Jump to Content
Sublime Security
DocumentationAPI Reference
Log InSublime Security
Log In
DocumentationAPI Reference

Getting Started

  • Introduction
  • Installation
    • Docker
    • AWS CloudFormation
  • Add a message source
    • Add a Microsoft 365 message source
    • Add a Google Workspace message source
    • Add an IMAP message source
  • User-reported phishing
    • Add your abuse mailbox
    • Gmail's "Report phishing" feature
  • MQL Rules
    • Detection Rules
    • Triage Rules
  • Actions
    • Webhook
    • Email Alert
    • Email Alert with EML Attached
    • Slack Alert
    • Auto-trash
    • Quarantine
    • Warning Banners
  • Rule Feeds
    • Private rule feed authentication
    • Rules file format (YAML)
  • Lists
    • Configure the org_vips list
  • YARA

Reference

  • Message Data Model (MDM)
  • Message Query Language (MQL)
    • Syntax
    • Functions
    • Strings functions
    • RegEx functions
    • Enrichment functions
    • Missing or null values
    • Common snippets
    • Using the MQL Editor
  • Message groups
  • Message types
  • Role-Based Access Control (RBAC)
  • Message Access Controls
  • Rule Severity

How-to Guides

  • How to set up a custom domain
  • How to set up Single sign-on (SSO)

How-to MQL Guides

  • How to detect keywords or phrases in the body content of messages
  • How to detect lookalike domains
  • How to detect text in attachments
  • How to use message header values in a rule
Powered by 

MQL Rules

Suggest Edits

There are two types of Message Query Language (MQL) rules in Sublime:

  • Detection Rules run on live email flow and are used for phishing detection, DLP, and policy enforcement.
  • Triage Rules run on reported messages (and soon flagged messages) and are used to automatically triage and remediate user reports.

Updated 4 months ago

What’s Next
  • Detection Rules
  • Triage Rules