Installation

Install the CLI:

pip3 install sublime-cli --upgrade

Usage

The sublime command has several sub-commands. You can run the command or a sub-command by itself or use the -h or --help option to get help output.

sublime --help

Usage: sublime [OPTIONS] COMMAND [ARGS]...

  Sublime CLI.

Options:
  -h, --help  Show this message and exit.

Commands:
  analyze   Analyze a file or directory of EMLs, MSGs, MDMs, or MBOX files.
  create    Create a Message Data Model from an EML or MSG.
  feedback  Send feedback directly to the Sublime team.
  help      Show this message and exit.
  me        Get information about the currently authenticated Sublime user.
  repl      Start an interactive shell.
  setup     Configure defaults.
  version   Get version and OS information for your Sublime commandline...

Analyze a message

Analyze a raw message using your own custom rules or open-source community rules and queries.

Example

sublime analyze -i sublime-rules/emls/reported_phish.eml -r sublime-rules/

╔═══════════════════════════╗
║          Results          ║
╚═══════════════════════════╝

File Name: reported_phish.eml
Directory: sublime-rules/emls

Total Rules: 48
Total Queries: 19
Flagged Rules: 2

FLAGGED RULES

  - Brand impersonation: Sublime Security
  - File sharing link from freemail sender

UNFLAGGED RULES

  - Any HTML attachment
  - Any open redirect
  - Brand impersonation: ADP
...

QUERIES

  - Domains in Header
    Result: ['0.92.231.35.bc.googleusercontent.com', 'smtp.gmail.com', 'sublimesecurity.com', 'mail-sor-f65.google.com', 'mx.google.com', 'gmailapi.google.com']
...

Usage

sublime analyze -h

Usage: sublime analyze [OPTIONS]

  Analyze a file or directory of EMLs, MSGs, MDMs, or MBOX files.

Options:
  -k, --api-key TEXT              Key to include in API requests [optional]
  -i, --input PATH                Input file or directory (.eml, .msg, .mdm
                                  and .mbox supported)  [required]

  -r, --run PATH                  Rule/query file or directory (.yml and .yaml
                                  supported). Queries outputs that return
                                  false, null, [], {} are not displayed by
                                  default

  -q, --query TEXT                Raw MQL. Instead of using a rules file,
                                  provide raw MQL, surrounded by single quotes

  -t, --type [inbound|internal|outbound]
                                  Set the message type (EML and MSG files
                                  only) [optional]  [default: inbound]

  -m, --mailbox TEXT              Mailbox email address that received the
                                  message (EML and MSG files only) [optional]

  -o, --output FILENAME           Output file
  -f, --format [json|txt]         Output format
  -v, --verbose                   Verbose output
  -h, --help                      Show this message and exit.

Creating an MDM

Convert a raw message to a structured data model.

Example

sublime create -i sublime-rules/emls/reported_phish.eml

Output saved to reported_phish.mdm

Usage

sublime create -h

Usage: sublime create [OPTIONS]

  Generate a Message Data Model from an EML or MSG.

Options:
  -k, --api-key TEXT              Key to include in API requests
  -i, --input FILENAME            Input EML file  [required]
  -t, --type [inbound|internal|outbound]
                                  Set the message type  [default: inbound]
  -o, --output FILENAME           Output file. Defaults to the input_file name
                                  in the current directory with a .mdm
                                  extension if none is specified

  -f, --format [json|txt]         Output format  [default: json]
  -m, --mailbox TEXT              Mailbox email address that received the
                                  message

  -v, --verbose                   Verbose output
  -h, --help                      Show this message and exit.

Updating your CLI

View your current version:

sublime version

Update your CLI:

pip3 install sublime-cli --upgrade

Check your new version:

sublime version