Beyond Detection: Hidden Power Features of Sublime Security
- 3 days ago
- 2 min read
Updated: 2 days ago

While Detection Rules and Automations are at the heart of Sublime Security's threat detection and response, the platform is packed with additional tools and capabilities that make it even more powerful, customizable, and community-driven.
Here are a few advanced features every security team should explore.
🧠 Git-Backed Rule Feeds
Stay Updated, Stay Ahead
Sublime supports Git-backed rule feeds that allow you to receive continuous updates from the Sublime team and the broader security community.
- Sublime Rules Feed is included by default and maintained by the Sublime team.
- You can add custom feeds from GitHub, GitLab, or Bitbucket—perfect for managing and sharing detection rules across teams or community groups.
To manage feeds, just head to the Feeds section in your dashboard and click New Feed.
🔗 Pro Tip: Community collaboration makes rule evolution much faster. Embrace it.
🗂 Lists
Dynamic Sets for Smarter Matching
Sublime supports named lists—reusable sets of data (such as domains, email addresses, or file hashes) that you can reference within your detection logic using MQL.
- All list names start with $ (e.g., $org_vips, $blocked_domains).
- You can create your own lists or use the built-in ones provided by Sublime.
- Lists simplify rule maintenance and improve readability.
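To make the list mechanics concrete, here is an added example rule (not from this post and not from Sublime's own rule feed) that references the built-in $org_vips list and the custom $blocked_domains list named above. The rule name, tags, and the assumption that $org_vips entries carry .display_name and .email while $blocked_domains holds plain domain strings are mine, not something the post states.

```yaml
# Added illustrative rule; not from the post or from the Sublime rules feed.
# Assumes: $org_vips is the built-in list of objects with .display_name and .email,
# and $blocked_domains is a custom list of bare domain strings maintained by your team.
name: "Example: VIP display name from a non-VIP or blocked sender"
description: |
  Inbound message whose display name matches an entry in $org_vips but whose
  sender address is not that VIP's address, or whose sending domain is on the
  custom $blocked_domains list. Intended as a template for your own tuning.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // display name matches a VIP, but the address is not the VIP's own
    (
      any($org_vips, .display_name == sender.display_name)
      and not any($org_vips, .email == sender.email.email)
    )
    // or the sending domain is on the team-maintained block list
    or sender.email.domain.domain in $blocked_domains
  )
tags:
  - "Example"
```

Because the logic lives in the lists rather than the rule, adding a new VIP or a newly seen bad domain is a list edit, not a rule change, which is the maintenance win the section describes.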
🚫 Exclusions
Cut Out the Noise
Exclusions are used to suppress alerts on known benign messages (like phishing simulations or internal test emails). They're evaluated before rules or automations trigger.
There are three types of exclusions:
- Global Exclusion – the message is skipped by all rules and automations
- Detection Rule Exclusion – the message bypasses detection rules but still hits automations
- Rule-Specific Exclusion – blocks a specific rule from matching a sender, domain, or recipient
Sublime ships with built-in global exclusions for vendors like Cofense, KnowBe4, and Hoxhunt—inactive by default, but available if needed.
✅ Use exclusions strategically to reduce alert fatigue and fine-tune precision.

⚙️ Actions: How You Enforce Responses
Actions are what you want to do when something is detected. You can apply actions manually or automatically through Rules and Automations. Here are two key ones:
🛑 Quarantine (Enterprise)
- Makes the email inaccessible to end users
- In Microsoft 365, the message goes to “Recoverable Items Purges”
- In Google Workspace, it's deleted from the user's inbox but retrievable by Sublime admins
📌 To add Quarantine:
- Open a Rule or Automation
- Click "Edit"
- Under Actions, choose Quarantine
- Save
📬 Move to Spam (Core + Enterprise)
- Moves suspicious messages to the Spam/Junk folder
- Good for messages that are unwanted but not outright malicious
- Often paired with Warning Banners for extra visibility
📌 To use Move to Spam:
- Open your Rule or Automation
- Click "Edit"
- Select Move to Spam under Actions
- Save
✨ Final Thoughts
These extra features may seem small, but they can supercharge your email security operations when used properly:
- Feed integrations keep your detections fresh
- Lists and Exclusions fine-tune your logic
- Actions like Quarantine and Move to Spam help automate response
- And Git-based feeds make Sublime feel like a true DevSecOps-native platform
Let the platform do the heavy lifting—you focus on what matters most.
Dean
Upcoming Article: Meet ASA: Your New AI-Powered Security Teammate from Sublime Security