Automations in Sublime Security: A Smarter Way to Respond to Email Threats
- 4 days ago
- 2 min read
Updated: 3 days ago

In our previous articles, we talked about how Sublime Security’s Detection Rules can be configured to automatically perform actions like auto-quarantining or triggering a review.
But what if you want more control—or prefer separating detection from remediation workflows?
That’s where Automations come into play.
🚀 What Are Automations?
Automations are logic-based workflows in Sublime Security that focus on triaging and responding to email threats, especially those flagged by detection rules or reported by users.
Think of Automations as your response engine—while Detection Rules identify the problem, Automations decide what to do with it.

You can configure Automations to:
🛡 Auto-quarantine emails with a “Malicious” verdict
📛 Trash phishing messages or apply visual warning banners
📣 Alert when VIPs receive suspicious emails
👥 Take action when a certain number of users report the same message
🧵 Quarantine an entire campaign based on multiple detection triggers
🧠 How Do Automations Work?
Automations are built on MQL (Message Query Language)—the same language used by Detection Rules. They trigger based on:
- A message being reported by a user
- A Detection Rule flagging a message
- Or both
Once triggered, Automations can take two types of actions:
✅ Active Response: Auto-quarantine, trash, or apply a banner
👀 Passive Mode: Only generate alerts (e.g., webhooks, dashboard signals) without taking action
This makes it super flexible—test in passive mode, then flip the switch when you're ready to go live.
⚙️ Active vs Passive Mode
Sublime gives you fine-grained control with Active and Passive Modes:
| Mode | Description |
| --- | --- |
| Active | Takes immediate action (e.g., quarantine, trash) |
| Passive | Only generates alerts—ideal for testing and tuning |
You can even toggle between them easily as you fine-tune your playbooks.
📦 Core Feed of Automations
Just like Detection Rules, Sublime Security ships with a Core Feed of recommended Automations:
- They’re inactive by default
- You can activate them in Active or Passive Mode
- They're designed to respond to common threat patterns, saving you time and effort
These prebuilt workflows give you a solid foundation to build upon or customize for your unique threat landscape.
🔌 Bonus: API Integrations for Power Users
Sublime Security also offers a powerful REST API, which lets you:

🧼 Trash or quarantine messages directly from your SOAR
🔍 Update blocklists with IOCs from your threat intel feeds
📎 Enrich JIRA, ServiceNow, or Slack alerts with email metadata
The API uses standard HTTP verbs, JSON payloads, and predictable URLs. You’ll find your exact Base URL under Automate > API in the Sublime dashboard.
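To make the Active vs Passive distinction and the SOAR-style API usage above concrete, here is an added example (my code, not Sublime Security's own SDK or API documentation). It models the playbooks from this post: a "Malicious" verdict is quarantined, phishing is trashed, VIP recipients or crowd-reported messages raise an alert, and in Passive Mode nothing is executed, only recorded. The endpoint paths, the Base URL placeholder, the API key placeholder, and the message field names (`verdict`, `report_count`, `vip_recipient`) are all assumptions; read the real Base URL and routes from Automate > API in your dashboard. The HTTP transport is injected so the demo runs offline against constructed sample messages.

```python
"""Offline-testable sketch of a SOAR-to-Sublime response client.

Endpoint paths and field names below are ASSUMED placeholders, not
Sublime's documented API; substitute the routes from Automate > API.
"""
import json
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ACTION_PATH = "/v0/messages/{message_id}/actions"  # assumed placeholder route


@dataclass
class ApiRequest:
    """One outbound call: standard HTTP verb, JSON body, predictable URL."""
    method: str
    url: str
    headers: Dict[str, str]
    body: Optional[dict] = None


def http_transport(req: ApiRequest) -> dict:
    """Default transport: send the request over HTTPS with urllib."""
    data = json.dumps(req.body).encode() if req.body is not None else None
    r = urllib.request.Request(req.url, data=data, headers=req.headers, method=req.method)
    with urllib.request.urlopen(r, timeout=10) as resp:
        return json.loads(resp.read() or b"{}")


def decide_action(verdict: str, report_count: int, vip_recipient: bool,
                  report_threshold: int = 3) -> Optional[str]:
    """Playbook logic: malicious -> quarantine, phishing -> trash,
    VIP recipient or enough user reports -> alert only, else nothing."""
    if verdict == "malicious":
        return "quarantine"
    if verdict == "phishing":
        return "trash"
    if vip_recipient or report_count >= report_threshold:
        return "alert"
    return None


class SublimeClient:
    def __init__(self, base_url: str, api_key: str, mode: str = "passive",
                 transport: Callable[[ApiRequest], dict] = http_transport):
        if mode not in ("active", "passive"):
            raise ValueError("mode must be 'active' or 'passive'")
        self.base_url = base_url.rstrip("/")
        self.mode = mode
        self._transport = transport
        self._headers = {"Authorization": f"Bearer {api_key}",
                         "Content-Type": "application/json"}
        self.alerts: List[dict] = []   # what a webhook/dashboard would see

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        return self._transport(ApiRequest(method, self.base_url + path,
                                          dict(self._headers), body))

    def respond(self, message: dict) -> dict:
        """Apply the playbook to one message; execute only in Active Mode."""
        action = decide_action(message.get("verdict", ""),
                               message.get("report_count", 0),
                               message.get("vip_recipient", False))
        outcome = {"message_id": message["id"], "action": action, "executed": False}
        if action is None:
            return outcome
        self.alerts.append(dict(outcome))  # alert is raised in both modes
        if self.mode == "active" and action in ("quarantine", "trash"):
            self._call("POST", ACTION_PATH.format(message_id=message["id"]),
                       {"action": action})
            outcome["executed"] = True
        return outcome


# Constructed sample input, not real Sublime output.
SAMPLE_MESSAGES = [
    {"id": "msg-001", "verdict": "malicious", "report_count": 0, "vip_recipient": False},
    {"id": "msg-002", "verdict": "suspicious", "report_count": 4, "vip_recipient": False},
    {"id": "msg-003", "verdict": "benign", "report_count": 1, "vip_recipient": False},
]


def run_demo(mode: str):
    """Run the playbook in the given mode with a recording transport."""
    captured: List[ApiRequest] = []

    def recording_transport(req: ApiRequest) -> dict:
        captured.append(req)
        return {"ok": True}

    client = SublimeClient("https://BASE_URL_PLACEHOLDER", "API_KEY_PLACEHOLDER",
                           mode, recording_transport)
    outcomes = [client.respond(m) for m in SAMPLE_MESSAGES]
    return outcomes, captured


if __name__ == "__main__":
    for mode in ("passive", "active"):
        outcomes, sent = run_demo(mode)
        print(mode, outcomes, [(r.method, r.url, r.body) for r in sent])
```

Run it in Passive Mode first: every outcome is recorded with `executed` false and no request leaves the host. Flipping `mode` to `"active"` is the only change needed to start executing quarantine and trash calls, which is the same test-then-go-live workflow the post describes.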
🎯 Final Thoughts
Automations in Sublime Security are powerful, flexible, and designed to reduce analyst fatigue. Whether you want fully hands-off auto-remediation or prefer a passive alerting model, Automations help you tailor the perfect response strategy.
Let Sublime handle the triage. You stay in control.
Dean

Upcoming article: Beyond Detection: Hidden Power Features of Sublime Security