How to Integrate Email Threat Intel with a TIP

Introduction

This guide outlines how a Sublime user can send Indicators of Compromise (IOCs) to commonly used Threat Intelligence Platforms (TIPs) such as MISP or Recorded Future. Sublime offers several ways to handle this use case; this article describes an event-driven, webhook-based approach in which an automation fires a webhook for matching messages and your receiver enriches the event via the Sublime API before handing indicators to the TIP.

Setup

Create a Webhook Action

  1. From the Sublime Dashboard, navigate to the /actions page found under Manage on the left navigation menu. Create a new Action > Webhook.
  2. Name your Webhook and configure the endpoint and any custom headers for the outbound request. A custom header carrying a shared secret is the simplest way for your receiving endpoint to verify that a request actually came from Sublime, so set one here and check it on the receiving side. Ensure that the "Finish message processing before sending webhooks?" option is checked so the webhook fires only after the message has been fully processed.

💡

For more information on Sublime webhooks, please see the documentation here.

Create an Automation

  1. From the Sublime Dashboard, navigate to the /automations page found under Automate on the left navigation menu. Create a new Automation.
  2. Set the automation triggers to be for both Flagged Messages as well as User Reports.
  3. The following MQL example fires the automation (and therefore the webhook) for any inbound message that comes either from an unknown sender (new or outlier prevalence, not solicited) or from a repeat offender (a sender with previous malicious or spam messages and no false positives), provided the message contains at least one link or attachment:
type.inbound
and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
)
and (length(body.links) > 0 or length(attachments) > 0)

Feel free to adjust the above MQL logic to fit your use case. Note that this trigger is deliberately broad: links and attachments from unknown but legitimate senders will also be sent, so either tighten the MQL or filter in your webhook handler (and avoid marking indicators as blocking in the TIP) until an analyst has confirmed them. See our common snippets library for inspiration on other ways to trigger the automation.

Handle the Webhook Request

By design, Sublime's webhook payload excludes properties that contain PII. On receiving the request, retrieve the message's MDM (Message Data Model) properties via Sublime's API and pass the relevant ones to your TIP. This API call requires the Sublime message ID, which is included in the webhook payload. Common IOC strings found in the MDM include:

  • Attachment hashes
  • Sender domain
  • Sender email
  • Links from the body of the email
  • Originating IP Addresses
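The following receiver, added here as a worked example and not part of Sublime's own tooling, ties the three steps together: it verifies the shared-secret header configured on the webhook action, reads the message ID from the payload, fetches the message via the Sublime API, extracts the five IOC kinds listed above from the MDM, and pushes them to MISP as attributes. Several details are assumptions to verify against your tenant and TIP: the API path `/v0/messages/{id}` and the assumption that its response is the MDM, the candidate paths for the message ID inside the webhook body, the header name `X-Webhook-Secret`, and the MDM field paths (which follow MQL naming: `sender.email.email`, `sender.email.domain.domain`, `body.links[].href_url.url`, `attachments[].sha256`, `headers.ips[].ip`). The sample MDM at the bottom is constructed for the offline demonstration.

```python
"""Webhook receiver: Sublime automation event -> Sublime MDM -> MISP attributes.
Added example; endpoint paths, payload shape and header names are assumptions noted inline."""
import hmac
import json
import os
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SUBLIME_BASE_URL = os.environ.get("SUBLIME_BASE_URL", "https://platform.sublime.security")
SUBLIME_API_KEY = os.environ.get("SUBLIME_API_KEY", "")
MISP_URL = os.environ.get("MISP_URL", "https://misp.example.test")
MISP_API_KEY = os.environ.get("MISP_API_KEY", "")
MISP_EVENT_ID = os.environ.get("MISP_EVENT_ID", "1")
WEBHOOK_SECRET = os.environ.get("WEBHOOK_SECRET", "")  # value of the custom header set on the Sublime action

# IOC kind -> (MISP attribute type, category); all are valid MISP type/category pairs
MISP_TYPES = {"sender_email": ("email-src", "Payload delivery"), "sender_domain": ("domain", "Network activity"),
              "urls": ("url", "Network activity"), "sha256": ("sha256", "Payload delivery"),
              "ips": ("ip-src", "Network activity")}

def _get(obj, path):
    """Walk a dotted path through nested dicts; return None if any hop is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj

def message_id_from_payload(payload: dict):
    """Locate the message ID in the webhook body (candidate paths are assumed; check a real payload)."""
    for path in ("data.message.id", "message.id", "id"):
        value = _get(payload, path)
        if value:
            return str(value)
    return None

def extract_iocs(mdm: dict) -> dict:
    """Pull the IOCs the guide lists out of an MDM document. Field paths follow MQL naming
    (sender.email.email, body.links[].href_url.url, attachments[].sha256, headers.ips[].ip);
    values are lowercased where case is irrelevant and de-duplicated before they reach the TIP."""
    found = {k: set() for k in MISP_TYPES}
    email, domain = _get(mdm, "sender.email.email"), _get(mdm, "sender.email.domain.domain")
    if email:
        found["sender_email"].add(email.lower())
    if domain:
        found["sender_domain"].add(domain.lower())
    found["urls"].update(u for u in (_get(lnk, "href_url.url") for lnk in _get(mdm, "body.links") or []) if u)
    found["sha256"].update(a["sha256"].lower() for a in mdm.get("attachments") or [] if a.get("sha256"))
    found["ips"].update(e.get("ip") if isinstance(e, dict) else e for e in _get(mdm, "headers.ips") or [])
    found["ips"].discard(None)
    return {k: sorted(v) for k, v in found.items()}

def to_misp_attributes(iocs: dict, message_id: str) -> list:
    """Map extracted IOCs to MISP attribute objects; to_ids stays False until an analyst vets them."""
    return [{"type": MISP_TYPES[k][0], "category": MISP_TYPES[k][1], "value": v,
             "comment": f"Sublime message {message_id}", "to_ids": False}
            for k, values in iocs.items() for v in values]

def fetch_mdm(message_id: str) -> dict:
    """GET the message via the Sublime API (path and response shape assumed; check the API reference)."""
    req = urllib.request.Request(f"{SUBLIME_BASE_URL}/v0/messages/{message_id}",
                                 headers={"Authorization": f"Bearer {SUBLIME_API_KEY}"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)

def push_to_misp(attrs: list) -> None:
    """POST each attribute to MISP's attributes/add/{event_id} REST endpoint."""
    for attr in attrs:
        req = urllib.request.Request(f"{MISP_URL}/attributes/add/{MISP_EVENT_ID}", method="POST",
                                     data=json.dumps(attr).encode(),
                                     headers={"Authorization": MISP_API_KEY, "Accept": "application/json",
                                              "Content-Type": "application/json"})
        urllib.request.urlopen(req, timeout=15).close()

class SublimeWebhook(BaseHTTPRequestHandler):
    def do_POST(self):
        # Only accept requests carrying the shared secret configured as a custom header on the action
        presented = self.headers.get("X-Webhook-Secret", "")
        if not WEBHOOK_SECRET or not hmac.compare_digest(presented, WEBHOOK_SECRET):
            self.send_response(401); self.end_headers(); return
        body = self.rfile.read(int(self.headers.get("Content-Length") or 0))
        message_id = message_id_from_payload(json.loads(body or b"{}"))
        if not message_id:
            self.send_response(400); self.end_headers(); return
        push_to_misp(to_misp_attributes(extract_iocs(fetch_mdm(message_id)), message_id))
        self.send_response(204); self.end_headers()

SAMPLE_MDM = {  # constructed sample, trimmed to the fields used above
    "sender": {"email": {"email": "Invoice@Billing-Example.test", "domain": {"domain": "billing-example.test"}}},
    "body": {"links": [{"href_url": {"url": "https://billing-example.test/pay?id=1"}},
                       {"href_url": {"url": "https://billing-example.test/pay?id=1"}}]},
    "attachments": [{"file_name": "invoice.pdf",
                     "sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"}],
    "headers": {"ips": [{"ip": "203.0.113.7"}, {"ip": "198.51.100.22"}]},
}

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), SublimeWebhook).serve_forever()
```

Two design points worth keeping when you adapt this: the secret comparison uses `hmac.compare_digest` rather than `==` so a forged request cannot be tuned against timing differences, and attributes are created with `to_ids` false because the automation trigger above matches unknown-but-legitimate senders as well as attackers; flip it only after analyst review so the TIP does not start exporting benign links and sender domains to blocking controls.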

That's it! Once the automation is activated, Sublime will pass every flagged message and user report that matches the automation logic to your TIP. If you have any questions about this guide, please reach out to the Sublime Support team.