MQL Rules

Sublime detects threats out of the box using AI and a library of built-in, community-driven detections. Most teams need no rule-writing to get that protection.

Rules and Message Query Language (MQL) are the optional advanced layer for teams who want fine-grained control on top of that automatic defense. Because every detection is readable MQL, a human analyst or an AI agent can write, validate, and deploy rules directly. Black-box architectures cannot offer that.

There are two types of MQL rules in Sublime:

  • Detection Rules run on live email flow and are used for phishing detection, DLP, and policy enforcement.
  • Automations run on flagged messages and/or user-reported messages, and are used for automatic triage and remediation.