    Sublime Security
    • 12 Jun 2025
    • 4 Minutes to read

    Sublime Security is a comprehensive email security platform that allows users to create custom detections, gain visibility and control, and focus on prevention of malicious emails.

    Ingesting Audit Logs

    Audit logs from Sublime can be ingested cloud-to-cloud via the API.

    Adapter-specific Options

    Adapter Type: sublime

    • api_key: your Sublime Security API key (the page's earlier reference to an Okta key was an error; this adapter authenticates to Sublime, not Okta)

    CLI Deployment

    Adapter downloads can be found here.

    chmod +x /path/to/lc_adapter
    
    /path/to/lc_adapter sublime client_options.identity.installation_key=$INSTALLATION_KEY \
    client_options.identity.oid=$OID \
    client_options.platform=sublime \
    client_options.sensor_seed_key=$SENSOR_NAME \
    client_options.hostname=$SENSOR_NAME \
    api_key=$API_KEY

    Infrastructure as Code Deployment

    # Sublime Security Specific Docs: https://docs.limacharlie.io/docs/adapter-types-sublime-security
    
    sensor_type: "sublime"
    sublime:
      # Sublime Security (Email Security Platform)
      api_key: "YOUR_SUBLIME_SECURITY_API_KEY" # (required) Your Sublime Security API Key. Store securely.
      client_options:
        identity:
          oid: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # (required) Organization ID from LimaCharlie.
          installation_key: "YOUR_LC_INSTALLATION_KEY_SUBLIME" # (required) Installation key associated with the OID.
        hostname: "sublime-security-adapter-prod-01.example.com" # (required if not using sensor_hostname_path)
        platform: "saas_api_sublime_security" # (required) Indicates the source is the Sublime Security API.
        architecture: null # (optional) Not applicable for SaaS API.
        mapping:
          # Sublime Security API likely returns JSON for events/messages.
          parsing_re: null
          # (optional) Path to uniquely ID the original Sublime event or message.
          sensor_key_path: "message_details.message_id" # Example: using a unique message ID.
          sensor_hostname_path: null # (optional)
          # (optional) Example: "SUBLIME_MESSAGE_PROCESSED_CLEAN", "SUBLIME_THREAT_DETECTED_PHISHING". Based on Sublime event fields.
          event_type_path: "SUBLIME_EMAIL_{{ .detection_engine_verdict.threat_type | token | upper | default \"ANALYZED\" }}_{{ .action_taken | token | upper }}"
          # (optional) JSON path to the event's occurrence time.
          event_time_path: "timestamp" # Or "received_at".
          investigation_id_path: "detection_engine_verdict.rule_id" # (optional) Example: using the ID of the rule that triggered a detection.
          transform:
            "+email_security_platform": "SublimeSecurity"
            "+sender_email_address": "{{ .message_details.sender.email }}"
            "+recipient_email_address": "{{ .message_details.recipient.email }}"
            "+threat_name_detected": "{{ .detection_engine_verdict.threat_name }}"
            "-raw_eml_preview_if_too_large": null
          drop_fields:
          - "message_details.headers_verbose"
          - "detection_engine_verdict.confidence_score_raw"
          sid_replication_path: null # (optional)
        # mappings: null
        indexing:
          enabled: true
          default_index: "sublime-security-{{ .identity.oid | substr 0 8 }}"
        is_compressed: false # (optional)
        sensor_seed_key: "SEED_KEY_SUBLIME_ADAPTER_001" # (required)
        dest_url: "https://input.limacharlie.io" # (optional) The destination URL. Usually defaults correctly.

    API Doc

    See the official documentation.

    Ingesting Alerts

    Sublime alerts can be ingested into LimaCharlie via a JSON Webhook Adapter.

    Adapter Deployment

    Sublime Security logs are ingested via a cloud-to-cloud webhook Adapter configured to receive JSON events. The steps of creating this Adapter and enabling the input include:

    1. Creating the Webhook Adapter via the LimaCharlie CLI

    2. Discovering the URL created for the Webhook Adapter.

    3. Providing the completed URL to Sublime Security for webhook events.

    1. Creating the LimaCharlie Webhook Adapter

    The following steps are modified from the generic Webhook Adapter creation documentation, found here.

    Creating a Webhook Adapter requires a set of parameters, including organization ID, Installation Key, platform, and mapping details, among other parameters. The following configuration can be modified to easily configure a Webhook Adapter for ingesting Sublime Security events:

    {
        "sensor_type": "webhook",
        "webhook": {
            "secret": "sublime-security",
            "client_options": {
                "hostname": "sublime-security",
                "identity": {
                    "oid": "<your_oid>",
                    "installation_key": "<your_installation_key>"
                },
                "platform": "json",
                "sensor_seed_key": "sublime-super-secret-key",
                "mapping": {
                    "event_type_path": "data/flagged_rules/name",
                    "event_time_path": "created_at"
                }
            }
        }
    }

    Note that in the mapping above, we make the following changes:

    • event_type_path is mapped to the rule name from the Sublime alert

    • event_time_path is mapped to the created_at field from the Sublime alert

    2. Building the Adapter URL

    After creating the webhook, you'll need to retrieve the webhook URL from the Get Org URLs API call. You'll need the following information to complete the Webhook URL:

    • Organization ID

    • Webhook name (from the config)

    • Secret (from the config)

    Assuming the returned domain is 9157798c50af372c.hook.limacharlie.io, the URL has the form:

    https://9157798c50af372c.hook.limacharlie.io/OID/HOOKNAME/SECRET

    Note that the secret can be supplied either as the final path segment of the URL or as an HTTP header named lc-secret. The secret is the only thing authenticating posts to this hook, so use a long random value rather than a descriptive string like the sublime-security placeholder above, and prefer the header form so the secret does not end up in URL access logs.

    3. Configuring the Sublime webhook Action

    Within the Sublime Security console, navigate to Manage > Actions. From here, you can select New Action > Webhook.


    Within the Configure webhook menu, provide a name and the Adapter URL constructed in Step 2 above.


    As noted in Step 2, the secret can instead be sent as the lc-secret HTTP header; if you configure that header here, leave the secret out of the URL.

    Once the webhook Action exists in Sublime Security, alerts can be routed to it. To test the webhook, open any flagged message, select Trigger Custom Action, and send it to the LimaCharlie webhook.
