Installation
Install the CLI:
pip3 install sublime-cli --upgrade
Usage
The sublime command has several sub-commands. You can run the command or any sub-command by itself, or pass the -h or --help option to print its help output.
sublime --help
Usage: sublime [OPTIONS] COMMAND [ARGS]...
Sublime CLI.
Options:
-h, --help Show this message and exit.
Commands:
analyze Analyze a file or directory of EMLs, MSGs, MDMs, or MBOX files.
create Create a Message Data Model from an EML or MSG.
feedback Send feedback directly to the Sublime team.
help Show this message and exit.
me Get information about the currently authenticated Sublime user.
repl Start an interactive shell.
setup Configure defaults.
version Get version and OS information for your Sublime commandline...
Analyze a message
Analyze a raw message using your own custom rules or open-source community rules and queries.
Example
sublime analyze -i sublime-rules/emls/reported_phish.eml -r sublime-rules/
╔═══════════════════════════╗
║          Results          ║
╚═══════════════════════════╝
File Name: reported_phish.eml
Directory: sublime-rules/emls
Total Rules: 48
Total Queries: 19
Flagged Rules: 2
FLAGGED RULES
- Brand impersonation: Sublime Security
- File sharing link from freemail sender
UNFLAGGED RULES
- Any HTML attachment
- Any open redirect
- Brand impersonation: ADP
...
QUERIES
- Domains in Header
Result: ['0.92.231.35.bc.googleusercontent.com', 'smtp.gmail.com', 'sublimesecurity.com', 'mail-sor-f65.google.com', 'mx.google.com', 'gmailapi.google.com']
...
Usage
sublime analyze -h
Usage: sublime analyze [OPTIONS]
Analyze a file or directory of EMLs, MSGs, MDMs, or MBOX files.
Options:
-k, --api-key TEXT Key to include in API requests [optional]
-i, --input PATH Input file or directory (.eml, .msg, .mdm
and .mbox supported) [required]
-r, --run PATH Rule/query file or directory (.yml and .yaml
supported). Queries outputs that return
false, null, [], {} are not displayed by
default
-q, --query TEXT Raw MQL. Instead of using a rules file,
provide raw MQL, surrounded by single quotes
-t, --type [inbound|internal|outbound]
Set the message type (EML and MSG files
only) [optional] [default: inbound]
-m, --mailbox TEXT Mailbox email address that received the
message (EML and MSG files only) [optional]
-o, --output FILENAME Output file
-f, --format [json|txt] Output format
-v, --verbose Verbose output
-h, --help Show this message and exit.
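As an added example (not part of the Sublime CLI or its documentation), a small Python parser for the text report that `sublime analyze -f txt` prints, so a batch of verdicts can be triaged programmatically rather than read by eye; it assumes the report layout matches the one shown above, and the embedded report is a constructed sample.

```python
import ast

# Constructed sample modelled on the report shown in the docs (not real CLI output).
SAMPLE_REPORT = """\
╔═══════════════════════════╗
║          Results          ║
╚═══════════════════════════╝
File Name: reported_phish.eml
Total Rules: 48
Flagged Rules: 2
FLAGGED RULES
- Brand impersonation: Sublime Security
- File sharing link from freemail sender
UNFLAGGED RULES
- Any HTML attachment
...
QUERIES
- Domains in Header
Result: ['smtp.gmail.com', 'sublimesecurity.com']
"""

_SECTIONS = {"FLAGGED RULES": "flagged", "UNFLAGGED RULES": "unflagged", "QUERIES": "queries"}

def parse_analyze_txt(text):
    """Parse a `sublime analyze -f txt` report (layout assumed as in the docs) into a dict."""
    rep = {"meta": {}, "flagged": [], "unflagged": [], "queries": {}}
    section, last_query = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "..." or line[0] in "╔║╚":  # blanks, banner, truncation marker
            continue
        if line in _SECTIONS:
            section = _SECTIONS[line]
        elif section is None:  # header lines such as "Total Rules: 48"
            key, _, val = line.partition(":")
            rep["meta"][key.strip()] = int(val) if val.strip().isdigit() else val.strip()
        elif line.startswith("- "):
            name = line[2:].strip()
            if section == "queries":
                last_query = name  # its value follows on the next "Result:" line
            else:
                rep[section].append(name)
        elif section == "queries" and line.startswith("Result:") and last_query:
            value = line[len("Result:"):].strip()
            try:
                value = ast.literal_eval(value)  # results print as Python literals
            except (ValueError, SyntaxError):
                pass  # keep the raw string when it is not a literal
            rep["queries"][last_query] = value
    return rep
```

To use it on live output, feed the stdout of `sublime analyze -i <file> -r <rules> -f txt` (for example via `subprocess.run(..., capture_output=True, text=True).stdout`) into `parse_analyze_txt` and act on the `flagged` list.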
Creating an MDM
Convert a raw message to a structured data model.
Example
sublime create -i sublime-rules/emls/reported_phish.eml
Output saved to reported_phish.mdm
Usage
sublime create -h
Usage: sublime create [OPTIONS]
Generate a Message Data Model from an EML or MSG.
Options:
-k, --api-key TEXT Key to include in API requests
-i, --input FILENAME Input EML file [required]
-t, --type [inbound|internal|outbound]
Set the message type [default: inbound]
-o, --output FILENAME Output file. Defaults to the input_file name
in the current directory with a .mdm
extension if none is specified
-f, --format [json|txt] Output format [default: json]
-m, --mailbox TEXT Mailbox email address that received the
message
-v, --verbose Verbose output
-h, --help Show this message and exit.
Updating your CLI
- View your current version:
sublime version
- Update your CLI:
pip3 install sublime-cli --upgrade
- Check your new version:
sublime version