Sublime Security Logs
Connecting Sublime Security logs in your Panther Console
Overview
Panther supports ingesting Sublime Security audit logs, messages with rule matches (also known as Message Events), and all messages in the Message Data Model (MDM) format into Panther via AWS S3.
How to onboard Sublime Security logs to Panther
Step 1: Create a Sublime Security log source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Sublime Security," then click its tile.
In the upper-right corner of the slide-out panel, click Start Setup.
Step 2: Export Sublime Security logs to S3
Panther-managed detections
See Panther-managed rules for Sublime Security in the panther-analysis GitHub repository.
Supported log types
Sublime.Audit
# Code generated by Panther; DO NOT EDIT. (@generated)
schema: Sublime.Audit
description: Audit logs from Sublime
referenceURL: https://docs.sublimesecurity.com/docs/export-audit-logs-and-message-events#example-audit-logs
fields:
- name: created_at
required: true
description: The time the audit log was created.
type: timestamp
timeFormats:
- rfc3339
isEventTime: true
- name: created_by
required: true
description: The user that created the audit log.
type: object
fields:
- name: active
description: Whether the user is currently active.
type: boolean
- name: created_at
description: When the user was created.
type: timestamp
timeFormats:
- rfc3339
- name: email_address
description: The users email address.
type: string
indicators:
- email
- name: first_name
description: The users first name.'
type: string
- name: google_oauth_user_id
description: The users google oauth user ID.
type: float
- name: id
description: The users unique Sublime ID.
type: string
- name: is_enrolled
description: Whether the user is enrolled.
type: boolean
- name: last_name
description: The users last name.'
type: string
- name: microsoft_oauth_user_id
description: The users Microsoft oauth user ID.
type: string
- name: role
description: The users assigned role.
type: string
- name: updated_at
description: The last time the user was updated.
type: timestamp
timeFormats:
- rfc3339
indicators:
- email
- name: data
required: true
description: The details of the activity that occurred.
type: object
fields:
- name: message
description: A unique message ID.
type: object
fields:
- name: external_id
description: An external ID.
type: string
- name: id
description: A unique message ID.
type: string
- name: message_group
description: The SHA256 hash of the message group.
type: object
fields:
- name: id
description: The SHA256 hash of the message group.
type: string
indicators:
- sha256
- name: request
required: true
description: Specific details about the request being made.
type: object
fields:
- name: query
description: The parameters of the query being made.
type: object
fields:
- name: attachment_md5
description: Specifies MD5 hash of attachments.
type: string
- name: attachment_sha1
description: Specifies SHA1 hash of attachments.
type: string
- name: attachment_sha256
description: Specifies SHA256 hash of attachments.
type: string
- name: created_at[gte]
description: Specifies to only return results created after this time.
type: timestamp
timeFormats:
- rfc3339
- name: created_at[lte]
description: Specifies to only return results created before this time.
type: timestamp
timeFormats:
- rfc3339
- name: fetch_all_ids
description: Specifies whether to fetch all IDs or not
type: boolean
- name: file_name
description: Specifies file name of results to return.
type: string
- name: from
description: Specifies the from email address to return.
type: string
indicators:
- email
- name: limit
description: Specifies the maximum number of results to return.
type: bigint
- name: mailbox
description: Specifies which mailbox to return results from.
type: string
- name: message_id
description: Specifies which message ID to return.
type: string
- name: offset
description: Specifies an offset of results to return.
type: bigint
- name: subject
description: Specifies email subject lines to return.
type: string
- name: to
description: Specifies the to email address to return.
type: string
- name: limit_size
description: Specifies whether to limit the size or not.
type: boolean
- name: authentication_method
description: How the user was authenticated.
type: string
- name: body
description: The body of the request.
type: string
- name: id
required: true
description: The unique ID of the request being made.
type: string
- name: ip
description: The IP address the request was made from.
type: string
indicators:
- ip
- name: method
description: The HTTP method the request of the request.
type: string
- name: path
description: The URL path of the request.
type: string
- name: user_agent
description: The user agent making the request.
type: string
- name: id
description: The unique ID of the audit log.
type: string
- name: type
description: The type of activity being recorded.
type: stringSublime.MessageEvent
# Code generated by Panther; DO NOT EDIT. (@generated)
schema: Sublime.MessageEvent
description: Message Events from Sublime
referenceURL: https://docs.sublimesecurity.com/docs/export-audit-logs-and-message-events#example-message-events
fields:
- name: created_at
required: true
description: The timestamp of the flagged message event.
type: timestamp
timeFormats:
- rfc3339
isEventTime: true
- name: data
required: true
description: Additional information about the flagged message event.
type: object
fields:
- name: flagged_rules
required: true
description: The list of rules that have been flagged.
type: array
element:
type: object
fields:
- name: attack_types
description: The type of attack detected by the rule.
type: array
element:
type: string
- name: detection_methods
description: How the rule detected an issue.
type: array
element:
type: string
- name: id
description: The ID of the flagged rule.
type: string
- name: label
description: The label of the flagged rule.
type: string
- name: name
description: The name of the flagged rule.
type: string
- name: severity
description: The severity of the rule finding.
type: string
- name: tags
description: The tags of the flagged rule.
type: array
element:
type: string
- name: tactics_and_techniques
description: The tactics and techniques mapped to this rule finding.
type: array
element:
type: string
- name: message
description: The unique identifiers of the entities involved with the flagged rules.
type: object
fields:
- name: canonical_id
description: The canonical ID, which is a SHA256 hash.
type: string
indicators:
- sha256
- name: external_id
description: The external ID of the message.
type: string
- name: id
description: The ID of the message.
type: string
- name: landed_in_spam
description: Whether the message went to the spam inbox.
type: boolean
- name: mailbox
description: The ID of the mailbox the message is from.
type: object
fields:
- name: external_id
description: An external ID.
type: string
- name: id
description: A unique message ID.
type: string
- name: message_source_id
description: The ID of the message source.
type: string
- name: triggered_actions
description: The actions triggered by the flagged rules
type: json
- name: type
required: true
description: The type of messages being flagged.
type: stringSublime.MDM
# Code generated by Panther; DO NOT EDIT. (@generated)
schema: Sublime.MDM
description: Message data model logs from Sublime
referenceURL: https://docs.sublimesecurity.com/docs/mdm
fields:
- name: _errors
type: array
element:
type: object
fields:
- name: field
type: string
- name: message
type: string
- name: type
type: string
- name: _meta
required: true
type: object
fields:
- name: canonical_id
type: string
indicators:
- sha256
- name: created_at
type: timestamp
timeFormats:
- rfc3339
- name: effective_at
type: timestamp
timeFormats:
- rfc3339
- name: id
type: string
- name: attachments
type: array
element:
type: object
fields:
- name: content_id
type: string
- name: content_transfer_encoding
type: string
- name: content_type
type: string
- name: file_extension
type: string
- name: file_name
type: string
- name: file_type
type: string
- name: md5
type: string
- name: raw
type: string
- name: sha1
type: string
indicators:
- sha1
- name: sha256
type: string
indicators:
- sha256
- name: size
type: bigint
- name: body
required: true
type: object
fields:
- name: ips
type: array
element:
type: object
fields:
- name: ip
type: string
indicators:
- ip
- name: plain
type: object
fields:
- name: content_transfer_encoding
type: string
- name: charset
type: string
- name: raw
type: string
- name: links
type: array
element:
type: object
fields:
- name: mismatched
type: boolean
- name: display_url
type: object
fields:
- name: password
type: string
- name: fragment
type: string
- name: username
type: string
indicators:
- username
- name: query_params
type: string
- name: path
type: string
- name: domain
type: object
fields:
- name: subdomain
type: string
- name: domain
type: string
- name: root_domain
type: string
- name: sld
type: string
- name: tld
type: string
- name: valid
type: boolean
- name: scheme
type: string
- name: url
type: string
indicators:
- url
- name: display_text
type: string
- name: href_url
type: object
fields:
- name: password
type: string
- name: username
type: string
- name: rewrite
type: object
fields:
- name: encoders
type: array
element:
type: string
- name: original
type: string
indicators:
- url
- name: fragment
type: string
- name: query_params
type: string
- name: path
type: string
- name: domain
type: object
fields:
- name: subdomain
type: string
- name: domain
type: string
- name: root_domain
type: string
- name: sld
type: string
- name: tld
type: string
- name: valid
type: boolean
- name: scheme
type: string
- name: url
type: string
indicators:
- url
- name: html
type: object
fields:
- name: content_transfer_encoding
type: string
- name: charset
type: string
- name: display_text
type: string
- name: inner_text
type: string
- name: raw
type: string
- name: current_thread
type: object
fields:
- name: text
type: string
- name: external
required: true
type: object
fields:
- name: created_at
type: timestamp
timeFormats:
- rfc3339
isEventTime: true
- name: message_id
type: bigint
- name: route_type
type: string
- name: spam
type: boolean
- name: headers
required: true
type: object
fields:
- name: x_sender
type: object
fields:
- name: domain
type: object
fields:
- name: domain
type: string
- name: root_domain
type: string
- name: sld
type: string
- name: tld
type: string
- name: valid
type: boolean
- name: email
type: string
indicators:
- email
- name: local_part
type: string
- name: in_reply_to
type: string
indicators:
- email
- name: references
type: array
element:
type: string
indicators:
- email
- name: reply_to
type: array
element:
type: object
fields:
- name: display_name
type: string
- name: email
type: object
fields:
- name: domain
type: object
fields:
- name: subdomain
type: string
- name: domain
type: string
- name: root_domain
type: string
- name: sld
type: string
- name: tld
type: string
- name: valid
type: boolean
- name: email
type: string
indicators:
- email
- name: local_part
type: string
indicators:
- sha256
- name: mailer
type: string
- name: ips
type: array
element:
type: object
fields:
- name: ip
type: string
indicators:
- ip
- name: auth_summary
type: object
fields:
- name: dmarc
type: object
fields:
- name: pass
type: boolean
- name: details
type: object
fields:
- name: action
type: string
- name: disposition
type: string
- name: policy
type: string
- name: sub_policy
type: string
- name: from
type: object
fields:
- name: subdomain
type: string
- name: domain
type: string
- name: root_domain
type: string
- name: sld
type: string
- name: tld
type: string
- name: valid
type: boolean
- name: verdict
type: string
- name: received_hop
type: bigint
- name: spf
type: object
fields:
- name: error
type: boolean
- name: pass
type: boolean
- name: details
type: object
fields:
- name: client_ip
type: object
fields:
- name: ip
type: string
indicators:
- ip
- name: server
type: object
fields:
- name: domain
type: string
- name: root_domain
type: string
- name: sld
type: string
- name: tld
type: string
- name: valid
type: boolean
- name: description
type: string
- name: designator
type: string
- name: verdict
type: string
- name: received_hop
type: bigint
- name: delivered_to
type: object
fields:
- name: domain
type: object
fields:
- name: domain
type: string
- name: root_domain
type: string
- name: sld
type: string
- name: tld
type: string
- name: valid
type: boolean
- name: email
type: string
indicators:
- email
- name: local_part
type: string
- name: domains
type: array
element:
type: object
fields:
- name: subdomain
type: string
- name: domain
type: string
- name: root_domain
type: string
- name: sld
type: string
- name: tld
type: string
- name: valid
type: boolean
- name: return_path
type: object
fields:
- name: domain
type: object
fields:
- name: subdomain
type: string
- name: domain
type: string
- name: root_domain
type: string
- name: sld
type: string
- name: tld
type: string
- name: valid
type: boolean
- name: email
type: string
indicators:
- email
- name: local_part
type: string
- name: date
type: timestamp
timeFormats:
- rfc3339
- name: date_original_offset
type: bigint
- name: hops
type: array
element:
type: object
fields:
- name: received_spf
type: object
fields:
- name: client_ip
type: object
fields:
- name: ip
type: string
indicators:
- ip
- name: description
type: string
- name: designator
type: string
- name: server
type: object
fields:
- name: domain
type: string
- name: root_domain
type: string
- name: sld
type: string
- name: tld
type: string
- name: valid
type: boolean
- name: verdict
type: string
- name: authentication_results
type: object
fields:
- name: dmarc
type: string
- name: dmarc_details
type: object
fields:
- name: action
type: string
- name: disposition
type: string
- name: policy
type: string
- name: sub_policy
type: string
- name: from
type: object
fields:
- name: subdomain
type: string
- name: domain
type: string
- name: root_domain
type: string
- name: sld
type: string
- name: tld
type: string
- name: valid
type: boolean
- name: verdict
type: string
- name: dkim
type: string
- name: dkim_details
type: array
element:
type: object
fields:
- name: domain
type: string
- name: instance
type: string
- name: selector
type: string
- name: signature
type: string
- name: type
type: string
- name: instance
type: bigint
- name: server
type: object
fields:
- name: domain
type: string
- name: root_domain
type: string
- name: sld
type: string
- name: subdomain
type: string
- name: tld
type: string
- name: valid
type: boolean
- name: spf
type: string
- name: spf_details
type: object
fields:
- name: client_ip
type: object
fields:
- name: ip
type: string
indicators:
- ip
- name: description
type: string
- name: designator
type: string
indicators:
- email
- name: server
type: object
fields:
- name: domain
type: string
- name: root_domain
type: string
- name: sld
type: string
- name: tld
type: string
- name: valid
type: boolean
- name: verdict
type: string
- name: type
type: string
- name: received
type: object
fields:
- name: link
type: object
fields:
- name: raw
type: string
- name: mailbox
type: object
fields:
- name: raw
type: string
indicators:
- email
- name: additional
type: object
fields:
- name: raw
type: string
indicators:
- email
- name: source
type: object
fields:
- name: raw
type: string
indicators:
- ip
- name: id
type: object
fields:
- name: raw
type: string
indicators:
- email
- name: protocol
type: object
fields:
- name: raw
type: string
- name: server
type: object
fields:
- name: raw
type: string
indicators:
- ip
- name: time
type: timestamp
timeFormats:
- rfc3339
- name: zone_offset
type: bigint
- name: signature
type: object
fields:
- name: version
type: bigint
- name: instance
type: string
- name: algorithm
type: string
- name: body_hash
type: string
- name: domain
type: string
- name: headers
type: string
- name: selector
type: string
- name: signature
type: string
- name: type
type: string
- name: fields
type: array
element:
type: object
fields:
- name: name
type: string
- name: position
type: bigint
- name: value
type: string
indicators:
- email
- ip
- name: index
type: bigint
- name: message_id
type: string
indicators:
- email
- name: mailbox
required: true
type: object
fields:
- name: email
type: object
fields:
- name: domain
type: object
fields:
- name: domain
type: string
- name: root_domain
type: string
- name: sld
type: string
- name: tld
type: string
- name: valid
type: boolean
- name: email
type: string
indicators:
- email
- name: local_part
type: string
- name: recipients
required: true
type: object
fields:
- name: bcc
type: array
element:
type: object
fields:
- name: email
type: object
fields:
- name: domain
type: object
fields:
- name: domain
type: string
- name: root_domain
type: string
- name: sld
type: string
- name: tld
type: string
- name: valid
type: boolean
- name: email
type: string
indicators:
- email
- name: local_part
type: string
- name: cc
type: array
element:
type: object
fields:
- name: display_name
type: string
indicators:
- email
- name: email
type: object
fields:
- name: domain
type: object
fields:
- name: domain
type: string
- name: root_domain
type: string
- name: sld
type: string
- name: tld
type: string
- name: valid
type: boolean
- name: email
type: string
indicators:
- email
- name: local_part
type: string
- name: to
type: array
element:
type: object
fields:
- name: display_name
type: string
indicators:
- email
- name: email
type: object
fields:
- name: domain
type: object
fields:
- name: subdomain
type: string
- name: root_domain
type: string
- name: sld
type: string
- name: tld
type: string
- name: domain
type: string
- name: valid
type: boolean
- name: email
type: string
indicators:
- email
- name: local_part
type: string
indicators:
- sha256
- name: sender
required: true
type: object
fields:
- name: display_name
type: string
indicators:
- email
- name: email
type: object
fields:
- name: domain
type: object
fields:
- name: subdomain
type: string
- name: domain
type: string
- name: root_domain
type: string
- name: sld
type: string
- name: tld
type: string
- name: valid
type: boolean
- name: email
type: string
indicators:
- email
- name: local_part
type: string
- name: subject
required: true
type: object
fields:
- name: subject
type: string
- name: type
required: true
type: object
fields:
- name: inbound
type: booleanLast updated
Was this helpful?