# Sublime Security Logs

## Overview

Panther supports ingesting [Sublime Security](https://sublime.security/) audit logs, messages with rule matches (also known as Message Events), and all messages in the Message Data Model (MDM) format into Panther via AWS S3.

## How to onboard Sublime Security logs to Panther

### Step 1: Create a Sublime Security log source in Panther

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for "Sublime Security," then click its tile.
4. In the upper-right corner of the slide-out panel, click **Start Setup**.\
   ![A page titled "Sublime Security" is shown. An arrow is drawn to the upper-right corner, to a button labeled "Start Setup."](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-4e47bf9af5c3cdcfcd5cd0ce0d0944d497c1f977%2FScreenshot%202024-08-22%20at%204.19.46%20PM.png?alt=media)
5. Follow [Panther’s documentation for configuring an S3 Source](https://docs.panther.com/data-onboarding/data-transports/aws/s3).

### Step 2: Export Sublime Security logs to S3

* Follow the instructions in the Sublime documentation on how to export logs to an S3 bucket:
  * [Export Message MDMs](https://docs.sublime.security/docs/export-message-mdms)
  * [Export Audit Logs and Message Events](https://docs.sublime.security/docs/export-audit-logs-and-message-events)
    * When configuring the **Audit Log and Message Events Export** settings, ensure you have not checked the **Use JSON Lines text formatting** checkbox.
    * Panther expects logs to be in the format shown in the [Example Audit Logs](https://docs.sublime.security/docs/export-audit-logs-and-message-events#example-audit-logs) section:

      ```json
      {
        "events": ...,
        "count": 0,
        "start": "2023-05-03T23:55:01.06552Z",
        "end": "2023-05-04T00:05:00.309749667Z",
        "key": "sublime_platform_audit_log/2023/05/04/000500Z-LPPJKV.json"
      }
      ```
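The following is an added example, not Panther's or Sublime's own code, for checking an exported file against that expectation before pointing a log source at the bucket. It distinguishes the single wrapped object above from a JSON Lines file (one event per line), confirms the envelope keys, and checks that each event's `created_at` is RFC 3339 so Panther can use it as the event time. The event `type` values, IDs and the object key suffix in the constructed sample are placeholders, not values from Sublime.

```python
import json
import re

# Keys of the wrapper object shown in Sublime's "Example Audit Logs" section.
REQUIRED_ENVELOPE_KEYS = {"events", "count", "start", "end", "key"}

# RFC 3339 timestamp: date, "T", time, optional fraction, "Z" or numeric offset.
RFC3339_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$"
)


def _is_json_object(line: str) -> bool:
    try:
        return isinstance(json.loads(line), dict)
    except json.JSONDecodeError:
        return False


def looks_like_json_lines(text: str) -> bool:
    """True when every non-blank line is its own JSON object (JSONL export)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return len(lines) > 1 and all(_is_json_object(ln) for ln in lines)


def validate_envelope(doc: dict) -> list:
    """Return a list of problems with the wrapper object; empty means it is usable."""
    problems = []
    missing = sorted(REQUIRED_ENVELOPE_KEYS - set(doc))
    if missing:
        problems.append(f"envelope missing keys: {missing}")
        return problems
    events = doc["events"]
    if not isinstance(events, list):
        return problems + ["'events' is not a list"]
    if doc["count"] != len(events):
        problems.append(f"count is {doc['count']} but {len(events)} events present")
    for i, ev in enumerate(events):
        if not isinstance(ev, dict):
            problems.append(f"event #{i}: not an object")
            continue
        ident = ev.get("id", f"#{i}")
        ts = ev.get("created_at")
        if not isinstance(ts, str) or not RFC3339_RE.match(ts):
            problems.append(f"event {ident}: created_at {ts!r} is not RFC 3339")
    return problems


def events_from_export(text: str) -> list:
    """Parse one exported file and return its events, or raise ValueError."""
    if looks_like_json_lines(text):
        raise ValueError(
            "file is JSON Lines; uncheck 'Use JSON Lines text formatting' "
            "in the Sublime export settings"
        )
    doc = json.loads(text)
    if not isinstance(doc, dict):
        raise ValueError("expected a single JSON object envelope")
    problems = validate_envelope(doc)
    if problems:
        raise ValueError("; ".join(problems))
    return doc["events"]


# Constructed sample in the expected wrapped format (placeholder IDs and types).
SAMPLE_EXPORT = json.dumps({
    "events": [
        {"id": "evt-0001", "type": "user.login", "created_at": "2023-05-03T23:57:10.123456Z"},
        {"id": "evt-0002", "type": "rule.update", "created_at": "2023-05-04T00:01:42Z"},
    ],
    "count": 2,
    "start": "2023-05-03T23:55:01.06552Z",
    "end": "2023-05-04T00:05:00.309749667Z",
    "key": "sublime_platform_audit_log/2023/05/04/000500Z-EXAMPLE.json",
})

# The same two events as a JSON Lines file, which Panther's parser will not accept.
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in json.loads(SAMPLE_EXPORT)["events"])


if __name__ == "__main__":
    print(f"{len(events_from_export(SAMPLE_EXPORT))} events in wrapped export")
    try:
        events_from_export(SAMPLE_JSONL)
    except ValueError as exc:
        print(f"rejected: {exc}")
```

Run it against a file pulled from the export bucket (`events_from_export(open(path).read())`) after the first export lands; a rejection naming JSON Lines means the checkbox in the Sublime export settings is still on.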

## Panther-managed detections

See [Panther-managed](https://docs.panther.com/detections/panther-managed) rules for Sublime Security in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/main/rules/sublime_rules).

## Supported log types

### Sublime.Audit

```yaml
# Code generated by Panther; DO NOT EDIT. (@generated)
schema: Sublime.Audit
description: Audit logs from Sublime
referenceURL: https://docs.sublimesecurity.com/docs/export-audit-logs-and-message-events#example-audit-logs
fields:
  - name: created_at
    required: true
    description: The time the audit log was created.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: created_by
    required: true
    description: The user that created the audit log.
    type: object
    fields:
      - name: active
        description: Whether the user is currently active.
        type: boolean
      - name: created_at
        description: When the user was created.
        type: timestamp
        timeFormats:
          - rfc3339
      - name: email_address
        description: The user's email address.
        type: string
        indicators:
          - email
      - name: first_name
        description: The user's first name.
        type: string
      - name: google_oauth_user_id
        description: The user's Google OAuth user ID.
        type: float
      - name: id
        description: The user's unique Sublime ID.
        type: string
      - name: is_enrolled
        description: Whether the user is enrolled.
        type: boolean
      - name: last_name
        description: The user's last name.
        type: string
      - name: microsoft_oauth_user_id
        description: The user's Microsoft OAuth user ID.
        type: string
      - name: role
        description: The user's assigned role.
        type: string
      - name: updated_at
        description: The last time the user was updated.
        type: timestamp
        timeFormats:
          - rfc3339
    indicators:
      - email
  - name: data
    required: true
    description: The details of the activity that occurred.
    type: object
    fields:
      - name: message
        description: A unique message ID.
        type: object
        fields:
          - name: external_id
            description: An external ID.
            type: string
          - name: id
            description: A unique message ID.
            type: string
      - name: message_group
        description: The SHA256 hash of the message group.
        type: object
        fields:
          - name: id
            description: The SHA256 hash of the message group.
            type: string
            indicators:
              - sha256
      - name: request
        required: true
        description: Specific details about the request being made.
        type: object
        fields:
          - name: query
            description: The parameters of the query being made.
            type: object
            fields:
              - name: attachment_md5
                description: Specifies MD5 hash of attachments.
                type: string
              - name: attachment_sha1
                description: Specifies SHA1 hash of attachments.
                type: string
              - name: attachment_sha256
                description: Specifies SHA256 hash of attachments.
                type: string
              - name: created_at[gte]
                description: Specifies to only return results created after this time.
                type: timestamp
                timeFormats:
                  - rfc3339
              - name: created_at[lte]
                description: Specifies to only return results created before this time.
                type: timestamp
                timeFormats:
                  - rfc3339
              - name: fetch_all_ids
                description: Specifies whether to fetch all IDs or not.
                type: boolean
              - name: file_name
                description: Specifies file name of results to return.
                type: string
              - name: from
                description: Specifies the from email address to return.
                type: string
                indicators:
                  - email
              - name: limit
                description: Specifies the maximum number of results to return.
                type: bigint
              - name: mailbox
                description: Specifies which mailbox to return results from.
                type: string
              - name: message_id
                description: Specifies which message ID to return.
                type: string
              - name: offset
                description: Specifies an offset of results to return.
                type: bigint
              - name: subject
                description: Specifies email subject lines to return.
                type: string
              - name: to
                description: Specifies the to email address to return.
                type: string
              - name: limit_size
                description: Specifies whether to limit the size or not.
                type: boolean
          - name: authentication_method
            description: How the user was authenticated.
            type: string
          - name: body
            description: The body of the request.
            type: string
          - name: id
            required: true
            description: The unique ID of the request being made.
            type: string
          - name: ip
            description: The IP address the request was made from.
            type: string
            indicators:
              - ip
          - name: method
            description: The HTTP method of the request.
            type: string
          - name: path
            description: The URL path of the request.
            type: string
          - name: user_agent
            description: The user agent making the request.
            type: string
  - name: id
    description: The unique ID of the audit log.
    type: string
  - name: type
    description: The type of activity being recorded.
    type: string
```

### Sublime.MessageEvent

```yaml
# Code generated by Panther; DO NOT EDIT. (@generated)
schema: Sublime.MessageEvent
description: Message Events from Sublime
referenceURL: https://docs.sublimesecurity.com/docs/export-audit-logs-and-message-events#example-message-events
fields:
  - name: created_at
    required: true
    description: The timestamp of the flagged message event.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: data
    required: true
    description: Additional information about the flagged message event.
    type: object
    fields:
      - name: flagged_rules
        required: true
        description: The list of rules that have been flagged.
        type: array
        element:
          type: object
          fields:
            - name: attack_types
              description: The type of attack detected by the rule.
              type: array
              element:
                type: string
            - name: detection_methods
              description: How the rule detected an issue.
              type: array
              element:
                type: string
            - name: id
              description: The ID of the flagged rule.
              type: string
            - name: label
              description: The label of the flagged rule.
              type: string
            - name: name
              description: The name of the flagged rule.
              type: string
            - name: severity
              description: The severity of the rule finding.
              type: string
            - name: tags
              description: The tags of the flagged rule.
              type: array
              element:
                type: string
            - name: tactics_and_techniques
              description: The tactics and techniques mapped to this rule finding.
              type: array
              element:
                type: string
      - name: message
        description: The unique identifiers of the entities involved with the flagged rules.
        type: object
        fields:
          - name: canonical_id
            description: The canonical ID, which is a SHA256 hash.
            type: string
            indicators:
              - sha256
          - name: external_id
            description: The external ID of the message.
            type: string
          - name: id
            description: The ID of the message.
            type: string
          - name: landed_in_spam
            description: Whether the message went to the spam inbox.
            type: boolean
          - name: mailbox
            description: The ID of the mailbox the message is from.
            type: object
            fields:
              - name: external_id
                description: An external ID.
                type: string
              - name: id
                description: A unique message ID.
                type: string
          - name: message_source_id
            description: The ID of the message source.
            type: string
      - name: triggered_actions
        description: The actions triggered by the flagged rules.
        type: json
  - name: type
    required: true
    description: The type of messages being flagged.
    type: string
```
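As an added example of a detection written against this schema (it is not one of the Panther-managed rules and not Panther's or Sublime's code), the following Panther-style rule module alerts when a message that was delivered to the inbox, rather than landing in spam, matched at least one flagged rule at high severity. Panther rules are Python modules exposing `rule(event)` with optional `title(event)` and `dedup(event)`; the example uses plain dict access so it runs stand-alone, and assumes the event object Panther passes supports the same `.get()` calls. The severity labels, the `type` value, rule names, mailbox and message IDs in the constructed sample are assumptions, not values taken from Sublime.

```python
import copy

# Assumed Sublime severity labels that warrant an alert (compared case-insensitively).
ALERT_SEVERITIES = {"high", "critical"}


def _message(event: dict) -> dict:
    return (event.get("data") or {}).get("message") or {}


def flagged_rules(event: dict) -> list:
    """Return the data.flagged_rules array, tolerating missing or malformed keys."""
    rules = (event.get("data") or {}).get("flagged_rules") or []
    return [r for r in rules if isinstance(r, dict)]


def high_severity_rules(event: dict) -> list:
    return [
        r for r in flagged_rules(event)
        if str(r.get("severity", "")).lower() in ALERT_SEVERITIES
    ]


def rule(event: dict) -> bool:
    """Alert on delivered (non-spam) messages with a high-severity rule match."""
    if _message(event).get("landed_in_spam") is True:
        return False
    return bool(high_severity_rules(event))


def title(event: dict) -> str:
    mailbox = (_message(event).get("mailbox") or {}).get("id", "<unknown mailbox>")
    names = sorted(r.get("name", "<unnamed rule>") for r in high_severity_rules(event))
    return f"Sublime flagged message in mailbox {mailbox}: {', '.join(names)}"


def dedup(event: dict) -> str:
    """Collapse repeated events for the same message into one alert."""
    msg = _message(event)
    return msg.get("canonical_id") or msg.get("id") or "unknown"


def attack_types(event: dict) -> list:
    """Distinct attack_types across the high-severity matches, for alert context."""
    seen = []
    for r in high_severity_rules(event):
        for a in r.get("attack_types") or []:
            if a not in seen:
                seen.append(a)
    return seen


# Constructed Sublime.MessageEvent record with placeholder identifiers.
SAMPLE_EVENT = {
    "created_at": "2024-08-22T16:19:46Z",
    "type": "message.flagged",  # assumed value
    "data": {
        "flagged_rules": [
            {"id": "rule-a", "name": "Lookalike sender domain", "severity": "high",
             "attack_types": ["Credential Phishing"], "detection_methods": ["Sender analysis"]},
            {"id": "rule-b", "name": "Bulk marketing mail", "severity": "low",
             "attack_types": ["Spam"]},
        ],
        "message": {
            "canonical_id": "0" * 64,
            "id": "msg-001",
            "landed_in_spam": False,
            "mailbox": {"id": "mbx-001", "external_id": "ext-001"},
        },
        "triggered_actions": [],
    },
}

# Same message, but Sublime recorded that it went to the spam folder.
SPAM_EVENT = copy.deepcopy(SAMPLE_EVENT)
SPAM_EVENT["data"]["message"]["landed_in_spam"] = True


if __name__ == "__main__":
    for name, ev in (("delivered", SAMPLE_EVENT), ("spam", SPAM_EVENT)):
        print(name, "->", rule(ev), "|", title(ev) if rule(ev) else "")
```

The `landed_in_spam` gate is the design choice worth noting: a high-severity match that the mail platform already quarantined is lower priority than one sitting in a user's inbox, so filtering on it keeps the alert volume tied to exposure rather than to raw rule hits.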

### Sublime.MDM

```yaml
# Code generated by Panther; DO NOT EDIT. (@generated)
schema: Sublime.MDM
description: Message data model logs from Sublime
referenceURL: https://docs.sublimesecurity.com/docs/mdm
fields:
    - name: _errors
      type: array
      element:
        type: object
        fields:
            - name: field
              type: string
            - name: message
              type: string
            - name: type
              type: string
    - name: _meta
      required: true
      type: object
      fields:
        - name: canonical_id
          type: string
          indicators:
            - sha256
        - name: created_at
          type: timestamp
          timeFormats:
            - rfc3339
        - name: effective_at
          type: timestamp
          timeFormats:
            - rfc3339
        - name: id
          type: string
    - name: attachments
      type: array
      element:
        type: object
        fields:
            - name: content_id
              type: string
            - name: content_transfer_encoding
              type: string
            - name: content_type
              type: string
            - name: file_extension
              type: string
            - name: file_name
              type: string
            - name: file_type
              type: string
            - name: md5
              type: string
            - name: raw
              type: string
            - name: sha1
              type: string
              indicators:
                - sha1
            - name: sha256
              type: string
              indicators:
                - sha256
            - name: size
              type: bigint
    - name: body
      type: object
      fields:
        - name: ips
          type: array
          element:
            type: object
            fields:
                - name: ip
                  type: string
                  indicators:
                    - ip
        - name: plain
          type: object
          fields:
            - name: content_transfer_encoding
              type: string
            - name: charset
              type: string
            - name: raw
              type: string
        - name: links
          type: array
          element:
            type: object
            fields:
                - name: mismatched
                  type: boolean
                - name: display_url
                  type: object
                  fields:
                    - name: password
                      type: string
                    - name: fragment
                      type: string
                    - name: username
                      type: string
                      indicators:
                        - username
                    - name: query_params
                      type: string
                    - name: path
                      type: string
                    - name: domain
                      type: object
                      fields:
                        - name: subdomain
                          type: string
                        - name: domain
                          type: string
                        - name: root_domain
                          type: string
                        - name: sld
                          type: string
                        - name: tld
                          type: string
                        - name: valid
                          type: boolean
                    - name: scheme
                      type: string
                    - name: url
                      type: string
                      indicators:
                        - url
                - name: display_text
                  type: string
                - name: href_url
                  type: object
                  fields:
                    - name: password
                      type: string
                    - name: username
                      type: string
                    - name: rewrite
                      type: object
                      fields:
                        - name: encoders
                          type: array
                          element:
                            type: string
                        - name: original
                          type: string
                          indicators:
                            - url
                    - name: fragment
                      type: string
                    - name: query_params
                      type: string
                    - name: path
                      type: string
                    - name: domain
                      type: object
                      fields:
                        - name: subdomain
                          type: string
                        - name: domain
                          type: string
                        - name: root_domain
                          type: string
                        - name: sld
                          type: string
                        - name: tld
                          type: string
                        - name: valid
                          type: boolean
                    - name: scheme
                      type: string
                    - name: url
                      type: string
                      indicators:
                        - url
        - name: html
          type: object
          fields:
            - name: content_transfer_encoding
              type: string
            - name: charset
              type: string
            - name: display_text
              type: string
            - name: inner_text
              type: string
            - name: raw
              type: string
        - name: current_thread
          type: object
          fields:
            - name: text
              type: string
    - name: external
      required: true
      type: object
      fields:
        - name: created_at
          type: timestamp
          timeFormats:
            - rfc3339
          isEventTime: true
        - name: message_id
          type: string
        - name: route_type
          type: string
        - name: spam
          type: boolean
    - name: headers
      required: true
      type: object
      fields:
        - name: x_sender
          type: object
          fields:
            - name: domain
              type: object
              fields:
                - name: domain
                  type: string
                - name: root_domain
                  type: string
                - name: sld
                  type: string
                - name: tld
                  type: string
                - name: valid
                  type: boolean
            - name: email
              type: string
              indicators:
                - email
            - name: local_part
              type: string
        - name: in_reply_to
          type: string
          indicators:
            - email
        - name: references
          type: array
          element:
            type: string
            indicators:
                - email
        - name: reply_to
          type: array
          element:
            type: object
            fields:
                - name: display_name
                  type: string
                - name: email
                  type: object
                  fields:
                    - name: domain
                      type: object
                      fields:
                        - name: subdomain
                          type: string
                        - name: domain
                          type: string
                        - name: root_domain
                          type: string
                        - name: sld
                          type: string
                        - name: tld
                          type: string
                        - name: valid
                          type: boolean
                    - name: email
                      type: string
                      indicators:
                        - email
                    - name: local_part
                      type: string
                      indicators:
                        - sha256
        - name: mailer
          type: string
        - name: ips
          type: array
          element:
            type: object
            fields:
                - name: ip
                  type: string
                  indicators:
                    - ip
        - name: auth_summary
          type: object
          fields:
            - name: dmarc
              type: object
              fields:
                - name: pass
                  type: boolean
                - name: details
                  type: object
                  fields:
                    - name: action
                      type: string
                    - name: disposition
                      type: string
                    - name: policy
                      type: string
                    - name: sub_policy
                      type: string
                    - name: from
                      type: object
                      fields:
                        - name: subdomain
                          type: string
                        - name: domain
                          type: string
                        - name: root_domain
                          type: string
                        - name: sld
                          type: string
                        - name: tld
                          type: string
                        - name: valid
                          type: boolean
                    - name: verdict
                      type: string
                - name: received_hop
                  type: bigint
            - name: spf
              type: object
              fields:
                - name: error
                  type: boolean
                - name: pass
                  type: boolean
                - name: details
                  type: object
                  fields:
                    - name: client_ip
                      type: object
                      fields:
                        - name: ip
                          type: string
                          indicators:
                            - ip
                    - name: server
                      type: object
                      fields:
                        - name: domain
                          type: string
                        - name: root_domain
                          type: string
                        - name: sld
                          type: string
                        - name: tld
                          type: string
                        - name: valid
                          type: boolean
                    - name: description
                      type: string
                    - name: designator
                      type: string
                    - name: verdict
                      type: string
                - name: received_hop
                  type: bigint
        - name: delivered_to
          type: object
          fields:
            - name: domain
              type: object
              fields:
                - name: domain
                  type: string
                - name: root_domain
                  type: string
                - name: sld
                  type: string
                - name: tld
                  type: string
                - name: valid
                  type: boolean
            - name: email
              type: string
              indicators:
                - email
            - name: local_part
              type: string
        - name: domains
          type: array
          element:
            type: object
            fields:
                - name: subdomain
                  type: string
                - name: domain
                  type: string
                - name: root_domain
                  type: string
                - name: sld
                  type: string
                - name: tld
                  type: string
                - name: valid
                  type: boolean
        - name: return_path
          type: object
          fields:
            - name: domain
              type: object
              fields:
                - name: subdomain
                  type: string
                - name: domain
                  type: string
                - name: root_domain
                  type: string
                - name: sld
                  type: string
                - name: tld
                  type: string
                - name: valid
                  type: boolean
            - name: email
              type: string
              indicators:
                - email
            - name: local_part
              type: string
        - name: date
          type: timestamp
          timeFormats:
            - rfc3339
        - name: date_original_offset
          type: bigint
        - name: hops
          type: array
          element:
            type: object
            fields:
                - name: received_spf
                  type: object
                  fields:
                    - name: client_ip
                      type: object
                      fields:
                        - name: ip
                          type: string
                          indicators:
                            - ip
                    - name: description
                      type: string
                    - name: designator
                      type: string
                    - name: server
                      type: object
                      fields:
                        - name: domain
                          type: string
                        - name: root_domain
                          type: string
                        - name: sld
                          type: string
                        - name: tld
                          type: string
                        - name: valid
                          type: boolean
                    - name: verdict
                      type: string
                - name: authentication_results
                  type: object
                  fields:
                    - name: dmarc
                      type: string
                    - name: dmarc_details
                      type: object
                      fields:
                        - name: action
                          type: string
                        - name: disposition
                          type: string
                        - name: policy
                          type: string
                        - name: sub_policy
                          type: string
                        - name: from
                          type: object
                          fields:
                            - name: subdomain
                              type: string
                            - name: domain
                              type: string
                            - name: root_domain
                              type: string
                            - name: sld
                              type: string
                            - name: tld
                              type: string
                            - name: valid
                              type: boolean
                        - name: verdict
                          type: string
                    - name: dkim
                      type: string
                    - name: dkim_details
                      type: array
                      element:
                        type: object
                        fields:
                            - name: domain
                              type: string
                            - name: instance
                              type: string
                            - name: selector
                              type: string
                            - name: signature
                              type: string
                            - name: type
                              type: string
                    - name: instance
                      type: bigint
                    - name: server
                      type: object
                      fields:
                        - name: domain
                          type: string
                        - name: root_domain
                          type: string
                        - name: sld
                          type: string
                        - name: subdomain
                          type: string
                        - name: tld
                          type: string
                        - name: valid
                          type: boolean
                    - name: spf
                      type: string
                    - name: spf_details
                      type: object
                      fields:
                        - name: client_ip
                          type: object
                          fields:
                            - name: ip
                              type: string
                              indicators:
                                - ip
                        - name: description
                          type: string
                        - name: designator
                          type: string
                          indicators:
                            - email
                        - name: server
                          type: object
                          fields:
                            - name: domain
                              type: string
                            - name: root_domain
                              type: string
                            - name: sld
                              type: string
                            - name: tld
                              type: string
                            - name: valid
                              type: boolean
                        - name: verdict
                          type: string
                    - name: type
                      type: string
                - name: received
                  type: object
                  fields:
                    - name: link
                      type: object
                      fields:
                        - name: raw
                          type: string
                    - name: mailbox
                      type: object
                      fields:
                        - name: raw
                          type: string
                          indicators:
                            - email
                    - name: additional
                      type: object
                      fields:
                        - name: raw
                          type: string
                          indicators:
                            - email
                    - name: source
                      type: object
                      fields:
                        - name: raw
                          type: string
                          indicators:
                            - ip
                    - name: id
                      type: object
                      fields:
                        - name: raw
                          type: string
                          indicators:
                            - email
                    - name: protocol
                      type: object
                      fields:
                        - name: raw
                          type: string
                    - name: server
                      type: object
                      fields:
                        - name: raw
                          type: string
                          indicators:
                            - ip
                    - name: time
                      type: timestamp
                      timeFormats:
                        - rfc3339
                    - name: zone_offset
                      type: bigint
                - name: signature
                  type: object
                  fields:
                    - name: version
                      type: bigint
                    - name: instance
                      type: string
                    - name: algorithm
                      type: string
                    - name: body_hash
                      type: string
                    - name: domain
                      type: string
                    - name: headers
                      type: string
                    - name: selector
                      type: string
                    - name: signature
                      type: string
                    - name: type
                      type: string
                - name: fields
                  type: array
                  element:
                    type: object
                    fields:
                        - name: name
                          type: string
                        - name: position
                          type: bigint
                        - name: value
                          type: string
                          indicators:
                            - email
                            - ip
                - name: index
                  type: bigint
        - name: message_id
          type: string
          indicators:
            - email
    - name: mailbox
      required: true
      type: object
      fields:
        - name: email
          type: object
          fields:
            - name: domain
              type: object
              fields:
                - name: domain
                  type: string
                - name: root_domain
                  type: string
                - name: sld
                  type: string
                - name: tld
                  type: string
                - name: valid
                  type: boolean
            - name: email
              type: string
              indicators:
                - email
            - name: local_part
              type: string
    - name: recipients
      required: true
      type: object
      fields:
        - name: bcc
          type: array
          element:
            type: object
            fields:
                - name: email
                  type: object
                  fields:
                    - name: domain
                      type: object
                      fields:
                        - name: domain
                          type: string
                        - name: root_domain
                          type: string
                        - name: sld
                          type: string
                        - name: tld
                          type: string
                        - name: valid
                          type: boolean
                    - name: email
                      type: string
                      indicators:
                        - email
                    - name: local_part
                      type: string
        - name: cc
          type: array
          element:
            type: object
            fields:
                - name: display_name
                  type: string
                  indicators:
                    - email
                - name: email
                  type: object
                  fields:
                    - name: domain
                      type: object
                      fields:
                        - name: domain
                          type: string
                        - name: root_domain
                          type: string
                        - name: sld
                          type: string
                        - name: tld
                          type: string
                        - name: valid
                          type: boolean
                    - name: email
                      type: string
                      indicators:
                        - email
                    - name: local_part
                      type: string
        - name: to
          type: array
          element:
            type: object
            fields:
                - name: display_name
                  type: string
                  indicators:
                    - email
                - name: email
                  type: object
                  fields:
                    - name: domain
                      type: object
                      fields:
                        - name: subdomain
                          type: string
                        - name: root_domain
                          type: string
                        - name: sld
                          type: string
                        - name: tld
                          type: string
                        - name: domain
                          type: string
                        - name: valid
                          type: boolean
                    - name: email
                      type: string
                      indicators:
                        - email
                    - name: local_part
                      type: string
                      indicators:
                        - sha256
    - name: sender
      required: true
      type: object
      fields:
        - name: display_name
          type: string
          indicators:
            - email
        - name: email
          type: object
          fields:
            - name: domain
              type: object
              fields:
                - name: subdomain
                  type: string
                - name: domain
                  type: string
                - name: root_domain
                  type: string
                - name: sld
                  type: string
                - name: tld
                  type: string
                - name: valid
                  type: boolean
            - name: email
              type: string
              indicators:
                - email
            - name: local_part
              type: string
    - name: subject
      type: object
      fields:
        - name: subject
          type: string
    - name: type
      required: true
      type: object
      fields:
        - name: inbound
          type: boolean
```
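As an added example (not code from the Panther documentation or from Sublime Security), the following Panther-style Python detection reads only fields that the MDM schema above defines: `type.inbound`, `mailbox.email.domain.root_domain`, `sender.display_name` and `sender.email.domain.root_domain`. The `rule`/`title` entry points follow the Panther rule convention; the `deep_get` helper and the sample event are constructed for this example and stand in for the real event accessor and a real exported message.

```python
# Added example: a detection over a Sublime MDM event as laid out in the schema
# above. `deep_get` is a local helper (assumption: it mirrors a nested-dict
# accessor); SAMPLE_EVENT is a constructed event, not a real export.

def deep_get(obj, *keys, default=None):
    """Walk nested dicts safely; return `default` when any key is missing."""
    cur = obj
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def rule(event):
    """Flag an inbound message whose sender display_name names the receiving
    mailbox's own root_domain while the sender's root_domain is a different
    domain (display-name impersonation of the internal domain)."""
    if not deep_get(event, "type", "inbound", default=False):
        return False
    mailbox_root = (deep_get(event, "mailbox", "email", "domain", "root_domain") or "").lower()
    sender_root = (deep_get(event, "sender", "email", "domain", "root_domain") or "").lower()
    display_name = (deep_get(event, "sender", "display_name") or "").lower()
    if not mailbox_root or not sender_root:
        return False  # schema marks these objects required, but guard anyway
    return sender_root != mailbox_root and mailbox_root in display_name


def title(event):
    """Alert title built from the sender and mailbox addresses in the event."""
    sender = deep_get(event, "sender", "email", "email", default="<unknown>")
    mailbox = deep_get(event, "mailbox", "email", "email", default="<unknown>")
    return f"Sublime MDM: display name spoofs internal domain, {sender} -> {mailbox}"


# Constructed sample event shaped per the schema above (subset of fields only).
SAMPLE_EVENT = {
    "type": {"inbound": True},
    "mailbox": {"email": {"email": "alice@example.com",
                          "domain": {"root_domain": "example.com"}}},
    "sender": {"display_name": "IT Helpdesk (example.com)",
               "email": {"email": "helpdesk@mail-example.net",
                         "domain": {"root_domain": "mail-example.net"}}},
}
```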
