Sublime Security Logs

Connecting Sublime Security logs in your Panther Console

Overview

Panther supports ingesting Sublime Security audit logs, messages with rule matches (also known as Message Events), and all messages in the Message Data Model (MDM) format into Panther via AWS S3.

How to onboard Sublime Security logs to Panther

Step 1: Create a Sublime Security log source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for "Sublime Security," then click its tile.

  4. In the upper-right corner of the slide-out panel, click Start Setup.

Step 2: Export Sublime Security logs to S3

Panther-managed detections

See Panther-managed rules for Sublime Security in the panther-analysis GitHub repository.

Supported log types

Sublime.Audit

# Code generated by Panther; DO NOT EDIT. (@generated)
schema: Sublime.Audit
description: Audit logs from Sublime
referenceURL: https://docs.sublimesecurity.com/docs/export-audit-logs-and-message-events#example-audit-logs
fields:
  - name: created_at
    required: true
    description: The time the audit log was created.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: created_by
    required: true
    description: The user that created the audit log.
    type: object
    fields:
      - name: active
        description: Whether the user is currently active.
        type: boolean
      - name: created_at
        description: When the user was created.
        type: timestamp
        timeFormats:
          - rfc3339
      - name: email_address
        description: The users email address.
        type: string
        indicators:
          - email
      - name: first_name
        description: The users first name.'
        type: string
      - name: google_oauth_user_id
        description: The users google oauth user ID.
        type: float
      - name: id
        description: The users unique Sublime ID.
        type: string
      - name: is_enrolled
        description: Whether the user is enrolled.
        type: boolean
      - name: last_name
        description: The users last name.'
        type: string
      - name: microsoft_oauth_user_id
        description: The users Microsoft oauth user ID.
        type: string
      - name: role
        description: The users assigned role.
        type: string
      - name: updated_at
        description: The last time the user was updated.
        type: timestamp
        timeFormats:
          - rfc3339
    indicators:
      - email
  - name: data
    required: true
    description: The details of the activity that occurred.
    type: object
    fields:
      - name: message
        description: A unique message ID.
        type: object
        fields:
          - name: external_id
            description: An external ID.
            type: string
          - name: id
            description: A unique message ID.
            type: string
      - name: message_group
        description: The SHA256 hash of the message group.
        type: object
        fields:
          - name: id
            description: The SHA256 hash of the message group.
            type: string
            indicators:
              - sha256
      - name: request
        required: true
        description: Specific details about the request being made.
        type: object
        fields:
          - name: query
            description: The parameters of the query being made.
            type: object
            fields:
              - name: attachment_md5
                description: Specifies MD5 hash of attachments.
                type: string
              - name: attachment_sha1
                description: Specifies SHA1 hash of attachments.
                type: string
              - name: attachment_sha256
                description: Specifies SHA256 hash of attachments.
                type: string
              - name: created_at[gte]
                description: Specifies to only return results created after this time.
                type: timestamp
                timeFormats:
                  - rfc3339
              - name: created_at[lte]
                description: Specifies to only return results created before this time.
                type: timestamp
                timeFormats:
                  - rfc3339
              - name: fetch_all_ids
                description: Specifies whether to fetch all IDs or not
                type: boolean
              - name: file_name
                description: Specifies file name of results to return.
                type: string
              - name: from
                description: Specifies the from email address to return.
                type: string
                indicators:
                  - email
              - name: limit
                description: Specifies the maximum number of results to return.
                type: bigint
              - name: mailbox
                description: Specifies which mailbox to return results from.
                type: string
              - name: message_id
                description: Specifies which message ID to return.
                type: string
              - name: offset
                description: Specifies an offset of results to return.
                type: bigint
              - name: subject
                description: Specifies email subject lines to return.
                type: string
              - name: to
                description: Specifies the to email address to return.
                type: string
              - name: limit_size
                description: Specifies whether to limit the size or not.
                type: boolean
          - name: authentication_method
            description: How the user was authenticated.
            type: string
          - name: body
            description: The body of the request.
            type: string
          - name: id
            required: true
            description: The unique ID of the request being made.
            type: string
          - name: ip
            description: The IP address the request was made from.
            type: string
            indicators:
              - ip
          - name: method
            description: The HTTP method the request of the request.
            type: string
          - name: path
            description: The URL path of the request.
            type: string
          - name: user_agent
            description: The user agent making the request.
            type: string
  - name: id
    description: The unique ID of the audit log.
    type: string
  - name: type
    description: The type of activity being recorded.
    type: string

Sublime.MessageEvent

# Code generated by Panther; DO NOT EDIT. (@generated)
schema: Sublime.MessageEvent
description: Message Events from Sublime
referenceURL: https://docs.sublimesecurity.com/docs/export-audit-logs-and-message-events#example-message-events
fields:
  - name: created_at
    required: true
    description: The timestamp of the flagged message event.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: data
    required: true
    description: Additional information about the flagged message event.
    type: object
    fields:
      - name: flagged_rules
        required: true
        description: The list of rules that have been flagged.
        type: array
        element:
          type: object
          fields:
            - name: attack_types
              description: The type of attack detected by the rule.
              type: array
              element:
                type: string
            - name: detection_methods
              description: How the rule detected an issue.
              type: array
              element:
                type: string
            - name: id
              description: The ID of the flagged rule.
              type: string
            - name: label
              description: The label of the flagged rule.
              type: string
            - name: name
              description: The name of the flagged rule.
              type: string
            - name: severity
              description: The severity of the rule finding.
              type: string
            - name: tags
              description: The tags of the flagged rule.
              type: array
              element:
                type: string
            - name: tactics_and_techniques
              description: The tactics and techniques mapped to this rule finding.
              type: array
              element:
                type: string
      - name: message
        description: The unique identifiers of the entities involved with the flagged rules.
        type: object
        fields:
          - name: canonical_id
            description: The canonical ID, which is a SHA256 hash.
            type: string
            indicators:
              - sha256
          - name: external_id
            description: The external ID of the message.
            type: string
          - name: id
            description: The ID of the message.
            type: string
          - name: landed_in_spam
            description: Whether the message went to the spam inbox.
            type: boolean
          - name: mailbox
            description: The ID of the mailbox the message is from.
            type: object
            fields:
              - name: external_id
                description: An external ID.
                type: string
              - name: id
                description: A unique message ID.
                type: string
          - name: message_source_id
            description: The ID of the message source.
            type: string
      - name: triggered_actions
        description: The actions triggered by the flagged rules
        type: json
  - name: type
    required: true
    description: The type of messages being flagged.
    type: string

Sublime.MDM

# Code generated by Panther; DO NOT EDIT. (@generated)
schema: Sublime.MDM
description: Message data model logs from Sublime
referenceURL: https://docs.sublimesecurity.com/docs/mdm
fields:
    - name: _errors
      type: array
      element:
        type: object
        fields:
            - name: field
              type: string
            - name: message
              type: string
            - name: type
              type: string
    - name: _meta
      required: true
      type: object
      fields:
        - name: canonical_id
          type: string
          indicators:
            - sha256
        - name: created_at
          type: timestamp
          timeFormats:
            - rfc3339
        - name: effective_at
          type: timestamp
          timeFormats:
            - rfc3339
        - name: id
          type: string
    - name: attachments
      type: array
      element:
        type: object
        fields:
            - name: content_id
              type: string
            - name: content_transfer_encoding
              type: string
            - name: content_type
              type: string
            - name: file_extension
              type: string
            - name: file_name
              type: string
            - name: file_type
              type: string
            - name: md5
              type: string
            - name: raw
              type: string
            - name: sha1
              type: string
              indicators:
                - sha1
            - name: sha256
              type: string
              indicators:
                - sha256
            - name: size
              type: bigint
    - name: body
      required: true
      type: object
      fields:
        - name: ips
          type: array
          element:
            type: object
            fields:
                - name: ip
                  type: string
                  indicators:
                    - ip
        - name: plain
          type: object
          fields:
            - name: content_transfer_encoding
              type: string
            - name: charset
              type: string
            - name: raw
              type: string
        - name: links
          type: array
          element:
            type: object
            fields:
                - name: mismatched
                  type: boolean
                - name: display_url
                  type: object
                  fields:
                    - name: password
                      type: string
                    - name: fragment
                      type: string
                    - name: username
                      type: string
                      indicators:
                        - username
                    - name: query_params
                      type: string
                    - name: path
                      type: string
                    - name: domain
                      type: object
                      fields:
                        - name: subdomain
                          type: string
                        - name: domain
                          type: string
                        - name: root_domain
                          type: string
                        - name: sld
                          type: string
                        - name: tld
                          type: string
                        - name: valid
                          type: boolean
                    - name: scheme
                      type: string
                    - name: url
                      type: string
                      indicators:
                        - url
                - name: display_text
                  type: string
                - name: href_url
                  type: object
                  fields:
                    - name: password
                      type: string
                    - name: username
                      type: string
                    - name: rewrite
                      type: object
                      fields:
                        - name: encoders
                          type: array
                          element:
                            type: string
                        - name: original
                          type: string
                          indicators:
                            - url
                    - name: fragment
                      type: string
                    - name: query_params
                      type: string
                    - name: path
                      type: string
                    - name: domain
                      type: object
                      fields:
                        - name: subdomain
                          type: string
                        - name: domain
                          type: string
                        - name: root_domain
                          type: string
                        - name: sld
                          type: string
                        - name: tld
                          type: string
                        - name: valid
                          type: boolean
                    - name: scheme
                      type: string
                    - name: url
                      type: string
                      indicators:
                        - url
        - name: html
          type: object
          fields:
            - name: content_transfer_encoding
              type: string
            - name: charset
              type: string
            - name: display_text
              type: string
            - name: inner_text
              type: string
            - name: raw
              type: string
        - name: current_thread
          type: object
          fields:
            - name: text
              type: string
    - name: external
      required: true
      type: object
      fields:
        - name: created_at
          type: timestamp
          timeFormats:
            - rfc3339
          isEventTime: true
        - name: message_id
          type: bigint
        - name: route_type
          type: string
        - name: spam
          type: boolean
    - name: headers
      required: true
      type: object
      fields:
        - name: x_sender
          type: object
          fields:
            - name: domain
              type: object
              fields:
                - name: domain
                  type: string
                - name: root_domain
                  type: string
                - name: sld
                  type: string
                - name: tld
                  type: string
                - name: valid
                  type: boolean
            - name: email
              type: string
              indicators:
                - email
            - name: local_part
              type: string
        - name: in_reply_to
          type: string
          indicators:
            - email
        - name: references
          type: array
          element:
            type: string
            indicators:
                - email
        - name: reply_to
          type: array
          element:
            type: object
            fields:
                - name: display_name
                  type: string
                - name: email
                  type: object
                  fields:
                    - name: domain
                      type: object
                      fields:
                        - name: subdomain
                          type: string
                        - name: domain
                          type: string
                        - name: root_domain
                          type: string
                        - name: sld
                          type: string
                        - name: tld
                          type: string
                        - name: valid
                          type: boolean
                    - name: email
                      type: string
                      indicators:
                        - email
                    - name: local_part
                      type: string
                      indicators:
                        - sha256
        - name: mailer
          type: string
        - name: ips
          type: array
          element:
            type: object
            fields:
                - name: ip
                  type: string
                  indicators:
                    - ip
        - name: auth_summary
          type: object
          fields:
            - name: dmarc
              type: object
              fields:
                - name: pass
                  type: boolean
                - name: details
                  type: object
                  fields:
                    - name: action
                      type: string
                    - name: disposition
                      type: string
                    - name: policy
                      type: string
                    - name: sub_policy
                      type: string
                    - name: from
                      type: object
                      fields:
                        - name: subdomain
                          type: string
                        - name: domain
                          type: string
                        - name: root_domain
                          type: string
                        - name: sld
                          type: string
                        - name: tld
                          type: string
                        - name: valid
                          type: boolean
                    - name: verdict
                      type: string
                - name: received_hop
                  type: bigint
            - name: spf
              type: object
              fields:
                - name: error
                  type: boolean
                - name: pass
                  type: boolean
                - name: details
                  type: object
                  fields:
                    - name: client_ip
                      type: object
                      fields:
                        - name: ip
                          type: string
                          indicators:
                            - ip
                    - name: server
                      type: object
                      fields:
                        - name: domain
                          type: string
                        - name: root_domain
                          type: string
                        - name: sld
                          type: string
                        - name: tld
                          type: string
                        - name: valid
                          type: boolean
                    - name: description
                      type: string
                    - name: designator
                      type: string
                    - name: verdict
                      type: string
                - name: received_hop
                  type: bigint
        - name: delivered_to
          type: object
          fields:
            - name: domain
              type: object
              fields:
                - name: domain
                  type: string
                - name: root_domain
                  type: string
                - name: sld
                  type: string
                - name: tld
                  type: string
                - name: valid
                  type: boolean
            - name: email
              type: string
              indicators:
                - email
            - name: local_part
              type: string
        - name: domains
          type: array
          element:
            type: object
            fields:
                - name: subdomain
                  type: string
                - name: domain
                  type: string
                - name: root_domain
                  type: string
                - name: sld
                  type: string
                - name: tld
                  type: string
                - name: valid
                  type: boolean
        - name: return_path
          type: object
          fields:
            - name: domain
              type: object
              fields:
                - name: subdomain
                  type: string
                - name: domain
                  type: string
                - name: root_domain
                  type: string
                - name: sld
                  type: string
                - name: tld
                  type: string
                - name: valid
                  type: boolean
            - name: email
              type: string
              indicators:
                - email
            - name: local_part
              type: string
        - name: date
          type: timestamp
          timeFormats:
            - rfc3339
        - name: date_original_offset
          type: bigint
        - name: hops
          type: array
          element:
            type: object
            fields:
                - name: received_spf
                  type: object
                  fields:
                    - name: client_ip
                      type: object
                      fields:
                        - name: ip
                          type: string
                          indicators:
                            - ip
                    - name: description
                      type: string
                    - name: designator
                      type: string
                    - name: server
                      type: object
                      fields:
                        - name: domain
                          type: string
                        - name: root_domain
                          type: string
                        - name: sld
                          type: string
                        - name: tld
                          type: string
                        - name: valid
                          type: boolean
                    - name: verdict
                      type: string
                - name: authentication_results
                  type: object
                  fields:
                    - name: dmarc
                      type: string
                    - name: dmarc_details
                      type: object
                      fields:
                        - name: action
                          type: string
                        - name: disposition
                          type: string
                        - name: policy
                          type: string
                        - name: sub_policy
                          type: string
                        - name: from
                          type: object
                          fields:
                            - name: subdomain
                              type: string
                            - name: domain
                              type: string
                            - name: root_domain
                              type: string
                            - name: sld
                              type: string
                            - name: tld
                              type: string
                            - name: valid
                              type: boolean
                        - name: verdict
                          type: string
                    - name: dkim
                      type: string
                    - name: dkim_details
                      type: array
                      element:
                        type: object
                        fields:
                            - name: domain
                              type: string
                            - name: instance
                              type: string
                            - name: selector
                              type: string
                            - name: signature
                              type: string
                            - name: type
                              type: string
                    - name: instance
                      type: bigint
                    - name: server
                      type: object
                      fields:
                        - name: domain
                          type: string
                        - name: root_domain
                          type: string
                        - name: sld
                          type: string
                        - name: subdomain
                          type: string
                        - name: tld
                          type: string
                        - name: valid
                          type: boolean
                    - name: spf
                      type: string
                    - name: spf_details
                      type: object
                      fields:
                        - name: client_ip
                          type: object
                          fields:
                            - name: ip
                              type: string
                              indicators:
                                - ip
                        - name: description
                          type: string
                        - name: designator
                          type: string
                          indicators:
                            - email
                        - name: server
                          type: object
                          fields:
                            - name: domain
                              type: string
                            - name: root_domain
                              type: string
                            - name: sld
                              type: string
                            - name: tld
                              type: string
                            - name: valid
                              type: boolean
                        - name: verdict
                          type: string
                    - name: type
                      type: string
                - name: received
                  type: object
                  fields:
                    - name: link
                      type: object
                      fields:
                        - name: raw
                          type: string
                    - name: mailbox
                      type: object
                      fields:
                        - name: raw
                          type: string
                          indicators:
                            - email
                    - name: additional
                      type: object
                      fields:
                        - name: raw
                          type: string
                          indicators:
                            - email
                    - name: source
                      type: object
                      fields:
                        - name: raw
                          type: string
                          indicators:
                            - ip
                    - name: id
                      type: object
                      fields:
                        - name: raw
                          type: string
                          indicators:
                            - email
                    - name: protocol
                      type: object
                      fields:
                        - name: raw
                          type: string
                    - name: server
                      type: object
                      fields:
                        - name: raw
                          type: string
                          indicators:
                            - ip
                    - name: time
                      type: timestamp
                      timeFormats:
                        - rfc3339
                    - name: zone_offset
                      type: bigint
                - name: signature
                  type: object
                  fields:
                    - name: version
                      type: bigint
                    - name: instance
                      type: string
                    - name: algorithm
                      type: string
                    - name: body_hash
                      type: string
                    - name: domain
                      type: string
                    - name: headers
                      type: string
                    - name: selector
                      type: string
                    - name: signature
                      type: string
                    - name: type
                      type: string
                - name: fields
                  type: array
                  element:
                    type: object
                    fields:
                        - name: name
                          type: string
                        - name: position
                          type: bigint
                        - name: value
                          type: string
                          indicators:
                            - email
                            - ip
                - name: index
                  type: bigint
        - name: message_id
          type: string
          indicators:
            - email
    - name: mailbox
      required: true
      type: object
      fields:
        - name: email
          type: object
          fields:
            - name: domain
              type: object
              fields:
                - name: domain
                  type: string
                - name: root_domain
                  type: string
                - name: sld
                  type: string
                - name: tld
                  type: string
                - name: valid
                  type: boolean
            - name: email
              type: string
              indicators:
                - email
            - name: local_part
              type: string
    - name: recipients
      required: true
      type: object
      fields:
        - name: bcc
          type: array
          element:
            type: object
            fields:
                - name: email
                  type: object
                  fields:
                    - name: domain
                      type: object
                      fields:
                        - name: domain
                          type: string
                        - name: root_domain
                          type: string
                        - name: sld
                          type: string
                        - name: tld
                          type: string
                        - name: valid
                          type: boolean
                    - name: email
                      type: string
                      indicators:
                        - email
                    - name: local_part
                      type: string
        - name: cc
          type: array
          element:
            type: object
            fields:
                - name: display_name
                  type: string
                  indicators:
                    - email
                - name: email
                  type: object
                  fields:
                    - name: domain
                      type: object
                      fields:
                        - name: domain
                          type: string
                        - name: root_domain
                          type: string
                        - name: sld
                          type: string
                        - name: tld
                          type: string
                        - name: valid
                          type: boolean
                    - name: email
                      type: string
                      indicators:
                        - email
                    - name: local_part
                      type: string
        - name: to
          type: array
          element:
            type: object
            fields:
                - name: display_name
                  type: string
                  indicators:
                    - email
                - name: email
                  type: object
                  fields:
                    - name: domain
                      type: object
                      fields:
                        - name: subdomain
                          type: string
                        - name: root_domain
                          type: string
                        - name: sld
                          type: string
                        - name: tld
                          type: string
                        - name: domain
                          type: string
                        - name: valid
                          type: boolean
                    - name: email
                      type: string
                      indicators:
                        - email
                    - name: local_part
                      type: string
                      indicators:
                        - sha256
    - name: sender
      required: true
      type: object
      fields:
        - name: display_name
          type: string
          indicators:
            - email
        - name: email
          type: object
          fields:
            - name: domain
              type: object
              fields:
                - name: subdomain
                  type: string
                - name: domain
                  type: string
                - name: root_domain
                  type: string
                - name: sld
                  type: string
                - name: tld
                  type: string
                - name: valid
                  type: boolean
            - name: email
              type: string
              indicators:
                - email
            - name: local_part
              type: string
    - name: subject
      required: true
      type: object
      fields:
        - name: subject
          type: string
    - name: type
      required: true
      type: object
      fields:
        - name: inbound
          type: boolean

Last updated

Was this helpful?

#2402: Closed beta: AI Event Summaries

Change request updated