# Sublime Security

The Sublime Security connector enables seamless integration with Swimlane Turbine, allowing users to manage email security rules and lists, and analyze message content for threats directly through the automation platform.

Sublime Security provides a robust platform for email threat detection and rule management. This connector enables Swimlane Turbine users to integrate with Sublime Security's services, allowing for the activation and deactivation of security rules, analysis of messages, and management of lists and rules within the organization. By leveraging this integration, users can automate complex security workflows, enhance email security, and streamline threat detection and response without the need for coding.

## Limitations

- The connector requires a valid API key with appropriate permissions.
- API rate limits may apply based on your Sublime Security subscription.

## Supported Version

The Sublime Security connector supports the v0 version of the Sublime Security API.

## Configuration

### Prerequisites

To utilize the Sublime Security connector within Swimlane Turbine, ensure you have the following prerequisites:

- Sublime Security API Authentication
  - URL: endpoint for the Sublime Security API
  - API Key: unique identifier to authenticate requests to the Sublime Security API

### Authentication Methods

Sublime Security uses API key authentication for secure access to its endpoints. When authenticating with the Sublime Security connector, provide your API key in the asset configuration. The connector will automatically include the key in the Authorization header of every request.

- API Key location: header
- `Authorization: Bearer <your_api_key>`

#### How to Retrieve the API Key

1. Log into your Sublime Security admin portal.
2. Go to the API section under Account Settings or Integrations.
3. Generate a new API key (or reuse an existing one with sufficient permissions).
4. Copy this key and paste it into the API Key field during asset setup in Swimlane.

**Important:** Always store and handle your API key securely. Do not share your key externally. If you believe your API key is compromised, revoke it immediately and generate a new one.

## Capabilities

This connector provides the following capabilities:

- Activate Rule
- Analyze a Raw Message
- Create List
- Create Message
- Create Rule
- Deactivate Rule
- Delete List
- Delete Rule
- Get List
- List Rules
- Patch List
- Retrieve Message Data Model
- Retrieve Rule
- Retrieve Lists
- Update Rule

## Notes

- For detailed API documentation, refer to the [Sublime Security API introduction](https://docs.sublime.security/reference/introduction) and the [authentication documentation](https://docs.sublime.security/reference/authentication).
- The API uses RESTful conventions with JSON request/response bodies.
- All API requests require API key authentication using the `x-apikey` header.
- Base URL format varies by deployment type (cloud, on-premises, etc.) and region.
- Raw email messages must be base64-encoded before sending to the Create Message and Analyze Message endpoints.
- For triage rules, at least one triage field must be set to `true`.
- For issues, questions, or contributions, please visit the [connector repository](https://github.com/swimlane-connectors/t-sublime-security).

## Configurations

### Sublime Security API Authentication

Sublime Security API authentication.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| x-apikey | API key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Activate Rule

Activates a specified rule within your Sublime Security organization using the rule's unique identifier.

**Endpoint URL:** `v0/rules/{{id}}/activate`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | The unique identifier of the rule to activate |

#### Input Example

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

#### Output Parameter

| Parameter | Type | Description |
| --- | --- | --- |
| id | string | Unique identifier |
| active | boolean | Output field active |
| message | string | Response message |

#### Output Example

```json
{"id": "string", "active": true, "message": "string"}
```

### Analyze a Raw Message

Analyzes a raw message using the active or specified rules within your Sublime Security organization.

**Endpoint URL:** `v0/messages/analyze`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| raw_message | string | optional | The full base64-encoded raw EML message |
| queries | array | optional | Queries to analyze |
| queries.name | ['string', 'null'] | optional | Query name |
| queries.severity | ['string', 'null'] | optional | Severity associated with the query |
| queries.source | ['string', 'null'] | required | The MQL source to run against the message |
| rules | array | optional | Rules to analyze |
| run_active_detection_rules | boolean | optional | Whether to analyze the message with all active detection rules in your organization. Defaults to false |
| run_all_detection_rules | boolean | optional | Whether to analyze with all detection rules from all feeds, including uninstalled/inactive feed rules and your active rules. Defaults to false |
| run_all_insights | boolean | optional | Whether to analyze with all insights. Defaults to false |

#### Input Example

```json
{"raw_message": "string", "queries": [], "rules": [], "run_active_detection_rules": true, "run_all_detection_rules": true, "run_all_insights": true}
```

#### Output Parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| query_results | array | Result of the operation |
| query_results.error | string | Result of the operation |
| query_results.execution_time | number | Result of the operation |
| query_results.external_errors | array | Result of the operation |
| query_results.query | object | Result of the operation |
| query_results.query.name | string | Name of the resource |
| query_results.query.severity | string | Result of the operation |
| query_results.query.source | string | Result of the operation |
| query_results.success | boolean | Result of the operation |
| rule_results | array | Result of the operation |
| rule_results.error | string | Result of the operation |
| rule_results.execution_time | number | Result of the operation |
| rule_results.external_errors | array | Result of the operation |
| rule_results.matched | boolean | Result of the operation |
| rule_results.rule | object | Result of the operation |
| rule_results.rule.id | string | Unique identifier |
| rule_results.rule.name | string | Name of the resource |
| rule_results.rule.severity | string | Result of the operation |
| rule_results.rule.source | string | Result of the operation |
| rule_results.success | boolean | Result of the operation |

#### Output Example

```json
{"json_body": {"query_results": [{}], "rule_results": [{}]}, "status_code": 200, "reason": "OK"}
```

### Create List

Generates a new list within your Sublime Security organization using the specified name.

**Endpoint URL:** `v0/lists`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | optional | Name of the list |
| description | string | optional | Description of the list (optional) |

#### Input Example

```json
{"name": "example_name", "description": "string"}
```

#### Output Parameter

| Parameter | Type | Description |
| --- | --- | --- |
| id | string | Unique identifier for the list |
| name | string | Name of the created list |
| description | string | Description of the list |
| created_at | string | Creation timestamp of the list |
| updated_at | string | Last updated timestamp for the list |
| editable | boolean | Indicates if the list is editable |
| entry_type | string | Entry type of the list |

#### Output Example

```json
{"id": "string", "name": "string", "description": "string", "created_at": "string", "updated_at": "string", "editable": true, "entry_type": "string"}
```

### Create Message

Generates a new message data model in Sublime Security from a base64-encoded raw message.

**Endpoint URL:** `v0/messages/create`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| raw_message | string | optional | The full base64-encoded raw EML message |
| canonical_id | string | optional | The canonical ID of the message, if known (optional) |
| external_created_at | string | optional | Timestamp the message was created at according to the external source (optional) |
| external_message_id | string | optional | ID of the message according to the external source (optional) |
| external_thread_id | string | optional | ID of the thread the message belongs to according to the external source (optional) |
| folder | string | optional | The mailbox folder the message is in (optional) |
| labels | array | optional | Labels applied to the message by the mailbox (optional) |
| mailbox_email_address | string | optional | The email address of the mailbox containing this message (optional) |
| message_type | object | optional | Override on message types, defined from the perspective of your organization (optional) |
| message_type.inbound | boolean | optional | Message was sent from someone outside your organization to at least one recipient inside your organization |
| message_type.internal | boolean | optional | Message was sent from someone inside your organization to at least one recipient inside your organization. Messages must be authenticated by either SPF or DKIM to be treated as internal |
| message_type.outbound | boolean | optional | Message was sent from someone inside your organization to at least one recipient outside your organization |
| route_type | string | optional | The directional route type of the message (optional) |

#### Input Example

```json
{"raw_message": "string", "canonical_id": "string", "external_created_at": "string", "external_message_id": "string", "external_thread_id": "string", "folder": "string", "labels": ["string"], "mailbox_email_address": "string", "message_type": {"inbound": true, "internal": true, "outbound": true}, "route_type": "string"}
```

#### Output Parameter

| Parameter | Type | Description |
| --- | --- | --- |
| id | string | Unique identifier |
| message_id | string | Unique identifier |
| created_at | string | Output field created_at |

#### Output Example

```json
{"id": "string", "message_id": "string", "created_at": "string"}
```

### Create Rule

Generates a new detection rule in Sublime Security using the specified `name` and `source`. A JSON body input is required.

**Endpoint URL:** `v0/rules`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | optional | Rule name |
| source | string | optional | Source |
| type | string | optional | Type of the rule |
| description | string | optional | Description of rule |
| active | boolean | optional | Activate the rule immediately |
| action_ids | array | optional | IDs of actions to run when the rule is triggered |
| attack_types | array | optional | Rule attack types |
| authors | array | optional | Rule authors. Defaults to the user that made the request |
| authors.name | string | optional | Name of a rule author |
| authors.twitter | string | optional | Twitter handle for a rule author |
| auto_review_auto_share | boolean | optional | Whether auto-reviewed messages will be shared |
| auto_review_classification | string | optional | The classification auto-reviewed messages will have, when an auto-review action is associated with the rule |
| detection_methods | array | optional | Rule detection technologies |
| false_positives | array | optional | Descriptions of known false positives that could occur |
| label | string | optional | Rule label |
| maturity | string | optional | Rule maturity |
| references | array | optional | URL references |
| severity | string | optional | Rule severity |
| tactics_and_techniques | array | optional | Rule tactics and techniques |
| tags | array | optional | Tags |
| triage_abuse_reports | boolean | optional | For triage rules only, whether this rule will run for reported messages. For triage rules, one triage field must be true |
| triage_classification_changes | boolean | optional | For triage rules only, whether this rule will run for messages whose classification has just changed. For triage rules, one triage field must be true |
| triage_flagged_messages | boolean | optional | For triage rules only, whether this rule will run for messages which are flagged. For triage rules, one triage field must be true |
| user_provided_tags | array | optional | User-provided tags |

#### Input Example

```json
{"name": "example_name", "source": "string", "type": "string", "description": "string", "active": true, "action_ids": ["string"], "attack_types": ["string"], "authors": [{"name": "example_name", "twitter": "string"}], "auto_review_auto_share": true, "auto_review_classification": "string", "detection_methods": ["string"], "false_positives": ["string"], "label": "string", "maturity": "string", "references": ["string"], "severity": "string", "tactics_and_techniques": ["string"], "tags": ["string"], "triage_abuse_reports": true, "triage_classification_changes": true, "triage_flagged_messages": true, "user_provided_tags": ["string"]}
```

#### Output Parameter

| Parameter | Type | Description |
| --- | --- | --- |
| id | string | Unique identifier for the rule |
| name | string | Name of the rule |
| source | string | MQL source code of the rule |
| type | string | Type of the rule |
| description | string | Description of the rule |
| active | boolean | Whether the rule is active |
| passive | boolean | Whether the rule is passive |
| action_ids | array | IDs of actions associated with the rule |
| attack_types | array | Attack types associated with the rule |
| authors | array | Authors of the rule |
| authors.name | string | Name of the resource |
| authors.twitter | string | Output field authors.twitter |
| auto_review_auto_share | boolean | Whether auto-reviewed messages will be shared |
| auto_review_classification | string | Classification for auto-reviewed messages |
| detection_methods | array | Detection methods used by the rule |
| false_positives | array | Known false positives |
| label | string | Rule label |
| maturity | string | Rule maturity |
| references | array | URL references |
| severity | string | Rule severity |
| tactics_and_techniques | array | Tactics and techniques |
| tags | array | Tags associated with the rule |
| triage_abuse_reports | boolean | Whether rule runs for reported messages (triage rules only) |
| triage_classification_changes | boolean | Whether rule runs for classification changes (triage rules only) |
| triage_flagged_messages | boolean | Whether rule runs for flagged messages (triage rules only) |

#### Output Example

```json
{"id": "string", "name": "string", "source": "string", "type": "string", "description": "string", "active": true, "passive": true, "action_ids": [], "attack_types": [], "authors": [], "auto_review_auto_share": true, "auto_review_classification": "string", "detection_methods": [], "false_positives": [], "label": "string"}
```

### Deactivate Rule

Deactivates a specified rule within your Sublime Security organization using the rule's unique identifier.

**Endpoint URL:** `v0/rules/{{id}}/deactivate`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | The unique identifier of the rule to deactivate |

#### Input Example

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

#### Output Parameter

| Parameter | Type | Description |
| --- | --- | --- |
| id | string | Unique identifier |
| active | boolean | Output field active |
| message | string | Response message |

#### Output Example

```json
{"id": "string", "active": true, "message": "string"}
```

### Delete List

Removes a specified list from your organization in Sublime Security by providing the unique identifier.

**Endpoint URL:** `v0/lists/{{id}}`

**Method:** DELETE

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | The unique identifier of the list to delete |

#### Input Example

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

#### Output Parameter

| Parameter | Type | Description |
| --- | --- | --- |
| success | boolean | Whether the operation was successful |
| message | string | Response message |

#### Output Example

```json
{"success": true, "message": "string"}
```

### Delete Rule

Removes a specified rule from your organization in Sublime Security by providing the unique identifier.

**Endpoint URL:** `v0/rules/{{id}}`

**Method:** DELETE

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | The unique identifier of the rule to delete |

#### Input Example

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

#### Output Parameter

| Parameter | Type | Description |
| --- | --- | --- |
| success | boolean | Whether the operation was successful |
| message | string | Response message |

#### Output Example

```json
{"success": true, "message": "string"}
```

### Get List

Retrieves detailed information for a specific list in Sublime Security using the provided list ID.

**Endpoint URL:** `v0/lists/{{id}}`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | The unique identifier of the list to retrieve |

#### Input Example

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

#### Output Parameter

| Parameter | Type | Description |
| --- | --- | --- |
| id | string | Unique identifier for the list |
| name | string | Name of the list |
| description | string | Description of the list |
| created_at | string | Creation timestamp of the list |
| updated_at | string | Last updated timestamp for the list |
| editable | boolean | Indicates if the list is editable |
| entry_type | string | Entry type of the list |

#### Output Example

```json
{"id": "string", "name": "string", "description": "string", "created_at": "string", "updated_at": "string", "editable": true, "entry_type": "string"}
```

### List Rules

Retrieves a list of all active security rules from Sublime Security for further analysis or management.

**Endpoint URL:** `v0/rules`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.in_feed | boolean | optional | Restrict to rules that are explicitly in or not in a feed |
| parameters.limit | integer | optional | The maximum number of entries to return. Maximum value is 500 |
| parameters.offset | integer | optional | The (zero-based) offset of the first rule to return |
| parameters.search | string | optional | Search for a matching case-insensitive substring across rule name, description, and MQL source |

#### Input Example

```json
{"parameters": {"in_feed": true, "limit": 50, "offset": 123, "search": "string"}}
```

#### Output Parameter

| Parameter | Type | Description |
| --- | --- | --- |
| count | integer | Number of rules returned in this response |
| rules | array | Output field rules |
| rules.id | string | Unique identifier for the rule |
| rules.name | string | Name of the rule |
| rules.description | string | Description of the rule |
| rules.active | boolean | Whether the rule is active |
| rules.severity | string | Severity level of the rule |
| rules.source | string | MQL source code of the rule |
| rules.references | array | List of references used by the rule |
| rules.tags | array | Tags associated with the rule |
| rules.created_at | string | ISO timestamp when the rule was created |
| rules.updated_at | string | ISO timestamp when the rule was last updated |
| total | integer | Total number of rules matching the query |

#### Output Example

```json
{"count": 123, "rules": [], "total": 123}
```

### Patch List

Updates an existing list identified by `id` in Sublime Security with a new `description`. Required inputs include path parameters and a JSON body.

**Endpoint URL:** `v0/lists/{{id}}`

**Method:** PATCH

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | The unique identifier of the list to update |
| description | string | optional | Updated description of the list |

#### Input Example

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}, "description": "string"}
```

#### Output Parameter

| Parameter | Type | Description |
| --- | --- | --- |
| id | string | The unique identifier for the list |
| name | string | Name of the list |
| description | string | Updated description of the list |
| created_at | string | ISO timestamp when the list was created |
| updated_at | string | ISO timestamp when the list was last updated |
| editable | boolean | Indicates if the list can be edited |
| entry_type | string | The type of entries contained in the list |

#### Output Example

```json
{"id": "string", "name": "string", "description": "string", "created_at": "string", "updated_at": "string", "editable": true, "entry_type": "string"}
```

### Retrieve Lists

Retrieves filtered lists from Sublime Security based on the specified entry type parameter.

**Endpoint URL:** `v0/lists`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.entry_type | string | required | List type to filter by. Currently must be set to `string` |
| parameters.id | string | optional | Optional ID (exact match) to filter by |
| parameters.name | string | optional | Optional name (exact match) to filter by |

#### Input Example

```json
{"parameters": {"entry_type": "string", "id": "12345678-1234-1234-1234-123456789abc", "name": "example_name"}}
```

#### Output Parameter

| Parameter | Type | Description |
| --- | --- | --- |
| lists | array | Output field lists |
| lists.id | string | Unique identifier |
| lists.name | string | Name of the resource |
| lists.description | string | Output field lists.description |
| lists.entry_type | string | Type of the resource |
| lists.editable | boolean | Output field lists.editable |
| lists.created_at | string | Output field lists.created_at |
| lists.updated_at | string | Output field lists.updated_at |

#### Output Example

```json
{"lists": []}
```

### Retrieve Message Data Model

Retrieves the data model for a specific message in Sublime Security using the message's unique identifier.

**Endpoint URL:** `v0/messages/{{id}}`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | The unique identifier of the message to retrieve |

#### Input Example

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

#### Output Parameter

| Parameter | Type | Description |
| --- | --- | --- |
| _errors | array | Error message if any |
| _errors.additionalProp | string | Error message if any |
| _meta | object | Output field _meta |
| _meta.canonical_id | string | Unique identifier |
| _meta.created_at | string | Output field _meta.created_at |
| _meta.effective_at | string | Output field _meta.effective_at |
| _meta.id | string | Unique identifier |
| attachments | array | Output field attachments |
| attachments.content_id | string | Unique identifier |
| attachments.content_transfer_encoding | string | Response content |
| attachments.content_type | string | Type of the resource |
| attachments.file_extension | string | Output field attachments.file_extension |
| attachments.file_name | string | Name of the resource |
| attachments.file_type | string | Type of the resource |
| attachments.md5 | string | Output field attachments.md5 |
| attachments.raw | string | Output field attachments.raw |
| attachments.sha1 | string | Output field attachments.sha1 |
| attachments.sha256 | string | Output field attachments.sha256 |
| attachments.size | integer | Output field attachments.size |
| body | object | Request body data |
| body.current_thread | object | Request body data |
| body.current_thread.links | array | Request body data |
| body.current_thread.links.display_text | string | Request body data |
| body.current_thread.links.display_url | string | Display URL |
| body.current_thread.links.href_url | string | HREF URL |

#### Output Example

The example is truncated in the source documentation:

```json
{"_errors": [], "_meta": {"canonical_id": "string", "created_at": "string", "effective_at": "string", "id": "12345678-1234-1234-1234-123456789abc"}, "attachments": [], "body": {"current_thread": {"links": [], "text": "string"}, "html": {"charset": "string", "content_transfer_encoding": "string", "display_text": "string", "inner_text": "string", "raw": "string"}, "ips": [{}], "links": [{}], "plain": {"charset": "string", "content_transfer_encoding": "string", "raw": "string"}, "previous_threads": [{}]}, "external": {"created_at": "string", ...
```

### Retrieve Rule

Retrieves details of a specific rule in Sublime Security using the unique identifier provided as a path parameter.

**Endpoint URL:** `v0/rules/{{id}}`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | The unique identifier of the rule to retrieve |

#### Input Example

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

#### Output Parameter

| Parameter | Type | Description |
| --- | --- | --- |
| id | string | Unique identifier for the rule |
| name | string | Name of the rule |
| description | string | Description of the rule |
| action_ids | array | IDs of actions to run when the rule is triggered |
| active | boolean | Whether the rule is active |
| attack_types | array | Rule attack types |
| authors | array | Rule authors |
| authors.name | string | Name of a rule author |
| authors.twitter | string | Twitter handle for a rule author |
| auto_review_auto_share | boolean | Whether auto-reviewed messages will be shared |
| auto_review_classification | string | The classification for auto-reviewed messages |
| created_at | string | Creation timestamp of the rule |
| detection_methods | array | Rule detection technologies |
| false_positives | array | Known false positives that could occur |
| label | string | Label of the rule |
| last_activated_at | string | Last time the rule was activated |
| maturity | string | Maturity of the rule |
| passive | boolean | Whether the rule runs passively |
| references | array | Rule references |
| severity | string | Severity level of the rule |
| source | string | MQL source of the rule |
| tactics_and_techniques | array | MITRE ATT&CK tactics and techniques |
| tags | array | Tags associated with the rule |
| triage_abuse_reports | boolean | Whether to triage abuse reports |
| triage_classification_changes | boolean | Whether to triage classification changes |

#### Output Example

```json
{"id": "string", "name": "string", "description": "string", "action_ids": [], "active": true, "attack_types": [], "authors": [], "auto_review_auto_share": true, "auto_review_classification": "string", "created_at": "string", "detection_methods": [], "false_positives": [], "label": "string", "last_activated_at": "string", "maturity": "string"}
```

### Update Rule

Updates an existing rule in Sublime Security with a new definition, requiring the rule's ID, name, and source.

**Endpoint URL:** `v0/rules/{{id}}`

**Method:** PUT

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Rule ID |
| name | string | optional | Rule name |
| source | string | optional | Source |
| description | string | optional | Description of rule |
| action_ids | array | optional | IDs of actions to run when the rule is triggered |
| attack_types | array | optional | Rule attack types |
| authors | array | optional | Rule authors. Defaults to the user that made the request |
| authors.name | string | optional | Name of a rule author |
| authors.twitter | string | optional | Twitter handle for a rule author |
| auto_review_auto_share | boolean | optional | Whether auto-reviewed messages will be shared |
| auto_review_classification | string | optional | The classification auto-reviewed messages will have, when an auto-review action is associated with the rule |
| detection_methods | array | optional | Rule detection technologies |
| false_positives | array | optional | Descriptions of known false positives that could occur |
| label | string | optional | Rule label |
| maturity | string | optional | Rule maturity |
| references | array | optional | URL references |
| severity | string | optional | Rule severity |
| tactics_and_techniques | array | optional | Rule tactics and techniques |
| tags | array | optional | Tags |
| triage_abuse_reports | boolean | optional | For triage rules only, whether this rule will run for reported messages. For triage rules, one triage field must be true |
| triage_classification_changes | boolean | optional | For triage rules only, whether this rule will run for messages whose classification has just changed. For triage rules, one triage field must be true |
| triage_flagged_messages | boolean | optional | For triage rules only, whether this rule will run for messages which are flagged. For triage rules, one triage field must be true |
| user_provided_tags | array | optional | User-provided tags |

#### Input Example

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}, "name": "example_name", "source": "string", "description": "string", "action_ids": ["string"], "attack_types": ["string"], "authors": [{"name": "example_name", "twitter": "string"}], "auto_review_auto_share": true, "auto_review_classification": "string", "detection_methods": ["string"], "false_positives": ["string"], "label": "string", "maturity": "string", "references": ["string"], "severity": "string", "tactics_and_techniques": ["string"], "tags": ["string"], "triage_abuse_reports": true, "triage_classification_changes": true, "triage_flagged_messages": true, "user_provided_tags": ["string"]}
```

#### Output Parameter

| Parameter | Type | Description |
| --- | --- | --- |
| id | string | Unique identifier for the rule |
| name | string | Name of the rule |
| source | string | MQL source code of the rule |
| type | string | Type of the rule |
| description | string | Description of the rule |
| active | boolean | Whether the rule is active |
| passive | boolean | Whether the rule is passive |
| action_ids | array | IDs of actions associated with the rule |
| attack_types | array | Attack types associated with the rule |
| authors | array | Authors of the rule |
| authors.name | string | Name of the resource |
| authors.twitter | string | Output field authors.twitter |
| auto_review_auto_share | boolean | Whether auto-reviewed messages will be shared |
| auto_review_classification | string | Classification for auto-reviewed messages |
| detection_methods | array | Detection methods used by the rule |
| false_positives | array | Known false positives |
| label | string | Rule label |
| maturity | string | Rule maturity |
| references | array | URL references |
| severity | string | Rule severity |
| tactics_and_techniques | array | Tactics and techniques |
| tags | array | Tags associated with the rule |
| triage_abuse_reports | boolean | Whether rule runs for reported messages (triage rules only) |
| triage_classification_changes | boolean | Whether rule runs for classification changes (triage rules only) |
| triage_flagged_messages | boolean | Whether rule runs for flagged messages (triage rules only) |

#### Output Example

```json
{"id": "string", "name": "string", "source": "string", "type": "string", "description": "string", "active": true, "passive": true, "action_ids": [], "attack_types": [], "authors": [], "auto_review_auto_share": true, "auto_review_classification": "string", "detection_methods": [], "false_positives": [], "label": "string"}
```

#### Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
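The two constraints the notes call out (raw messages must be base64-encoded for Analyze/Create Message, and a triage rule must set at least one triage field) are easy to get wrong when a playbook builds these bodies by hand. The example below is added here and is not part of the connector; it builds an Analyze a Raw Message body from a constructed EML, validates a Create/Update Rule body before it is sent, and pulls matched rules out of a constructed response shaped like the action's output schema. It assumes a triage rule is identified by `"type": "triage"` (the page gives no value for `type`).

```python
import base64

# Constructed sample message (not from the page): a minimal RFC 5322 email.
SAMPLE_EML = (
    b"From: sender@example.com\r\n"
    b"To: recipient@example.com\r\n"
    b"Subject: Invoice attached\r\n"
    b"\r\n"
    b"Please review the attached invoice.\r\n"
)

# Triage-only fields from the Create Rule / Update Rule input tables.
TRIAGE_FIELDS = (
    "triage_abuse_reports",
    "triage_classification_changes",
    "triage_flagged_messages",
)


def build_analyze_body(raw_eml: bytes, run_active_rules: bool = True) -> dict:
    """Body for POST v0/messages/analyze.

    raw_message must carry the full EML base64-encoded; sending the raw
    bytes as text is the usual mistake the notes warn about.
    """
    encoded = base64.b64encode(raw_eml).decode("ascii")
    return {
        "raw_message": encoded,
        "queries": [],
        "rules": [],
        "run_active_detection_rules": run_active_rules,
        "run_all_detection_rules": False,
        "run_all_insights": False,
    }


def decode_raw_message(body: dict) -> bytes:
    """Round-trip check: recover the EML from a request body.

    validate=True makes the decoder reject non-base64 characters, so a
    body that was built from un-encoded text fails here instead of at the API.
    """
    return base64.b64decode(body["raw_message"], validate=True)


def validate_rule_payload(payload: dict) -> list:
    """Return a list of problems with a Create Rule / Update Rule body.

    The action descriptions say name and source are required, and the
    notes say a triage rule needs at least one triage_* field set to true.
    Assumption: triage rules carry "type": "triage".
    """
    problems = []
    for field in ("name", "source"):
        if not payload.get(field):
            problems.append(f"missing required field: {field}")
    if payload.get("type") == "triage":
        if not any(payload.get(f) is True for f in TRIAGE_FIELDS):
            problems.append("triage rules need at least one triage_* field set to true")
    return problems


def matched_rules(response: dict) -> list:
    """From an Analyze response (json_body.rule_results[]), return
    (name, severity) for rules that ran successfully and matched.
    Results with success=false are skipped even if matched is set."""
    hits = []
    for result in response.get("json_body", {}).get("rule_results", []):
        if result.get("success") and result.get("matched"):
            rule = result.get("rule", {})
            hits.append((rule.get("name"), rule.get("severity")))
    return hits


# Constructed response (not from the page) in the shape of the output schema.
SAMPLE_RESPONSE = {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
        "query_results": [],
        "rule_results": [
            {"success": True, "matched": True, "execution_time": 3, "error": None,
             "external_errors": [],
             "rule": {"id": "rule-1", "name": "Invoice lure", "severity": "high", "source": "..."}},
            {"success": True, "matched": False, "execution_time": 2, "error": None,
             "external_errors": [],
             "rule": {"id": "rule-2", "name": "Benign newsletter", "severity": "low", "source": "..."}},
            {"success": False, "matched": True, "execution_time": 0, "error": "timeout",
             "external_errors": [],
             "rule": {"id": "rule-3", "name": "Slow rule", "severity": "medium", "source": "..."}},
        ],
    },
}
```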