Connecting Sublime Security logs in your Panther Console
Overview
Panther supports ingesting Sublime Security audit logs, messages with rule matches (also known as Message Events), and all messages in the Message Data Model (MDM) format via AWS S3.
How to onboard Sublime Security logs to Panther
Step 1: Create a Sublime Security log source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Sublime Security," then click its tile.
In the upper-right corner of the slide-out panel, click Start Setup.
```yaml
# Code generated by Panther; DO NOT EDIT. (@generated)
schema: Sublime.Audit
description: Audit logs from Sublime
referenceURL: https://docs.sublimesecurity.com/docs/export-audit-logs-and-message-events#example-audit-logs
fields:
  - name: created_at
    required: true
    description: The time the audit log was created.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: created_by
    required: true
    description: The user that created the audit log.
    type: object
    fields:
      - name: active
        description: Whether the user is currently active.
        type: boolean
      - name: created_at
        description: When the user was created.
        type: timestamp
        timeFormats:
          - rfc3339
      - name: email_address
        description: The user's email address.
        type: string
        indicators:
          - email
      - name: first_name
        description: The user's first name.
        type: string
      - name: google_oauth_user_id
        description: The user's Google OAuth user ID.
        type: float
      - name: id
        description: The user's unique Sublime ID.
        type: string
      - name: is_enrolled
        description: Whether the user is enrolled.
        type: boolean
      - name: last_name
        description: The user's last name.
        type: string
      - name: microsoft_oauth_user_id
        description: The user's Microsoft OAuth user ID.
        type: string
      - name: role
        description: The user's assigned role.
        type: string
      - name: updated_at
        description: The last time the user was updated.
        type: timestamp
        timeFormats:
          - rfc3339
        indicators:
          - email
  - name: data
    required: true
    description: The details of the activity that occurred.
    type: object
    fields:
      - name: message
        description: A unique message ID.
        type: object
        fields:
          - name: external_id
            description: An external ID.
            type: string
          - name: id
            description: A unique message ID.
            type: string
          - name: message_group
            description: The SHA256 hash of the message group.
            type: object
            fields:
              - name: id
                description: The SHA256 hash of the message group.
                type: string
                indicators:
                  - sha256
      - name: request
        required: true
        description: Specific details about the request being made.
        type: object
        fields:
          - name: query
            description: The parameters of the query being made.
            type: object
            fields:
              - name: attachment_md5
                description: Specifies MD5 hash of attachments.
                type: string
              - name: attachment_sha1
                description: Specifies SHA1 hash of attachments.
                type: string
              - name: attachment_sha256
                description: Specifies SHA256 hash of attachments.
                type: string
              - name: created_at[gte]
                description: Specifies to only return results created after this time.
                type: timestamp
                timeFormats:
                  - rfc3339
              - name: created_at[lte]
                description: Specifies to only return results created before this time.
                type: timestamp
                timeFormats:
                  - rfc3339
              - name: fetch_all_ids
                description: Specifies whether to fetch all IDs or not.
                type: boolean
              - name: file_name
                description: Specifies file name of results to return.
                type: string
              - name: from
                description: Specifies the from email address to return.
                type: string
                indicators:
                  - email
              - name: limit
                description: Specifies the maximum number of results to return.
                type: bigint
              - name: mailbox
                description: Specifies which mailbox to return results from.
                type: string
              - name: message_id
                description: Specifies which message ID to return.
                type: string
              - name: offset
                description: Specifies an offset of results to return.
                type: bigint
              - name: subject
                description: Specifies email subject lines to return.
                type: string
              - name: to
                description: Specifies the to email address to return.
                type: string
              - name: limit_size
                description: Specifies whether to limit the size or not.
                type: boolean
          - name: authentication_method
            description: How the user was authenticated.
            type: string
          - name: body
            description: The body of the request.
            type: string
          - name: id
            required: true
            description: The unique ID of the request being made.
            type: string
          - name: ip
            description: The IP address the request was made from.
            type: string
            indicators:
              - ip
          - name: method
            description: The HTTP method of the request.
            type: string
          - name: path
            description: The URL path of the request.
            type: string
          - name: user_agent
            description: The user agent making the request.
            type: string
  - name: id
    description: The unique ID of the audit log.
    type: string
  - name: type
    description: The type of activity being recorded.
    type: string
```
```yaml
# Code generated by Panther; DO NOT EDIT. (@generated)
schema: Sublime.MessageEvent
description: Message Events from Sublime
referenceURL: https://docs.sublimesecurity.com/docs/export-audit-logs-and-message-events#example-message-events
fields:
  - name: created_at
    required: true
    description: The timestamp of the flagged message event.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: data
    required: true
    description: Additional information about the flagged message event.
    type: object
    fields:
      - name: flagged_rules
        required: true
        description: The list of rules that have been flagged.
        type: array
        element:
          type: object
          fields:
            - name: attack_types
              description: The type of attack detected by the rule.
              type: array
              element:
                type: string
            - name: detection_methods
              description: How the rule detected an issue.
              type: array
              element:
                type: string
            - name: id
              description: The ID of the flagged rule.
              type: string
            - name: label
              description: The label of the flagged rule.
              type: string
            - name: name
              description: The name of the flagged rule.
              type: string
            - name: severity
              description: The severity of the rule finding.
              type: string
            - name: tags
              description: The tags of the flagged rule.
              type: array
              element:
                type: string
            - name: tactics_and_techniques
              description: The tactics and techniques mapped to this rule finding.
              type: array
              element:
                type: string
      - name: message
        description: The unique identifiers of the entities involved with the flagged rules.
        type: object
        fields:
          - name: canonical_id
            description: The canonical ID, which is a SHA256 hash.
            type: string
            indicators:
              - sha256
          - name: external_id
            description: The external ID of the message.
            type: string
          - name: id
            description: The ID of the message.
            type: string
          - name: landed_in_spam
            description: Whether the message went to the spam inbox.
            type: boolean
          - name: mailbox
            description: The ID of the mailbox the message is from.
            type: object
            fields:
              - name: external_id
                description: An external ID.
                type: string
              - name: id
                description: A unique message ID.
                type: string
          - name: message_source_id
            description: The ID of the message source.
            type: string
      - name: triggered_actions
        description: The actions triggered by the flagged rules.
        type: json
  - name: type
    required: true
    description: The type of messages being flagged.
    type: string
```
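Once the log source is onboarded, the Sublime.MessageEvent fields above are what a Panther Python detection sees. The following is an added example, not Panther's or Sublime's own code: a Panther-style rule that fires on a high-severity rule match that Sublime did not act on and that was not sent to spam. The severity labels "high"/"critical", the shape of triggered_actions (a list or null) and the sample event are assumptions.

```python
"""Panther-style detection rule over Sublime.MessageEvent logs.

Added example, not code from Panther or Sublime. It follows the field layout of
the Sublime.MessageEvent schema; the severity labels "high"/"critical" and the
shape of triggered_actions (a list of actions, or null) are assumptions.
"""
from typing import Any, Dict, List

HIGH_SEVERITIES = {"high", "critical"}  # assumed Sublime severity labels


def flagged_high_severity_rules(event: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the flagged rules whose severity is high or critical."""
    rules = (event.get("data") or {}).get("flagged_rules") or []
    return [r for r in rules if str(r.get("severity", "")).lower() in HIGH_SEVERITIES]


def rule(event: Dict[str, Any]) -> bool:
    """Fire when a high/critical rule matched but Sublime took no action
    (triggered_actions empty or null) and the message was not diverted to spam,
    i.e. the message is probably sitting in a user's inbox."""
    if not flagged_high_severity_rules(event):
        return False
    data = event.get("data") or {}
    if data.get("triggered_actions"):  # typed json: tolerate null, list or dict
        return False
    message = data.get("message") or {}
    return not message.get("landed_in_spam", False)


def title(event: Dict[str, Any]) -> str:
    """Alert title naming the matched rules and the affected mailbox."""
    names = sorted(r.get("name", "unknown") for r in flagged_high_severity_rules(event))
    mailbox = ((event.get("data") or {}).get("message") or {}).get("mailbox") or {}
    return f"Sublime: [{', '.join(names)}] in mailbox {mailbox.get('id', 'unknown')}, no action taken"


# Constructed sample event (not real data) in the Sublime.MessageEvent layout
SAMPLE_EVENT: Dict[str, Any] = {
    "created_at": "2024-01-01T00:00:00Z",
    "data": {
        "flagged_rules": [
            {"id": "rule-1", "name": "Credential phishing: fake login page", "severity": "high"},
            {"id": "rule-2", "name": "Link: URL shortener", "severity": "low"},
        ],
        "message": {"id": "msg-1", "landed_in_spam": False, "mailbox": {"id": "mbx-42"}},
        "triggered_actions": None,
    },
}
```

In a real Panther rule the `event` argument is Panther's event object, which supports the same `.get` access used here.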