  • strings.concat: Concatenate multiple strings on the fly.
  • strings.contains: Check if one string contains another.
  • strings.ends_with: Check if one string ends with another.
  • strings.starts_with: Check if one string starts with another.

[Image: auto_complete.gif]

Unlike the like operator, whose wildcard pattern must be known when the rule is written, these new substring functions accept fields or other dynamic values for both arguments. For example, you can now write strings.icontains(subject.subject, mailbox.display_name).
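A rule that uses the two-field form of strings.icontains described above to catch messages that reuse the recipient's own name, as an added example that is not part of the original post or the Sublime Rules Feed. It assumes the fields sender.display_name, sender.email.email, sender.email.domain.root_domain and mailbox.email.email, the length() function and the $org_domains default list; check these against your deployment's documentation.

```mql
// Added example, not from the original post or the Sublime Rules Feed.
// Assumes the fields sender.display_name, sender.email.email,
// sender.email.domain.root_domain and mailbox.email.email, the length()
// function and the $org_domains list; subject.subject, mailbox.display_name
// and strings.icontains are from the post. Paste into a rule's source.
type.inbound
// skip very short display names ("Al", "IT"), which match far too often
and length(mailbox.display_name) > 3
// the recipient's own name appears in the sender name or the subject;
// both arguments are message fields, so no static wildcard is needed
and (
  strings.icontains(sender.display_name, mailbox.display_name)
  or strings.icontains(subject.subject, mailbox.display_name)
)
// but the mail did not come from the recipient or from the org itself
and sender.email.email != mailbox.email.email
and sender.email.domain.root_domain not in $org_domains
```

Run it as a Hunt over recent mail before enabling it as a detection rule, so you can tune the length threshold and exclusions for your org.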

The MQL editor is aware of this change, and will help you use the new names as you type.

[Image: aware.gif]

When you use the old function names, the editor will suggest updates to automatically use the new name, and you can apply that update with a single click.

[Image: update.gif]

How do I get started?

If you have an AWS deployment or Cloud account, you received this update automatically.

If you have a local Docker deployment, follow these instructions to update.

If you’re on the waitlist and want to get started with Sublime, please reply to this email and let us know. We’re currently onboarding folks as quickly as we can.

What's next?

Here are some of the other releases our team is actively working on:

  • Detect HTML smuggling by analyzing files linked in the body of a message
  • URL classifier for identifying suspicious links
  • Easily manage exclusions to feed rules
  • Flag messages that communicate “urgency”, “financial requests”, and more using Natural Language Understanding (NLU)
  • Use Rule severities to prioritize message triage and trigger distinct investigation workflows

Grab us on Slack or via email with any support questions or feedback! You can also grab a feedback or catch-up session with us at any time here.

Platform v0.35.2 (Manually trigger Custom Actions, “First reported at”, and more)

We released a number of smaller updates this week to make it easier to investigate and remediate flagged and user reported messages.

You can now trigger Custom Actions manually as part of your investigation or remediation workflows. Previously you could only add Custom Actions to your Rules.

[Image: custom_actions.gif]

When triaging and investigating User Reported phish you’ll now see messages sorted by “First reported”.

[Image: first_reported_at.png]

We’ve added advanced filters to Hunt and Backtest results.

[Image: hunt_filters.gif]

Lastly, you’ll now see a count of active mailboxes in Admin > Mailboxes and a breakdown by Message Source in Admin > Message Sources.

Platform v0.35 (Herd immunity via user reports)

You can now auto-remediate phishing campaigns org-wide based on two or more user reports using a new MDM property: user_reports.count. Here’s a simple Triage Rule that can be set to auto-trash any campaigns with 2 or more user reports.

[Image: user_reports_count.png]

In this example, we see three users receiving the same phish. The first two report it, and as a result it’s auto-trashed from the inbox of the third before they’ve seen it.

[Image: herd_immunity.gif]

As with any Triage Rule, you can combine this with arbitrary MQL to auto-remediate campaigns based on any aspect of the message. Soon, we’ll add Feeds support for Triage Rules, so you can easily collaborate with others in the community on automatically handling user reports.
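The user_reports.count condition combined with additional MQL, as an added example rather than the rule shown in the original screenshot. It assumes the fields type.inbound, sender.email.domain.root_domain, body.links and attachments, the length() function and the $org_domains default list; the auto-trash action is set on the Triage Rule in the dashboard, as described above.

```mql
// Added example, not from the original post. Assumes the fields
// type.inbound, sender.email.domain.root_domain, body.links and
// attachments, the length() function and the $org_domains list.
// user_reports.count is the property introduced in this release.
type.inbound
// two or more people in the org reported this message
and user_reports.count >= 2
// do not auto-trash internal mail on the strength of reports alone;
// leave those for a human to review in the user-reports queue
and sender.email.domain.root_domain not in $org_domains
// only act automatically when the message carries a link or a file,
// the two things a phish needs to do damage
and (
  length(body.links) > 0
  or length(attachments) > 0
)
```

Messages that meet the report threshold but fail the other conditions still appear as user reports for manual triage; only the narrowed set is trashed automatically.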

How do I get started?

If you have an AWS deployment or Cloud account, you received this update automatically.

If you have a local Docker deployment, follow these instructions to update.

If you’re on the waitlist and want to get started with Sublime, please reply to this email and let us know. We’re currently onboarding folks as quickly as we can.

What's next?

Here are some of the other releases our team is actively working on:

  • Detect HTML smuggling by analyzing files linked in the body of a message
  • URL classifier for identifying suspicious links
  • Easily manage exclusions to feed rules
  • Write detection rules that reference any number of arbitrary Azure AD or Google Groups
  • Flag messages that communicate “urgency”, “financial requests”, and more using Natural Language Understanding (NLU)

Grab us on Slack or via email with any support questions or feedback! You can also grab a feedback or catch-up session with us at any time here.

Platform v0.34 (Credential phishing detection)

Sublime can now identify credential phishing pages using the new linkanalysis function and ML-powered credphish scanner. Here’s a sample rule that will flag messages with a credential phishing link in the body:

[Image: credphish.png]

The credphish scanner sends suspicious URLs to a headless browser which resolves the effective URL and collects a screenshot, which is then sent to an object detection model to detect brand logos, buttons, and input forms. Our model is based heavily on Phishpedia, an Open Source object detection project.

As part of this release we’re sharing 2 new detection rules via the Sublime Rules Feed:

Soon, you’ll be able to:

  • Retrieve files downloaded via links and pass those files to binexplode
  • Run linkanalysis on links retrieved from binexplode

View the LinkAnalysis documentation to learn more about this new function and how to use it. If you don’t already have an API key, email hello@sublimesecurity.com to request one.

How do I get started?

If you have an AWS deployment or Cloud account, you received this update automatically.

If you have a local Docker deployment, follow these instructions to update.

If you’re on the waitlist and want to get started with Sublime, please reply to this email and let us know. We’re currently onboarding folks as quickly as we can.

What's next?

Here are some of the other releases our team is actively working on:

  • Detect HTML smuggling by analyzing files linked in the body of a message
  • URL classifier for identifying suspicious links
  • Easily manage exclusions to feed rules
  • Write detection rules that reference any number of arbitrary Azure AD or Google Groups
  • Flag messages that communicate “urgency”, “financial requests”, and more using Natural Language Understanding (NLU)

Grab us on Slack or via email with any support questions or feedback! You can also grab a feedback or catch-up session with us at any time here.

Platform v0.33 (Machine Learning in MQL: VBA Macro Classifier)

Today we’re releasing a key piece of our vision for Sublime: our first machine learning (ML) model available directly in MQL. beta.ml_macro_classifier analyzes documents for malicious VBA macros and can be combined with arbitrary detection logic, such as organizational context or other suspicious indicators, to build powerful new rules and hunting queries.

With this release, it’s now possible to take advantage of the benefits of ML with the transparency and customizability of MQL. This is the first of many new models we’ll be releasing over the coming months. You can read more about this new function here.

Today we’re also sharing two new detection rules via the Sublime Rules Feed that leverage this function:

We’re also sharing a new rule for threat discovery via Hunt:

Soon you’ll be able to pass any files found via recursive binary explosion (using beta.binexplode) to this new beta.ml_macro_classifier function.

How do I get started?

If you have an AWS deployment or Cloud account, you received this update automatically.

If you have a local Docker deployment, follow these instructions to update.

If you’re on the waitlist and want to get started with Sublime, please reply to this email and let us know. We’re currently onboarding folks as quickly as we can.

What's next?

Here are some of the other releases our team is actively working on:

  • Detect credential phishing by analyzing link destinations
  • Write detection rules that reference any number of arbitrary Azure AD or Google Groups
  • Detect HTML smuggling by analyzing files linked in the body of a message
  • URL classifier for identifying suspicious links
  • Easily manage exclusions to feed rules

Grab us on Slack or via email with any support questions or feedback! You can also grab a feedback or catch-up session with us at any time here.

Platform v0.32 (Hunt Management and improved Editor context)

You can now view completed and in-progress Hunts, and share Hunt results with your teammates. Hunts can be named, and you can quickly see who ran the Hunt and how many messages were found.

[Image: hunt_management.gif]

Soon, you’ll be able to view the percentage remaining for in-progress Hunts and receive a notification when a Hunt completes.

As part of this release, we’ve brought the Analysis and “User View” sections of the investigation tool into the editor experience, so you’re always looking at the same context no matter where you’re viewing a message. You’ll also see these new tabs in the public playground!

[Image: better_editor_context.png]

How do I get started?

If you have an AWS deployment or Cloud account, you received this update automatically.

If you have a local Docker deployment, follow these instructions to update.

If you don't have early access to Sublime, you can request it here.

What's next?

Here are some of the other releases our team is actively working on:

  • Detect credential phishing by analyzing link destinations
  • Write detection rules that reference any number of arbitrary Azure AD or Google Groups
  • Detect HTML smuggling by analyzing files linked in the body of a message
  • URL classifier for identifying suspicious links
  • Easily manage exclusions to feed rules

Grab us on Slack or via email with any support questions or feedback! You can also grab a feedback or catch-up session with us at any time here.

Platform v0.31 (RBAC)

Sublime now supports Role-Based Access Control (RBAC), allowing you to assign roles with limited permissions to different Sublime users. We’ve added detailed new documentation breaking down the permissions of these three roles here.

[Image: rbac_2.png]

Set user roles by visiting Admin > Account, selecting a user, then clicking “Edit” in the Actions menu. By default, all current dashboard users will remain Admins.

[Image: rbac_1.png]

Soon, you’ll be able to create new roles with custom permissions!

How do I get started?

If you have an AWS deployment or Cloud account, you received this update automatically.

If you have a local Docker deployment, follow these instructions to update.

If you don't have early access to Sublime, you can request it here.

What's next?

Here are some of the other releases our team is actively working on:

  • Run long-term Hunts, cancel running Hunts, and view prior Hunt results
  • Detect credential phishing by analyzing link destinations
  • Write detection rules that reference any number of arbitrary Azure AD or Google Groups
  • Detect HTML smuggling by analyzing files linked in the body of a message
  • URL classifier for identifying suspicious links

Grab us on Slack or via email with any support questions or feedback! You can also grab a feedback or catch-up session with us at any time here.