### Install Sublime CLI Source: https://docs.sublime.security/reference/analysis-api-quickstart Installs the Sublime CLI tool using pip. This is a prerequisite for using the command-line interface to analyze email messages. ```console pip3 install sublime-cli ``` -------------------------------- ### Clone Sublime Rules Repository Source: https://docs.sublime.security/reference/analysis-api-quickstart Clones the official Sublime Security rules repository from GitHub. This repository contains example detection rules and email files for testing. ```console git clone https://github.com/sublime-security/sublime-rules.git ``` -------------------------------- ### Sublime Python Module Analysis Response Example Source: https://docs.sublime.security/reference/analysis-api-quickstart An example JSON structure representing the response from the Sublime Python module after analyzing an email. It includes details about rule execution and any identified issues. ```json { 'message_id': '6c5aa82e-c352-4719-8bfa-68dbe3a242b2', 'raw_message_id': 'e6665d0e-36d9-49af-b60d-5b4a651f2c7a', 'query_results': [], 'rule_results': [{ 'source': "type.inbound\nand headers.return_path.domain.domain == 'sendgrid.net'\nand ilike(subject.subject, '*voicemail*', '*voice message*')\n", 'name': 'Sendgrid voicemail phish', 'result': False, 'success': True, 'error': '', 'execution_time': 0.000343902 }] } ``` -------------------------------- ### Example cURL Request for Fetching Message Metadata Source: https://docs.sublime.security/reference/authentication An example cURL command demonstrating how to fetch message metadata using API key authentication. It includes the necessary Authorization header and the target API endpoint. ```bash curl \ -H "Authorization: Bearer st4o9hnkltjxpz1dcjo1guga8304hjq8ingb6sx3ldyj96isg8k0xg5749jlusiy" \ https://example.sublime.security/v0/messages/3391c0e4-2d7e-4eaa-841c-2d5f7146759e ``` -------------------------------- ### Install Sublime CLI Source: https://docs.sublime.security/reference/analysis-api-python-module Command to install or upgrade the Sublime Security Command Line Interface (CLI) using pip. ```console pip3 install sublime-cli --upgrade ``` -------------------------------- ### GET /v0/rules Source: https://docs.sublime.security/reference/listrules-1 Retrieves a list of rules, with options for filtering, pagination, and searching. ```APIDOC ## GET /v0/rules ### Description Retrieves a list of rules, with options for filtering, pagination, and searching. ### Method GET ### Endpoint /v0/rules ### Parameters #### Query Parameters - **in_feed** (boolean) - Optional - Restrict to rules that are explicitly in or not in a feed - **limit** (integer) - Optional - The maximum number of entries to return. Maximum value is 500. (default: 50) - **offset** (integer) - Optional - The (zero-based) offset of the first rule to return (default: 0) - **search** (string) - Optional - Search for matching case-insensitive substring across rule name, description, and MQL source ### Response #### Success Response (200) - **count** (integer) - Count of results for this page - **rules** (array) - List of rules - **active** (boolean) - Indicates whether or not the rule is active and will flag matching messages - **created_at** (string) - Rule creation time (date-time) - **description** (string) - Description of rule - **id** (string) - Rule ID (uuid) - **name** (string) - Rule name - **references** (array) - URLs of reference resources for this rule - (string) - **severity** (string) - Rule severity (enum: informational, low, medium, high, critical) - **source** (string) - Rule MQL (Message Query Language) source - **tags** (array) - Freeform tags for this rule (for example, "Executive Impersonation") - (string) - **updated_at** (string) - Rule last updated time (date-time) - **total** (integer) - Total number of results available #### Response Example ```json { "count": 10, "rules": [ { "id": "a1b2c3d4-e5f6-7890-1234-567890abcdef", "name": "Suspicious Login Activity", "description": "Detects logins from unusual geographic locations or at unusual times.", "source": "event.type = 'login' and event.geo.country != 'US'", "severity": "medium", "active": true, "created_at": "2023-10-27T10:00:00Z", "updated_at": "2023-10-27T10:00:00Z", "tags": ["Security", "Monitoring"], "references": ["https://example.com/docs/suspicious-logins"] } ], "total": 100 } ``` ``` -------------------------------- ### GET /{email} Source: https://docs.sublime.security/reference/get_-email Queries a specific email address to retrieve its reputation, suspiciousness, and other details based on various data sources. ```APIDOC ## GET /{email} ### Description Queries a specific email address to retrieve its reputation, suspiciousness, and other details based on various data sources. ### Method GET ### Endpoint `/{email}` ### Parameters #### Path Parameters - **email** (string) - Required - Email address being queried #### Query Parameters - **summary** (boolean) - Optional - Return human-readable summary ### Request Example ```json { "example": "" } ``` ### Response #### Success Response (200) - **email** (string) - email address queried - **reputation** (string) - high/medium/low/none - **suspicious** (boolean) - whether the email address should be treated as suspicious or risky - **references** (integer) - total number of positive and negative sources of reputation. note that these may not all be direct references to the email address, but can include reputation sources for the domain or other related information - **details** (object) - object containing detailed reputation information - **blacklisted** (boolean) - the email is believed to be malicious or spammy - **malicious_activity** (boolean) - the email has exhibited malicious behavior (e.g. phishing or fraud) - **malicious_activity_recent** (boolean) - malicious behavior in the last 90 days (e.g. in the case of temporal account takeovers) - **credentials_leaked** (boolean) - credentials were leaked at some point in time (e.g. a data breach, pastebin, dark web, etc.) - **credentials_leaked_recent** (boolean) - credentials were leaked in the last 90 days - **data_breach** (boolean) - the email was in a data breach at some point in time - **first_seen** (string) - the first date the email was observed in a breach, credential leak, or exhibiting malicious or spammy behavior ('never' if never seen) - **last_seen** (string) - the last date the email was observed in a breach, credential leak, or exhibiting malicious or spammy behavior ('never' if never seen) #### Response Example ```json { "email": "bill@microsoft.com", "reputation": "high", "suspicious": false, "references": 59, "details": { "blacklisted": false, "malicious_activity": false, "malicious_activity_recent": false, "credentials_leaked": true, "credentials_leaked_recent": false, "data_breach": true, "first_seen": "07/01/2008", "last_seen": "02/25/2019" } } ``` #### Error Responses - **400**: Invalid email - **401**: Invalid api key (for authenticated requests) - **429**: Too many requests. Contact us for an api key ``` -------------------------------- ### Sublime CLI Version Check Source: https://docs.sublime.security/reference/analysis-api-python-module Command to display the currently installed version of the Sublime Security CLI. ```console sublime version ``` -------------------------------- ### Create MDM Command Help (Console) Source: https://docs.sublime.security/reference/analysis-api-cli Displays the help message for the 'create' subcommand, outlining options for input files, message types, output file naming, and format. ```bash Usage: sublime create [OPTIONS] Generate a Message Data Model from an EML or MSG. Options: -k, --api-key TEXT Key to include in API requests -i, --input FILENAME Input EML file [required] -t, --type [inbound|internal|outbound] Set the message type [default: inbound] -o, --output FILENAME Output file. Defaults to the input_file name in the current directory with a .mdm extension if none is specified -f, --format [json|txt] Output format [default: json] -m, --mailbox TEXT Mailbox email address that received the message -v, --verbose Verbose output -h, --help Show this message and exit. ``` -------------------------------- ### POST /v0/lists Source: https://docs.sublime.security/reference/createlist-1 Creates a new list with a specified name and description. ```APIDOC ## POST /v0/lists ### Description Create a list with a specified name and description. ### Method POST ### Endpoint /v0/lists ### Parameters #### Request Body - **name** (string) - Optional - Unique name used to reference the list in MQL - **description** (string) - Required - Description of list ### Request Example ```json { "name": "example_list", "description": "This is an example list." } ``` ### Response #### Success Response (200) - **created_at** (string) - List creation time - **description** (string) - Description of list - **editable** (boolean) - If the list may be edited. False for system lists. - **entry_type** (string) - Type of entry. Currently supported values are 'string', 'user_group' - **id** (string) - List ID - **name** (string) - Unique name used to reference the list in MQL - **updated_at** (string) - List last updated time #### Response Example ```json { "created_at": "2023-10-27T10:00:00Z", "description": "This is an example list.", "editable": true, "entry_type": "string", "id": "a1b2c3d4-e5f6-7890-1234-567890abcdef", "name": "example_list", "updated_at": "2023-10-27T10:00:00Z" } ``` ``` -------------------------------- ### Analyze Email with Sublime Python Module Source: https://docs.sublime.security/reference/analysis-api-quickstart Programmatically analyzes an email message using the Sublime Python module. It loads rules, queries, and the email content, then sends it to the Sublime client for analysis. Requires the 'sublime-cli' package to be installed. ```python import sublime sublime_client = sublime.Sublime() rules, queries = sublime.util.load_yml_path("sublime-rules/detection-rules/") raw_message = sublime.util.load_eml("sublime-rules/emls/reported_phish.eml") response = sublime_client.analyze_raw_message(raw_message, rules, queries) ``` -------------------------------- ### Analyze Email with Sublime CLI Source: https://docs.sublime.security/reference/analysis-api-quickstart Analyzes a specific email file ('reported_phish.eml') using detection rules from a specified directory. This command-line operation outputs the analysis results directly to the terminal. ```console sublime analyze -i sublime-rules/emls/reported_phish.eml -r sublime-rules/detection-rules/ ``` -------------------------------- ### GET /v0/message-groups/hunt/{id} Source: https://docs.sublime.security/reference/gethuntresults-1 Retrieves the results of a completed hunt. This endpoint is deprecated and users should migrate to GET /v0/hunt-jobs/:id. ```APIDOC ## GET /v0/message-groups/hunt/{id} ### Description Retrieves the results of a completed hunt. This endpoint is deprecated and users should migrate to GET /v0/hunt-jobs/:id. ### Method GET ### Endpoint /v0/message-groups/hunt/{id} ### Parameters #### Path Parameters - **id** (string) - Required - Task ID (uuid format) ### Request Example ```json { "example": "request body" } ``` ### Response #### Success Response (200) - **Handler_typesGetHuntResponse** (object) - The schema for the hunt results. #### Response Example ```json { "example": "response body" } ``` ``` -------------------------------- ### Sublime Platform API Overview Source: https://docs.sublime.security/reference/introduction This section provides an overview of the Sublime Platform API, including its capabilities, base URL structure, and usage with webhooks and request IDs. ```APIDOC ## Sublime Platform API ### Description The Sublime Platform API allows you to interact with your Sublime deployment programmatically. You can use it to trash malicious messages, update threat intelligence lists, and enrich alerts. ### Capabilities * Trash malicious messages from your SOAR * Update a List containing malicious attachment hashes using threat intel * Enrich alerts (e.g. a JIRA or ServiceNow ticket) with message metadata or screenshots ### Base URL Structure The Base URL depends on your deployment type and region. Examples include: * General: `https://platform.sublime.security/` * NA-East: `https://platform.sublimesecurity` * NA-West: `https://na-west.platform.sublime.security` * Canada: `https://ca.platform.sublime.security` * UK (London): `https://uk.platform.sublime.security` * Europe (Dublin): `https://eu.platform.sublime.security` * Australia: `https://au.platform.sublime.security` ### Webhooks Integration The Sublime API integrates with Sublime's webhooks to receive notifications for flagged messages and take automated actions. ### Request IDs Every API response includes an `X-Request-ID` header for support purposes. ``` -------------------------------- ### Sublime CLI Help Source: https://docs.sublime.security/reference/analysis-api-cli Displays the main help message for the Sublime CLI, listing available commands and general options. Use this to get an overview of the CLI's capabilities. ```bash Usage: sublime [OPTIONS] COMMAND [ARGS]... Sublime CLI. Options: -h, --help Show this message and exit. Commands: analyze Analyze a file or directory of EMLs, MSGs, MDMs, or MBOX files. create Create a Message Data Model from an EML or MSG. feedback Send feedback directly to the Sublime team. help Show this message and exit. me Get information about the currently authenticated Sublime user. repl Start an interactive shell. setup Configure defaults. version Get version and OS information for your Sublime commandline... ``` -------------------------------- ### GET /v0/lists/{id}/entries/entry Source: https://docs.sublime.security/reference/getlistentry-1 Retrieves a specific entry from a list if it exists. Requires the list ID and the string representation of the entry. ```APIDOC ## GET /v0/lists/{id}/entries/entry ### Description Retrieves a specific entry from a list if it exists. Requires the list ID and the string representation of the entry. ### Method GET ### Endpoint /v0/lists/{id}/entries/entry ### Parameters #### Path Parameters - **id** (string) - Required - List ID (format: uuid) #### Query Parameters - **string** (string) - Required - String list entry (maxLength: 2000) ### Request Example ```json { "example": "Not applicable for GET request" } ``` ### Response #### Success Response (200) - **string** (string) - The content of the list entry if found. #### Response Example ```json { "example": "entry_content_string" } ``` ``` -------------------------------- ### POST /v0/hunt-jobs Source: https://docs.sublime.security/reference/starthuntjob Starts a new hunt job. This endpoint allows you to initiate a search or analysis job within the Sublime platform, specifying parameters such as the time range, source query, and triage options. ```APIDOC ## POST /v0/hunt-jobs ### Description Starts a new hunt job. This endpoint allows you to initiate a search or analysis job within the Sublime platform, specifying parameters such as the time range, source query, and triage options. ### Method POST ### Endpoint /v0/hunt-jobs ### Parameters #### Query Parameters None #### Request Body - **range_end_time** (string) - Required - Exclusive end datetime of the hunt job, in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z'). - **range_start_time** (string) - Required - Inclusive start datetime of the hunt job, in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z'). - **source** (string) - Required - MQL source of the hunt job. - **name** (string) - Optional - Name of the hunt job. - **private** (boolean) - Optional - Restrict hunt job visibility to admins only. - **triage_email_bomb** (boolean) - Optional - Pre-filters to only include messages that are contained in an email bomb. Combined with triage_reported, triage_flagged, and triage_dlp_rule_matched with a logical OR. - **triage_flagged** (boolean) - Optional - Pre-filters to only includes flagged messages. Combined with triage_reported, triage_email_bomb, and triage_dlp_rule_matched with a logical OR. - **triage_reported** (boolean) - Optional - Pre-filters to only includes user-reported messages. Combined with triage_flagged, triage_email_bomb, and triage_dlp_rule_matched with a logical OR. ### Request Example ```json { "range_start_time": "2023-01-01T00:00:00Z", "range_end_time": "2023-01-02T00:00:00Z", "source": "SELECT * FROM emails WHERE recipient = 'test@example.com'", "name": "Test Hunt Job", "private": false, "triage_reported": true } ``` ### Response #### Success Response (201) - **hunt_job_id** (string) - ID of the started hunt job. #### Response Example ```json { "hunt_job_id": "a1b2c3d4-e5f6-7890-1234-567890abcdef" } ``` ``` -------------------------------- ### GET /v0/scim/ResourceTypes/{id} Source: https://docs.sublime.security/reference/getscimresourcetype Retrieves a specific SCIM resource type by its ID. This endpoint is useful for inspecting the schema and details of available SCIM resources. ```APIDOC ## GET /v0/scim/ResourceTypes/{id} ### Description Retrieves a specific SCIM resource type by its ID. This endpoint is useful for inspecting the schema and details of available SCIM resources. ### Method GET ### Endpoint /v0/scim/ResourceTypes/{id} ### Parameters #### Path Parameters - **id** (string) - Required - The unique identifier of the SCIM resource type to retrieve. ### Request Example ```json { "example": "No request body needed for GET request." } ``` ### Response #### Success Response (200) - **id** (string) - The ID of the resource type in Sublime. - **name** (string) - The name of the resource type. - **description** (string) - A description of the resource type. - **endpoint** (string) - The API endpoint for this resource type. - **schema** (string) - The schema URI for the resource type. - **schemas** (array of strings) - A list of schema URIs associated with the resource type. - **schemaExtensions** (array of objects) - A list of schema extensions, each with 'required' (boolean) and 'schema' (string) properties. - **meta** (object) - Metadata about the resource, including 'created' (string), 'lastModified' (string), 'location' (string), and 'resourceType' (string). #### Response Example ```json { "id": "Users", "name": "User", "description": "User Account Resource", "endpoint": "/v0/scim/Users", "schema": "urn:ietf:params:scim:schemas:core:2.0:User", "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User" ], "schemaExtensions": [], "meta": { "created": "2023-01-01T12:00:00Z", "lastModified": "2023-01-01T12:00:00Z", "location": "https://platform.sublime.security/v0/scim/ResourceTypes/Users", "resourceType": "ResourceType" } } ``` ``` -------------------------------- ### Mdm_serviceAuthSummary Source: https://docs.sublime.security/reference/getmessagedatamodel-1 Provides a summary of authentication results, including DMARC and SPF. ```APIDOC ## Mdm_serviceAuthSummary ### Description Provides a summary of authentication results, including DMARC and SPF. ### Method N/A (Schema Definition) ### Endpoint N/A (Schema Definition) ### Parameters #### Path Parameters N/A #### Query Parameters N/A #### Request Body N/A ### Request Example ```json { "dmarc": {"$ref": "#/components/schemas/Mdm_serviceDMARCSummary"}, "spf": {"$ref": "#/components/schemas/Mdm_serviceSPFSummary"} } ``` ### Response #### Success Response (200) - **dmarc** (Mdm_serviceDMARCSummary) - DMARC summary - **spf** (Mdm_serviceSPFSummary) - SPF summary #### Response Example ```json { "dmarc": {}, "spf": {} } ``` ``` -------------------------------- ### Get SCIM Resource Type OpenAPI Definition (JSON) Source: https://docs.sublime.security/reference/getscimresourcetype This OpenAPI definition specifies the endpoint for retrieving a SCIM resource type by its ID. It includes the request parameters, response schema, and security requirements. ```json { "components": { "schemas": { "Handler_typesSCIMMeta": { "description": "Schema metadata", "properties": { "created": { "description": "DateTime when the resource was created", "type": "string" }, "lastModified": { "description": "DateTime when the resource was last modified", "type": "string" }, "location": { "description": "URL of the resource", "type": "string" }, "resourceType": { "description": "Resource type", "type": "string" } }, "type": "object" }, "Handler_typesSCIMResourceType": { "properties": { "description": { "description": "Description of the resource", "type": "string" }, "endpoint": { "description": "Endpoint for the resource", "type": "string" }, "id": { "description": "ID of the resource in Sublime", "type": "string" }, "meta": { "$ref": "#/components/schemas/Handler_typesSCIMMeta" }, "name": { "description": "Name of the resource", "type": "string" }, "schema": { "description": "Schema for the resource", "type": "string" }, "schemaExtensions": { "description": "Schema Extensions for the resource", "items": { "$ref": "#/components/schemas/Handler_typesSCIMSchemaExtension" }, "type": "array" }, "schemas": { "items": { "type": "string" }, "type": "array" } }, "type": "object" }, "Handler_typesSCIMSchemaExtension": { "properties": { "required": { "description": "Whether the extension is required", "type": "boolean" }, "schema": { "description": "URI of the schema extension", "type": "string" } }, "type": "object" } }, "securitySchemes": { "bearerAuth": { "scheme": "bearer", "type": "http" } } }, "info": { "contact": { "email": "support@sublime.security" }, "title": "Sublime Platform API", "version": "0.14.1" }, "openapi": "3.0.1", "paths": { "/v0/scim/ResourceTypes/{id}": { "get": { "description": "Get SCIM resource type", "operationId": "getSCIMResourceType", "parameters": [ { "description": "ID of the resource type", "in": "path", "name": "id", "required": true, "schema": { "description": "ID of the resource type", "type": "string" } } ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Handler_typesSCIMResourceType" } } }, "description": "OK" } }, "summary": "Get SCIM resource type", "tags": [ "SCIM" ] } } }, "security": [ { "bearerAuth": [] } ], "servers": [ { "url": "{scheme}://{server}", "variables": { "scheme": { "default": "https", "enum": [ "http", "https" ] }, "server": { "default": "platform.sublime.security", "description": "Base URL of your Sublime deployment" } } } ], "tags": [ { "name": "SCIM" } ], "x-readme": { "explorer-enabled": false } } ``` -------------------------------- ### StrelkaZLib Module Source: https://docs.sublime.security/reference/getscan-1 Unpacks SLZI files and reports the size of the uncompressed content. ```APIDOC ## StrelkaZLib Module ### Description Unpacks slzi files. Reports size. ### Method N/A (Module Schema) ### Endpoint N/A (Module Schema) ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Request Example None ### Response #### Success Response (200) - **size** (integer, nullable) - Size of the uncompressed file within. #### Response Example ```json { "size": 10240 } ``` ``` -------------------------------- ### OpenAPI Definition for Get List Entry Source: https://docs.sublime.security/reference/getlistentry-1 This OpenAPI 3.0.1 definition describes the 'getListEntry' operation. It allows fetching a list entry by providing a list ID and a string identifier. The endpoint is secured with Bearer authentication and returns the entry as a string. ```json { "components": { "securitySchemes": { "bearerAuth": { "scheme": "bearer", "type": "http" } } }, "info": { "contact": { "email": "support@sublime.security" }, "title": "Sublime Platform API", "version": "0.14.1" }, "openapi": "3.0.1", "paths": { "/v0/lists/{id}/entries/entry": { "get": { "description": "Get list entry, if present", "operationId": "getListEntry", "parameters": [ { "description": "List ID", "in": "path", "name": "id", "required": true, "schema": { "description": "List ID", "format": "uuid", "type": "string" } }, { "description": "String list entry", "in": "query", "name": "string", "required": true, "schema": { "description": "String list entry", "maxLength": 2000, "type": "string" } } ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "string" } } }, "description": "OK" } }, "summary": "Get list entry", "tags": [ "Lists" ] } } }, "security": [ { "bearerAuth": [] } ], "servers": [ { "url": "{scheme}://{server}", "variables": { "scheme": { "default": "https", "enum": [ "http", "https" ] }, "server": { "default": "platform.sublime.security", "description": "Base URL of your Sublime deployment" } } } ], "tags": [ { "name": "Lists" } ], "x-readme": { "explorer-enabled": false } } ``` -------------------------------- ### GET /websites/sublime_security_reference/hunts/:id/results Source: https://docs.sublime.security/reference/gethuntresults-1 Retrieves the results of a completed hunt. This endpoint is deprecated. ```APIDOC ## GET /websites/sublime_security_reference/hunts/:id/results ### Description Retrieves the results of a completed hunt. This endpoint is deprecated. Please use the GET /v0/hunt-jobs/:id endpoint instead. ### Method GET ### Endpoint /websites/sublime_security_reference/hunts/:id/results ### Parameters #### Path Parameters - **id** (string) - Required - The ID of the hunt whose results are to be retrieved. ### Response #### Success Response (200) - **results** (object) - The results of the hunt. #### Response Example ```json { "results": { "example": "hunt results data" } } ``` ``` -------------------------------- ### List SCIM Schemas Endpoint (OpenAPI) Source: https://docs.sublime.security/reference/listscimschemas Defines the GET endpoint for listing SCIM schemas. It returns a 200 OK response with a schema reference to Handler_typesListSCIMSchemasResponse. ```json { "paths": { "/v0/scim/Schemas": { "get": { "description": "List SCIM schemas", "operationId": "listSCIMSchemas", "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Handler_typesListSCIMSchemasResponse" } } }, "description": "OK" } }, "summary": "List SCIM schemas", "tags": [ "SCIM" ] } } } } ``` -------------------------------- ### GET /v0/messages/{id}/eml Source: https://docs.sublime.security/reference/getmessageeml Retrieve the raw EML for a specific message by its ID. ```APIDOC ## GET /v0/messages/{id}/eml ### Description Retrieve the raw EML for the message. ### Method GET ### Endpoint /v0/messages/{id}/eml ### Parameters #### Path Parameters - **id** (string) - Required - The unique identifier of the message. ### Request Example (No request body for GET requests) ### Response #### Success Response (200) - The raw EML content of the message. #### Response Example (Response will be the raw EML content, e.g., a string containing the full EML file) ``` -------------------------------- ### POST /websites/sublime_security_reference/rules Source: https://docs.sublime.security/reference/createrule-1 Creates a new security rule. This endpoint allows for the definition of various parameters including rule name, source, actions, attack types, and more. ```APIDOC ## POST /websites/sublime_security_reference/rules ### Description Creates a new security rule with specified parameters. ### Method POST ### Endpoint /websites/sublime_security_reference/rules ### Parameters #### Request Body - **name** (string) - Required - Rule name - **source** (string) - Required - Source of the rule - **action_ids** (array[string]) - Optional - IDs of actions to run when the rule is triggered - **active** (boolean) - Optional - Activate the rule immediately - **attack_types** (array[string]) - Optional - Rule attack types - **authors** (array[TypesRuleAuthor]) - Optional - Rule authors. Defaults to the user that made the request - **auto_review_auto_share** (boolean) - Optional - Whether auto-reviewed messages will be shared - **auto_review_classification** (string | null) - Optional - The classification auto-reviewed messages will have, when an auto-review action is associated with the rule - **description** (string) - Optional - Description of rule - **detection_methods** (array[string]) - Optional - Rule detection technologies - **false_positives** (array[string]) - Optional - Descriptions of known false positives that could occur - **label** (string | null) - Optional - Rule label - **maturity** (string | null) - Optional - Rule maturity - **references** (array[string]) - Optional - URL references - **run_triage_on_excluded_messages** (boolean | null) - Optional - For Triage rules only, whether this rule will run even if the message matched a global exclusion. - **severity** (string | null) - Optional - Rule severity - **tactics_and_techniques** (array[string]) - Optional - Rule tactics and techniques - **tags** (array[string]) - Optional - Tags - **triage_abuse_reports** (boolean | null) - Optional - For Triage rules only, whether this rule will run for reported messages. For triage rules, one triage_ field must be true. - **triage_classification_changes** (boolean | null) - Optional - For Triage rules only, whether this rule will run for messages whose classification has just changed. For triage rules, one triage_ field must be true. - **triage_dlp_rule_matched** (boolean | null) - Optional - For Triage rules only, whether this rule will run for messages that matched a DLP rule. For triage rules, one triage_ field must be true. - **triage_flagged_messages** (boolean | null) - Optional - For Triage rules only, whether this rule will run for messages which flagged. For triage rules, one triage_ field must be true. - **type** (string) - Optional - Type of the rule. Enum: ["detection", "dlp", "triage"] - **user_provided_tags** (array[string]) - Optional - User-provided tags ### Request Example ```json { "name": "Example Rule", "source": "example.com", "description": "This is an example rule", "type": "detection", "active": true, "attack_types": ["T1000"], "action_ids": ["action-123"] } ``` ### Response #### Success Response (200) - **rule_id** (string) - The ID of the created rule. #### Response Example ```json { "rule_id": "rule-abc-123" } ``` ``` -------------------------------- ### EmailRep API User-Agent Header Example Source: https://docs.sublime.security/reference/emailrep-introduction Shows the required 'User-Agent' header for all EmailRep API requests. A missing or invalid user agent results in a 403 error. ```http GET https://emailrep.io/{email} User-Agent: [your app name] ``` -------------------------------- ### GET /v0/message-groups/search Source: https://docs.sublime.security/reference/searchmessagegroups-1 Search all message groups using various query parameters to filter the results. ```APIDOC ## GET /v0/message-groups/search ### Description Search all message groups. This endpoint allows for flexible searching using various query parameters to filter message groups based on content, attachments, and timestamps. ### Method GET ### Endpoint /v0/message-groups/search ### Parameters #### Query Parameters - **any** (string) - Optional - Searches every field (performs a case insensitive, OR search in all fields). Not compatible with other search fields. - **attachment_md5** (string) - Optional - Search for messages containing an attachment MD5 match. Must be 32 characters long. - **attachment_sha1** (string) - Optional - Search for messages containing an attachment SHA1 match. Must be 40 characters long. - **attachment_sha256** (string) - Optional - Search for messages containing an attachment SHA256 match. Must be 64 characters long. - **created_at[gte]** (string) - Optional - Inclusive start datetime filter for search, in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z'). Only message groups with a message processed at or after this time will be returned. - **created_at[lt]** (string) - Optional - Exclusive end datetime filter for search, in UTC using the ISO 8601 format (e.g., '2021-05-04T15:09:26Z'). Only message groups with a message processed before this time will be returned. - **created_at[lte]** (string) - Optional - Deprecated, use created_at[lt]. Exclusive end datetime filter for search, in UTC using the ISO 8601 format (e.g., '2021-05-04T15:09:26Z'). Only message groups with a message processed before this time will be returned. - **file_name** (string) - Optional - Search in attachment filenames (case insensitive wildcard match). - **first_reported_as_phish_at[gte]** (string) - Optional - Inclusive start datetime filter for search, in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z'). Only message groups reported at or after this time will be returned. ### Request Example ```json { "example": "GET /v0/message-groups/search?attachment_md5=d41d8cd98f00b204e9800998ecf8427e&created_at[gte]=2021-03-14T15:09:26Z" } ``` ### Response #### Success Response (200) - **message_groups** (array) - A list of message group objects matching the search criteria. - **next_page_token** (string) - Token to retrieve the next page of results, if available. #### Response Example ```json { "message_groups": [ { "id": "msg_group_123", "created_at": "2021-03-15T10:00:00Z", "first_reported_as_phish_at": "2021-03-15T10:05:00Z", "messages": [ { "id": "msg_456", "received_at": "2021-03-15T10:00:00Z", "subject": "Phishing Attempt", "from": "attacker@example.com", "attachments": [ { "file_name": "malicious.doc", "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha1": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" } ] } ] } ], "next_page_token": "abc123xyz789" } ``` ``` -------------------------------- ### GET /v0/hunt-jobs/{id} Source: https://docs.sublime.security/reference/gethuntjob Retrieves details of a specific hunt job using its unique identifier. ```APIDOC ## GET /v0/hunt-jobs/{id} ### Description Retrieves details of a specific hunt job using its unique identifier. ### Method GET ### Endpoint /v0/hunt-jobs/{id} ### Parameters #### Path Parameters - **id** (string) - Required - ID of the hunt job. ### Response #### Success Response (200) - **id** (string) - ID of the hunt job. - **private** (boolean) - Restrict hunt job visibility to admins only. - **range_start_time** (string) - Inclusive start datetime of the hunt job, in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z'). - **range_end_time** (string) - Exclusive end datetime of the hunt job, in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z'). - **source** (string) - MQL source of the hunt job. - **status** (string) - Status of the hunt job. Enum: IN_PROGRESS, FAILED, CANCELED, COMPLETED. - **results_truncated** (boolean) - Whether the hunt job was truncated due to reaching the results limit. - **error** (string) - Error message if the hunt job failed. #### Response Example ```json { "id": "a1b2c3d4-e5f6-7890-1234-567890abcdef", "private": false, "range_start_time": "2023-01-01T10:00:00Z", "range_end_time": "2023-01-01T11:00:00Z", "source": "SELECT * FROM events", "status": "COMPLETED", "results_truncated": false, "error": null } ``` ``` -------------------------------- ### Analyze Email Command Help (Bash) Source: https://docs.sublime.security/reference/analysis-api-cli Displays the help message for the 'analyze' subcommand, detailing its options for input files, rule directories, query syntax, message types, and output formatting. ```bash Usage: sublime analyze [OPTIONS] Analyze a file or directory of EMLs, MSGs, MDMs, or MBOX files. Options: -k, --api-key TEXT Key to include in API requests [optional] -i, --input PATH Input file or directory (.eml, .msg, .mdm and .mbox supported) [required] -r, --run PATH Rule/query file or directory (.yml and .yaml supported). Queries outputs that return false, null, [], {} are not displayed by default -q, --query TEXT Raw MQL. Instead of using a rules file, provide raw MQL, surrounded by single quotes -t, --type [inbound|internal|outbound] Set the message type (EML and MSG files only) [optional] [default: inbound] -m, --mailbox TEXT Mailbox email address that received the message (EML and MSG files only) [optional] -o, --output FILENAME Output file -f, --format [json|txt] Output format -v, --verbose Verbose output -h, --help Show this message and exit. ``` -------------------------------- ### GET /v0/binexplode/scan/{id} Source: https://docs.sublime.security/reference/getscan-1 Retrieves the results of a completed binexplode scan using the provided task ID. ```APIDOC ## GET /v0/binexplode/scan/{id} ### Description Retrieve the results of a completed binexplode scan. ### Method GET ### Endpoint /v0/binexplode/scan/{id} ### Parameters #### Path Parameters - **id** (string) - Required - Task ID ### Request Example ```json { "example": "No request body for GET request" } ``` ### Response #### Success Response (200) - **Handler_typesGetScanResultResponse** (object) - The response object containing scan results. #### Response Example ```json { "example": "Response body schema defined in components/schemas/Handler_typesGetScanResultResponse" } ``` ``` -------------------------------- ### Mdm_serviceDomain Schema Source: https://docs.sublime.security/reference/getmessagedatamodel-1 Represents a domain parsed from email headers, providing details like domain name, punycode, root domain, SLD, subdomain, TLD, and validity. ```APIDOC ## Mdm_serviceDomain Schema ### Description Domain parsed from X-Authenticated-Domain or X-Authenticated-Sender headers, which represents the domain used for sender authentication, typically the domain of the sending organization. This field provides additional context for analyzing the legitimacy of the sender. ### Properties - **domain** (string) - The fully qualified domain name (FQDN). This may not *always* be routable, e.g. when an email address contains a domain that is just a TLD with no SLD, e.g. foo@WIN-bar - **punycode** (string) - Interpreted punycode if the domain starts with xn--. For example, if 'domain' is 'xn--ublimesecurity-4xc.com' then 'punycode' is śublimesecurity.com - **root_domain** (string) - The root domain, including the TLD - **sld** (string) - Second-level domain, e.g. 'windows' for the domain 'windows.net' - **subdomain** (string) - Subdomain, e.g. 'drive' for the domain 'drive.google.com' - **tld** (string) - The domain's top-level domain. E.g. the TLD of google.com is 'com' - **valid** (boolean) - Whether the domain is valid ### Required - domain ```