Queries
Queries are used to extract or summarize information from a message. They are denoted with type: query in Sublime YAML files.
Open-source queries written by the Sublime team are in the Sublime Rules repo on GitHub.
You can use queries to determine things like:
- Authentication failures (SPF, DKIM, DMARC)
- File sharing links
- Freemail senders
- URL shorteners
- Mismatched links
- Suspicious TLDs
- Open redirects
Multiple rules or queries
One YAML file can contain multiple rules or queries. Multiple rules should be saved as a list using the rules key, and multiple queries should be saved as a list using the queries key. Elements of a list in YAML are denoted with a leading "-". Example:
rules:
  - name: "Inbound message"
    source: type.inbound
    ...

queries:
  - name: "Message type"
    source: type
  - name: "Sender display name"
    source: sender.display_name
Each of the rules in the list can have any or all of the optional fields defined above, but must still have the required name and source fields.
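As an added example (not Sublime's own code), the following script loads a file laid out as above and checks that every element of the rules and queries lists carries the required name and source fields, and that nothing under queries claims a type other than query. It parses only the flat YAML subset shown on this page; the parse_flat_yaml and validate function names and the sample file are assumptions made for the example.

```python
# Added example (not Sublime's code): parse a file holding several rules/queries
# and check each element for the required `name` and `source` keys. Handles only the
# flat subset shown on this page; use PyYAML (`yaml.safe_load`) for real files.
REQUIRED = ("name", "source")

def parse_flat_yaml(text):
    """Parse `rules:`/`queries:` lists of one-level `key: value` mappings."""
    doc, section, entry = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace() and raw.endswith(":"):   # top-level key, e.g. `rules:`
            section, entry = raw[:-1], None
            doc[section] = []
            continue
        line = raw.strip()
        if line.startswith("- "):                          # `-` starts a new list element
            entry = {}
            doc[section].append(entry)
            line = line[2:]
        key, sep, value = line.partition(":")
        if section is None or entry is None or not sep:
            raise ValueError(f"unexpected line: {raw!r}")
        entry[key.strip()] = value.strip().strip('"')
    return doc

def validate(doc):
    """Return problems found; an empty list means every element is well formed."""
    problems = []
    for section in ("rules", "queries"):
        for i, entry in enumerate(doc.get(section, [])):
            for key in REQUIRED:
                if not entry.get(key):
                    problems.append(f"{section}[{i}]: missing required field `{key}`")
            # queries are denoted with `type: query`; a different type is a mistake
            if section == "queries" and entry.get("type", "query") != "query":
                problems.append(f"{section}[{i}]: type {entry['type']!r} in `queries`")
    return problems

# Constructed sample: the page's layout plus a query that lacks `source`.
SAMPLE = """rules:
  - name: "Inbound message"
    source: type.inbound
queries:
  - name: "Message type"
    source: type
  - name: "Sender display name"
    type: query
"""

if __name__ == "__main__":
    print(validate(parse_flat_yaml(SAMPLE)) or "OK")
```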