
Meet ASA: Your New AI-Powered Security Teammate from Sublime Security

  • Aug 15
  • 5 min read

Updated: Aug 16


Let’s be real—dealing with hundreds (sometimes thousands) of user-reported phishing emails every day can be a nightmare for security teams. You’ve got analysts drowning in emails, managers worrying about response time, and users clicking “report” like it’s a game.


That’s where ASA (Autonomous Security Analyst) from Sublime Security swoops in like a superhero 🦸‍♂️—only smarter, faster, and it doesn’t need coffee breaks.


So, What Exactly is ASA?

Think of ASA as your virtual security analyst. It’s an AI-powered automation tool that investigates those user-reported emails that land in your abuse mailbox. It looks at everything, makes decisions, and gives you a neat little report so your real human analysts don’t burn out staring at spam all day.


When someone reports a suspicious email, ASA jumps into action automatically—no need to press a button. It does the full analysis and tells you exactly what it thinks: is the message malicious, spam, graymail, totally fine (benign), or something it’s not sure about (unknown)?


🔍 What Does ASA Actually Do?

Here’s what makes ASA such a gem:

  • Checks files and links for malware 🧨

  • Looks at logos and visual content for phishing tricks 🕵️

  • Investigates the sender to see if they’ve caused trouble before 📬

  • Points out misclassifications or weird behaviors in the email 🤔


It does everything a human analyst would do—just way faster.


🛠️ How Do You Use ASA?

If you're using Sublime Security in an Enterprise setup and already have your abuse mailbox configured, it’s super easy.


All you need to do is turn on the Automation called “Send user reports to ASA”.

That’s it. ASA is now your new team member.



🌍 Where Does ASA Live?

Right now, ASA runs either in:


  • Sublime’s cloud environment (SaaS)

  • Or your own AWS cloud (self-hosted)


Currently supported AWS regions include:

  • 🇺🇸 Virginia | Oregon | Ohio

  • 🇪🇺 Dublin

  • 🇬🇧 London


🧑‍💼 ASA Has Two Personalities (a.k.a. Modes)


1. Passive Mode – “The Analyst Buddy”

ASA analyzes emails and gives you all the info, but it doesn’t take any action. You (or your team) still make the final call.


Great if you want control, but still want a huge head start on the analysis.

2. Active Mode – “The Autonomous Agent”

ASA goes full robot mode 🤖—it analyzes, makes decisions, and takes actions like:


  • Quarantining bad stuff

  • Moving spam to the junk folder

  • Dismissing false positives

  • Escalating uncertain stuff to a human analyst


This is perfect when you need 24/7 automated help—especially when your team’s off the clock.

🗂️ ASA Verdicts: What Does It Call the Messages?

ASA can label emails as:


  • Malicious – Dangerous!

  • Spam – Junk it.

  • Graymail – Meh, promotional or boring stuff.

  • Benign – Totally safe.

  • Unknown – Needs a human eye.


For each verdict, you can set what ASA should do: quarantine, trash, move to spam, or just add a warning banner.



📋 ASA Reports: What Do You Get?

ASA doesn’t just say “Spam” and walk away. It gives you a full breakdown, including:


  • A one-liner summary with verdict, user reports, and message actions

  • An Executive Summary with the juicy details

  • A full attack chain (if malicious)

  • Deep-dive into the sender, content, attachments, links, and why ASA decided what it did


Honestly, it’s like a mini threat intel report for every message.

-------------------------------------------------------------------------------------


Before ending this article, let me show you one last tab, which is a very interesting one: Admin.

Alright, so we’ve explored Sublime’s amazing features—from automations and verdicts to ASA doing the heavy lifting. But before we wrap this up, let’s quickly peek behind the curtain into the Admin tab—the place where the real control lives. It might not be the flashiest part of Sublime, but it’s where the magic of setup, permissions, and policies happens. Let’s break it down, no jargon—just straight talk. 😎


👥 Roles & Permissions

Sublime comes with predefined roles to help you manage who can do what:


  • Admin – Has full control. (79/79 permissions)

  • Analyst – Has what they need for investigations. (28 permissions)

  • Engineer – Somewhere in between. (47 permissions)


🧑‍🔧 Want more flexibility? If you're an Admin, you can create your own roles and fine-tune permissions for users based on your team’s needs.


🗃️ Message Retention Settings

You don’t want to keep every email forever—but you do want to keep the important ones long enough for investigations.


Here’s what you can manage:

  • Raw EML (Unflagged): Pick how long to keep emails that weren’t flagged or reported. After this period, the message metadata stays, but body, links, screenshots, etc. are gone.

  • Raw EML (Flagged/User-Reported): These stick around longer. Same deal—pick the retention time.

  • MDM Retention: MDMs (Message Data Models) are kept for up to 30 days or whatever your unflagged EML retention is (whichever is shorter).


Think of this as your time machine settings—how far back in time can you go to re-analyze or investigate emails?


🔐 Authentication & Security

Hook Sublime into your SSO provider of choice:

  • Okta ✅

  • Azure AD ✅

  • OneLogin ✅

  • Or any OpenID Connect or SAML provider


Also:

  • You can control how people view message contents (opt-in for extra control)

  • And even set an IP Allow List so that only approved IPs can access the Sublime dashboard or API.

Very enterprise. Very secure.

Abuse Mailbox – The Front Door for Phishing Reports

If your users forward suspicious emails, this is where Sublime catches them.


Set up your abuse mailbox (up to 5 addresses), and Sublime will:

  • Grab the original message that was reported (using smart headers, attachments, or references)

  • Group messages from the same attack together

  • Skip duplicates so your team isn’t doing the same thing twice


It’s like a smart inbox that’s built for security teams.


And yes—you can use a user mailbox, a distribution list, or a Google Group. Just make sure at least one subscriber gets all the mail.
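To make those three abuse-mailbox jobs concrete, here is an added example in Python. It is my own illustration, not Sublime’s code and not a description of how Sublime implements its abuse mailbox: on a handful of constructed reports it unwraps the original message when the report carries it as a message/rfc822 attachment, skips a second report of the same Message-ID while still recording who reported it, and groups sibling messages by sender domain plus normalized subject. The inline-forward case falling back to the report itself is my assumption, and every address and domain in the sample data is made up.

```python
"""Triage a batch of user reports from an abuse mailbox: recover the reported
message, skip duplicates and group copies of one campaign.

Added example, not Sublime's code. Assumes reports arrive either with the
original attached as message/rfc822 or as an inline forward; only the first
form is unwrapped here, inline forwards fall back to the report itself."""
import hashlib
import re
from collections import defaultdict
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

_REPLY_PREFIX = re.compile(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


def extract_original(report: EmailMessage) -> tuple[EmailMessage, bool]:
    """Return (message to analyse, True if it came from a message/rfc822 attachment)."""
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0), True  # the attached message object itself
    return report, False  # inline forward or bare report: analyse the report as-is


def dedup_key(msg: EmailMessage) -> str:
    """Message-ID is the natural key; fall back to a header fingerprint when it is missing."""
    mid = str(msg.get("Message-ID", "")).strip().lower()
    if mid:
        return "mid:" + mid
    material = "|".join(str(msg.get(h, "")).strip().lower() for h in ("From", "Subject", "Date"))
    return "fp:" + hashlib.sha256(material.encode()).hexdigest()[:16]


def campaign_key(msg: EmailMessage) -> str:
    """Sender domain plus the subject with Re/Fw prefixes and extra whitespace stripped."""
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    subject = _REPLY_PREFIX.sub("", str(msg.get("Subject", "")))
    return f"{domain}|{' '.join(subject.lower().split())}"


def triage(raw_reports: list[bytes]) -> dict:
    """Dedupe by the original's Message-ID, keep every reporter, group by campaign."""
    seen: dict[str, dict] = {}
    campaigns: defaultdict[str, list] = defaultdict(list)
    parser = BytesParser(policy=policy.default)
    skipped = 0
    for raw in raw_reports:
        report = parser.parsebytes(raw)
        original, unwrapped = extract_original(report)
        key = dedup_key(original)
        if key in seen:
            seen[key]["reporters"].append(str(report["From"]))  # same message, second reporter
            skipped += 1
            continue
        entry = {"dedup_key": key, "subject": str(original["Subject"]),
                 "reporters": [str(report["From"])], "inline_fallback": not unwrapped}
        seen[key] = entry
        campaigns[campaign_key(original)].append(entry)
    return {"unique": len(seen), "duplicates_skipped": skipped, "campaigns": dict(campaigns)}


# --- constructed sample data (made-up senders and domains) -------------------
def wrap_report(reporter: str, original_raw: str) -> bytes:
    """A user forwarding `original_raw` to the abuse mailbox as a message/rfc822 attachment."""
    return (
        f"From: {reporter}\nSubject: FW: please check\nMessage-ID: <rep-{reporter}>\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n--b1\nContent-Type: text/plain\n\n'
        f"Looks phishy.\n--b1\nContent-Type: message/rfc822\n\n{original_raw}\n--b1--\n"
    ).encode()


INVOICE_LURE = ("From: billing@example-invoice.test\nSubject: Invoice #4471 overdue\n"
                "Message-ID: <abc123@mail.example-invoice.test>\n\nOpen the attached file now.\n")
INVOICE_LURE_2 = INVOICE_LURE.replace("abc123", "def456").replace("Subject: ", "Subject: Re: ")
INLINE_FORWARD = (b"From: dave@corp.example\nSubject: FW: Password reset required\n"
                  b"Message-ID: <rep-dave@corp.example>\n\n---------- Forwarded message ----------\n"
                  b"From: it-helpdesk@example-support.test\nReset your password using the link below.\n")

SAMPLE_REPORTS = [
    wrap_report("alice@corp.example", INVOICE_LURE),
    wrap_report("bob@corp.example", INVOICE_LURE),      # same message reported twice
    wrap_report("carol@corp.example", INVOICE_LURE_2),  # sibling of the same campaign
    INLINE_FORWARD,                                     # no attachment to unwrap
]

if __name__ == "__main__":
    result = triage(SAMPLE_REPORTS)
    print(result["unique"], "unique;", result["duplicates_skipped"], "duplicate(s) skipped")
    for campaign, entries in result["campaigns"].items():
        print(campaign, "->", [e["reporters"] for e in entries])
```

Run it directly to see the summary: three unique messages, one duplicate skipped, and the two invoice lures landing in the same campaign bucket. The dedup key falls back to a header fingerprint when a message arrives without a Message-ID, which is exactly the kind of copy a team would otherwise process twice.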


📝 Audit Logs – Because Receipts Matter

Need to know who did what and when?


Sublime’s Audit Log keeps track of:

  • Message actions

  • Rule changes

  • Logins

  • Pretty much everything


Perfect for compliance or when someone swears “they didn’t touch it.”

✉️ Adding Message Sources

You can connect Sublime to:


  • Microsoft 365

  • Google Workspace

  • IMAP accounts


Each source gives Sublime access to ingest messages from your environment.

📫 Mailboxes Tab

This one’s simple: it lists all mailboxes connected to your Sublime environment—so you always know what you’re monitoring.



-------------------------------------------------------------------------------------

🎯 Final Thoughts

ASA is like that one intern who learns fast, works 24/7, and doesn’t need supervision. Whether you want full control or full automation, ASA can slot into your team and start saving time and catching threats instantly.


The Admin tab is where you lay the foundation—so the cool stuff (like ASA) can do its thing without chaos.

And there you go. That’s Sublime Security’s Admin tab, decoded in plain English.

-----------------------------------Dean-------------------------------------------

Upcoming Article (Last Article): The Final Piece: Hunting, Searching, and Analyzing Like a Pro in Sublime EDR for Email

-------------------------------------------------------------------------------------
