Sublime Security

MQL Rules

There are two types of Rules in Sublime:

  • Detection Rules run on live email flow and are used for phishing detection, DLP, and policy enforcement.
  • Triage Rules run on reported messages (and soon flagged messages) and are used to automatically triage and remediate user reports.

Updated 21 days ago


What’s Next
  • Detection Rules
  • Triage Rules