Recommended Automations
This guide provides a set of recommended automation rules that you can implement in your instance to enhance your email security posture. These automations are designed to provide additional protection against various email threats by automatically handling different types of messages based on their risk level and user reports.
Each automation rule includes:
- A descriptive name and purpose
- The default action it takes when triggered
- What triggers the automation
- The specific MQL (Message Query Language) syntax used

Creating Automations in Sublime
Below you'll find a comprehensive table of these recommended automations. You can enable/create these from the interface shown above.
Name | Description | Default Remediative Action | Triggers | MQL Source |
---|---|---|---|---|
Remediate malicious flagged messages | Remediate flagged messages with a Malicious Attack Score | Auto-quarantine | flagged message | type.inbound and ml.attack_score().verdict == "malicious" |
Remediate malicious user reports | Remediate user reported messages with a Malicious Attack Score | Auto-quarantine | user report | type.inbound and ml.attack_score().verdict == "malicious" |
Remediate spam flagged messages | Move flagged spam messages to the spam folder | Move to Spam | flagged message | type.inbound and beta.spam_detection().verdict == "spam" |
Remediate spam user reports | Move user-reported spam messages to the spam folder | Move to Spam | user report | type.inbound and beta.spam_detection().verdict == "spam" |
Remediate user reports via herd immunity | Quarantine full message group if multiple users report messages in the group | Auto-quarantine | user report | type.inbound and triage.user_reports.count > 5 |
Remediate suspicious messages that landed in spam | Remediate flagged messages with a Suspicious Attack Score that landed in the Spam or Junk folder | Quarantine | flagged message | type.inbound and external.spam and ml.attack_score().verdict == "suspicious" |
Ignore likely-benign user reports | Ignore user reported messages with a Likely Benign Attack Score | Auto-review | user report | type.inbound and length(triage.flagged_rules) == 0 and ml.attack_score().verdict == "likely_benign" |
Banner suspicious messages that didn't land in spam | Add a warning banner to flagged messages with a Suspicious Attack Score that did not land in the user's Spam or Junk folder | Warning banner | flagged message | type.inbound and not external.spam and ml.attack_score().verdict == "suspicious" |
Banner suspicious user reports | Add a warning banner to user reported messages with a Suspicious Attack Score | Warning banner, Move to spam | user report | type.inbound and ml.attack_score().verdict == "suspicious" |
Banner unknown messages that landed in spam | Add a warning banner to flagged messages with an Unknown Attack Score that landed in Spam, and move the rest of the group to Spam in case some messages went to the Inbox | Warning banner, Move to spam | flagged message | type.inbound and external.spam and ml.attack_score().verdict == "unknown" |
Core Automations
The first 5 automations listed in the table already exist in your Sublime instance but are marked as inactive by default. These are our Core Automations.
To modify a Core Automation, copy its MQL and create a custom automation with the additional logic.
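
Before adding custom automations, it helps to see which messages the recommended set leaves for manual review. The following is an added example, not Sublime's code or an MQL evaluator: the predicates are hand translations of the MQL column in the table above, and the dictionary keys, function names and baseline message are assumptions made for illustration.

```python
from itertools import product

VERDICTS = ["malicious", "suspicious", "unknown", "likely_benign"]  # values seen in the table

# (name, trigger, action, predicate). Predicates are hand translations of the
# MQL column; every sample message is assumed to satisfy type.inbound.
RULES = [
    ("Remediate malicious flagged messages", "flagged message", "Auto-quarantine",
     lambda m: m["attack"] == "malicious"),
    ("Remediate malicious user reports", "user report", "Auto-quarantine",
     lambda m: m["attack"] == "malicious"),
    ("Remediate spam flagged messages", "flagged message", "Move to Spam",
     lambda m: m["spam_verdict"]),
    ("Remediate spam user reports", "user report", "Move to Spam",
     lambda m: m["spam_verdict"]),
    ("Remediate user reports via herd immunity", "user report", "Auto-quarantine",
     lambda m: m["user_reports"] > 5),
    ("Remediate suspicious messages that landed in spam", "flagged message", "Quarantine",
     lambda m: m["external_spam"] and m["attack"] == "suspicious"),
    ("Ignore likely-benign user reports", "user report", "Auto-review",
     lambda m: m["flagged_rules"] == 0 and m["attack"] == "likely_benign"),
    ("Banner suspicious messages that didn't land in spam", "flagged message", "Warning banner",
     lambda m: not m["external_spam"] and m["attack"] == "suspicious"),
    ("Banner suspicious user reports", "user report", "Warning banner, Move to spam",
     lambda m: m["attack"] == "suspicious"),
    ("Banner unknown messages that landed in spam", "flagged message", "Warning banner, Move to spam",
     lambda m: m["external_spam"] and m["attack"] == "unknown"),
]

def matching(trigger, msg):
    """Names of the automations whose trigger and predicate both match."""
    return [name for name, trig, _action, pred in RULES if trig == trigger and pred(msg)]

def uncovered():
    """(trigger, verdict, landed_in_spam) combinations that no automation handles."""
    # Constructed baseline: not classified as spam, a single user report, and
    # flagged rules present only when the trigger is a flagged message.
    gaps = []
    for trigger, attack, in_spam in product(("flagged message", "user report"), VERDICTS, (True, False)):
        msg = {"attack": attack, "external_spam": in_spam, "spam_verdict": False,
               "user_reports": 1, "flagged_rules": 1 if trigger == "flagged message" else 0}
        if not matching(trigger, msg):
            gaps.append((trigger, attack, in_spam))
    return gaps

if __name__ == "__main__":
    for gap in uncovered():
        print("no automation:", gap)
```

Each combination it reports is a candidate for a custom automation built by copying and extending one of the MQL sources in the table.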