Configure the org_vips list

Overview

The Sublime Platform provides a standard list named org_vips that is useful for creating rules that detect VIP/executive impersonation.

Here's a Sublime Feed Rule that uses this list.

The org_vips list is backed by a Google Workspace group or a Microsoft 365 distribution list that you specify. Choose a relatively small group or distribution list containing the VIPs in your organization who are especially likely to be impersonated by attackers. Members of this group are synced to Sublime daily, so that the list stays fresh.

Initial Sync

The initial sync of Google Workspace groups or Microsoft 365 distribution lists can take up to a few hours. If you don't see any user groups available when following the setup instructions below, check back later.

Setup

To configure the org_vips list:

  1. In the Sublime dashboard, click Lists in the navigation bar
  2. Click the row for the org_vips list
  3. Click the Edit button in the modal that appears
  4. In the User Group section, search for the group or distribution list for your VIPs/executives
  5. Select the matching group or list
  6. Click Save
  7. Click the row for the org_vips list again to view the list members synced to Sublime from Google Workspace or Microsoft 365

You're now able to use the org_vips list in your Sublime rules!

MQL Example

Here is an MQL snippet that checks whether the message sender's display name equals the display name of any member of the org_vips list:

any($org_vips, .display_name == sender.display_name)

And here's a Sublime Feed Rule that uses this list.
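
The MQL snippet above matches on display name only, so it also matches mail genuinely sent by a VIP. The following Python model is an added example (not Sublime's code and not part of the original page) that evaluates the same check over constructed messages and pairs it with a sender-domain condition. The ORG_DOMAINS set, the Message class and all sample names and addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed stand-in for the members synced into org_vips.
ORG_VIPS = [{"display_name": "Dana Example"}, {"display_name": "Lee Sample"}]
# Assumption: the organization's own mail domains (not defined on this page).
ORG_DOMAINS = {"example.com"}


@dataclass
class Message:
    sender_display_name: str
    sender_email: str


def vip_name_match(msg, vips=ORG_VIPS):
    """Model of: any($org_vips, .display_name == sender.display_name)."""
    return any(v["display_name"] == msg.sender_display_name for v in vips)


def sender_domain(msg):
    """Domain part of the sender address, lower-cased for comparison."""
    return msg.sender_email.rsplit("@", 1)[-1].lower()


def vip_impersonation(msg, vips=ORG_VIPS, org_domains=ORG_DOMAINS):
    """VIP display name combined with a sender outside the org's domains."""
    return vip_name_match(msg, vips) and sender_domain(msg) not in org_domains


def triage(messages):
    """Return (display name, address, name_match, flagged) per message."""
    return [
        (m.sender_display_name, m.sender_email,
         vip_name_match(m), vip_impersonation(m))
        for m in messages
    ]


# Constructed sample messages.
SAMPLES = [
    Message("Dana Example", "dana@example.com"),        # the real VIP
    Message("Dana Example", "dana.example@mail.test"),  # VIP name, external address
    Message("Pat Other", "pat@partner.test"),           # unrelated external sender
]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```

The first two messages both satisfy the display-name check; only the second is flagged once the sender's domain is taken into account.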